Consent and the free Net

Mitchell Baker, head of the Mozilla Foundation, talks about the ever-changing contours of the personal and the public on the Internet, and the vulnerabilities of Aadhaar.

On February 9, 2018, a full-page open letter appeared on the front page of major Indian newspapers. In this letter addressed to Justice Srikrishna and other members of the committee tasked with formulating a data protection law for the country, Mitchell Baker, head of Mozilla, spelt out the lacunae in the committee’s recommendations.

Ripping into Aadhaar programme and its ever expanding offshoots Baker wrote:

‘In the vacuum created by India’s lack of a comprehensive data protection law, the Government of India continues its relentless push to make Aadhaar mandatory for ever more government programs and private sector services, in contravention of the directives of the Supreme Court.’

The Justice Srikrishna Committee, she said, needed to address the following lacunae:

‘The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards, biometric info is some of the most personal info, and can’t be “reset” like a password.

The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.

Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.

Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.”

It was quite a rebuke coming from Baker, the original activist for privacy and freedom on the Internet and champion of the open source movement. Baker, who once headed the company that created the iconic browser Netscape, now leads the corporation that runs the browser Firefox, and remains as trenchant as ever in her efforts to ensure that the Internet remains a free and open space.

Baker has been managing Mozilla’s operations since 1999. She’s a board member of OpenMRS, a big open-source electronic medical record management platform, works with MIT’s Open Agriculture Initiative and has been a member of the ICANN High Level Panel on Global Internet Cooperation and Governance Mechanisms.

Firefox is completely open-source, “dedicated to putting individuals in control online”. Mozilla runs numerous programmes across the world some of which are devoted to widening access to the Internet, countering fake news, creating open-source voice recognition software and ensuring that comments sections and discussion boards on the Internet stay democratic and free of threats of violence.

India is a very important contributor to this project— it has 11,000 Mozillians—individuals who collaborate on them. In contrast the US, Brazil and Bangladesh have just 2,000 each.

Online privacy is one of Mozilla’s focus areas in India.

Mitchell Baker spoke on the challenges of dealing with big data.

You issued a full page ad on Aadhar recently. What was the response to this letter?

There has been no response from the government on this. In terms of a more general response, we don’t know yet.

In your letter you critiqued Aadhaar on many points. Do you think it is even feasible to modify Aadhar without severely curtailing the grand plans this government has for it?

I think it’s difficult to impossible to continue extending Aadhaar to more and more services without compromising security. There have already been security problems, which haven’t been dealt with.

I think Aadhaar has already been extended too far from its original description. There are some aspects of it—like giving identities to poorly informed villagers—that have made their lives more difficult rather than easier.

In this era having an ever expanding vision of a single centralised system through which everything is processed, and which is somehow going to be safe, is unlikely. It’s even more unlikely given the past of this particular programme. One of the things that you flag for the security of your most precious data is the attack surface—the places from which someone can attack your programme. You want to reduce the attack surface, but as you go on adding more and more programmes some of which aren’t even important yet have access to critical data, programmes that aren’t designed for that nature of security—you increase the attack surface. There are a few aspects of Aadhaar that can do well if they’re not mandatory.

The government plans to use biometrics in everything—from the public distribution system to verifying mobile phone connections. Isn’t this widespread use of sensitive information an invitation to compromising it?

Any ID system is by definition pretty widespread. Using biometrics however clearly raises the stakes beyond anything we’ve seen before. Biometrics makes things easier—the person can just use their fingerprints but it comes with its own sets of problems. It’s also only easier to use when you have a system—equipment, electricity, etc.—that works most of the time. If your system is sporadic it only makes things worse.

In every system the most critical information, which needs to be kept secure, should be in a box in the centre. It should only be accessed when absolutely necessary. That’s how we build browsers—every browser has a secure sandbox where the most critical things happen. As you allow more things to access this critical information the risk goes up.

Rolling out a system this large and complex is challenging in itself; and when you’re using it to access biometric information that can’t be reset you’re raising the stakes incredibly high. Every system has faults. It is unlikely that this is the only system in the world that will not have a fault.

Isn’t there a fundamental flaw in how this project was conceived? How does a project like this get operational without a data protection law in place?

(Laughs) Well, yes. However our notion of data, and what could be done with it was very different even a few years ago. Today having a data protection law is critical, so the question is, what do we do?

There needs to be a movement of citizens who want a clear description of their constitutional rights where data is concerned.

The Internet once held this promise of being this vast democratic space where information was easily available and everyone could voice their opinion. But in some ways it has become the opposite—the space companies and governments turn to to track people. How should the Internet be governed to prevent this? And if such a system of governance is put in place, how do you ensure that it is not misused?

When the Internet first arrived, when I was at Netscape, all of us could see a world of potential ahead. In hindsight it’s obvious that when you have a system that connects everybody you’re likely to see all aspects of human nature. People do really horrific things to each other; governments also use their powers to do horrific things.

We’re now in the middle of seeing this range of human nature and government powers—which are sometimes citizen centric and at others the opposite. We’re seeing all of this but we don’t have accountability systems online. So I do think that we need accountability systems, but at the same time we don’t solve anything by sending people off to jail.

Accountability is one part of governance. We also need to develop some way of dealing with threats like the online threats of torture and violence that underrepresented groups and women face. These kinds of threats are not okay.

The question then is—how do we translate societal rules in the online world? Each society makes different rules about what one can say and do; and how nasty speech can be. The rules in France are different from those in Germany, which are different from those in the US. Then we have the challenge of balancing these systems with freedom, another key value.

The big question at this point of time is—how much data do you want to put in a network where anyone can access it? I think we’re going to see more and more private pages on the Internet.

None of these systems are perfect, neither are they translated easily into the online world. But I think looking at how societies balance things in the offline world might give us a sense of how things can be done online.

Also looks like freedom of speech on the Internet is under threat. Governments, like the Indian government, have increasingly started policing the Internet—charging people with sedition, defamation, etc. on the basis of social media posts. How do you define what is public and what is private on the Internet. Is a Facebook post shared by a closed but large group of people public or private?

I think defining public and private is complex even offline, so translating that becomes even more difficult. We’re still in early days, especially when it comes to social media. I’m not sure whether things will look the same in five years.

The big question at this point of time is—how much data do you want to put in a network where anyone can access it? I think we’re going to see more and more private pages on the Internet.

But yes, I think definitions of public and private don’t translate well. That is probably at the heart of a fair number of issues. We should also remember though that the demarcation of public and private is not that clear in the real world either. Is the proverbial soapbox in the town square public or private? What if no one’s listening?

What about my yelling from my front porch—is what I’m saying still private? And what if I decide to use a microphone? We have a long way ahead of us in figuring this stuff out. How you and I think about public and private is also very different from how a 15-year old thinks of them. So I don’t really think we have the answers right now, but we do have pointers that tell us how to think about these things.

How do you prevent centralisation (and monopolies) on the Internet—services like WeChat in China are used for everything—from dating to banking and booking taxis.

I’m not sure what we can do about it. Should governments intervene? I’m not sure that’s what you want. Some places, Europe for example, are fairly active in ensuring that companies like Google don’t abuse their scale.

What impact do you think artificial intelligence is going to have?

Hmmm. I’m trying to find an answer that will extend across the Internet. We are of course going to see the automation of things that people were doing. Bots are the first step of this process. You will see more attempts to take information, process it and make it useful; some of which will be pretty interesting. I think there will be efforts to build data sets as public assets.

This is important because technologies like voice recognition are soon going to be open source, no longer confined to big corporations. Mozilla has been working on DeepSpeech, one such open source platform. These technologies will require data sets to train them.