Privacy Advisor

Privacy in India

November 1, 2005

Ponnurangam Kumaraguru

As India becomes a leader in Business Process Outsourcing (BPO), increasing amounts of personal information from other countries are flowing into India. Questions have been raised about the ability of Indian companies to adequately protect this information. Unfortunately, employees of BPO organizations have misused customers' personal information repeatedly. As more and more companies from other countries are conducting business in India, there is increased concern about India's lack of privacy laws. To address these concerns, government officials, organizations and lawmakers are discussing the creation of privacy laws in India that would mandate privacy protections for data from other countries handled by India's outsourcing industry.

As a first step, it is necessary to understand the attitudes toward privacy among Indians.

Under the guidance of Dr. Lorrie Cranor, I conducted an exploratory study during the summer of 2004 to gain an initial understanding of attitudes toward privacy among the Indian high-tech workforce. We carried out a written survey and one-on-one interviews to assess the level of awareness about privacy-related issues and concerns about privacy among a sample of educated people in India. We used the protocol designed by Elaine Newton and Dr. Granger Morgan, also from Carnegie Mellon University, for the one-on-one interviews. We surveyed a total of 407 respondents and the interviews were conducted with 29 subjects.

Our results demonstrate an overall lack of awareness of privacy issues and less concern about privacy in India than in similar studies conducted in the U.S. We summarize our results in the following sections:

General Understanding and Concerns about Privacy
Overall, Indians discussed privacy in terms of only personal space. The survey found that 48 percent of those surveyed related privacy to physical, home and living space. U.S. studies indicate that Americans relate privacy to health and financial information. Typical responses of Indian subjects when asked about privacy were: "Privacy for me is my personal territory" and "personal privacy." One survey question asked subjects to report their level of concern about personal privacy, and another asked subjects to report the level of concern about personal privacy on the Internet. Seventy-six percent of Indian respondents were "very" or "somewhat concerned" about personal privacy and 8 percent were "very" or "somewhat concerned" about personal privacy on the Internet. Comparing our results with other studies conducted in the U.S., we found a lower level of concern among the Indian sample than among Americans.

Awareness of and Concerns about Privacy and Technology
In general, the subjects in India were less aware about privacy related to technologies. Only 17 percent of the subjects mentioned any privacy concerns related to computers. A typical Indian response regarding computerization of data was, "No I don't have any concerns. In fact I feel like you should computerize everything." Many U.S. studies have shown that Americans are wary about computerization of data and unauthorized people accessing their data. Most of the respondents in our studies were unaware about the concept of changing the browser's cookie settings. Similarly, no subject in India mentioned about threats from biometrics and concerns related to Internet privacy. Few subjects mentioned the threat of mobile phones with cameras, which may be attributable to recent incidents related to video voyeurism in India. Overall the behavior of subjects in India can be attributable to the limited technological growth as compared to other developed countries.

Comfort Level of Sharing Different Types of Data
We found significant differences in comfort level across the nine types of personal information surveyed (postal mail address, email address, phone number, age, health and medical history, passport number, annual household income, credit card number and passwords of email/ATM). Respondents were most comfortable sharing their age, email address, and health information with Web sites, in contrast with U.S. attitudes. We suspect this view in India might be because of less discrimination in the professional and social lives on the basis of health information. Medical insurance is not very popular in India among individuals and employers. They were least comfortable sharing credit card numbers, passport numbers, email and ATM passwords and annual income. A common reaction of the subjects in India was, "As an Indian mentality, we always like to share things." Another subject mentioned "my friends and family members know most of my information including financial and medical information." This shows that subjects have different concerns and comfort level for specific data types in both countries. 

Trust in Businesses and Government
Overall, we found large differences in willingness to trust organizations and the government with personal information. Researchers have found that privacy-concern levels tend to be correlated with distrust in companies and government. Most of our subjects (86 percent for businesses, 81 percent for governments) were highly trusting, and very few were untrusting (7 percent for businesses, 4 percent for governments). A 2001 Harris Interactive study found that only 10 percent of people in the U.S. have high levels of trust for businesses and 15 percent have high levels of trust for the government. A typical response of an Indian subject was, "I believe in government, 100 percent they will not abuse it." These results suggest that the level of privacy concern among our interview subjects in India was fairly low.

Posting Personal Information
One of the common practices in India is posting personal information publicly. Universities post students' full name and grades on public notice boards on campuses. We found that about half of the respondents were concerned about university grades being posted publicly. Another common practice is publicly posting personal information of travelers at Indian railway stations and in train compartments. The posted information includes last name, first name, age, gender, boarding station, destination, seat number, and a passenger-name record number. We found even lower levels of concern about this practice than of the public posting of grades.

This information is gleaned from an exploratory study to understand the attitudes of Indians toward privacy. We found less concern and awareness about privacy issues among Indians. As discussed by various other studies, we attribute most of this behavior to the cultural aspect in India. Concerns have been raised whether the Indian outsourcing industry can properly protect personal data. Our results suggest that the Indian high-tech workforce may not be sufficiently aware of privacy issues, and that the outsourcing industry and international businesses may need to provide privacy training to their employees. This training could also be a part of the Indian undergraduate education. We see a basic difference in privacy perceptions among Indians and Americans. Indian lawmakers are looking at privacy laws and regulatory programs from different countries. It is important to realize that U.S. laws and programs may not have the same effect if introduced in India.

We believe that a comparison of our results with data from a similar study conducted in the U.S. during the same time would give a better understanding of the differences in the attitudes and awareness in both countries. Although we obtained some interesting results consistent with studies of Indian cultural values, it is important to recognize the limitations of our samples. The results we obtained cannot be generalized to the entire Indian population.

