What most people do not understand is the difference between personally identifiable information and confidential information, or as Schneier puts it ‘the difference between personal data and secret data. To put it simply, personally identifiable Information (PII) refers to any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. It has little to do with confidentiality of the information on its own. Postal codes/ zip codes and fingerprints are few such examples of less-confidential personal data.

The way things are turning out in India, we will soon see DoT ordering NIC to maintain a national mail server where all our emails will be mirrored and scanned for keywords that reflect terrorism. Atleast people can look up to NIC to snoop around in other’s email and ask for backup just incase an email is deleted from their servers!

First, the casual attitude infecting our system day after day seems to have spread to our use of technology. Walk into a transport department office and you will find servers containing sensitive personal information about license holders lying next to dustbins, under the table as a foot rest and if better, under a heap of files. It is not difficult to steal such information. It is just that this information has been made public through so many channels that its not even worth stealing it anymore. The hospitals do not feel responsible for protecting personal and sensitive information about its patients. Information that is supposed to be confidential, is conveniently passed on to the media for few minutes of fame.

Second, we, as Indians, take great pleasure in enjoying personal lives of fellow country men/women. Be it Mr Pandher or Mr Telgi, we all have enjoyed their sub-conscious talks. For no other reason, the media, rebuking all social norms of privacy of individuals, takes great pride in showing the tapes which are ideally supposed to be classified. Now this has nothing to do with data security in general, but does hint at the possible privacy violations in India going untouched. Infact, What Mr Pandher did in Noida did not demand his psycho-analysis test to be aired on national television. Similarly, Mr Telgi’s status of HIV+ had nothing to do with his stamp paper scam.

Third, the biggest challenge in India yet remains “people”. Each of the data breaches, barring one, that have occurred in the past 5 years in India has an element of social engineering. With an open, multi-cultural society, people have started trusting others with information a bit more than the acceptable level. So much so, that it is a routine for most of us to share our personally identifiable information with unauthorized individuals. Stand outside a call centre with a bunch of fancy credit card forms, and 25 year olds will throng the place carrying their salary slip, driving license and just about every other personal information. Most of them would not know the name of the agent who is collecting the forms. All of them actually wouldn’t care.

Not too behind in the “private information made public” race are the DSA agents for telecom companies that companies appoint to collect information and feed into their system for various legitimate purposes such as new connections, up-selling/cross-selling, retention and collections.
As a bonus, we are also blessed with sharing of out personal information with 250 odd domestic call centres in and around Delhi at no extra cost. I haven’t really come across a descent chap who hasn’t got a grudge against telemarketers. Initiatives such as Do Not Call registry are bound to fail in absence of strict penalties. The regulatory bodies have clearly not come down on telemarketers for implementing Do Not Call. If that was not enough, the database propagation of a number into Do Not Call registry takes about 30-45 days – another example of redundant technology.

As our country grows and generates electronic information, the demands for security and privacy increase. Regulatory bodies and law enforcement bodies need to be brought up to the mark for information security acts. A comprehensive data protection law is required at the least to safeguard privacy of individuals. And last, each one of us needs to understand repercussions before sharing sensitive information online, and get ready for information age.