Through the debates about Aadhaar and the fundamental right to privacy, the Indian government took the position that privacy was only an elitist concern that was not shared by the “teeming masses”. That isn’t true, says a recent survey by CUTS-International, a non-profit organisation that works in the area of social justice. It found that respondents across education levels recognise privacy as a fundamental right – though they may not understand the best way to protect their data.

The CUTS survey, conducted in July, covered 2,400 respondents, 10% of whom were non-internet users, across six states. According to the report, the sample was distributed between “urban, peri-urban and rural areas” and across educational levels.

It threw up several interesting findings about how respondents view privacy. For example, respondents were much more careful about sharing their email address than giving out their name, age, gender, contact number or address. Respondents also said that they were not comfortable about sharing their personal views on religion and politics. In addition, they said they were hesitant about revealing their medical history and financial details to either online or offline service providers.

In August 2017, following the lead of Europe’s General Data Protection Regulation, the Indian government set up the ten-member Srikrishna Committee to draft a Personal Data Protection Bill. The bill aims to ensure that data is protected, even for people who may not have the tools to do keep it private themselves.

The draft Personal Data Protection Bill proposes to ensure special protection for information considered “sensitive personal data”, such as passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.

Location data

The CUTS survey found that Indians treat location-related data with the same sensitivity as with other personal data – photos and videos – and are careful when sharing it. The survey also showed that Indians are more comfortable sharing location data with online businesses, such as food delivery apps or taxi companies, than with the government. Curiously, respondents seemed to believe that even when they shared such data, they were not disclosing their exact locations with service providers or the government.

In reality, however, it is quite likely that much more location data about individuals is being stored by such entities than users realise. This data is often sold to other firms, which serve up targetted advertisements to users. Last year, Quartz reported that Google was secretly recording the locations of Android phone users even when the location facility was switched off. It isn’t just phones or apps that use location data. Even surfing the internet does that. Web browsers such as Safari or Chrome also collect location data, making it possible for companies to track the movement of users through the day.

Privacy policies

Most online services, like websites or apps, tend to ask for permission before storing cookies or accessing location data. But these requests for permission often come in the form of lengthy, jargon-filled privacy policies, documents that state the how and what company intends to do with users’ personal data.

The CUTS survey showed that 80% of respondents did not read privacy policy agreements before signing them, with the main reason being that they are often too long or complicated to understand.

Data protection tools

Worryingly, many respondents thought they could use anti-virus software to help improve their data privacy. In reality, such software has nothing to do with personal data.

“Anti-virus solves a very different problem: namely, keeping malicious viruses and worms off your computer, said Matthew Green, security technologist and associate professor at John Hopkins University. “It does not clear your personal data, like browsing history, off of your computer.”

While surfing the internet, web browsers routinely store users’ data, usually so that this information about users’ preferences can make surfing easier and quicker. About 40% of the users were unaware of the “incognito mode” on web browsers, a feature to disable browsing history and other surfing data.

Across the board, the CUTS survey found that the most common reason for not using data protection tools was the belief that they would be ineffective. This prompted the organisation to recommend that the draft bill engage with this concern.

“CUTS’ user perception survey pointed out that respondents are mostly aware that ‘right to privacy’ is a fundamental right,” the report said. However, respondents were not in a position to exercise this right since they were neither reading (or were unable to read) the privacy policies of various service providers (government, online and offline businesses), nor were they taking (or were unable to take) appropriate measures to protect their data. Furthermore, it was observed that the lower the education level of consumers, the lower was the possibility of them taking measures.”

As a result, the report, which includes a number of submissions to the government on the draft law, recommends that the legislation is focused on making sure that the law does not just provide a platform for data protection to be implemented, but also ensure public awareness and understanding of these issues.