Monday, July 06, 2020

The ban on 59 China-based apps - Some questions to ponder


Background

Last week, the Information Technology Ministry of the Central Government banned 59 China-based mobile apps. This list includes popular apps such as TikTok, UC Browser, CamScanner and ShareIt. This ban was undertaken by invoking Section 69A of the Information Technology Act (‘IT Act’), and the Website Blocking Rules of 2009. Section 69A of the IT Act confers the Central Government the power to block public access to any kind of online information, for safeguarding the sovereignty and integrity of India, and the security of the State. The procedure for this blocking of public access is prescribed in the Website Blocking Rules of 2009, which state that in a situation of ‘emergency’, an interim ban on public access can be directed, without giving a hearing to the aggrieved party.

The IT Ministry also issued a Press Release, which listed the reasons for the ban. The main reason mentioned in the Press Release is that the listed mobile apps were compromising on aspects of privacy and data security by transmitting user data to servers located outside India. Such a compromise of privacy and data security was, according to the Press Release, prejudicial to the sovereignty and integrity of India. The Press Release only states that the ‘relevant provisions’ of the Website Blocking Rules of 2009 have been invoked, and does not precisely state the ‘emergency’ which justified banning the mobile apps without giving a hearing to their developers.

However, the ostensible reason for invoking the ‘emergency’ provision is the tense situation with China, at the Ladakh border. While the IT Ministry does not explicitly mention China in the Press Release, its intention to send a strong political message to Xi Jinping and the Chinese Communist Party establishment is but obvious. More significantly, the Central Government would also want to ensure that during a tense military situation at the border, the Chinese establishment does not resort to espionage, or cyberattacks against Indian computer networks.

Such a worry is legitimate in light of recent events across the globe - as a Chinese State-backed hacker group is suspected to be behind a major cyber attack that hit Australia in June. As the concerns over data security and privacy are based on solid grounds, it is important for the Central Government to precisely clarify whether its order is interim or permanent in nature. As of now, it has only been reported in the media that the order is interim in nature, and that a Secretary-level panel of the Central Government shall hear clarifications from representatives of the app developers. At this juncture, let us refer to the stand taken by the Chief Executive of TikTok.

While the Chief Executive of TikTok has stated that TikTok shall not honor any request by the Chinese establishment to share user data of Indians, such an assurance cannot be taken at face value. This is because China’s National Intelligence Law of 2017 requires all companies of Chinese origin to share data with China’s intelligence agencies, irrespective of whether they operate within or outside the country. To illustrate: TikTok, as a Chinese-origin company, shall be bound to share all data demanded by Chinese intelligence agencies, even though it does not have operations in China. This National Intelligence Law is just one among the many methods through which user data can be transferred across the border.

This example highlights that the scope for unauthorized transfer of data to foreign servers existed even before the military stand-off at Ladakh broke out, and the Government’s response of raising questions of privacy and data security has been belated. Keeping this background in mind, I would like to raise two questions while this situation develops.



Two Questions

[1]. As the possibility of unauthorized data transfer to foreign servers existed even before the border standoff, what about personal data that has already been transferred? It is important for us to have an answer to this, as apps such as TikTok, CamScanner, and UC Browser were hugely popular, and downloaded by a majority of smartphone users. These apps may collect sensitive personal data of various kinds, such as data relating to religious and political beliefs, financial status, sexual orientation, etc.

[2]. Along with Chinese-origin apps, there may also be a case of unauthorized data transfer by apps which have significant Chinese investment. Some popular apps which have a significant investment by Chinese companies are Swiggy, Zomato, BigBasket, Paytm and Ola Cabs. Some of these apps also have common investors. To illustrate, Chinese tech giant Alibaba has made significant investments in Paytm, Zomato and BigBasket.

*(Incidentally, Alibaba also owns UC Browser, which is one of the 59 apps that have been banned.)

Most of us would have linked our Paytm ID in our Zomato account, which in turn would also have our bank account details. While we link this under an expectation of privacy, there does exist a definite possibility of unauthorized sharing of sensitive information of this nature. Hence, it is important to know whether apps that are backed by Chinese investment are engaging in unauthorized transfer of data to their investor companies. An answer to this question shall highlight whether the list of 59 apps chosen by the IT Ministry is exhaustive, and whether other apps that are engaging in unauthorized transfer of data have been excluded.

Along with this, there is also a larger issue that we need to address, relating to privacy and security of the data that is collected by smartphones. Our smartphones store a plethora of personal data, ranging from our fingerprints to bank account details. The Government must examine whether there exist backdoors through which sensitive personal data stored in our smartphones is being transferred and accessed in an unauthorized manner. This issue assumes significance as more than 70% of the Indian smartphone market share is held by companies such as Xiaomi and Oppo, which have their roots in China. Hence, while we focus on mobile apps, let us not forget the smartphone ecosystem as a whole.

Some of these issues shall be partly addressed once the draft Personal Data Protection Bill, 2019 is enacted into law, as the Bill lays down conditions of processing and foreign transfer of personal data. While we push for our long overdue data protection law (irrespective of its shortcomings), let us hold the Government to account on all matters of privacy and data security. The IT Ministry’s approach here can be contrasted with the approach it adopted after launching the Aarogya Setu app, which was coercively pushed even before a robust data security infrastructure was created. The ban on 59 apps should be seen in this context, and must be supplemented by addressing other equally pressing concerns of privacy and data security.
-------------------------------------------------------------------------------------------------------------
Update: On 27th July, the Central Government banned 47 additional apps - which were operating as clones or 'lite' versions of the 59 Chinese apps that had been banned earlier. 
