DISCLAIMER:
This is an extend version of PrivacyGuides specially tailored for Indian needs which is not in affiliate with privacyguides.org in any way.
Tools and services mentioned in this guide are not affiliated with anyone. They're mentioned here solely based on the author's interest and experience. The author is not responsible for any damage caused by the tools and services mentioned in this guide.
Without the involvement of Politics in this Privacy Guide, it is not possible to give clear context or information to achieve privacy in India. This guide is not meant to be a political guide but rather a guide to help people understand the importance of privacy and how to achieve it.
- Privacy Guides - India
- Index
- CHAPTER 1: Introduction
- CHAPTER 2: Privacy in India
- CHAPTER 3: How to protect your privacy then?
Privacy Guides - India only exists to spread privacy to the masses to Crores of Indians who are living in denial of their privacy. This is a community effort to educate people about privacy and how to protect it. We are not affiliated with any organization or company. We are not here to sell you anything. We are here to help you protect your privacy.
Many people get the concepts of privacy, security, and anonymity confused. You'll see people criticize various products as "not private" when really they mean it doesn't provide anonymity, for example. On this website, we cover all three of these topics, but it is important you understand the difference between them, and when each one comes into play.
Privacy is the assurance that your data is only seen by the parties you intend to view it. In the context of an instant messenger, for example, end-to-end encryption provides privacy by keeping your message visible only to yourself and the recipient.
Security is the ability to trust the applications you use—that the parties involved are who they say they are—and keep those applications safe. In the context of browsing the web, for example, security can be provided by HTTPS certificates.
Anonymity is the ability to act without a persistent identifier. You might achieve this online with Tor, which allows you to browse the internet with a random IP address and network connection instead of your own.
Pseudonymity is a similar concept, but it allows you to have a persistent identifier without it being tied to your real identity. If everybody knows you as @GamerGuy12 online, but nobody knows your real name, that is your pseudonym.
All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where threat modeling comes into play, allowing you to make informed decisions about the software and services you use.
In short - Privacy is about data, Security is about trust, and Anonymity is about identity.
Example: You close the door when you go to bathroom, that's privacy. You lock the door when you leave home, that's security. You wear a mask when you go to a protest, that's anonymity.
More about privacy here.
In the modern age of digital data exploitation, your privacy has never been more critical, and yet many believe it is already a lost cause. It is not. Your privacy is up for grabs, and you need to care about it. Privacy is about power, and it is so important that this power ends up in the right hands.
Privacy in India has been a mixture of privacy itself, denials, ignorance and politics.
The Indian constitution does not explicitly mention the word "privacy", but with the Puttaswamy judgement that rolled on August 24, 2017 grants Indian the right to privacy (on paper, of course). The Information Technology Act 2000 and the Reasonable Restrictions on Right to Privacy Act 2017 are two key privacy-related laws enacted by the Parliament of India.
PDF to access the judgement can be accessed here Analysis of the same can be accessed here
Privacy is a fundamental right, but it is not absolute. The Indian constitution allows the government to impose reasonable restrictions on the right to privacy in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence.
Violation of privacy has become a norm in India to an extent that people are living in denial of their privacy and are not aware of the consequences of the same. This is normal in a country where the government is trying to impose a surveillance state on its citizens and privacy is not an end point but rather a journey. With less people opting in due to lack of awareness, journey in the world of privacy has been quite difficult. With the necessary tools and knowledge, you can protect your privacy and take back control of your data.
One cannot blame on people snooping into other's privacy when they themselves are not aware of their own privacy. The mindset of people in India is that they have nothing to hide and they are not doing anything wrong. This is a very dangerous mindset to have. Privacy is not about hiding something, it is about protecting something. Privacy is not about doing something wrong, it is about doing something right. Privacy is not about being suspicious, it is about being safe. Privacy is not about being a criminal, it is about being a citizen.
Aadhaar is a unique identity number for every citizen of India issued by the Unique Identification Authority of India (UIDAI). It is a 12-digit number that serves as proof of identity and address, anywhere in India. Aadhaar is a biometric database (Iris, fingerprints, face) of Indian citizens, collected by the Unique Identification Authority of India (UIDAI) and stored in a centralised database.
