An oft-invoked adage of the digital age is that if something is free, you are the product. Global technology giants like Facebook and Google have been under public scrutiny for their privacy and advertising policies; however, they are by no means the only purveyors of free online services that engage in these practices. Beijing has reportedly leveraged free-to-use apps like WeChat for intelligence gathering and has instituted cybersecurity and data laws that facilitate surveillance. India’s Personal Data Protection Bill, a revised draft of which was circulated on December 11, presents a deeply flawed solution, leaving Indian users in the lurch.
China’s Domination of the App Economy
Chinese apps are dominating the app economy in India. In 2017, only 18 of the top 100 apps listed on Google Play were Chinese. By 2018, this number had grown to 44. Most of these apps are free: from usual suspects such as Tik Tok, to games like PUBG and Clash of Kings, as well as e-commerce platforms like Club Factory.
Table 1: Abridged List of Popular Chinese Apps in India with 1 million+ Downloads
India is thus a major market for Chinese apps and allied services. In addition to marketing apps, Chinese technology companies have invested heavily in Indian technology startups as well: in 2018 alone, Chinese VCs invested $5.6 billion in Indian startups.
Chinese apps have come under the Indian government’s radar a number of times, most notably in the wake of the Doklam incident in 2017 and the 2019 General Elections. In December 2017, the Indian Ministry of Defence directed the armed forces to uninstall 42 Chinese apps that “reliable reports” stated are likely riddled with spyware and/or malware. In April 2019, Bytedance came under fire for hosting falsified information and for their inaction on the rampant use of their platforms by child predators.
From Beijing, With Love
While Chinese social media and video sharing apps have been repeatedly criticised for their weak moderation and resultant misuse, the broader Chinese app ecosystem suffers from a host of accountability and privacy issues.
In November 2019, there were two major, unprecedented leaks from Beijing detailing the internment and “re-education” of Uyghurs. The documents show that the CCP allegedly used two popular apps — Zapya and WeChat (Weixin in China) — to identify and target Uyghurs.
Chinese unicorn Megvii made headlines earlier the same year when the US Commerce Department blacklisted the company alleging that their facial recognition technology Face++ was being used by the Chinese government to persecute Uyghurs. Face++ customers include popular photo editing apps like Camera 360 and Meitu’s Beauty Plus.
Chinese technology giants also score poorly on corporate accountability and transparency. While Tencent (the company behind WeChat) and Baidu have made some improvements on these parameters in response to the Personal Information Security Specification (2018), the Specification itself gives the Chinese government considerable leeway through exemptions under the categories of “national security and national defense” as well as “public safety, public health, and significant public interests”. Weixin and Zapya both include provisos on these grounds that facilitate disclosure of personal information to government agencies.
Personal Data: Unpeeling the Onion
China’s Specification, in conjunction with Multi-Level Protection Scheme (MLPS 2.0), mirrors India’s Personal Data Protection (PDP) Bill in many ways: both identify obligations of data fiduciaries/personal information controllers, both institute data auditing bodies and restrict certain cross-border data flows.
What do these guidelines and regulations mean for the plethora of Chinese apps in the Indian market? The newest draft of the PDP Bill has relaxed data localisation requirements [Chapter VII) vis-a-vis previous drafts: “sensitive” personal data must be stored in India, but can be transferred after obtaining user consent; “critical” personal data needs to be processed — but not stored — in India. Chinese tech giants, such as Alibaba and Tencent, have already opened data centers in India, with other players like Bytedance announcing plans to do the same as well.
Localisation provisions under Chapter VII therefore help bring the data of Indian users under the aegis of Indian laws. However, this is where Indian law has substantial ground to cover. While the PDP Bill is robust in terms of the obligations of privately-owned data fiduciaries and has even incorporated the concept of the right to be forgotten, it has been widely criticised for the creation of broad exemptions based on national security and law enforcement, granting government agencies virtual immunity to this legislation. In sum, all personal and critical data can be accessed by government agencies under a wide gamut of reasons, including the omnipresent yet vague categories “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, and public order”.
Indian users are caught between a rock and a hard place: wherever their data goes, it is afforded little protection from the overbearing state.
In Search of Alternatives
China’s domination of India’s app economy rides on the aversion of users to pay for online services. This problem is by no means unique to India: surveys in the aftermath of the Cambridge Analytica scandal found that a majority of users would continue to use these apps free, rather than pay a modest fee. Furthermore, the privacy paradox points to the skewed perception of the actual tradeoff between convenience and privacy: users seem to place very little value in the protection of their data.
It is therefore crucial that users be aware of exactly where their data is going, and consider whether the allure of a “free” service is worth the long-term costs of the erosion of privacy and eventual loss of autonomy.
This copy was originally published in ORF.