Ponnurangam Kumaraguru is a PhD. student in the COS (Computation Organization and Society) program with the School of Computer Science at Carnegie Mellon University. His research interests range from modeling trust, representing privacy policies in machine readable format, electronic voting, privacy issues related to RFID and to cross-cultural privacy issues. He can be reached at ponguru@cs.cmu.edu. Complete reports of the studies may be reviewed at http://www.cs.cmu.edu/~ponguru/PET_2005.pdf.This e-mail address is being protected from spam bots, you need JavaScript enabled to view it  

Awareness of and Concerns about Privacy and Technology
In general, the subjects in India were less aware about privacy related to technologies. Only 17 percent of the subjects mentioned any privacy concerns related to computers. A typical Indian response regarding computerization of data was, "No I don't have any concerns. In fact I feel like you should computerize everything." Many U.S. studies have shown that Americans are wary about computerization of data and unauthorized people accessing their data. Most of the respondents in our studies were unaware about the concept of changing the browser's cookie settings. Similarly, no subject in India mentioned about threats from biometrics and concerns related to Internet privacy. Few subjects mentioned the threat of mobile phones with cameras, which may be attributable to recent incidents related to video voyeurism in India. Overall the behavior of subjects in India can be at-tributable to the limited technological growth as compared to other developed countries.

Comfort Level of Sharing Different Types of Data
We found significant differences in comfort level across the nine types of personal information surveyed (postal mail address, email address, phone number, age, health & medical history, passport number, annual household income, credit card number and passwords of email/ATM). Respondents were most comfortable sharing their age, email address, and health information with Web sites, in contrast with U.S. attitudes. We suspect this view in India might be because of less discrimination in the professional and social lives on the basis of health information. Medical insurance is not very popular in India among individuals and employers. They were least comfortable sharing credit card numbers, passport numbers, email and ATM passwords and annual income. A common reaction of the subjects in India was, "As an Indian mentality, we always like to share things." Another subject mentioned "my friends and family members know most of my information including financial and medical information." This shows that subjects have different concerns and comfort level for specific data types in both countries.
 
Trust in Businesses and Government
Overall, we found large differences in willingness to trust organizations and the government with personal information. Researchers have found that privacy-concern levels tend to be correlated with distrust in companies and government. Most of our subjects (86 percent for businesses, 81 percent for governments) were highly trusting, and very few were untrusting (7 percent for businesses, 4 percent for governments). A 2001 Harris Interactive study found that only 10 percent of people in the U.S. have high levels of trust for businesses and 15 percent have high levels of trust for the government. A typical response of an Indian subject was, "I believe in government, 100 percent they will not abuse it." These results suggest that the level of privacy concern among our interview subjects in India was fairly low.

Posting Personal Information

One of the common practices in India is posting personal information publicly. Universities post students' full name and grades on public notice boards on campuses. We found that about half of the respondents were concerned about university grades being posted publicly. Another common practice is publicly posting personal information of travelers at Indian railway stations and in train compartments. The posted information includes last name, first name, age, gender, boarding station, destination, seat number, and a passenger-name record number. We found even lower levels of concern about this practice than of the public posting of grades.

This information is gleaned from an exploratory study to understand the attitudes of Indians toward privacy. We found less concern and awareness about privacy issues among Indians. As discussed by various other studies, we attribute most of this behavior to the cultural aspect in India.

Concerns have been raised whether the Indian outsourcing industry can properly protect personal data. Our results suggest that the Indian high-tech workforce may not be sufficiently aware of privacy issues, and that the outsourcing industry and international businesses may need to provide privacy training to their employees. This training could also be a part of the Indian undergraduate education. We see a basic difference in privacy perceptions among Indians and Americans. Indian lawmakers are looking at privacy laws and regulatory programs from different countries. It is important to realize that U.S. laws and programs may not have the same effect if introduced in India. 

We believe that a comparison of our results with data from a similar study conducted in the U.S. during the same time would give a better understanding of the differences in the attitudes and awareness in both countries. Although we obtained some interesting results consistent with studies of Indian cultural values, it is important to recognize the limitations of our samples. The results we obtained cannot be generalized to the entire Indian population.

Ponnurangam Kumaraguru is a PhD. student in the COS (Computation Organization and Society) program with the School of Computer Science at Carnegie Mellon University. His research interests range from modeling trust, representing privacy policies in machine readable format, electronic voting, privacy issues related to RFID and to cross-cultural privacy issues (specifically in the third world countries like India). He can be reached at ponguru@cs.cmu.edu. Complete reports of the studies may be reviewed at http://www.cs.cmu.edu/~ponguru/PET_2005.pdf. nation. Companies at the stage of seeking authorization from CNIL must be prepared that data protection officials could deny the request.
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it 

Conclusion

These suggested adjustments will not solve all conflicting issues between SOX and CNIL decisions. However, both sides of the Atlantic may find grounds for a compromise. The CNIL acknowledged that businesses cannot solve conflict of laws alone and therefore brought this conflict to the attention of the SEC, the French government and the European Commission. A dialogue started recently among the CNIL President, Alex Türk, and SEC representatives, to define an acceptable system under the two regimes, including a solution to preserve the confidentiality or anonymity of whistle-blowers. It is evident that this conflict is not solely a "French issue." Very recently, the Belgian data protection authority received a complaint from trade unions against Fortis AG. And that's not all. The issue will likely receive pan-European attention, as the article 29 Working Party (gathering representatives of all EU data protection authorities) is considering the topic.

Chief privacy officers would be well-advised to take a strong look at the internal compliance mechanisms of their groups, while following closely the evolving international debate.

Pascale E. Gelly is an attorney registered with the Paris Bar specializing in Data Protection legal issues, as well as New Technologies and Intellectual Property Law. Gelly can be reached at +33.1.44.77.88.11 or at pg@pascalegelly.com.