My take on the draft Indian data privacy bill. An abridged version of this piece was published by The Tribune. It was also cross-posted at Medianama.

Let’s take a step back from the constant quibbling between the activists and the government. The interests of a citizen, especially in cyberspace, are aligned with that of neither. But let’s first understand the political shape-shifting of the internet in the recent years.

This isn’t a reverberation from my echo chamber, but anyone who hasn’t violated privacy at scale or undertaken mechanised cyber offence would be divorced from the reality on the ground. Or at the least, if the structural dominance of offence in cyberspace isn’t accounted for as a variable in your privacy equation, then it would remain inapplicable in the majority of the cases.

Really, the unifying thread that binds regulatory cyber initiatives across the globe is their inapplicability.

Let’s start with the much vaunted GDPR, the magna carta of cyber civil liberties.

In 2016, French spymaster Bernard Barbier hinted at the existence of an expansive cyber intelligence metadata collection platform in his country. Prone to enthusiasm, he ended up briefing the uninitiated schoolkids on a highly classified operation in which the French traced a cyber intrusion into the Élysée Palace that led them right to the doors of the NSA.

Germany’s domestic surveillance agency BfV, too, has been more than open about its nationwide collection programme. In 2017, Wikileaks laid its hands on a massive cyber weapons stockpile of the CIA, dubbed as Vault7. When some data on live operations linked to the Vault7 were leaked on the said portal, the BfV released an impressive dossier just days later that exposed the CIA’s cyber attack infrastructure targeting Germany. It listed, what we term as, the indicators of compromise. Doing that with such swiftness and precision – that too at the national level – could only be accomplished via a metadata framework that scans, strips and stores every passing packet for years.

Such dragnets aren’t possible without the involvement of the private sector, especially the service providers. How the GDPR may be accommodating those provisions made me very curious and I reached out to some European policy experts. I found out that there are blanket exemptions under the Article 23. But the experts were still unsure how private organisations could be waivered, or at least proffered maintaining compliance with the GDPR’s statutes while participating in such operations.

Privacy really is the bastard child of security, fathered by surveillance. Let me explain that paradox by quoting the cybersecurity guru Dan Geer,

Leading cybersecurity products promise total surveillance over the enterprise and are, to my mind, offensive strategies used for defensive purposes…With total surveillance, and total surveillance alone, it is possible to treat the absence of evidence as the evidence of absence.

Here’s the thing: digitised information is the most dual-use of technologies ever invented. DARPA, which operated the forerunner to the internet, has known this dichotomy all too well. One of its scientists sounded bemused, as he monitored an army of AI bots hacking and securing networks in a wargame,

I cannot change the reality that all security tools are dual-use.

Asking a mathematician to designate a piece of code as offensive or defensive would always remain an exercise in probability. This fundamental monism of information also binds to the dualities like surveillance-security, censorship-copyright, and even terrorism-encryption.

It has bred a kind of cognitive dissonance among the interlocutors and stakeholders of privacy and security. All the sides are now engaged in a war of attrition, seeking to undermine the already fractured foundations of the internet. The activists, too, aren’t sitting on a higher pedestal.

All roads of data sovereignty lead to a dystopia. And a secured cyberspace is a controlled cyberspace.

It’s rather convenient to label China’s new Cybersecurity Law as draconian when it’s the most militant attempt to claim sovereignty in cyberspace. The Jungian collective unconscious of Indian cyber activists is actually wishing for the same.

The internet is like a cluster of tectonic plates that are barely held together – each having its millions of layers of abstraction which toss your data around. With the onset of the IoT and the cloud, every layer is now network-enabled. Geer has a beautiful take on the complexity of this evolving organism, only comparable to that of mother nature,

Ecology professor Philip Greear would challenge his graduate students to catalogue all the life in a cubic yard of forest floor. Computer science professor Donald Knuth would challenge his graduate students to catalogue everything their computers had done in the last ten seconds. It is hard to say which is more difficult.

To establish sovereignty, one needs to replace the existing layers of the internet with indigenous ones. From Huawei and ZTE to Baidu and Weibo, China took 20 years to accomplish exactly that – balkanising the cyberspace in the process – culminating with the passing of the aforementioned law.