It is claimed that Aadhaar database is stored securely behind 11ft height 5ft wide wall. However, there are 100+ incidents that prove that wall has a large hole in it allowing mass data surveillance, data and identity thefts. Here are some recent incidents that holds good:
- Recently, 100+ crore people's CoWIN data got breached and all the data was available on Telegram. Government of India, as usual, denied the breach.
- On filing RTI, public learnt that the government have no data about the developers of CoWIN
Aarogya Setu claims that the data has been deleted
- For a person to execute his/her rights to privacy, he/she should should be allowed to delete their data in a way that EU does (Right to be forgotten). However, the government of India is not interested in allowing the same.
- On filing RTI, public learnt that the government have no data about the developers of CoWIN
- It is known that all the data collected through CoWIN and other platforms as such, are used to mass surveil the citizens of India.
- How Indian farmer's personal data got leaked through PM-Kisaan
- Read the story of Pushpendra Singh who got their bank emptied because of Identity theft through Aadhaar
Aadhaar, despite being known to be insecure and highly prone to data breaches, the government continues to push that in everyway possible.
It is people's responsibility to resist themselves from Aadhaar even though it provides some conveniences like Government monetary benefits for your own good that helps you escape from the Government 360 degree profiling and surveillance of you. Here are some implementations of Aadhaar that promotes mass surveillance and profiling and people are okay with that for no reason:
- Aadhaar enabled biometrics attendance system for all Government employees
- Karnataka State to use Aadhaar to track every pregnancy
- Karnataka State okays the sue of Aadhaar for land property deals
- Karnataka Government to mandate SIM card and Aadhaar linking
- Karnataka Government to not only collected Aadhaar of students, but also shared them with other departments without consent
-
- Government of India shared Aadhaar database with private entities even though Supreme Court of India had prohibited the Government from doing so in 2019.
GOI have opened up a separate website that allows private entities to access Aadhaar database for a fee by mean of Aadhaar APIs. This is a clear violation of Supreme Court's order.
- Every citizen who had got vaccinated against COVID-19 twice, were all automatically enrolled for ABHA ID with no consent asked.
To know whether you've been enrolled for ABHA ID, check your second vaccine certificate. If you see a 14 digit number under a name called as "Unique Identifier ID" or something similar, you've been enrolled for ABHA ID.
Apple running 'health data is private' ads in a country where citizens nonchalantly linked their Aadhaar with vaccine certificate to be automatically enrolled for government's ABHA ID.
— Abhishek Baxi (@baxiabhishek) June 10, 2023
More about implications of Aadhaar here
In September 2022, Government of India took a step further to crack down on privacy by asking all the VPN providers in India to collect logs and other personal data of their users and share them with the government. Adding to this, VPN providers were asked to retent the data for 5+ years. Sources attached below:
- VPN Providers Flee India as a New Data Law Takes Hold
- India’s VPN Data Law & VPN Ban: Are VPNs Safe to Use in 2023?
- We replaced VPN servers in India to keep your data private
Government overreach and obssession with mass surveillance and profiling is not new. It has been happening for a long time now. Those who criticize teh government for its instance and ideology are threatened to hide the facts from the public or be jailed. For context, recently, Jack Dorsey, former CEO of Twitter, claimed that they were threatened to shut Twitter and raid employees for which he received a lot of criticism from the Indian Government and its officials. Within weeks, Elon Musk, who's the Chief of Twitter, acknowledged that
"Twitter doesn't have a choice but to obey local governments. If we don't, we get shut down," says Elon Musk. pic.twitter.com/BBQGptJL4v
— Press Trust of India (@PTI_News) June 21, 2023
With the parliament passing bills like a bullet train with NO discussions done, one can expect how bad the situation is for citizens within the nation.
