This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

PrivacyGuides-India deals with enhancing "privacy" in a 360° surveilled country like India

pixincreate/PrivacyGuides-India

NOTE TO THE READER

THIS REPOSITORY IS UNMAINTAINED AND SUBSTANTIAL UPDATES ARE NOT PLANNED AT THE MOMENT. THE READER SHOULD ALSO NOTE THAT THE CONTENT MENTIONED IN THIS README WILL CONTINUE TO STAND FOR AT LEAST THE NEXT 5 YEARS, GIVEN THAT THE GOVERNMENT'S CRACKDOWN ON USER PRIVACY HAS ONLY INCREASED OVER TIME.
THE USER SHOULD ALSO NOTE THAT THE NEW CRIMINAL LAWS, DATA PROTECTION BILLS AND BROADCASTING BILLS ARE NOT HERE TO SAFEGUARD YOU. NEITHER WILL LINKING AADHAAR WITH PAN.
FLAWED DESIGN WILL CONTINUE TO HAMPER PUBLIC LIVES UNTIL PEOPLE REALISE THEY'VE BEEN HARMED ALL THESE YEARS.

Privacy Guides - India

DISCLAIMER:

This is an extended version of PrivacyGuides, specially tailored for Indian needs. It is not affiliated with privacyguides.org in any way.

Tools and services mentioned in this guide are not affiliated with anyone. They're mentioned here solely based on the author's interest and experience. The author is not responsible for any damage caused by the tools and services mentioned in this guide.

Without the involvement of Politics in this Privacy Guide, it is not possible to give clear context or information to achieve privacy in India. This guide is not meant to be a political guide but rather a guide to help people understand the importance of privacy and how to achieve it.

Index

CHAPTER 1: Introduction

Privacy Guides - India exists only to bring privacy to the masses: the crores of Indians who are living in denial of their privacy. This is a community effort to educate people about privacy and how to protect it. We are not affiliated with any organization or company. We are not here to sell you anything. We are here to help you protect your privacy.

1.1: What is Privacy?

Many people get the concepts of privacy, security, and anonymity confused. You'll see people criticize various products as "not private" when really they mean it doesn't provide anonymity, for example. On this website, we cover all three of these topics, but it is important you understand the difference between them, and when each one comes into play.

Privacy is the assurance that your data is only seen by the parties you intend to view it. In the context of an instant messenger, for example, end-to-end encryption provides privacy by keeping your message visible only to yourself and the recipient.

Security is the ability to trust the applications you use—that the parties involved are who they say they are—and keep those applications safe. In the context of browsing the web, for example, security can be provided by HTTPS certificates.

Anonymity is the ability to act without a persistent identifier. You might achieve this online with Tor, which allows you to browse the internet with a random IP address and network connection instead of your own.

Pseudonymity is a similar concept, but it allows you to have a persistent identifier without it being tied to your real identity. If everybody knows you as @GamerGuy12 online, but nobody knows your real name, that is your pseudonym.

All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where threat modeling comes into play, allowing you to make informed decisions about the software and services you use.

In short - Privacy is about data, Security is about trust, and Anonymity is about identity.
Example: You close the door when you go to the bathroom; that's privacy. You lock the door when you leave home; that's security. You wear a mask when you go to a protest; that's anonymity.

More about privacy here.

1.2: Why Privacy Matters?

In the modern age of digital data exploitation, your privacy has never been more critical, and yet many believe it is already a lost cause. It is not. Your privacy is up for grabs, and you need to care about it. Privacy is about power, and it is so important that this power ends up in the right hands.

CHAPTER 2: Privacy in India

2.1: Introduction

Privacy in India has been a mixture of privacy itself, denials, ignorance and politics.

The Indian constitution does not explicitly mention the word "privacy", but the Puttaswamy judgement, delivered on August 24, 2017, grants Indians the right to privacy (on paper, of course). The Information Technology Act 2000 and the Reasonable Restrictions on Right to Privacy Act 2017 are two key privacy-related laws enacted by the Parliament of India.

The PDF of the judgement can be accessed here. An analysis of the same can be accessed here.

2.2: Privacy and YOU

Privacy is a fundamental right, but it is not absolute. The Indian constitution allows the government to impose reasonable restrictions on the right to privacy in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence.

