We use smartphones for everything, you’re probably reading this on a smartphone but seldom do we pay attention to our privacy settings and our personal data that is being collected. In this edition of #PrivacyOfThePeople we explore the privacy concerns that our new and smart appendages i.e. smartphones may cause. We also assess whether the upcoming draft Digital Personal Data Protection Bill, 2022 will be able to address these concerns.
Why should you care?
There’s no question that smartphones have changed our daily lives, be it our work, social media, how we interact, and much more. India is one of the largest smartphone markets, with over 600 million active users, which is only bound to increase further. With the expansive market permeation comes great privacy and security concerns, specifically emerging from the default/in-built phone settings.
Researchers have found that less than 5% of users actually change their default settings. By paying attention to these settings, individuals can safeguard their personal information, limit data collection, and prevent unauthorised access to their device and data. Additionally, optimising phone settings can enhance battery life, improve performance, and customise the user interface according to individual preferences. Ignoring phone settings may leave one vulnerable to privacy breaches, security threats, excessive data usage, and suboptimal user experience. Thus, it has become essential to be proactive in managing and adjusting phone settings to ensure a safe, secure, and personalised smartphone usage.
Phone settings have come into the forefront as just last month, the Minister of State (MoS) for Electronics and Information Technology, Rajeev Chandrasekhar said that the Ministry will look into the ‘Enhanced Intelligent Services’ feature on Realme phones which is a data collection feature that is turned on by default. Following the public backlash on this feature and the statement from the MoS, Realme has rolled out a new software which disabled the default option for ‘Enhanced Intelligent Services’. This update will now leave it up to the user to enable the feature if they trust and want the performance enhancement claims made by this service.
While in this instance Realme was quick to make amends and respond to the public sentiment around the feature, this is the latest in a long series of privacy concerns raised against smartphone companies. In the past, OnePlus has admitted to collecting all important information from the phones running on its OxygenOS without the consent of users. The reasoning provided by the OnePlus co-founder, Carl Pei, i.e. the company was collecting data to “better understand general phone behaviour and optimise OxygenOS for a better overall user experience”, seems to be a slippery slope. Even one of India’s smartphone leaders, Xiaomi has been known to collect large amounts of user data. Researchers found that the device’s default Xiaomi browser recorded all the websites that a user visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, as well as every item viewed on a news feed feature of the Xiaomi software. The tracking supposedly continued even after the users used the private “incognito” mode for browsing. The device also recorded what folders a user opened and to which screens they swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains hosted by them and registered in Beijing.
Unfortunately, these are just some of the repeated instances of mobile companies invading the privacy of their users to advance their business interests.
Changing the Setting Gear ⚙️
While the above can paint a rather grim picture, with a few tweaks we can all be more cognizant of our privacy and not take the settings on our smartphones for granted.
1. Ad Personalisation: Personalised advertisements, wherein mobile companies and applications use your data to show you ‘personalised’ ads based on your inferred interests, are the primary reason for data collection. While some users prefer this personalised service, others feel uncomfortable with advertisers like Google and Meta capturing data to show targeted, interest-based ads. If you share the same concerns, you can just opt out.
To do this, visit your general settings, select Google and click on the Ads option to turn off personalised advertisements. It is suggested to go through other options under the ad tab to further explore what advertisements Google may show you.
You can do this for Meta as well, using the Privacy Checker tool under Facebook’s settings which allows you to change your ‘Facebook Ad Preferences’ and specifically turn off options for location, relationship status, work status etc.
More recent iOS versions have introduced an Apple Advertising option in their general setting where a user can disable the ‘Personalised Advertising’ option as well, iOS 14.5 requires explicit user permission in order to track or access their device's advertising identifier under their ‘AppTrackingTransparency’ framework.
2. Location History: Automatic location tracking has become increasingly common for a lot of smartphones and applications, of which Google through Google Maps being the most known example.On the upside, both Android and iOS allow for the tracking to be turned off. For iOS devices, one can turn off ‘request tracking’ and location services under the privacy settings. As for Android phones, one can disable location permissions (permanent/while using the app) under the privacy setting tab.
3. App Permissions: While changing phone settings as per your privacy needs is a good first step, sharpening your app-downloading IQ is also crucial. While installing any application, there would be a list of permissions that the app would request access to. Before granting the permissions, it becomes necessary to check whether they are central to the working of the application. For instance, it is worth questioning why a camera application would need access to your contact or payment information.
Another thing to keep in mind while downloading applications is to steer clear of unknown sources and developers. Primarily sticking to the Play Store and App Store is a good rule of thumb, especially when you’re unaware of the app developer.
Will the latest draft of the data protection bill address these concerns?