- IPC and CrPC bills were retired. Instead the government bought in more draconian bills named Bharatiya Nyay Sanhita and Bharatiya Nagarika Suraksha Sanhita respectively. These arejust rename but what's concerning here is that the sedition law. The Government orally claimed that Sedition laws are removed but what they did not tell is they renamed the sedition law and made it even more scary! Go through the below attached articles to know more about them:
- https://www.thehindu.com/news/national/bills-seeking-to-replace-ipc-crpc-indian-evidence-act-referred-to-standing-committee/article67210670.ece
- https://thewire.in/government/sedition-law-repealed-three-new-bills-tabled-in-parliament-to-replace-criminal-laws
- https://www.bbc.com/news/world-asia-india-66495428
- https://indianexpress.com/article/india/amit-shah-bills-reforming-indias-criminal-justice-system-8887532/
- https://www.newindianexpress.com/nation/2023/aug/11/three-bills-to-replace-ipc-crpc-indian-evidence-act-introduced-in-lok-sabha-2604246.html
- Registrations of Births and Death. With the RBD bill passing in, one can expect 24/7 * 365 days realtime surveillance from birth to death of every citizen of India. What makes it even more scarier is that this pushes Aadhaar on to the population thereby ignoring the protection given by the Supreme Court of India to its citizens.
This not only makes your life harder, but can also hold you back forcefully fro buying prperties in the country if you do not furnish Aadhaar. This is nothing but a civil death. We highly suggest you to go through this link to know more!
- https://www.insightsonindia.com/2023/07/28/registration-of-births-and-deaths-rbd-amendment-bill-2023/
- https://prsindia.org/billtrack/the-registration-of-births-and-deaths-amendment-bill-2023
- https://thewire.in/tech/registration-of-births-deaths-aadhaar-voter-id
- https://www.thehindu.com/news/national/explained-proposed-amendments-to-the-registration-of-births-and-deaths-act/article67115609.ece
- https://www.thehindu.com/news/national/lok-sabha-passes-bill-that-will-enable-digital-birth-certificates/article67146898.ece
- https://www.thehindu.com/news/national/all-reported-births-and-deaths-to-be-digitally-registered-on-centres-portal-from-october-1/article67307282.ece
- DPDPB - 2023. A bill that does not protect its citizens' privacy from anyone but rather legalise this data collection by forcing citizens to be completely transparent to the Government while the Government safeguards itself by making itself more and more opaque.
In addition to the above, this will also give the Government un-conditional un-guided powers over everyone else. At the same time, it will also weaken RTI by means of amendment. This will not only weaken your (citizen's) power but also stop you from getting the information from the Government. We highly suggest you to go through this article to learn why the bill is really a concern. Refer the below attached articles to know more:
- https://dpdpb.in/
- https://www.thehindu.com/news/national/explained-what-is-the-data-protection-bill-of-2023/article67162906.ece
- https://www.hindustantimes.com/technology/data-protection-bill-2023-what-will-change-for-a-normal-user-explained-101691131011821.html
- https://internetfreedom.in/dpdpb-2023-in-the-parliament/
- https://thewire.in/tech/data-protection-bull-proliferation-digital-india
- https://thewire.in/tech/experts-comment-on-new-data-protection-bill
- https://www.barandbench.com/law-firms/view-point/digital-personal-data-protection-act-2023-a-brief-analysis
With no Bills exist in the country to protect citizens from cybercrimes, digital exploitation, surveillance, profileration and abuse from scammers and extortionists. Companies have been taking advantage of the situation and collecting data about you and selling them to third parties for profit. The Government, on the other hand, is busy with its mass surveillance and profiling of citizens while trying to pass a bill that will allow them to collect data from private companies and use them for their own purposes. Here are some incidents:
- Very recently some users reported on the internet that Chinese company Realme having collecting excessive amount of user data without their consent in the name of Enhanced user experience and the option was turned on by default. The company later pushed a patch that turned it off user's devices after the news spread like wild fire. But, the damage was already done. The same kind of data collection is still being done other companies owned by BBK Electronics viz., Oppo, Vivo, OnePlus, iQOO, etc.
- On the other hand, some bank's like Bank of Maharashtra have been enrolling it's customers/account holders into insurance schemes like
PMJJBYandPMSBYsilently. They initially cut the money from your bank account and then send you a message after some 4 - 5 days, you're eligible for the scheme and you can opt out if you want. But, the money is already gone. This is a clear violation of privacy and data protection. The bank has no right to enroll you into any scheme without your consent. But, they do it anyway. Author of this guide has been a victim of this. - Author's friends have reported that their SIM operator Jio, had been blocking GRE ports (GRE ports help you connect to the VPN network) on their network which actually violates net neutrality and upon asking on Twitter, Jio put up a vague reply stating:
Hi, we are here to help you. Please be informed that as per the global standards ports are blocked in the RIL network - Nausheen
— JioCare (@JioCare) June 16, 2023 - MLA's in Karnataka illegally sent voter slips to voters with their personal details like name, address, phone number, etc. on WhatsApp tha tsparked controversy. Read more here.