Violation of privacy has become the norm in India, to the extent that people are living in denial of their privacy and are not aware of the consequences. This is normal in a country where the government is trying to impose a surveillance state on its citizens, and privacy is not an end point but rather a journey. With fewer people opting in due to lack of awareness, the journey in the world of privacy has been quite difficult. With the necessary tools and knowledge, you can protect your privacy and take back control of your data.

2.2.1: Mindset of people

One cannot blame people for snooping into others' privacy when they themselves are not aware of their own. The mindset of people in India is that they have nothing to hide and they are not doing anything wrong. This is a very dangerous mindset to have. Privacy is not about hiding something, it is about protecting something. Privacy is not about doing something wrong, it is about doing something right. Privacy is not about being suspicious, it is about being safe. Privacy is not about being a criminal, it is about being a citizen.

2.3: Privacy, Security and Aadhaar

Aadhaar is a unique identity number for every citizen of India issued by the Unique Identification Authority of India (UIDAI). It is a 12-digit number that serves as proof of identity and address, anywhere in India. Aadhaar is a biometric database (Iris, fingerprints, face) of Indian citizens, collected by the Unique Identification Authority of India (UIDAI) and stored in a centralised database.

It is claimed that the Aadhaar database is stored securely behind an 11 ft high, 5 ft wide wall. However, there are 100+ incidents that prove the wall has a large hole in it, allowing mass data surveillance and data and identity theft. Here are some recent incidents that hold good:

2.4: Aadhaar and its implications

Despite Aadhaar being known to be insecure and highly prone to data breaches, the government continues to push it in every way possible.

It is people's responsibility to keep themselves away from Aadhaar, even though it provides some conveniences like Government monetary benefits. Doing so is for your own good and helps you escape the Government's 360-degree profiling and surveillance of you. Here are some implementations of Aadhaar that promote mass surveillance and profiling, and that people are okay with for no reason:

Apple running 'health data is private' ads in a country where citizens nonchalantly linked their Aadhaar with vaccine certificate to be automatically enrolled for government's ABHA ID.
— Abhishek Baxi (@baxiabhishek) June 10, 2023

More about implications of Aadhaar here

2.5: Government cracking down on Privacy

In September 2022, the Government of India took a step further to crack down on privacy by asking all VPN providers in India to collect logs and other personal data of their users and share them with the government. Adding to this, VPN providers were asked to retain the data for 5+ years. Sources attached below:

Government overreach and obsession with mass surveillance and profiling is not new. It has been happening for a long time now. Those who criticize the government for its stance and ideology are threatened into hiding the facts from the public or are jailed. For context, recently, Jack Dorsey, former CEO of Twitter, claimed that they were threatened with a shutdown of Twitter and raids on employees, for which he received a lot of criticism from the Indian Government and its officials. Within weeks, Elon Musk, who's the Chief of Twitter, acknowledged that:

"Twitter doesn't have a choice but to obey local governments. If we don't, we get shut down," says Elon Musk. pic.twitter.com/BBQGptJL4v
— Press Trust of India (@PTI_News) June 21, 2023

With the parliament passing bills like a bullet train with NO discussion, one can imagine how bad the situation is for citizens within the nation.

2.6: Privacy is nowhere

With no Bills in the country to protect citizens from cybercrimes, digital exploitation, surveillance, profiling and abuse from scammers and extortionists, companies have been taking advantage of the situation, collecting data about you and selling it to third parties for profit. The Government, on the other hand, is busy with its mass surveillance and profiling of citizens while trying to pass a bill that will allow it to collect data from private companies and use it for its own purposes. Here are some incidents:

  • Very recently, some users reported on the internet that the Chinese company Realme had been collecting an excessive amount of user data without their consent in the name of "Enhanced user experience", and the option was turned on by default. The company later pushed a patch that turned it off on users' devices after the news spread like wildfire. But the damage was already done. The same kind of data collection is still being done by other companies owned by BBK Electronics, viz. Oppo, Vivo, OnePlus, iQOO, etc.
  • On the other hand, some banks like Bank of Maharashtra have been silently enrolling their customers/account holders into insurance schemes like PMJJBY and PMSBY. They first deduct the money from your bank account and then, after some 4 - 5 days, send you a message saying that you're eligible for the scheme and can opt out if you want. But the money is already gone. This is a clear violation of privacy and data protection. The bank has no right to enroll you into any scheme without your consent. But they do it anyway. The author of this guide has been a victim of this.
  • The author's friends have reported that their SIM operator Jio had been blocking GRE ports (GRE ports help you connect to the VPN network) on its network, which actually violates net neutrality. Upon being asked on Twitter, Jio put up a vague reply stating:

