Digitalization and Privacy
Semester: Monsoon 2024 | CS-2384-1
Course Instructor: Professor Subhasis Banerjee
Overview: India is arguably the biggest deployer of Digital Public Goods (DPG, digital systems in public life), with large public service applications (in use or contemplated) like national identity, phone-based payment systems, electronic voting, a national-level health registry, national population and voter registries, a public credit registry, income and other tax registries, face-recognition-based access control at airports and other facilities, Bluetooth-based contact tracing and a national intelligence grid. It is undeniable that DPGs have had a huge impact on public life in the last decade.
However, these systems also come with risks of exclusion, increased cost of transactions, and increased risks of privacy violations, especially for a population in which digital literacy is low. The privacy judgement of the Supreme Court of India read all such risks into Articles 14, 19 and 21 of the Indian Constitution and broadly classified them as ‘privacy’. However, the technical and operational standards for such privacy protection are not yet well developed. This has led to constant tension between the state on one side and civil society and privacy activists on the other, resulting in several constitutional cases in the Supreme Court and various High Courts. The possibilities of inferential privacy and other human rights violations with modern machine learning (whether deliberate or inadvertent), or of unfair and discriminatory processing of data, compound the problem.
In this course, we will unpack the privacy and other human rights requirements in such applications from both legal and technical points of view. We will investigate the possibilities of early alignment of the two and examine if it is possible to outline the necessary and sufficient conditions for privacy protection, as envisaged by the privacy judgement of the Supreme Court of India. We will review the privacy enhancement techniques in computer science, ranging from encryption and applied cryptography, electronic voting, database and network security, trusted execution environments, blockchains, anonymization and other data minimisation techniques, and evaluate their suitability and efficacy for privacy protection. In the final part of the course we will investigate the architectural possibilities for privacy protection – from both legal and technical perspectives – that may help not only in design but also in assessing vulnerabilities and omissions.