As background, to set the scene for what the state of privacy is in India: India has no privacy legislation, and selling datasets seems to be a popular informal activity[1]. (That article is worth a read in its entirety.)
It’s not unusual for shops to demand a telephone number during even small purchases, and your number will be spammed with SMS ads shortly thereafter. Also email spam if they somehow get your email.
Chat archives (possibly backups?) of people under investigation have been leaked to the media with no consequence to the leaker.
Essentially it’s an extreme “laissez-faire” environment, one almost out of a textbook example of what happens in the absence of any regulation whatsoever.
The above doesn’t have anything to do with Facebook or WhatsApp (except tangentially), it’s just to note that privacy legislation would be a very helpful quality of life improvement for many Indians.
Perhaps someone on HN who knows more about this can share why the efforts to have privacy legislation in India have so far been unsuccessful.
This ruling was one of the landmark rulings in recent times, and a true David vs Goliath story - where a small group of privacy activists won against mandatory Aadhaar.
While it is true that right to privacy implementation remains patchy, there is growing awareness around privacy - both from government, and against large corporations. For example, half of my contact list is now on Signal and last week I had more chats on Signal than on WA.
Due to the lack of legislation, the data broker market operates freely without any repercussions. Deleting your data from a website which publicly displays your private information is a nightmare and often unsuccessful.
On that note, a pro tip for anyone incorporating a company in India. Give a separate email id, phone number when you incorporate because as soon as it's available on the MCA (Ministry of Corporate Affairs) database the brokers buy it for (~ INR 100/ ~1.37 USD) legally and put it out for sale to the spammers/scammers often displaying the email id publicly.
It will feel intuitive to give your personal phone, email in the forms when starting a company but you'll regret it. I'm waiting for the Data-Privacy legislation to be passed, so I can sue the X out of these brokers; until then I'm creating an account with these brokers to delete my own details and if not possible then updating it with fake data.
In section titled "Part 3: Becoming Data Rich" of the above article, they talk about the privacy protection legislations that are going to be implemented in India. Adding the part that caught my attention below:
___
Data Empowerment and Protection Architecture (DEPA) is a policy framework that defines how the economic primitive of data can be freed up so that individuals and businesses can choose how to best protect it and use it for their own gain. This innovation, which is presently being rolled out in the financial services industry, has its philosophical roots in a piece of impending legislation known as the Personal Data Protection Bill (PDP).
According to this bill, Indians will (for the first time) get a litany of new rights pertaining to their data. Specifically, they will get the following rights:
* The right to data confirmation: The right to know what data is being stored about them, how it has been processed, and who else it might have been shared with
* The right to data correction or erasure: The right to update their data stored with a service provider, in order to make corrections, edits, and omissions of data that is no longer relevant
* The right to be forgotten: The right to have their data deleted from a service provider’s database should they withdraw their consent to its continued storage
* The right to data portability: The right to obtain and share their data in a structured and machine-readable format
It exempts government and gives them more power over data held by the private companies in later amendments.
Proper enforcement capacity is also needed otherwise it will be abused to selectively target companies and startups but make little difference in privacy.
Most Indians are not rich enough to afford paying for multiple software subscriptions monthly. They give away privacy as a substitute for that. Market forces at play.
That bill is seriously hard to comply with. It's like GDPR but more stringent and there are data import / export mandates on top.
Whenever that rule gets passed it's going to put a real squeeze on a lot of mid-large sized companies that have been playing fast and loose for a while. Facebook would definitely be violating many different parts of the law
Indian here
There are some privacy laws, and some cyber-crime laws, but basically no one cares enough about those to implement them.
I feel this is not an India-only problem but with many developing nations as most people literally do not care...
Also I have not been bombarded by spam except through SMS, but that's not a big problem either as no one uses SMS anymore
Ah India also has anti-piracy laws but that's a story for another time
Incidentally, it's weird to me how we lack internet laws in a lot of aspects yet have strong IT laws when it comes to blocking and censoring websites when needed (eg. porn¹)
Incidentally, WhatsApp as a platform contributed a lot towards the current ruling party's electoral successes. It was and remains the main focused platform for BJP's campaigns.
In India, WhatsApp is much more ubiquitous than any other platform and penetrates even the lesser developed regions - if one has a smartphone in India, it almost always has WhatsApp on it. It is even available on some feature phones in the country. "Texting" in India means sending a WhatsApp message.
