Rotary Club of Bombay

ARE YOUR DEVICES SPYING ON YOU? STAYING SECURE IN THE ERA OF CYBER RISK – ADV. PUNEET BHASIN, HONORARY ADVISOR FOR UNITED NATIONS DPG ALLIANCE, ADDRESSES THE CLUB

Good afternoon to everyone here. Thank you for the very gracious introduction.

How many of you don’t use smartphones? Not a single hand, right?

OK, so how many of you are worried whether someone will look into what you’re doing on your device? How many of you may be concerned that someone may know what’s going on? Anyone worried about that? Everybody. Do you think people already know?

From the moment you enter the world of the Internet (for children these days, it is from the point they are born, but in the past it was much later; for me, it was almost college, as smartphone penetration was not there). Now you see it from a very, very young age. You see artificial intelligence coupled with multiple other features of the Internet.

To give you a broad spectrum, now, everybody’s aware of the new data protection law. In the year 2023, the Indian Government enacted the Indian Data Protection Act which mandated that anywhere you handle any form of Indian data, user data, data which somehow or the other belongs to an Indian national — be it social media providers or any other platform, including companies with Indian employees — protection under the Data Protection Act becomes mandatory, and compliance for data protection becomes mandatory for those organisations.

Penalties are up to ₹250 crores. If you’re wondering why an organisation has not been penalised till now: it was enacted in 2023; however, the rules are still pending, as is the formation of the body. There have been multiple dynamics that have changed in our nation in this entire period; multiple crucial issues have come up. Because of this entire situation, and lobbying against data sovereignty: one of the most crucial aspects of this particular law in its draft stage, before it was enacted in 2023, was data sovereignty, “My nation’s data remains within the confines of my nation.”

Obviously, you have a lot of big-ticket companies lobbying against that.

In the final version of the Act which was enacted, data sovereignty doesn’t exist in its absolute form. But yes, it gives the government the power to blacklist certain countries where data cannot be transferred — certain countries where processing of data cannot be done. A copy of the data has to be maintained in India. The office of the organisation has to be in India.

You cannot say, “I’m governed by the laws of XYZ country, but I will take your national data, your citizens’ data, and do whatever I want.” That option is not there. So, they need to have somebody answerable sitting right here — in India. This law is already enacted. What’s awaited is the formation of the Data Protection Authority, which will enforce — obviously in the form of legal proceedings that are bound to happen. Any individual can file a complaint under this Act.

It also happens to me: the moment I book a flight ticket, I start getting messages about different hotels. I get messages about taxi service providers. I’m like, “I have not reached out to any person.” So, data travels faster than lightning speed. Today, you just book your ticket, and your data is out there.

In such situations wherein, as an individual, your data is lost — as an organisation, there is a breach of your data that takes place — you can raise a complaint to the Data Protection Authority. Thereafter, the Data Protection Authority summons the organisation to answer:

  • What is the data trail?
  • What is the compliance that they have in their organisation?
  • How has this data set moved out?

What are the data sets it covers? PI and PII. PI is anything that identifies me – that would mean my name. It would mean anything that you associate with me at that point of time.

PII – that’s Personally Identifiable Information. Let’s say I have your email ID, I have a mobile number, I have an address, and I have certain other pieces of information. I don’t have your name. I don’t have exactly who you are, but by piecing together these other pieces of information, I would know exactly whom it pertains to. That’s called profiling.

So, the Act is as comprehensive — and, as a matter of fact, much better than the EU GDPR and multiple other legislations across the globe as it covers PI and PII. So, anything that may identify me as me is also covered in this.

As an individual, if you raise a complaint with the Data Protection Authority, accordingly, the organisation is summoned to give answers.

There are multiple offences under the Act — from ₹50 crores onwards till ₹250 crores in penalties, and all of that goes to the Consolidated Fund of India; it does not come to the individual.

An individual has other options. Apart from prosecuting before the Data Protection Authority, there is also the criminal remedy, that is, the data breach litigation, which occurs in the criminal forums — that is, BNS, registering the police complaint — retributive methodology, wherein basically you’re trying to bring them to book.

Compensatory methodology is under the Information Technology Act, wherein you can seek compensation up to ₹1 crore. It used to be up to ₹5 crores, and now, with the Data Protection Act, the ₹5 crores part is set aside; it’s only up to ₹1 crore.

You can do all three things together.

Why is it that suddenly so much power is being given to you? The threat to you is that much. So, the Data Protection Act also got enacted with a great amount of difficulty. I’m quite certain everyone would be aware of the level of opposition that was there against this Act, not just from the opposition parties, but the kind of media — you could say common knowledge — being created about it: “The government is going to misuse your data, so-and-so person is going to misuse your data.”

There was so much of a narrative created around it, because this was going to disrupt — and it already is disrupting — a large number of industries like your digital marketing industries, wherein, today, technically, marketing is only focussed on stealing your data and thereafter selling you things, profiling you. It disrupts all of those industries. And the biggest industry that it disrupts is the cybercrime industry which has surpassed any other form of illegal business that takes place globally. The cybercrime industry has crossed all those different barricades. It’s the highest-grossing industry in terms of turnover.

So, you are profiled, and then you are targeted. There are multiple such instances wherein offences, whether financial or physical crimes, are being linked to the Internet.

Before I delve into the ‘why’ and ‘what’ of this entire subject…

All of you go to different hospitals for treatment, correct?

Have you ever wondered what the data security in a hospital is like? No one has wondered. When you go back, I would want you to Google and see — one very high-level national leader in a country (again, I will not name) was targeted, and an attempt to murder him was made, by breaching the database of the hospital in which he was hospitalised. Tampering with the medications, etc. So, as a matter of fact, cyber murder is also very common. Unfortunately, tracing it is not that easy. Figuring that out is not that easy. So many times, something that may occur as a natural demise may not be as natural as it appears to be.

Everything that’s negligence may not be negligence. There are a lot of other things that come up. So, you can Google — I would not take the names of those actors — but you’ll get a very fair idea of what these particular cases were. There have been cases where your hospitals are there, banks are there. How many of you believe your banks are secure? No one’s bank is secure. So, imagine your entire money is in your bank. More than money, what you spend money on is known by the bank. Now, honestly, you may want to spend money on anything. More than the money, the privacy of what you choose to spend on is very clearly known by the credit card companies, is known by the banks, all of which can be used against you.

It is in light of this entire situation that, to a great extent, Indians became data guinea pigs. They are data guinea pigs. I’m sure you would have heard another very well-known interview also, of another very well-known personality, which referred to India as a nation with varied data that can be used for a large amount of research. So, India, in a way, is a data guinea pig and has been for the last 12–15 years. Where you believe there has been a lot of generous technology handed down into our country — it’s not actually a technology hand-down. It is actually the level of data, the variety of data, the demographic data. You know, here in India, you have a large population coupled with a variety of tastes, large distinction of different preferences, religions, etc., which makes it a very, very rich area to collect data from. So, it’s not that tech companies have given it to you for free in the form of technology to uplift Indians. It’s meant to — how to put it — milk Indians, to a great extent.

That’s exactly how the whole process has been.

With respect to different platforms, I would just ask where does the funding for Google and Meta come from? Nation-state actors are openly funding it. Please study and you will come to know which nation-state actor openly funds it. So, before you worry that the Data Protection Act means the government is going to have access to your data, believe me, the last 30 years of your data is there — with another nation-state actor.

Who is the largest investor in Google? The largest investor in Meta? The same organisation. And which is the backing of that organisation? I will not name. I will not name. Some level of research should be done by individuals themselves.

So, this research, when you do it, just go back up the chain: Google, where does Google get its funding? Who are the investors? Which are the organisations backing those investors? You will get your answer very, very clearly: who backs Google, who backs Meta, and where your data goes. Why exactly the Data Protection Act was very hurriedly enacted is because the backing increased all the more in that particular period. The collection of the data increased all the more in that particular period. So it obviously became a form of a data threat for India to a great extent.

That’s exactly the situation in which the organisation, the nation, currently remains — and different organisations are being pulled up for accountability in this situation.

As a nation, why do we need to worry about this? As an individual, why do we need to worry about this? There are two parts to it. As a nation: warfare. As you know, currently, with the strained relations between different nations, the cyber warfare has already begun. Multiple websites have been defaced with different forms of slogans, different forms of things; attacks being made. That’s called cyber warfare.

The more the data, the more the misuse of that data can happen. So a lot of times when we are talking of warfare, we are not just talking of physical warfare. Data warfare can be even worse.

The next part of it is as an individual. How does it impact you if your data is being utilised in a wrongful fashion? It’s enormous — the level of impact that can happen. As an individual, you may not be aware of the same. But I will just give you one case — a very interesting case. It was almost 14-15 years ago, when smartphones were new. There was an individual, a very reputed professor, who had a smartphone. And it was a good smartphone. He was in a relationship with a student. That’s a very common situation that does happen. And they had their moments captured on the phone. Not many people thought about so many things in those days, and it was captured. Their marriage was fixed. It was to happen in a month or two. The families were all okay with it. Everything went well.

Suddenly, a few weeks before the marriage, some videos of them together surfaced on some sites, intimate moments together. At the time, this kind of scandal was a huge thing. And the girl’s family raised accusations against this professor that he took it from his phone. They fought. He was arrested. He was inside for two years. He was not given bail.

Eventually, when this matter came up, and when I saw, in a very, very candid discussion with the accused himself, the professor, he said, “I’m marrying this girl, why would I do something like this just before the wedding? I’m a reputable man. She comes from a reputed family. There’s no reason I would do something like this. Our families have agreed to everything. It’s not that we are breaking up for me to need to do something of this nature. But everyone is hell-bent on proving I did it because yes, the video is from my device. It was there in my device. But I have not done anything. I would not do this to this lady.”

Next steps, what can we do? Thankfully, his device had been confiscated by the police, so, it was there. They had taken a backup. They had taken a mirror image of his mobile phone device. What we did was request specific forensics on it. The specific forensics that — OK, if you are referring to this particular video, it is there on the device, and he is not disputing, we are not disputing it — but has the upload of it happened from this device? Where has the video gone from this device? Forensics about that. Thankfully, the log files were there. Within up to two to three years, log files are maintained. So, just about in the timeline of having those logs, it came to be known that this particular video was shared with a third party.

The third party who received the video did not receive it from the professor. His device was infected with a Trojan. Many times, when you are utilising different applications on your phone or visiting multiple sites, there are Trojans that are associated with it, embedded. So, a Trojan can control your device remotely, it can send messages. Basically, you are not in control of your device. A Trojan — if there is a third party — is in control of your device. And it’s very common. Many of your devices will have Trojans. It’s not at that point in time — it was something, you know, globally, Trojans were known. In India, because the smartphone penetration was increasing at that point in time, a few cases were coming to light.

So, forensics also ended up showing the presence of the Trojan. The upload of the file. The chain in the log was visible — the device log, coupled with the log files of the file transfer. Finally, this led to his acquittal. But imagine such a situation, where an individual has not done anything at all, and despite that is facing prosecution, facing all of this.

Today, many of you have spyware. Believe me. About three months back, I just ran an anti-spyware check. And close to around 20,000 sites in one month were basically spying on my activities. And I have spyware. I have anti-spyware. I have everything. So, every single individual is exposed to that extent today.

In such a situation, whatever private moments you may have on your devices — if you’re using any of the devices connected to the internet, whether it’s your iPads, whether it’s your laptops, whether it’s your mobile phones — everything, in a way, is accessible to a third party. Now, you may or may not know it, but it is accessible.

What’s the way out?

So simple, as it is said, even the walls have ears. Even your smartphones have developed ears, your TVs. You know, I would want you to Google — I will again not take the name of the brand — but a very well-known brand of televisions. Their production was stopped because they were spying on the individuals watching the TV. So many times, the camera right in front is spying on you. As a matter of fact, the production of that particular television was discontinued because of that. If you Google “which particular TV was spying on individuals”, you will get a lot of information on what had occurred in that case.

When you are watching TV, you can very well know that the TV is also watching you. The same thing with your mobile phone devices. How many of you keep your mobile phones in your bedrooms? Do you know that your mobile phone can also watch you and hear you?

Interestingly, the AI which is utilised by most of these mobile phones recognises your voice, which means they’re listening to you, correct? That’s why they’re responding. So, what makes you think they’re not listening otherwise?

You know the case against iPhone, which is a lawsuit, so I can talk about it. iPhone was held liable for its privacy breach very recently, concerning its listening.

One and a half years ago, you would also be able to read this entire case against WhatsApp, where an individual realised that when he was sleeping at night, his microphone was getting switched on by WhatsApp. This led him to further study what was going on. He filed a suit and case, and thereafter, WhatsApp came clear, saying it’s a technical glitch. But the microphone always remains on.

Even at this point of time, you’re talking to me, you’re listening to me here; there are multiple entities who know what’s going on here. You are always being listened to. That’s why the whole concept: Deewaron ke bhi kaan hote hai (even the walls have ears). Your mobile phone is like your third arm, and that’s the tool which is constantly listening to you. Your TV is listening to you. Any smart device that you’re using is listening to you.

With respect to CCTVs, everybody uses CCTVs, one of the most disastrous situations: how many of you really check what security is deployed on the CCTV? Nobody. So, just as you can view the CCTV data through a mobile application, there have been multiple instances of hackers viewing whatever you are doing via the CCTV. As long as you were ignorant, you’re happy. But your data being misused, left, right, and centre, is the biggest threat to any individual. They know you better than you may know yourself, better than your spouse may know you.

Today, do you think your mobile knows you better, or your spouse? So, where does the biggest risk lie? The real, real threats are what need to be identified. Don’t see the threats in your family, extended family, your spouses. The real threats are right with you — those whom you trust the most. They are the ones collecting data. Cybercriminals harness this data. It is sold on the dark web openly. You are profiled and sold. That is exactly how a cybercriminal knows what ticks you — what works and what does not. He knows exactly how to target you and in what way.

There are multiple forms of cybercrimes: AI, voice modulation, video AI crimes. How is it that a criminal knows your voice samples and is able to train AI so well to create fake calls? Let’s say Manish’s wife receives a call — apparently from Manish — saying, “I’ve had an accident, I’m on the road…” and the voice is Manish’s. She’s known him for years, so it’s not going to sound wrong to her. She will think the person calling is Manish. She identifies the voice and immediately gets a request: “Please transfer money. I’m getting hospitalised here,” etc. She goes ahead and makes the transfer. But it turns out the call was never from Manish.

For AI to train on your voice so well — the way you pronounce vowels, the way you communicate, the pauses you take — every person has a very unique method of communication. That entire thing has to be traced, studied, and trained into an AI system. And that’s exactly what is happening. Your voice samples are also being collected. That’s why your microphone is always on. Everything you speak is used to profile you, and a large number of crimes are targeted at you in such a fashion.

Many cases nowadays involve online financial frauds. Individuals say, “I never gave my OTP, yet the money went out.” How did that happen? Any ideas? Criminals have very new methods of doing this. It changes every few days. All the different applications you download on your phone, many of them actually take screenshots of your screen at every point in time. That’s called “screening”. Very well-known travel apps do this. So, when you are using one travel app and searching for something, the other travel app starts giving you discount offers for the same. That’s how they know what you’re doing on your screen.

Every app is screening you. That’s how they know what SMS has come in, if you opened the SMS, and so on. You grant many applications permission to read your SMS when you give app permissions. Have you ever observed that? They know what message has arrived; they don’t need you to tell them the OTP. They can read your OTP, they can read your screen.

So, it’s not some unique technology that hackers are using. It’s already there on your phone. Multiple applications have already taken those permissions. Many times, even legitimate-looking applications have these kinds of backgrounds. Just to give you one example of a case: there was a very well-known music application. It’s no longer around — it was taken over by someone else, etc. This was quite a few years back when music apps were new in India. It was very popular at the time.

There was a lady journalist at that time — again, when technology penetration was not so high in India — who used a webcam. She was chatting online with someone she met through a platform. She was doing some research on dating and decided to speak to him. Very generic conversations, perhaps only chats. But her computer had a webcam attached. This was in Bangalore.

She started noticing strange things. She lived in a one-room studio, and the camera would blink randomly. She found it odd, investigated further, and realised that the camera was switching on by itself and recording her. She approached the police. A detailed investigation revealed that the developer of the music app — the same one she had downloaded — was the guy she was communicating with. He had made her install the app on her phone and open it on her computer. Through that, he was controlling her webcam and recording her at all times.

That was a major case. It was suppressed, the platform disappeared, and a lot happened. The back-end developer was involved; the app owners were not directly responsible. But when you hire developers, who knows what they may turn out to be, or what back doors they might leave. Many such issues exist.

Technology comes with multiple other issues. Like roses have thorns, there are many thorns with technology. It needs to be handled with extreme care. So, what can you do about devices spying on you? Every app is like this…

BlackBerry was really good. I’m still a fan of BlackBerry. If anyone still gave me one that still had service, I would use it. The reason BlackBerry wasn’t the “happening” mobile phone at the time is because it disallowed apps that were invasive of privacy. If you had a BlackBerry, you couldn’t use multiple apps or download them freely. That was actually a good thing. I really felt bad when I had to let go of my BlackBerry eventually, because of no service providers. It got damaged, and so on. The company had made an amazing product, a really good phone, but it was abandoned for something flimsy — just because it offered more apps. Apps that steal your data.

So, what are the methods you can use to keep your devices safe? Having the knowledge of what kind of actors are out there who can act against you is important. Apart from that, switching off: you can’t switch off your phone all through the day, but when you sleep, switch it off. I don’t think it makes a difference when you’re sleeping (someone might hear you snore or sleep-talk), but it’s during your productive hours that the main concerns arise.

Anti-malware, anti-spyware — there are multiple applications that were earlier meant only for organisational use to secure infrastructure. Today, for individuals, it is very, very important to secure your infrastructure. Eventually, it is at higher risk. Individual infrastructure security apps — at least they give you a diagnostic: “This malware or spyware is present.” Whether you want to block it or not, format your device, etc., is your call. But otherwise, there’s no way to know something is wrong. You’ll just continue to use your device without any knowledge.

Another important thing: don’t store content that can be misused on your devices. Whether it’s private moments or things you don’t want anyone to know — use a pen and paper. Use a book. Use your memory. Those are better methods. Don’t save passwords on your device — that’s the worst thing you can do. Use a physical diary. Go back to what your grandparents and great-grandparents used to do. That’s the best way to keep things away from the prying eyes and ears of technology.

Yes, despite all of this, risks may continue. I’m sure many of you have heard of the Bulli Bai case… Nobody has heard of the Bulli Bai case? So, how many of you put up profile pictures? Everybody puts up profile pictures on different platforms.

So, the Bulli Bai case was basically where women’s pictures were picked up from different profiles and, using AI, they were nudified, and thereafter, there was an online bidding placed on the nude images of all the ladies. The faces were picked up.

Even during COVID, the saree challenge was going on — tag five people, they will also wear a saree. Now, why are all these challenges really going on? Who cares? I found it hilarious even then — like, why are you tagging five people? Why are they wearing a saree and posting a picture? Who cares — but it’s more data, more images of women being collected. And how is that being misused?

So, Bulli Bai case — as a matter of fact, the people behind it were also arrested, wherein they had gone ahead and utilised their photos — the faces of the women — with fake nude bodies, and they had created an app where people were bidding for the nude images of the women and basically, putting a price on the women. That was the kind of application it was.

There were multiple such applications — this is just one example. So, exactly when you’re uploading your pictures here and there or in the public domain, it comes with a lot of risks. To some extent, it is difficult to control those risks — but yes, whatever data you are putting out is what you can control.

So, even in this, since I’m running short of time, I will conclude this discussion with: be safe yourself. Your data is you, eventually. Data is not something separate from you today. Understand: if your data is separated from you and an individual has access to your datasets, he technically has access to you. He can do a lot of things to you.

In that situation, it’s very, very important that you protect yourself and your data — just as you would any other thing precious in your life. Value your privacy. Value your personal information, your identifiable information. Do not post excessively about yourself. It’s very important to know the boundaries of how much should be there on the Internet and how much should not.

And in the end, security for all your personal infrastructure — very important. Personal digital infrastructure. All the very best in your cyber-safe journey.
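The talk's point about apps that hold SMS-reading permission (and therefore see OTPs) is something a reader can actually check on an Android phone. The script below is an added editorial example and is not part of Adv. Bhasin's talk: it parses the `runtime permissions:` sections of the output of `adb shell dumpsys package` and lists every package granted a permission from a watch-list (READ_SMS, RECEIVE_SMS, RECORD_AUDIO, CAMERA, READ_CALL_LOG). The sample dump embedded in it is constructed, with made-up package names, and the line format is modelled on recent Android releases; exact `dumpsys` layout varies by version, so treat the regexes as assumptions to adjust against your own device's output.

```python
import re
from typing import Dict, Set

# Permissions worth reviewing, following the talk's concerns about SMS/OTP
# reading, microphone and camera access. The watch-list is an editorial choice.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample (assumption: modelled on the `runtime permissions:` block
# that `adb shell dumpsys package` prints on recent Android). Package names
# are invented for the example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.travelapp] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.CAMERA
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.musicplayer] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (7a8b9c):
    userId=10125
    requested permissions:
      android.permission.INTERNET
    runtime permissions:
"""

_PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
_PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+): granted=(true|false)")


def parse_granted_runtime_permissions(dump: str) -> Dict[str, Set[str]]:
    """Return {package: set of runtime permissions reported as granted=true}.

    Walks the dump line by line: a `Package [...]` header starts a new
    package, `runtime permissions:` opens the section of interest, and any
    other `something:` header closes it. Permissions with granted=false
    (requested but denied by the user) are deliberately left out.
    """
    result: Dict[str, Set[str]] = {}
    current = None
    in_runtime = False
    for line in dump.splitlines():
        m = _PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_runtime = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime:
            pm = _PERM_RE.match(line)
            if pm:
                if pm.group(2) == "true":
                    result[current].add(pm.group(1))
            elif stripped.endswith(":"):
                # A different section header ends the runtime block.
                in_runtime = False
    return result


def find_sensitive_grants(dump: str,
                          watch: Set[str] = SENSITIVE_PERMISSIONS) -> Dict[str, Set[str]]:
    """Packages holding at least one watched permission, with just those permissions."""
    granted = parse_granted_runtime_permissions(dump)
    return {pkg: perms & watch for pkg, perms in granted.items() if perms & watch}


if __name__ == "__main__":
    # On a real phone: `adb shell dumpsys package > dump.txt` and feed that file
    # in instead of SAMPLE_DUMPSYS.
    for pkg, perms in sorted(find_sensitive_grants(SAMPLE_DUMPSYS).items()):
        print(f"{pkg}: {', '.join(sorted(perms))}")
```

Against the constructed dump this flags the travel app for READ_SMS and RECEIVE_SMS and the music player for RECORD_AUDIO and CAMERA, while the flashlight app, which requested nothing sensitive, and the travel app's denied CAMERA request do not appear. Anything in that list that has no obvious need for the permission is a candidate for revoking it in the phone's permission settings.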

ROTARIANS ASK

  1. Your opinion on Alexa? I keep having this argument with my husband. He’s a big fan — everywhere he puts one Alexa — and I keep, you know, switching them off.
    I think Alexa knows him more than you also may possibly know him by now.

And if you switch off Alexa, is it still collecting data?
There are multiple allegations that it is.

  2. Banking apps and all — we have. So, how safe is it?
    No, it is not safe. Who told you it’s safe? Go back to writing cheques. The physical NEFT system. Now, I do that. I am a tech lawyer. I advise the government, I advise the United Nations, I advise everybody on this subject. As a matter of fact, I handle my law firm, my trust — NGOs, all of us — we work in this entire space. I write cheques for salary. I do physical NEFTs. I have an account — it’s not that I don’t use UPI or I don’t use net banking — but I have an account which doesn’t have more than, let’s say, a lakh of rupees, which is just meant for these kinds of small transactions. So if I lose, I don’t lose much. That, too, I manually transfer into that account.


  3. Fascinating exposition. But I think you woke us up by scaring us. I think whoever was going to sleep — I think we got scared. How much does VPN protect? Because what I’ve noticed is when I use a VPN, even the Indian websites or foreign websites tell you what the kind of things are you don’t want to be tracked. Whereas if you don’t use a VPN, I mean, these guys are tracking you. They don’t — at least with a VPN, you can kind of say I don’t want these cookies, I don’t want that. So how good is a VPN to use? Because I can then decide which country the app thinks I am in. 2) Why did the good old DND system go? Why is it that I need to block a number I don’t want to receive?
    So, the DND system has never gone. No, no, it’s not gone. It’s just that there is a disregard by telecom service providers to honour the DND. It has never gone. And with respect to the VPN: if you would know, there are directives. As a matter of fact, there are Internet Service Provider regulations which the government also has; in the year 2021, rules were enacted under the intermediary guidelines (under the Information Technology Act, the intermediary rules), and very clearly, whether you’re a VPN or anything, the data has to be provided. The data has to be recorded. So, yes, it gives you an illusion. So whatever you may feel, your browsing incognito doesn’t mean it’s incognito. The service provider knows what you are doing. So maybe the other people who see your device may not find the history on that device, but that doesn’t really mean that it is incognito. It gives you that illusion that you feel nobody knows, but your Internet service provider knows everything.