(To know more about the Draft Digital Personal Data Protection Bill, 2022, read our public brief here)
The highly anticipated draft Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) is supposed to be placed before both houses of Parliament and discussed during the Monsoon Session. As per reports, the Union Cabinet has approved the DPDPB, 2022 with the aim of tabling the bill in the upcoming Monsoon Session. More recently, the approved bill was also in the list of business for the upcoming session. Reports suggest that the version approved by the Cabinet differs from the earlier version of the bill which was released on November 18, 2022 for public consultations. The object and purpose for the bill reads as “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto”.
From the above, we see an increased focus on operationalising data processing for data fiduciaries instead of providing primacy to interests of the data principal. This interpretation is also supported in the context of mobile setting and applications after an analysis of the provisions of the DPDPB, 2022 which allow for overbroad processing of personal data and dilute protections for data principals.
Weakened Notice Requirements [Clause 6]: The DPDPB, 2022 requires data fiduciaries to merely notify the data principal about the nature of the data they will be collecting and the purpose for which such data may be processed. This is at odds with the Data Protection Bill, 2021, wherein Clause 7 had extensive notice requirements including providing clear, concise, and easily comprehensible information to the data principal about third party sharing of data, cross border transfer of data, and period of retention of data.
Since the 2022 draft does not require data fiduciaries to inform principals about the third-parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries. This may potentially allow the data fiduciaries to obtain uninformed consent of data principals and use their personal data for undefined and additional purposes.
Deemed Consent: Clause 8(7) of the DPDPB, 2022 reads as “A data principal is deemed to have given consent to the processing of her personal data if such processing is necessary for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a data principal who is an employee, verification of attendance and assessment of performance.”
A data protection law which seeks to protect the interest of data principals should have user consent as its foundational framework. However, the DPDPB, 2022 fails to do so by allowing for various situations in which non-consensual processing of data may be justified by data fiduciaries. Clause 8 allows data fiduciaries to “deem” the consent of data principals in situations which have not been strictly defined and as a result may be widely interpreted leading to misuse. Due to the vaguely defined nature of these situations, overbroad processing of personal data may occur, which would be violative of certain data processing best practices such as data minimisation and purpose limitation. Such non-consensual processing may also result in function creep, wherein data collected for one specific purpose is then processed for other purposes in the absence of the data principal’s knowledge and consent.
Right to be forgotten and reduced rights of data principals: The DPDPB, 2022 has changed the legislative outlook towards the right to be forgotten by reducing the rights extended to data principals under Clause 12 to 15. The Data Protection Bill, 2021 made a distinction between ‘erasure’ and ‘stopping disclosure' and associated the right to be forgotten with stopping of disclosure under Clause 20. Now the DPDPB, 2022 subsumes this right to be forgotten under the right to erasure. This conflation between the general right to erasure with the right to be forgotten, which is specific to disclosure of personal data, leads to ambiguity.
In the absence of legislation, the right is dependent upon principles laid down through rulings of courts across India. Some courts have applied the right in situations where court orders carrying names of accused who were later exonerated were published on websites like IndiaKanoon.com.
Exemptions under the DPDPB, 2022: Clause 18(2)(a) of the DPDPB, 2022 empowers the Union Government to exempt any state instrumentality from the application of the provisions of the bill in the “interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”. Interests stated in the provision for which exemption may be exercised are excessively vague and thus open to misuse through overbroad application. This may result in a large number of government instrumentalities being granted exemption from the application of law. Further, the exemption granted is overbroad as it effectively excludes all activities of an agency from the purview of the bill.
The option to grant blanket exemptions to particular state instrumentalities preempts any review, judicial or otherwise, of the actions of government entities, which could result in gross violations of citizens’ privacy by the State. Further, the provisions may potentially concentrate all surveillance powers within the executive branch, without instituting any safeguards such as judicial review of surveillance orders. We already have witnessed instances of executive-led surveillance like the Pegasus project and NATGRID which have been possible owing to the absence of checks and balances. The data protection law was expected to institute much awaited safeguards on this architecture but exemptions granted under 18(2)(a) widened surveillance powers held by the government instead.
Keeping in mind these provisions, it seems unlikely that the DPDPB, 2022 will be able to satisfactorily safeguard the privacy of citizens whose personal data is collected through their smartphones and applications.
- IFF’s Public Brief on the Draft Digital Personal Data Protection Bill, 2022. (link)
- Read the Draft of the Digital Personal Data Protection Bill, 2022 released on November 18, 2022 by the Ministry of Electronics and Information Technology. (link)
- ‘#PrivacyOfThePeople: End of season sale of your privacy on e-commerce platforms’. (link)
- ‘#5Questions to ask before installing an app’. (link)
- ‘#PrivacyofthePeople: The harms of biometric attendance apps’. (link)
This post has been drafted by Policy Intern Saharsh Panjwani and reviewed by the Policy Team