Until that happens, the one Westphalian precept that would never manifest itself in cyberspace is territoriality. But it is this very presumption on which the majority of our norms and laws are written – right from the Nato’s Tallinn Manual of cyber conflict to The Personal Data Protection Bill under examination.

Cyberspace is a bit like the divided Kashmir. It’s a contested territory, as the national security kahuna Richard J. Danzig rightly postulated. Thomas Dullien – the legendary malware reverse engineer who now works for Google – stated at this year’s Nato CyCon conference that ownership, possession and control in cyberspace necessarily don’t overlap. The former NSA cyber operative Dave Aitel goes to the extent of replacing offence-defence with control and non-control. “Think about it for a moment – we share the same network with our adversaries,” exclaimed George Tenet, the director of the CIA, exactly 20 years ago.

This anxiety around the paradox of control, or the lack of it, in cyber has not waned even a bit. The structural and geopolitical dominance of offence is the direct outcome of it. The former deputy director of the NSA Chris Inglis’s comment comes handy here,

If we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offence.

Cyber defence would always play the catch-up game. In fact, all international policy is merely the Clausewitzean continuation of cyberwar by other means.

In 2016, the U.S. had to amend the Rule 41 (Search and Seizure) of the Federal Rules of Criminal Procedure to allow the FBI to hack into foreign networks for stuff as trivial as criminal investigations. As territoriality gets upended, governments resort to vague legislative picket-fencing. (Also see ‘Microsoft Corp. vs the U.S.’)

A nation state may exist online as the sum of all the global information flows associated with it at a given instant. Your data is everywhere but nowhere. It’s simpler to imagine than analyse. The supply chain of an iPhone covers six countries – rogue code may get injected at any juncture. Even the tiniest of processors now have their own inbuilt operating systems. Many of them beam and sell your location data to hedge funds, and it’s nearly impossible to detect that at the regulatory level.

Not only that, the deduction of whether a given piece of information is data or code is also mired in mathematical uncertainty – a little known concept of computer science called homoiconicity. It’s increasingly relevant in Big Data and AI more than anywhere else. The demarcation around the use of personally identifiable information is going to get really confusing.

Even the intent of a computer program has become a vague probability distribution. In most cases, regulators would not be able to ascertain if an alleged subversive operation was a breach, a hack or a legitimate tweak of the programmer. Along with territoriality, the legal conventions for estimating causality and proportionality also become vestigial.

The museum of data breaches haveibeenpwned.com now lists 5 billion stolen credentials, a little short of the world’s population. Most originate from the U.S. Its stringent data security and breach notification regime hasn’t served as a deterrent. The going rate of your digital identity has fallen to a few cents in the darknet. It’s not even business but scrap trading.

Emin Gün Sirer of Cornell is bracing for a time “when everyone will have access to all the data related to everyone who is alive during their lifetime on earth”. (Also check my piece ‘When Code is Law’.)

The notion of privacy, brokered with the state via the Hobbesian social contract, is dead. For even the nation state struggles to maintain its legitimacy, challenged by a libertarian organ of the world government that is the internet. This contestation, recorded by Geer, pits the individual against both the system and the society,

The provision of content from anywhere to anywhere, which is the very purpose of an internetwork, is a challenge to sovereignty. America’s Founders wanted no sovereign at all, and they devised a government that made the center all but powerless and the periphery fully able to thumb its nose at whatever it felt like.

In her moving speech ‘The Lifecycle of a Revolution‘, the venerable cyber civil liberties lawyer Jennifer Granick credited the “decentralisation as a design principle” of the internet to the hacker ethic . Hackers, truly, are the only arbiters of power in cyber statecraft. And until they come together, the leaking roof of cyberspace would never be sealed. In fact, it’s most likely that they’ll be co-opted by their respective governments – as the latter feel undermined by online freedom and anarchy – only tilting the axis of offence away from the centre of privacy and security.

Part II: An oral history of the inapplicability of laws in cyberspace.