skip to Main Content

If Data were Human: Applying the concept of VISA reciprocity to Data Transfer for India

If you are someone like me, and have travelled to other parts of the world, you might have gone through extensive Visa applications giving away private details about your life (finances, family etc.), cross border examinations and random checks at the airport. This experience can be smooth and easy most of the times, but each time you need to invest time and energy to prepare for the unexpected and keep your calm at all times. Being calm is the key, because if you express any discomfort at any time, you raise the risk of being denied entry and be disappointed at the very least. Well, human beings and their behaviour are easier to understand and regulate, and that’s how our world is designed; a world of checks, balances, control and regulation. And we try to do that with technology as well, which is ever changing like our own selves and worlds we live in. In this world of ours, we have visa or immigration rules that are designed to regulate and control the movement of humans across different sovereign nations. Sovereign nations, who reserve the right to allow access to their own borders to foreign individuals by the powers vested in the visa officers and the border control immigration officers. No matter what country in the world, the immigration rules for each country are well formulated and mature systems are in place to handle this way of life. When I say a mature system my guess is at minimum there is a visa application processing and issuing body and a border check officer that looks at your face, your passport and your visa status and decides to let you in or not in each country.

How humans travel around the world

My very first foreign visa application was for Sri Lanka in 2009 when I was invited as part of the significant contributors to the founding Sahana Foundation conference. That process was relatively easy, all I had to do was include the tickets, bank statements, a picture and the tickets with the letter of invitation from the conference organisers. The flight I took was from Delhi->Chennai->Colombo. My first outbound flight stamp from the Indian immigration said Chennai airport with the date of departure. I remember it was during the time when the local political situation was tensed, which is why my someone (I don’t remember who) had advised me to inform the Indian embassy in Colombo about my arrival and departure dates. My border control experience at Colombo airport was smooth, no questions asked and I was immediately out in a taxi admiring the coconut trees and the smell of the sea on my way to the hotel. It was only later that I realised I am in a land, where I don’t speak the language.

To sum up this experience, the visa application had the following steps:

  1. Decide if I want to go to this foreign country.
  2. Find out the process of application and the requirements of this foreign country.
  3. Gather my personal information as required by the foreign government where I want to go.
  4. Submit application and pay for Visa processing fees.
  5. Wait for their decision on my application.
  6. Upon approval, plan the travel. Head to the airport.
  7. Check-In with the airlines, who check my ticket and VISA’s validity, because they bear the responsibility of onboarding anyone who embarks on the journey on their aircraft.
  8. Transit through my own country’s border control upon their approval.
  9. Hope the plane does not crash and I land safely, and then meet the immigration officer of the Border Control of Foreign Country. Smile and answer questions, if any.
  10. Get your bags and exit the gate.

Here I am a human, society’s basic individual unit, just like data is the basic unit of information. And I transit through two end-points i.e. port of disembarkation (Chennai International Airport, India) and port of entry (Colombo International Airport, Sri Lanka). I have a valid identity document (passport) and authorisation to transit (Sri Lankan Visa) and my intentions of travel were scrutinised by at least three institutional entities; the airlines, the Indian government and the Sri Lankan government. The three institutions also had access to my private information at all times which was also stored on their premises. My intentions, myself and the objects that I was carrying i.e. the collective me, were scrutinised by the security at two airports (at least) to allow me entry and exit. The airport can be considered as a platform where the exchange of entities (objects, information, humans etc.) takes place. All these three institutions follow their own regulations and laws in handling my private information, but I wouldn’t know those because, I never bothered to find out and no one told me how to. But let’s just assume that for the time being. All that private information about individuals is saved on computers on networks and is communicated cross-border as well through end points and country exit nodes, collectively referred as Internet Exchange Points or IXPs (example in Figure 1 below). IXPs might be seen as the airports of data that travels across borders on the internet. (Although the information on all of the world’s IXPs is not really accessible completely, here is a partial list that is publicly shared and for accurate understanding of the internet backbone, BGP etc. follow the article’s trail here.) Just like the airports allow different airline companies to operate from and use their premises, IXPs allow different network operators (private, public or secret) to transit through their nodes following standards and protocols mutually agreed upon. No matter what their status is, each entity in this constellation of actors is physically (or legally) located within the borders of one sovereign nation at all times, and therefore, subject to the nation’s regulatory body. For the purposes of this article, I would like to ignore the politics of the internet and focus on the human who is the individual unit of society or simply, the citizen and the sovereign nation’s autonomy.

How Data travels around the world

When I fill up a form on any website on the internet and enter my first name, the value “fname” embedded in the HTML code of that form is processed and transferred the moment I hit the submit button. The identifier fname containing the value Ajay gets processed on my computer’s browser and, if its an SSL enabled site, gets encrypted during transport from my computer to the ISPs computer and a whole different number of nodes before terminating at the website’s server to process, store and send back the result to my computer following the same process.

Figure 1: Visual trace-route for Sri Lanka visa portal using VPN from Germany on 22.09.2020 that passes through DE-CIX link between Germany and Sri Lanka.