    Hi, we are here to help you. Please be informed that as per the global standards ports are blocked in the RIL network - Nausheen
    — JioCare (@JioCare) June 16, 2023

  • MLAs in Karnataka illegally sent voter slips to voters on WhatsApp with their personal details like name, address, phone number, etc., which sparked controversy. Read more here.
  • Here comes the big part. The UPI that you use to do transactions is not safe either. While it has added convenience for Indians in making digital payments, it is not privacy friendly, experts warn.
    • TL;DR: When you make a payment through UPI, not only are the UPI ID and transaction ID shared, but a lot of personal data, including your phone number, name and physical address, is also shared with the merchant.

When crony capitalism and billionaires rule the country, you can't expect privacy to be a thing. So, one can say that a data protection bill in India cannot be expected to arrive. Even if it comes into force some day in the future, it will only legalise data collection and nothing else.

To know more about the state of privacy in India, follow here

Some important links to know more about the state of privacy in India:

CHAPTER 3: How to protect your privacy then?

It is too hard for you to protect your privacy in India. You're being tracked 24/7, 365 days. Your profiling was started when you were in your mother's womb, and you'll be tracked until your death. But, there are some ways to protect your privacy to some extent. This chapter will guide you through some of the ways to protect your privacy.

NEVER put all your eggs in a single basket. Use multiple services for multiple purposes. This will help you protect your privacy to some extent.

3.1 Use a VPN

A VPN is a Virtual Private Network that helps you connect to a remote server and route your internet traffic through it. This helps you hide your IP address and location from the websites you visit. It also helps you bypass censorship and geo-restrictions. It also helps you protect your data from hackers and other malicious actors.

Telecom companies like Jio and Airtel perform deep packet inspection, so it is recommended that you use a VPN from a trustworthy provider.

VPNs DO NOT provide anonymity. They only provide privacy, to some extent. If you want anonymity, use Tor.

To learn which VPNs are trustworthy, take a look here

3.2 Refrain from using proprietary services as much as possible

Proprietary services are those services that are owned by a company or an individual. They are not open source and you cannot see what's happening behind the scenes. They can be used to track you and collect your data. It is recommended that you refrain from using proprietary services as much as possible.

Services offered by Google, Microsoft, Apple and Amazon are proprietary. Government apps like Aarogya Setu, CoWIN, mAadhaar, mParivaahan, etc. are proprietary and are not open source, so their code cannot be reviewed or trusted.

To learn about some of the open source alternatives to proprietary services, follow:

3.3 Use services that allow deletion of account and data

Yes, the service that you use should be trustworthy and should allow deletion of your account and data.

This is because, if you want to stop using a service, you can delete your account and all your data will be deleted from the service provider's servers. This will help you protect your privacy to some extent and have control over your data and life.

3.4 Restrict your Aadhaar (if you've one)

In case you've already enrolled for Aadhaar, by mistake or by force, you cannot delete your Aadhaar. But, you can lock your Aadhaar so that no one can use it for authentication purposes [not even for verification in background, it just throws 500 -- Internal Server Error (as the developers are not paid well enough to handle errors properly even after 10+ years of its existence)].

If Aadhaar was created when you were under 18, you can opt out of it and request deletion of your data once you turn 18 by visiting the nearest Aadhaar centre within the next 6 months after you turn 18.

Make sure that you lock your biometrics so that, even if someone gains access to your Aadhaar by any means, they cannot use your biometrics for authentication purposes. By visiting this link, you can lock your Aadhaar overall so that no one can use it (assumed). This will prevent anyone from using your Aadhaar for authentication purposes. You can unlock it whenever you want to use it for authentication purposes. Make sure that you write down your Virtual Aadhaar number or store it in your password manager. If you trust the government, even after reading Chapter 2, you can proceed and install the Government app mAadhaar to lock/unlock your Aadhaar from there.

Here, it is mentioned that you can update your data sharing consent. However, the data sharing consent option is available nowhere on the Aadhaar website.

3.4.1 Delete ABHA ID

As of now, you can opt out of Ayushman Bharat Health Account (ABHA) and the same is mentioned in their fundamentals. Delete when you can.

