Conversations around privacy and data security are increasing everyday. The government has tabled a Personal Data Protection bill in the parliament, and a Joint Parliamentary Committee has presented its report on the potential and concerns regarding privacy and personal data.
There is a need to do data privacy across domains and at scale, especially around the following themes:
- Data protection/security practices.
- Consent frameworks tied to purpose use limitations.
- Data rights.
- Encryption practices.
The Privacy Mode Fellowship programme is set in this context. The goal of the programme is to work with practitioners to document practices that can be widely adopted across the industry, and innovated upon. The programme is particularly interested in showcasing:
- Privacy-related challenges that practitioners are solving, and the context around these.
- Solutions, and evidence of how these solutions have been implemented in different organizations.
- Results achieved through the solutions - a before and after explanation of what changed, and metrics achieved.
Check out the Best Practices Guides to understand the type of topics that the Fellowship is looking at.
If this is you, apply to be a Privacy Mode fellow today.
Duration of the fellowship programme: 3 months - from February to 30 April. Applications can be submitted till 21 February.
Time commitment involved: Part-time. As a Fellow, you will do your Fellowship projects alongside your day job. The programme will require between one and four hours time commitment per week to produce the output. The editorial desk will work with Fellows to set milestones and deadlines.
a. A detailed article of 1,000 to 2,000 words - with illustrations, OR
b. 2-3 videos explaining practice and learnings in sequence.
Compensation: Rs. 1,50,000 - paid in three tranches, upon completion of milestones during the Fellowship period.
Feedback and mentorship from jury: A three-member jury of experts will guide selected applicants through conceptualization and documentation stages. The jury members for the fellowship programme are:
1. Uzma Barlaskar, Head of privacy and growth at WhatsApp.
2. Anand Venkatanarayanan, Independent cybersecurity researcher.
3. Sankarshan Mukhopadhyay, Editor at Privacy Mode.
Other benefits: As a Fellow, you will receive the following infrastructure and support:
- Editorial desk with copy-editing, proof reading and graphic design resources to help you complete your outputs.
- Distribution and elevation of final outputs.
Who can apply:
1. Tech practitioners - senior engineer, product manager, engineering manager, privacy officer - who work on data governance and privacy in their organizations.
2. Individuals from academia who work on data privacy.
3. Individuals working on social impact via data privacy.
Five applicants will be selected to participate in the first batch of the Fellowship Programme.
To apply for the Fellowship, submit the following here:
- A statement of intent and purpose, detailing the following-
- What problem area are you solving and the context around this? As mentioned above, the Fellowship programme will cover the following themes:
A. Data protection/security practices
B. Consent frameworks tied to purpose use limitations
C. Data rights
D. Encryption practices
- A description of the solution and evidence of how it was implemented at your company.
- Results achieved through this.
- The form in which you see the knowledge finally shaping up as - as an article or as a series of two-three explainer videos.
- Two samples of work - written or video.
- Your bio.
Fellows’ will be selected on the basis of innovative approaches and solutions implemented for privacy.
The following criteria will also be applied for selecting fellows:
- Diversity - women, trans and gender non conforming persons and individuals from marginalised social contexts will be given preference.
- Candidates with prior speaking/writing experience.
- Candidates with mid to senior engineering and product leadership roles will be given preference.
Data Protection and Security Practices at Doosra
Statement of Purpose
The problem that we at Doosra are trying to solve is simple, with a wide ambit of uses across multiple platforms. We are solving the issue that plagues people daily - is it is prudent to share our number on XYZ platform and what can be the ramifications of doing so? When was the last time any of us had to share our number on a website and had to think twice if it is safe to do so? We have most likely lost count of such instances.
Let's take a step back and look at the reason for us thinking this way. Why do people (or at least most people) hesitate to share their phone numbers anywhere and everywhere? Here are 2 primary reasons:
- Calls and Messages from completely unwarranted sources
- The phone number is a mandatory requirement for nearly every important service - Banking, Aadhar linking, 2FA for various platforms we use
The first problem is that it adds to the mental burden that we already face in this highly connected world. Precious minutes of our time and focus is taken away due to communication that holds no value. Then there are things like prank calls, scam calls, incessant follow-ups from some service providers.