- Here comes the big part. The UPI that you use to do transactions is not safe either. It has added convenience to Indians in making digital payments, it is not privacy friendly, experts warn.
- TL;DR: When you make a payment through UPI, not only the UPI ID and transaction ID is shared but rather a lot of personal data that includes your phone number, name and physical address is also shared with the merchant.
When crony capitalism and Billionaires rule the country, you can't expect privacy to be a thing.
So, one can say that a data protection bill in India is no where to be expected to come. Even if it comes into force some day in future, it will only legalise data collection and nothing else.
To know more about the state of privacy in India, follow here
Some important links to know more about the state of privacy in India:
- https://internetfreedom.in/we-wrote-to-the-election-commissioner-of-india-on-the-use-of-facial-recognition-technology-for-voter-verification/
- https://internetfreedom.in/meta-agm-proposal-7-voting-outcome/
- https://internetfreedom.in/transparency-report-may-2023/
- https://internetfreedom.in/gac-rti-response/
- https://sflc.in/defending-digital-rights-sflc-in-assists-in-challenging-ban-on-apps/
- https://internetfreedom.in/it-rules-2023-aim-bombayhc/
It is too hard for you to protect your privacy in India. You're being tracked 24/7, 365 days. Your profiling was started when you were in your mother's womb, and you'll be tracked until your death. But, there are some ways to protect your privacy to some extent. This chapter will guide you through some of the ways to protect your privacy.
NEVER put all your eggs in a single basket. Use multiple services for multiple purposes. This will help you protect your privacy to some extent.
A VPN is a Virtual Private Network that helps you connect to a remote server and route your internet traffic through it. This helps you hide your IP address and location from the websites you visit. It also helps you bypass censorship and geo-restrictions. It also helps you protect your data from hackers and other malicious actors.
Telecom companies like Jio and Airtel do deep packet inspection and it is recommended that you use a VPN from trust worthy provider.
VPNs DO NOT provide anonymity. They only provide privacy, to some extent. If you want anonymity, use Tor.
To learn which VPNs are trust worthy, take a look here
Proprietary services are those services that are owned by a company or an individual. They are not open source and you cannot see what's happening behind the scenes. They can be used to track you and collect your data. It is recommended that you refrain from using proprietary services as much as possible.
Services offered by Google, Microsoft, Apple, Amazon are proprietary. Government apps like Aarogya Setu, CoWIN, mAadhaar, mParivaahan etc. are proprietary and are not open source to review the code or to trust.
To learn about some of the open source alternatives to proprietary services, follow:
- Tools recommended by Privacy Guides
- DivestOS recommended apps
Yes, the service that you use should be trustable and should allow deletion of account and data.
This is because, if you want to stop using a service, you can delete your account and all your data will be deleted from the service provider's servers. This will help you protect your privacy to some extent and have control over your data and life.
In case you've already enrolled for Aadhaar, by mistake or by force, you cannot delete your Aadhaar. But, you can lock your Aadhaar so that no one can use it for authentication purposes [not even for verification in background, it just throws 500 -- Internal Server Error (as the developers are not paid well enough to handle errors properly even after 10+ years of its existence)].
Make sure you that you lock biometrics so that, even if some one who gains access to your Aadhaar by any means, they cannot use your biometrics for authentication purposes. By visiting this link, you can lock your Aadhaar overall so that no one can use it (assumed). This will prevent anyone from using your Aadhaar for authentication purposes. You can unlock it whenever you want to use it for authentication purposes. Make sure that you write down your Virtual Aadhaar number or store it in your password manager. If you trust government, even after reading the Chapter 2, you can proceed and install Government app mAadhaar to lock/unlock your Aadhaar from there.
Here, it is mentioned that you can update your data sharing consent. However, data sharing consent option is available no where on Aadhaar website.
As of now, you can opt out of Ayushman Bharat Health Account (ABHA) and the same is mentioned in their fundamentals. Delete when you can.
