October 12, 2018 15:30 IST

What if the digital records of a food delivery service are leaked?

What if a tech-savvy gaurakshak scans those records and discovers who the beef-eaters are?

What happens next?

Devangshu Datta highlights the risks posed by leaks of digital databases.

Illustration: Uttam Ghosh/Rediff.com

A few weeks ago, at a conference on data privacy, I outlined a semi-hypothetical situation.

Suppose the digital records of a food delivery are leaked. (This has actually happened several times).

If that food delivery service delivers in cities such as Kolkata, Bengaluru, Kochi or Shillong, it will include plenty of customers who have ordered beef fry, tenderloin steak, or beef stroganoff.

Now suppose, just suppose, a tech-savvy gaurakshak happens to scan those records.

Apart from picking up saved credit card data, the gaurakshak will also obtain data such as home addresses, mobile numbers, etc, for those beef-eating sybarites.

It is possible that they will pick up images as well, simply by searching Facebook or Google for those names and addresses.

I have no reason to believe data dumps are not analysed by crackers for such salient details.

Then, let us imagine our unfriendly neighbourhood gaurakshak does what gaurakshaks do, which is lynch one (or more) of those beef-eating customers.

The police will swing into action with their customary efficiency after the poor chap is beaten up or killed.

Along with doing a post-mortem on the content of the victim's fridge, the police will also take the victim's DNA in order to prove that the blood on the gaurakshak's hands comes from the victim.

In fact, the police should have taken DNA samples of the victims in all the lynching cases, along with the DNA samples they took of the food in their fridges.

So far, this scenario should be believable, given multiple data leaks, multiple lynchings and the procedures commonly followed by the police in lynching cases.

Now the acid test of any privacy legislation lies in deriving the right answers to the following questions in a case like this.

Can the victim (or the victim's heirs) sue the entity, which leaked the data or allowed it to be hacked and thus claim financial restitution, if only to fund the costs of the funeral?

This ought to be possible, given that the leak has caused real harm.

Indeed, it should be possible in every case of a digital data leak, including leaks from supposedly 'super-secure' government databases such as those belonging to the Unique Identification Authority of India (UIDAI) or the income tax department.

Can the victim (or heirs) ask for sensitive case records including the menu items consumed, client addresses, credit card numbers, mobile numbers, and other private information, to be redacted from court records and withheld from queries on search engines?

Also, would the trial of Sri Gaurakshak be conducted in camera to protect witnesses?

There is a chance of further harm being caused if case details are available on search engine queries or in court records.

The European General Data Protection Regulation's Right to be Forgotten processes may allow such details to be withheld.

If a trial is conducted in open court, there is a very real chance of the concerned witnesses to such an assault being intimidated, or violently assaulted.

Their privacy needs to be protected.

Can the victim (or heirs) ask for DNA records to be destroyed once the relevance of those data to the case is over?

The police should not be allowed to hold DNA records of innocent persons in perpetuity.

Once it has been proved that it is indeed the victim's DNA, that data should be deleted.

The proposed law seems to allow for such a deletion of DNA data.

But a clear process, with timelines, should also be outlined.

All sorts of criminal cases, missing person cases, accidents, etc, require the collection and examination of DNA.

That DNA should not be held in police databases forever.

I'm not sure what the answers will be under the circumstances outlined above.

But if the proposed privacy legislation doesn't protect the citizen from the reasonable threat of harm in such cases, the legislation will be ineffective.

In parenthesis, it needs to be pointed out that eating beef is legal and occurs in high volumes on a daily basis in India.

There are all sorts of leaks of digital databases, including databases that contain the sort of sensitive information outlined above.

There have been multiple lynchings of persons supposedly on the suspicion that they have eaten beef.

Sooner or later, we'll see a privacy case law created on this account.