Additionally, WhatsApp also acts as a mobile payments platform in India. Although not very popular yet, it is increasingly becoming a significant sales and support platform for many businesses.
This is silly on so many levels that it's not even funny. In India WhatsApp is used as a tool for public dissemination of govt propaganda but that is not even the whole thing.
WhatsApp admins are made to "register" their groups with local police station and I have a relative who manages one group. Had to frequently visit the police because of his "posts" which are only news forwards but they want their views put to public.
I read on twitter the police install that WhatsApp malware on their phones so it can propagate through these news groups. No confirmation on this but just saying.
Then you have this crackdown on dissent whereby forwards and messages and statuses critical to govt are arrested and literally tortured.
I know because friends have taken a beating on more than one occasion.
This is damage control by govt on behalf of the company because that allows their users to not jump ship and govt can maintain surveillance
> “He has been also found involved in misusing of social media platform by creating fake accounts and posting seditious and provocative posts for antinational activities which are highly prejudicial in maintaining law and order,” he added.
So speak anything critical to govt means antinational and sedition and that needs arrests?
This one while not directly related to WhatsApp does make a point to explain how the govt is using social media in most productive manner which is beneficial to the society.
People jumping ship is super bad news for government surveillance as WhatsApp has a convenient backdoor that alternatives don't have: the majority of users don't disable unencrypted backups in the cloud.
So until now, despite all their hand waving about how bad encryption is, governments had an easy judicial way of accessing messages.
This is just a show of power by poorly informed people and a gimmick to distract people. Don’t read too much into this as the government caring about privacy.
The central government in India has no interest in the privacy of residents or citizens. This government argued in the Supreme Court that Indians do not have the right to privacy in the constitutional case about it a few years ago (fortunately, the Supreme Court disagreed and declared that privacy as a fundamental right is read in/through a few articles in the constitution). This government also sold vehicle registration and related data to several entities for money.
It has pushed the poorly designed and poorly implemented Aadhaar biometric identity for residents for almost everything, resulting in denial of service and also deaths (including starvation deaths of kids) due to people not getting their entitlements.
This government hurriedly got a couple of private companies (Make My Trip and 1mg) to develop a “contact tracing app” called Aarogya Setu for COVID-19 that requires 24/7 location access and Bluetooth to be on as well. The data from the apps is stored in central servers that these private companies have access to (a right to information request showed that the government isn’t really aware who engaged the companies or what the relationship with the government is). The application was declared to be open source but the sources have been old versions released a long time after, and have little bearing to what’s in the app stores.
India still doesn’t have a privacy law (personal data protection law). It has been in the works for a very long time, though broad reasoning in the draft gives the government the power to compel anyone to provide data.
The recent suspensions of prominent politicians in the U.S. by major tech companies has triggered the ruling party and the central government to worry about the “control” that these companies wield. The government is worried that its own propaganda troll armies (called “IT cell” locally) will start facing such issues.
The ministry that wrote to WhatsApp to not implement the new policy wouldn’t even know that WhatsApp has been sharing information with Facebook since 2016 (when it temporarily allowed some users to opt out, which most didn’t because they didn’t understand or care about the implications).
The government, faced with farmers agitating against recent laws and unwilling to accept anything but a repeal of those, seems to consider this as a time to gather some goodwill by making WhatsApp kneel to show who’s the boss in the country (both the carrot and the stick here are WhatsApp Pay’s sustainability and future).
P.S.: I haven’t listed sources for the claims made above, because all of them, except for the personal speculation about why the government is doing this, can be verified from authentic news sources online.
I always hear about this mythical IT army. But then you see more of anti govt especially anti modi comments everywhere. Like the one above and some other in this very list. If they exist it seems they are very bad or the opposition has very good IT army.
The BJP IT cell is bigger, better and more organized. It's India's state of the art. Dismissing the work being done here is a bit insulting to people working very hard to make it seem they do no work at all.
n for bjp accounts analyzed = 2,71,579 accounts
n for congress = 1,22,023 accounts.
It's fascinating stuff.
Also what you find is that internet forums usually get the people who are unhappy. The happy people aren't online. During the congress' tenure you had EVERYONE crying against the congress and everyone was a BJP supporter.
Today the roles have reversed. I bet it switches if the BJP drops from power.
If the roles reverse when power changes then the IT army is useless or nonexistent. I can in my group the people supporting the govt have not changed when they were in opposition. You don't need an army when many are religiously aligned.