3.4.2 Delete your Digilocker account

Digilocker is a service offered by the Government of India to store your documents digitally on a Government server, unencrypted. It is not recommended to use Digilocker as it is not open source and you cannot trust it. It is recommended that you delete your Digilocker account and store your documents in your password manager or on your encrypted hard drive.

Once you create your digilocker account, you cannot delete it. You can request your digilocker account to be deleted if you did not link your Aadhaar to it. Even if you did, you can mail them asking them to delete it. They'll reject your request initially, but you can mail them again and again until they delete your account. You can mail them at. This is the only way to delete your digilocker account and the author of this guide has done it successfully and you can read the story (it is a story) of the process here.

3.5 Refrain from sharing personal data and Aadhaar

It is recommended that you refrain from sharing your personal data as much as possible. You can use fake names, fake email addresses, fake phone numbers, etc. to protect your privacy. Some services like mail.tm offer you temporary email addresses that you can use to sign up for services that you don't trust and, of course, you need to be cautious while sharing personal info on such platforms. Temporary phone numbers in India are really hard to get. Services like Mysudo do not exist in India, as the Government does not allow such services to exist in India.

Since it is not really possible to get a phone number alias or a temporary Indian phone number, it is not recommended to share your phone number without a second thought, as today it is tied to your identity and cannot be changed easily unless you make some sacrifices.

You do NOT need to link your Aadhaar everywhere. Aadhaar is optional, not mandatory, as stated by the Supreme Court of India in 2019. Virtual ID is a joke and cannot be used anywhere other than for locking your Aadhaar and its biometrics.
In most places, you're asked to provide your Aadhaar only as proof. That proof is usually address proof. For that, you can give your Driving License, Passport, Voter ID, etc. instead, since they cannot be used to obtain your biometrics and other details like your phone number or your bank details.

Like when you go to buy an electric vehicle in India, they ask for your Aadhaar for FAME II subsidy. For context, FAME II is a scheme by Government of India to promote electric vehicles. You can give your Driving License instead of Aadhaar as proof. They'll accept it as it is a valid proof of address.

When you go to your nearest SIM provider, say Jio / Airtel (VI and BSNL are long dead), to buy a new phone number, you do not need to give your Aadhaar as address proof, as the number will then be linked to your Aadhaar. You can give your Driving License, Voter ID or Passport instead. They'll accept it as it is a valid proof of address.

Yes, you do NOT need to link your bank account with Aadhaar at the time of opening a bank account. You can simply say no and walk away. If you already have a bank account linked with Aadhaar, you can unlink it by visiting your bank branch.

3.5.1 You do not need to share your phone number everywhere

When you go to shops like retail stores, shopping malls, etc., after you make a purchase, at the time of billing, they ask for your phone number like it is the norm. No, it is not the norm and you need not share it. Yes, they'll look at you like a criminal. You can simply say no and walk away. If you really need the product and there is no other option, you can give them a fake number, given that you remember it and no OTP is generated for that number. But usually, after you say no a couple of times, they'll give you the product without asking for your phone number.

Companies know that you do not care about sharing your phone number and will share it without a second thought. They use this to track you and sell your data to third parties. They also use this to send you spam messages and calls like the ones you usually receive on your phone.

Most of the apps that are developed in India ask for your phone number for authentication purposes. They do this to reduce server costs as it will reduce spam but at the cost of your privacy (why do you care about them?). It is recommended that you refrain from using such apps. If you really need to use them, you can use a fake number or an alias to your original number.

3.5.2 Aadhaar is a proof of nothing but everything

As mentioned above, the government itself claims that Aadhaar is neither a proof of citizenship nor of date of birth. Although you can use it as a proof of address, it is not recommended given the security issues mentioned elsewhere in the guide and yes, you might be forced to give your biometrics. You can check this article to learn about the valid documents that you can provide for verifying your physical address.

Aadhaar is voluntary, but without Aadhaar, you'll have to face hard times in your life as most of the government services will be denied. As a prime example, the mandate of linking PAN with Aadhaar forces citizens to enroll for Aadhaar (voluntarily mandatory).

Here are some more references for verification of the claims made in this guide:

3.6 What's up with WhatsApp!?

WhatsApp is a proprietary messaging service owned by Meta (formerly known as Facebook). The app is extremely popular in the country and is used by almost everyone. It is really hard to convince anyone to not use WhatsApp.