Digilocker is a service offered by Government of India to store your documents digitally on Government server unencrypted. It is not recommended to use Digilocker as it is not open source and you cannot trust it. It is recommended that you delete your Digilocker account and store your documents in your password manager or in your encrypted hard drive.
Once, you create your digilocker account, you cannot delete it. You can request your digilocker account to be deleted if you did not link your Aadhaar to it. Even you did, you can mail them asking them to delete. They'll reject your request initially, but you can mail them again and again until they delete your account. You can mail them at. This is the only way to delete your digilocker account and the author of this guide has done it successfully and you can read the story (it is a story) of the process here.
It is recommended that you refrain from sharing your personal data as much as possible. You can use fake names, fake email addresses, fake phone numbers, etc. to protect your privacy. Some services like mail.tm offer you temporary email addresses that you can use to sign up for services that you don't trust and of course, you need to be cautious while sharing personal info on such platform. Temporary phone numbers in India are really hard to get. Services like Mysudo, do not exist in India as Government do not allow such services to exist in India.
Since it is not really possible to get a phone number alias or temporary Indian phone number, it is not recommended to share your phone numbers without second thought as it is today, tied to your identity and cannot be changed easily unless you make some sacrifices.
You do NOT need to link your Aadhaar everywhere. Aadhaar is optional, not mandatory, said by supreme court of India in 2019. Virtual ID is a joke and cannot be used anywhere other than locking your Aadhaar and its Biometrics.
In most of the place, you're asked to provide your Aadhaar only for proof. That proof is usually address proof. For that, you can give your Driving License, Passport, Voter ID, etc instead. since they cannot be used to obtain your biometrics and other details like your Phone number or your bank details.
Like when you go to buy an electric vehicle in India, they ask for your Aadhaar for
FAME IIsubsidy. For context, FAME II is a scheme by Government of India to promote electric vehicles. You can give your Driving License instead of Aadhaar as proof. They'll accept it as it is a valid proof of address.
When you go to your nearest SIM provider say Jio / Airtel (VI and BSNL are long dead) to buy a new phone number, you do not need to give your Aadhaar as address proof as it will be linked to your Aadhaar. You can give your Driving License, Voter ID or Passport instead. They'll accept it as it is a valid proof of address.
Yes, you do NOT need to link your Bank account with Aadhaar at the time of opeing a bank account. You can simply say no and walk away. If you already have a bank account linked with Aadhaar, you can unlink it by visiting your bank branch.
When you go to shops like retail stores, shopping malls and etc., after you make a purchase, at the time of billing, they ask for your phone number like it is the norm. No, it is not the norm and you need not share that. yes, they'll look at you like a criminal. You can simply say no and walk away. If you really need the product and there exist no other option, you can give them a fake number given that you remember it and no OTP is generated for that number. But, usually, after saying no and couple of times, they'll give you the product without asking for your phone number.
Companies know the fact that you do not care about sharing your phone number and will share it without second thought. They use this to track you and sell your data to third parties. They also use this to send you spam messages and calls like you usually recieve on your phone.
Most of the apps that are developed in India ask for your phone number for authentication purposes. They do this to reduce server costs as it will reduce spam but at the cost of your privacy (why do you care about them?). It is recommended that you refrain from using such apps. If you really need to use them, you can use a fake number or an alias to your original number.
As mentioned above, government itself claims that Aadhaar is neither a proof of citizenship nor date of birth. Altough you can use it as a proof of address, it is not recommended given the security issues mentioned else where in the guide and yes, you might be forced to give your biometrics. You can check this article to learn about the valid documents that you can provide for verifying your physical address.
Aadhaar is voluntary, but without Aadhaar, you'll have to face hard times in your life as most of the government services will be denied. As a prime example, the mandate of linking PAN with Aadhaar forces citiens to enroll for Aadhaar (voluntarily mandatory).
Here are some more references for verification of the claims made in this guide:
- Aadhaar is not a proof of citizenship
- EPFO removes Aadhaar as valid date of birth proof. What should you do?
- Aadhaar
- Aadhar and its Voluntary Use
WhatsApp is a proprietary messaging service owned by Meta (formerly known as Facebook). The app is extremely popular in the country and is used by almost everyone. It is really hard to convince anyone to not use WhatsApp.