Because this is hacker news, no Indian aunty uncle are here. To see it go to local twitter, fb, whatsapp local groups. That "IT army" can be seen everywhere and whoever says it's mythical clearly belongs to that army or doesn't live in India.
Ha so if someone disagrees then they belong to that army. Very convenient indeed. What about persons who keep saying there exists an army. Who are they? Well-wishers or the opposite army?
so it can either be that it is a fundamental right, in which case my rights have been trampled and there is no recourse or it is not a fundamental right, and i can go fuck myself for being born here because i have to suffer because the govt gets a boner talking about the land because it gets them votes.
search for "temporary". this is from the govt. What fearmongering is this?
students have been unable to attend schools since 5 august 2019 and you make 8 million humans suffer because of a boogeyman which doesn't exist?
hasn't the recent arnab leaks suggested that pulwama was a false flag along with arnab getting prior info about something like balakot? if this is true and factually it does look like it, so who is the boogeyman? if allegedly india did pulwama attack on its own people and blamed kashmiri militants for it and pakistan for aiding them which has led to the crackdown on militancy in kashmir and this supposedly "anti-national" elements which in reality don't exist so why are we suffering?
if modi wants to fuck himself over the blood of indians to stay in power, do it but why am i suffering?
While they were figuring out the EU's ePrivacy Directive, Facebook Messenger turned off certain features to all chats with an EU user in, whether or not there were non-EU users in that chat.
(I assume they have or will come up with a work-around, as far as legally possible)
All PII (personally identifiable information) of EU/EEA citizens and residents would have to be filtered out, yes.
Chat messages in themselves are not necessarily PII, but then again WhatsApp isn't claiming to freely read the messages. I suppose the messages in the chat could be mined for keywords to give ads to the non-EU/EEA persons.
The GDPR covers EU citizens wherever in the world they are. Is there a way for me to tell WhatsApp that I am an EU citizen not currently based in the EU?
> The GDPR covers EU citizens wherever in the world they are.
No. In law, EU GDPR absolutely does not cover EU citizens who are physically outside the EU.
GDPR makes no reference to citizens or residents and is understood to apply to any person whenever they are physically present in the EU, and to data which is created/located physically inside the EU's borders (and to data which has crossed the border within the rules).
I don’t know the details and would love to know. However if I were asked to “get this done”, this is what I’d do:
The user’s phone number is a unique ID as far as WhatsApp is concerned, so any metadata related to phone numbers in the “European region” (eg numbers starting with +33, +44, +49, etc) would be treated as if the 2020-era privacy policy applies.
I appreciate your quandary, but I wonder if most people realise how little explicit profile data WhatsApp has for its users. It doesn’t have a name, country of residence, ... anything really. Just a phone number.
I know looking at a phone number’s country code is imperfect, but pretty much every other method is problematic too.
* the most explicit would be for EU residents to contact WhatsApp with proof of residency. Unfortunately it creates a vast bureaucracy and most people should be wary of sharing scans of their documents, with Facebook of all companies.
* The WhatsApp app could look at which network the phone it’s on is connected to. If it’s an EU network (say connected to an EU network for 6+ months to filter out tourists), protections could apply, but I think this would probably adversely impact EU nationals in non-EU countries.
So yes, a number of options are possible, each has pros and cons. How far Facebook would go would depend on regulatory direction, almost certainly.
Don't worry too much about this. FB is an investor in Reliance. Reliance for those who don't know, is the most corrupt corporation in India and they own everything from the politicians to the judges. So this will get overturned very soon.
Somewhat unrelated but, in the U.S., I believe that the government still doesn't need a warrant for emails stored 180+ days in the cloud, because the Email Privacy Act never passed: https://en.wikipedia.org/wiki/Email_Privacy_Act .
Current Indian government had a positive outlook about Facebook. Events in US seem to have spooked many political parties. Facebook will have to spend a lot to control the narrative, though it will survive. Twitter on the other hand looks beyond saving, no strong man will trust it.
what is the difference between Twitter and FB that you are alluding to?
AFAIK Twitter is facing more troubles with censorship- banning some prominent faces, while FB has been more lenient overall.
There's a difference in perception. Twitter in India has a larger proportion of academics (who tend to be left leaning), intellectuals, and a larger portion of the English speaking urban professional population. There's more scope for speech critical of the government on Twitter. On the other hand, Facebook is far more popular, and captures a broader cross section of the population whose political views tend towards the mean in India.
[1] https://restofworld.org/2020/all-the-data-fit-to-sell/