Messaging apps' popularity grows exponentially. People use an app because their friends use it. Their friends use it because their friends use it. This is how it grows. It is not because it is the best app out there. It is because it is popular.

Meta (formerly known as Facebook) is known for its privacy violations and data breaches. WhatsApp is no exception, and hence Brian Acton left Facebook in 2018 to co-found the Signal Foundation by investing $50M.

For context, WhatsApp was acquired by Facebook in 2014 for $19B. Brian Acton was one of the co-founders of WhatsApp and he left Facebook in 2018 due to disagreements with Facebook's privacy policies. He co-founded Signal Foundation and invested $50M in it. Signal is an open source messaging app that is recommended by privacy advocates and is used by Edward Snowden, Elon Musk, Jack Dorsey, etc.

WhatsApp is not open-source and it collects a lot of data about you starting from your Profile photo, Contacts that you saved on your phone, your phone number, your IP address, your location, your device information, etc. In short, WhatsApp collects everything about you except the actual content of your messages. However, metadata generated by your messages is collected and used to show you targeted ads on Facebook and Instagram and is more than enough for anyone to get a context of your messages. WhatsApp also shares your data with Facebook and Instagram. You can read more about it here.

You can learn more about the data collected from WhatsApp's privacy policy here and by making a GDPR request from the WhatsApp settings within the app.

You talk to your doctor on WhatsApp, then you talk to the Cancer Diagnostic Center on WhatsApp, then you send a PDF to your doctor again, and forward the same to the pharmacy along with a photo. Then you talk to your family on WhatsApp. Now, Facebook knows that you might have cancer and will show you ads related to cancer treatment all over the internet, as WhatsApp shares all your data with its parent company, Meta.

When you give your phone number to sign up for other proprietary services like Uber, Ola, Myntra, Swiggy, Zomato, Paytm, etc., they start sending automated texts on WhatsApp without your prior consent. This is because they have your phone number and they can send you messages on WhatsApp as you've agreed to their policies. This is how they get around the fact that you did not give them your consent to send you messages on WhatsApp like below:

So done with WhatsApp pic.twitter.com/pEutCg38mI
— Karthikaa.eth ✨ (@designermaybe) May 7, 2023

They do not allow permanent deletion of account either:

We will make sure users have plenty of time to review and understand the terms. Rest assured we never planned to delete any accounts based on this and will not do so in the future.
— WhatsApp (@WhatsApp) January 15, 2021

There have been reports stating that WhatsApp has opened a backdoor for the Indian Government to snoop on its users' private messages. You can read more about it here, here and here, but the company has denied the claims. It is not open-source and hence, it is not possible to verify the claims.

3.6.1 What can you do?

Instead of using a proprietary messaging app like WhatsApp, you can use an open source messaging app like Signal. Signal is recommended and endorsed by many due to its stance on protecting the privacy of an individual. It has been audited by many security researchers and is considered to be secure. Signal collects the least amount of data, i.e., your phone number (which is rumoured to go away soon in favour of usernames), the timestamp of when you registered with Signal and the last time you connected to the internet, and nothing else. There also exist other apps better than Signal, like Session and Briar, but they are neither as popular nor as easy to use as Signal. Signal is available on Android, iOS, Windows, macOS, Linux, etc., and hence we recommend it. You can download Signal from here.

Signal is not perfect. It is not the best app out there. It is just better than WhatsApp with more features and better privacy. It is recommended that you use Signal instead of WhatsApp.

You can also look at other options by visiting this link that analyses various messaging apps and their privacy policies.

With WhatsApp rolling out its new features, i.e., Channels, it is no longer a messaging app but rather a full-fledged business tool that is there to help businesses have a wider reach to their customers. According to the author, the UI and UX are now completely ruined, since the app now focuses more on outsiders than insiders, i.e., you don't get to see updates from your loved ones or those in close contact with you, but rather from an unknown person or a business.
It is high time that you get out of this loop and escape WhatsApp AKA Meta's tentacles.

3.7 Move to a new country

Although this is easier said than done, especially for middle-class, working-class and lower-class people, this is the only option for you to escape from this rabbit hole in which you're forced to live. The government is keen to stop you from questioning it rather than make any significant improvements to protect you, so this is a viable option and a last resort.