Referring to Figure 1, if I were sitting in Germany and filling up the Visa application on the Sri Lankan government’s website my information will cross through sovereign borders of Germany->Romania->Germany->Sri Lanka where the direct link between Germany and Sri Lanka is facilitated by the DE-CIX network, supposedly the second largest IXP in the world.

Let’s bring the example a little closer to home and travel to India, thanks to VPN.

Figure 2: Visual trace route of Chinese Foreign Affairs website from India

China’s visa process is outsourced to a private entity which hosts its website on USA’s providers when I tried to access it. So I looked up their foreign affairs website for the purposes of this article and did a trace route. And as you can see the route was India->Italy->Japan->China showing IXPs, Seabone in Italy (DE-CIX Palermo is served by Seabone as well making interconnection between the two possible) and KDDI, Japan before terminating in China. I did the same process for Russia (Figure 3) and U.S.A (Figure 4) below. For Russia the hop was India->Netherlands->Russia and for U.S.A it was India->U.K.->Singapore->U.S.A.

So, if data were a human holding an Indian passport who wants to travel to China, they would need to apply for VISA for Italy, Japan and China. I understand when one flies by air, transit through airports are usually exempt or one needs to apply for Transit Visa. This makes airports as special zones were under controlled circumstances, transit of foreigners is allowed. Therefore, IXPs could fall under similar arrangements as well. But just like, when I didn’t know about my rights as an Indian citizen, and, that of my data, when they were being handled and protected by three institutions when I applied for the Visa, I don’t know how my data is being handled by these data transmitters when I submit the form.

Reciprocity for Citizen Data as a Policy

Just like Visa relationships are highly skewed, unequal and a matter of power relationships, data access, rights and legislations dealing with data transfer in today’s world is highly skewed and unequal as well. For example, the regulatory troubles of Big-Tech companies in the west has been a hot topic for quite a while now. While they struggle to be answerable and comply to the demands of their own government or that of the European Commission, they seem to still enjoy a free pass in most developing countries in the Asian and African continent. In India, the government has been praising the efforts of Facebook and Google for their investment in India among other companies while the local tech giants have their own views. Technology and Privacy experts in India often conflate and compare between two different worlds which are highly unequal in terms of power. The other argument they make is that the government does not understand technology. Blaming government workers or policy makers for not adequately understand technology is not restricted to India, if you hear the congressional hearings in the U.S.A. you’d agree. However, government workers do understand power, which was the whole point of the grilling of silicon valley tech bros where they accused technology companies for having too much power and exercising its sovereign regulatory power to protect its citizens. Maybe, since the governments around the world understand their own immigration rules and systems, they can try to equate the same level of understanding and try to see how they can regulate cross border data transmission and handling of its own citizens by entities who are foreign to their own sovereignty.

I see reciprocity as a concept that conveys equality of power, mutual respect and dignity in this context, where one data handler, technology provider or a network operator maintains the same standards across the border. The language in which computers and networks communicate to each other might suggest they do not really care about the person, as all they see is numbers. It’s the people and institutions controlling these computers and networks that can use that data and piece it together to build up information about humans. Equating a sovereign nation to an individual, it is the basic nature of an individual to act in their self-interest and those same values transcend to the nation’s sovereignty in the political arena (recommended reading). And India generally follows the concept of reciprocity when it comes to visa rules for foreign nationals. This means, if Indians require a visa to visit your country, chances are that you would need to apply for a visa to visit India as well. It is also a concept that is central to Europe’s approach to maintaining visa relations with non-EU countries. The concept of reciprocity has also been studied by multiple disciplines.

As a concept, reciprocity can be used to understand what is at stake when data of your citizens are being handled by foreign entities and gets transmitted across various borders of multiple sovereign nations. If I, a human, and data were one and the same, would governments and technology companies be more careful in the way they handle me? Why would you as a government allow private entities unregulated access to monetise or use my information in any way? The citizen does not even know or bother to care about the bureaucracies and laws that are in place to protect me as a citizen. It’s the government’s one main job; to protect the interests of its own people against enemies, both foreign and domestic. Maybe policy, tech and privacy advocates could start looking at various mechanisms in place when it comes to self-interest, foreign policy and then consider them for understanding citizen data handling across borders.

Well all these are interesting questions that sometimes I ponder about.. But the most profound questions that I am think right now is,

What if the HTML reference fname had a passport and citizenship of India as well, just like me? And, would that entitle the same level of respect and dignity for my fname that I receive?

Some people worry about dolphins, tonight I worry about data… and India.

Figure 3: Visual trace route of Russian Visa website from India
Figure 4: Visual trace route of Embassy of U.S.A. website from India


Links/References used as hyperlinks in the article:


If you would like to cite this page here is a suggested citation as part of ISSN 2700-290X:

Kumar, A. (2020) “If Data were Human: Applying the concept of VISA reciprocity to Data Transfer for India” In Rural Human Review, #8, September 2020. Muenster: Rural Human Review. Retrieved month dd, yyyy from

Back To Top