Messaging apps popularity grow in an exponential manner. People use an app because their friends use it. Their friends use it because their friends use it. This is how it grows. It is not because it is the best app out there. It is because it is popular.
Meta (formerly known as Facebook) is known for its privacy violations and data breaches. WhatsApp is no exception and hence Brian Acton, left Facebook in 2018 to co-found Signal Foundation by investing $50M.
For context, WhatsApp was acquired by Facebook in 2014 for $19B. Brian Acton was one of the co-founders of WhatsApp and he left Facebook in 2018 due to disagreements with Facebook's privacy policies. He co-founded Signal Foundation and invested $50M in it. Signal is an open source messaging app that is recommended by privacy advocates and is used by Edward Snowden, Elon Musk, Jack Dorsey, etc.
WhatsApp is not open-source and it collects a lot of data about you starting from your Profile photo, Contacts that you saved on your phone, your phone number, your IP address, your location, your device information, etc. In short, WhatsApp collects everything about you except the actual content of your messages. However, metadata generated by your messages is collected and used to show you targeted ads on Facebook and Instagram and is more than enough for anyone to get a context of your messages. WhatsApp also shares your data with Facebook and Instagram. You can read more about it here.
You can know more about the data collected from WhatsApp's privacy-policy here and by requesting GDPR from WhatsApp settings within the app.
You talk your doctor on WhatsApp, then you talk to the Cancer Diagnostic Center on WhatsApp, then you send a pdf to your doctor again, and forward the same to Pharmacy along with a photo. Then you talk to your family on WhatsApp. Now, Facebook knows that you might have cancer and will show you ads related to cancer treatment all over the internet as WhatsApp shares all your data with its parent company, Meta.
When you give your phone number to sign up for other proprietary services like Uber, Ola, Myntra, Swiggy, Zomato, Paytm and etc., they start sending automated texts on WhatsApp without your prior consent. This is because they have your phone number and they can send you messages on WhatsApp as you've agreed to their policies. This is how they get around the fact that you did not give them your consent to send you messages on WhatsApp like below:
So done with WhatsApp pic.twitter.com/pEutCg38mI
— Karthikaa.eth ✨ (@designermaybe) May 7, 2023
They do not allow permanent deletion of account either:
We will make sure users have plenty of time to review and understand the terms. Rest assured we never planned to delete any accounts based on this and will not do so in the future.
— WhatsApp (@WhatsApp) January 15, 2021
There has been reports stating WhatsApp has opened backdoor for Indian Government to snoop on its users' private messages. You can read more about it here, here and here but the company has denied the claims. It is not open-source and hence, it is not possible to verify the claims.
Instead of using a proprietary messaging app like WhatsApp, you can use an open source messaging app like Signal. Signal is recommended and endorsed by many due to its stance on protecting privacy of an individual. It has been audited by many security researchers and is considered to be secure. Signal collects the least amount of data i.e., your phone number (which is rumoured to go away soon for usernames), timestamp of you registered to Signal and the last time you connected to the internet and nothing else. There also exist other better apps than Signal like Session and Briar but they are neither as popular as Signal nor as easy to use as Signal. Signal is available on Android, iOS, Windows, macOS, Linux, etc. And hence, we recommend you the same. You can download Signal from here.
Signal is not perfect. It is not the best app out there. It is just better than WhatsApp with more features and better privacy. It is recommended that you use Signal instead of WhatsApp.
You can also look at other options by visiting this link that analyses various messaging apps and their privacy policies.
With WhatsApp rolling out its new features i.e., Channels, it is no more a messaging app but rather a full fledged business tool that is there to help businesses have wider reach to its customers. According to the author, the UI and UX is now completely ruined since the app now focuses more on outsiders rather than insiders i.e., you don't get to see updates from your loved ones or the one who has a close contact with you but rather from an unknown person or a business.
It is high time that you get out of this loop and escape WhatsApp AKA Meta's tentacles.
Although this is really hard than said, especially for the middle -- working class and lower class people, this is the only option for you to escape from this rabbit hole where you're forced to live in. The government is keen on its knee to stop you from questioning and make any significant improvements to protect you, so, this is a viable option and a last resort.