Wednesday, May 23, 2012

Inherent Lack of Privacy in India

Over the last few weeks, I came across multiple scenarios where there was an absolute lack of concern over privacy or user data. This got me thinking about how there was an inherent lack of concern for privacy in India and what we in our capacity as security professionals, regulators / law makers and end-users could do about it.

Scenario 1: The Election Mail
The Backstory: I am a member of the N.S.C.I club and as such receive the occasional paper mail communication from them about various events, activities etc. Around sometime last year, as part of the transition to RFID access cards - I also provided them with alternate contact details such as my phone number, e-mail address etc. However, I don't believe I have received any official communication from them over any alternate medium since.

At some point in the afternoon last monday, my phone beeped and the nagging red light ensured that I checked it right away. It seemed to be an unsigned message asking me to "Vote for Progressive Group" - which at the point didn't make much sense to me. Over the next couple of days, I received about three different e-mails from a Mr. Nasir Amlani asking me to vote for him in the upcoming NSCI board elections. I have a couple different concerns with this whole mess:

  1. Who gave Mr. Amlani my mobile number and e-mail address?
  2. If it was NSCI - Under whose authority was my personal information shared with a third party.
  3. Mr. Amlani used CC to send one of the e-mails and therefore has now shared the entire e-mail list with everyone marked on it.

Scenario 2: The Airline Trying to Survive

The Backstory: I tend to use unique e-mail addresses for various account registrations, which allows me to efficiently manage e-mail, spam, etc. For e.g. if I was registering for an account on the website of ABC Pizza, I would probably use [email protected]

So when I registered my account on the Fly Kingfisher website - I ensured that I used a unique e-mail address that would only be used for that particular purpose. Now earlier today, I received an e-mail from someone called "HighOnTravel" offering me some travel packages on that particular e-mail address. There was no mention of Kingfisher in the e-mail and the e-mail even suggested that I received it as I must have signed up for it on their website. Again, this raises a couple different concerns for me:
  1. Who gave Kingfisher the right to sell my information?
  2. If the information was sold officially and legally - shouldn't appropriate bulk mail practices have been used?
Scenario 3: The Anti-Corruption Corruption
The Backstory: I am a supporter of the Anna Hazare movement for the implementation of the Jan Lokpal bill. As such, I had signed up for newsletter on their website which had promised to keep me up-to-date with future events, etc.

Once again, I used an e-mail address that was unique to the particular organization and was not used anywhere else. A few weeks after signing up for the newsletter, I started receiving random e-mails about various social causes, mails where I was marked as part of petitions for unrelated issues, random marketing mails - even an e-mail from Think Digit offering me some special subscriptions. My concerns here are the same as above.

In all of the above scenarios, there are a few different common trends or root causes if you will.
  • Organizations seem to find it amazingly easy to sell / distribute personal information.
  • There is a level of negligence when it comes to CC'ing people on such mass e-mails and therefore making a bad situation worse.
  • Otherwise reputable organizations seem to completely ignore privacy regulations and spam regulations in-order to adhere to bulk mail regulations.
Based on all of the above - we as an industry really need to look at how we handle, manage and ration personal information. Although there are certain laws in place, we need to look at re-evaluation of said laws and their effectiveness. As end-users the only way we can protect ourselves is by using such random e-mail addresses for different registrations. For e.g. Gmail supports a wildcard functionality in e-mails. [email protected], [email protected], [email protected] will all come back to the same inbox. By using this sort of functionality while registering accounts, we can at-least start identifying organizations that are selling our information out there. Only when there is a certain amount of awareness and outcry will organizations as well as the government take such privacy concerns much more seriously.


NaPsTeR said...

Interesting technique, I didn't know that Gmail allowed wild cards. I will start using them now. What do you think we can do to limit this spam after we identify the agency ? What if there is no way to unsubscribe ? I'd like to hear your thoughts on this - I am a security consultant who lives and works in USA and things are not much different here. Although many organizations *claim* to keep your information safe and secure, they still pass it around.