In recent years, waves of shocking privacy abuses and data breaches have crashed over the world’s largest companies and billions of users. At the same time, many countries have strengthened their data protection rules. Europe set the tone in 2016 with the General Data Protection Regulation, which offers strong guarantees for transparency, security and privacy. Last month, Californians received new privacy guarantees, such as the right to request removal of collected data, and other states will follow.

The response from India, the world’s largest democracy, has been curious and has introduced potential dangers. India is an emerging technical powerhouse whose choices affect all of us, and its maneuvers on cyber security and data protection deserve our careful attention. At first glance, the proposed Indian Data Protection Act of 2019 seems to pursue new global standards, such as the right to be forgotten. Other requirements, such as having to store sensitive data in systems located within the subcontinent, may impose restrictions on certain business practices and are considered by some to be more controversial.

Dr. Lukasz Olejnik (@lukOlejnik) is an independent researcher and consultant for cyber security and privacy.

A feature of the bill that has received less scrutiny, but is perhaps the most alarming, is that it would make illegal re-identification of user data punishable. Although this seems wise, it can quickly put our connected world at greater risk.

What is re-identification? When user data is processed at a company, special algorithms disconnect sensitive information such as location tracks and medical data from identification data such as e-mail addresses and passport numbers. This is called de-identification. It can be reversed so that organizations can restore the link between the user’s identity and their data when needed. Such controlled re-identification by legitimate parties is done routinely and is perfectly appropriate, as long as the technical design is safe and sound.

On the other hand, if a malicious attacker were to obtain the de-identified database and re-identify the data, the cyber criminals would gain extremely valuable loot. As we see in constant data leaks and cyber espionage, our world is full of potential adversaries who want to exploit weaknesses in information systems.

India, perhaps in direct response to such threats, intends to prohibit unauthorized re-identification (aka illegal re-identification) and to subject it to financial sanctions or imprisonment. While banning potentially malicious actions may sound attractive, our technological reality is much more complicated.

Researchers have demonstrated the risks of re-identification that arise from careless design. Take the recent prominent example in Australia. In 2018, Victoria’s public transport authority shared the usage data patterns of its contactless commuter cards with participants in a data science competition. The data was, in effect, made publicly accessible. The following year a group of scientists discovered that poor data protection measures made it possible for anyone to link the data to individual commuters.

Fortunately, there are ways to reduce such risks with the right use of technology. To determine the security quality of the system, companies can also carry out strict tests of cyber security and privacy guarantees. Such tests are usually conducted by experts, in collaboration with the organization that manages the data. Researchers can sometimes resort to testing without the knowledge or permission of the organization, but nevertheless in good faith and with the public interest in mind.
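As an added illustration (not from the original article or from any system it mentions), the sketch below shows the kind of privacy test described above: card IDs are de-identified with a keyed pseudonym that only the key holder can reverse, and an audit then counts how many released rows remain unique on their travel pattern alone. The sample rows, the key and all function names are constructed for this example.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # constructed; in practice held apart from the released data

# Constructed sample rows (not real commuter data): card id, tap-on stop, tap-on time.
RAW = [
    ("card-1001", "Stop A", "07:42"),
    ("card-1002", "Stop A", "07:48"),
    ("card-1003", "Stop A", "07:55"),
    ("card-1004", "Stop B", "08:03"),
    ("card-1005", "Stop B", "08:41"),
    ("card-1006", "Stop C", "08:15"),
]

def pseudonym(card_id, key):
    """Keyed pseudonym: without the key, the link to card_id cannot be recomputed."""
    return hmac.new(key, card_id.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(rows, key):
    """Replace the direct identifier; the travel pattern is released unchanged."""
    return [(pseudonym(cid, key), stop, t) for cid, stop, t in rows]

def reidentify(pid, card_ids, key):
    """Controlled re-identification: the key holder recomputes pseudonyms to find the card."""
    return next((c for c in card_ids if hmac.compare_digest(pseudonym(c, key), pid)), None)

def exact(row):
    """Quasi-identifier as released: stop plus minute-level time."""
    return (row[1], row[2])

def hourly(row):
    """Generalised quasi-identifier: stop plus hour only."""
    return (row[1], row[2][:2])

def audit(rows, quasi_id, k):
    """Return (smallest group size, rows in groups smaller than k) for a quasi-identifier."""
    groups = Counter(quasi_id(r) for r in rows)
    at_risk = sum(n for n in groups.values() if n < k)
    return min(groups.values()), at_risk

if __name__ == "__main__":
    released = deidentify(RAW, KEY)
    print("exact times :", audit(released, exact, k=2))
    print("hourly times:", audit(released, hourly, k=2))
```

With minute-level times every row is unique even though the card IDs are gone; rounding to the hour shrinks the at-risk set but still leaves one singleton, which is the kind of finding such a test exists to surface before release.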

When data protection or security weaknesses are found in such tests, the perpetrator does not always need to be addressed immediately. Worse still, the new bill may even tempt software vendors or system owners to take legal action against security and privacy researchers, hindering research entirely. When research is prohibited, the personal risk calculus changes: faced with a risk of fines or even imprisonment, who would participate in such a socially useful activity?

Today, companies and governments increasingly recognize the need for independent testing of the security or privacy protection layer and provide ways for honest individuals to report risks. I expressed similar concerns when, in 2016, the British Department of Digital, Culture, Media and Sport planned to prohibit re-identification. Fortunately, the final law, by introducing special exceptions, recognizes that researchers must work with the public interest in mind.

Such a universal and outright ban on re-identification can even increase the risk of data breaches, because system owners have less incentive to make their systems privacy-proof. It is in the clear interest of policymakers, organizations and the public to receive direct feedback from security researchers, rather than running the risk of the information reaching other, potentially malicious parties. The law must enable researchers to honestly report any weaknesses or vulnerabilities that they detect. The common goal must be to resolve security issues quickly and efficiently.

Criminalizing crucial parts of researchers’ work can cause unintended damage. Moreover, the standards of an influential country like India run the risk of having negative consequences worldwide. The world as a whole cannot afford the risks arising from obstructing cyber security and privacy research.