The second problem is where a user's data can potentially be compromised. It is well-known that numbers are not safe once shared. They are shared between multiple parties.
Case in point - Enter a number on an online insurance portal and you'll get at least 3 other calls from other providers.
When this happens with an identifier like a mobile number that is used for literally every service we use today, it's not a surprise that there is a rising number of cases of fraudulent activity. A simple SMS with a link can leave our phone compromised which enables the perpetrator to gain access to critical information like your Name, Date of Birth, and other such information. This can now be used to bypass security questions and even get a new SIM issued to them after which they can access anything that needs an OTP. While OTP as an authentication mechanism is quite robust and safe, it no longer is if someone else can get them.
This is where Doosra comes in. We solve both the problems mentioned above. Our virtual number works as a layer above the primary number that helps one share it without thinking twice. We provide a mobile app interface to manage the number and every call is blocked by default. Only numbers that are whitelisted can reach the user, in which case we forward this call to the primary mobile number. Even then the primary number is unknown to the caller. SMSes can be read on the mobile app or can be left untouched basis the user's choice. Notifications are again consent-based, users can give out their Doosra number, switch OFF their app notifications and forget about receiving any unwarranted call or message notifications.
This way users can gradually take back control of their privacy. Now the question is asked about us being an aggregator of these messages and services, and why we wouldn't do the same as others and monetize the data. Well, what we do not have in common with the others is that we are a paid product and have made that decision right at the inception of our service that we will continue to be paid. This allows functioning without having any need to monetize user data and this is a foundation that our product is built on - Privacy.
Data Security Practices
Moving on to the user data security aspect, here's how we safeguard customer data:
- Sensitive Data like credit card or bank information is not stored at all on our servers
- We collect payments via Razorpay and only get certain metadata about the payment like the method used and the last 4 digits of the credit card
- Users mostly interact with Doosra via their mobile app - We make sure to take minimal permissions and any feature that requires extra permissions is completely consent-based
- Example - A certain feature in the app requires access to the user's location, the user can choose to not use that feature but continue to use the app as usual
- We are a completely ad-free platform and do not collect any personally-identifiable user data on the mobile app
- SMSes are encrypted with unique encryption keys for each user
- User-level data is never shared with any third party whatsoever the case
- Data Analysis is limited to aggregate data and any data provided in reports is based on a unique internal identifier which limits the scope of any number (Primary or Doosra) from being leaked
- When a user chooses to not renew their subscription, their entire messages and calls data is automatically purged 18 months after their account termination
- Periodic cybersecurity audits to figure out any major chinks in our security practices
Furthermore, over the next few months, we are planning on an architectural change wherein:
- User data is pseudonymized where any Personal Identifiable Information (PII) is decoupled from all other data
- All the applications will work with these pseudo identifiers as user IDs instead of storing any PII data within their systems
As an organization that values privacy, we are always looking at improving our data security practices and believe it is an ever-evolving scenario where reassessing and improving is the key to ensuring that the user's privacy and data are protected to the best of our ability. Being part of this fellowship can help us learn and understand from other practitioners and mentors to add value not only to our own users but also to anyone looking to shore up on their user privacy and data security practices.
Doosra Till Date
We launched Doosra in September 2020 and have to date associated with close to 8000 users who have collectively received close to 2.2M SMSes of which 41% of SMSes have been identified as spam either by our system or the user. We have also processed 847,000 calls of which 80.2% were auto-blocked i.e. wasn't forwarded to the users.
Going forward we want to be known as a go-to service to protect user anonymity.
I am the Product Lead at Doosra and am part of the founding team. We started work on Doosra in November 2019 and I have since been associated with Doosra. As part of such a young company, I have donned multiple hats over the last two years and have a good understanding of the product and underlying technology.
Previously, I worked with the Jindal group as a Manager in the Corporate Strategy vertical. I worked on a variety of projects from acquisitions to building KPI dashboards. I have done my PGDM in Finance and Marketing from the Indian Institute of Management, Lucknow, and B.Tech from the National Institute of Technology (NITK), Surathkal.