An ongoing investigation by The Indian Express has lifted the veil over a concerted attempt to track thousands of Indian citizens by a big data Chinese firm with ties to the Chinese government. According to the cross-country investigation — joint investigations were carried out by news organisations in several countries — over 10,000 Indians in the fields of politics, government, business, technology, media and civil society, have been tracked by a Shenzhen-based information technology firm, Zhenhua Data Information Technology Co. While the scale of the profiling being undertaken is staggering, the targeted approach being adopted to specifically track key personnel is equally worrying. This level of strategic targeting raises vital questions: Is the Indian government vigilant about a monitoring of its citizens that goes far beyond the traditional methods? What are the norms of cyber hygiene for its staff? What purpose is the data being put to? Does this present a security risk? What should the Indian response be?
The investigation has revealed that the Chinese firm monitors the digital footprint of its targets across social media platforms, including keeping a tab on content from news sources, papers, and forums, to build a “relational database” which tracks associations between individuals, institutions and information. What would otherwise have been considered innocuous information is being pieced together in a broader framework. Such granular profiling and targeting of individuals has the potential of being misused and exploited — data, after all, can be used for spreading disinformation or for serving particular interests at both the national and international level. This also lies at the heart of what is called “hybrid warfare”, a strategy that seeks to create social discord, disrupt economic activities, undermine institutions, and discredit political leadership by engaging in targeted cyberattacks and disinformation campaigns.
With a series of recent reports exposing China’s attempts to obtain sensitive information, the Indian government will have to be prepared to respond across multiple platforms. The urgency of putting in place a robust personal data protection framework in India cannot be emphasised enough. While enforcing privacy laws in foreign jurisdictions may well be impossible, at the very least, provisions for asking for explicit consent, and for examining/monitoring the flow of information to third parties, will have to be provided. Indeed, firms like Zhenhua, working in opaque authoritarian systems, will use big-data to mine information in more open democratic environments and remain off the regulatory radar. More so when the absence of consent for third party data sharing makes matters difficult. Unlike apps that can be banned, what Zhenhua has — or can collect — cannot. These scraps of information become an invaluable asset with scale and time and given how they are harvested and who does it. This understanding should be key in framing any response and the government must carefully weigh the costs and benefits of the various options before deciding on it.