Lessons learned from the Facebook-CA incident

Consumers and organisations are now more aware of sharing personal data with service providers. But governments need to do more to protect citizen data.

Updated: 8-April-2018

On March 16, the world was distraught to hear how Cambridge Analytica (CA) had misused consumer data it procured from Facebook to influence voters during elections. Facebook admitted that the personal information of about 50 million users wrongly ended up in the hands of consultancy firm Cambridge Analytica, which worked on US President Trump’s 2016 campaign. Facebook consumers were enraged to find that their trust in the social media platform had been betrayed and their privacy breached.

What does that mean for Indians who also have accounts on Facebook? There has been news that certain Indian political parties have worked with CA in the past.

Update: In a further development, it has been reported that the Facebook data of 5.62 lakh (1 lakh = 100,000) Indians is affected by the data scandal. This data has been gathered through the Facebook app and is in the possession of Cambridge Analytica. Facebook has over 20 crore (200 million) users in India.

Facebook claims that “only 335 people” in India were directly affected by the installation of an app and another 562,120 people were “potentially affected” as FB friends of those users.

“The saga is noteworthy because of the magnitude of customers involved and the way the harvested data might have been used,” said Jaspreet Singh, Partner – Cyber Security – Africa, India & Middle East (AIM) | Advisory Services, EY. “As we are moving towards digitisation, and as we involve technology in our life, it is becoming relatively easy for anyone to gather intelligence about our personal life, putting consumer privacy at the spotlight.”

But protecting the Aadhaar number, a unique identification number for all Indians, is a bigger concern.

March is the final month of the Indian financial year. In this month (and the preceding months) Indian consumers received many SMS messages and emails from banks, financial companies, service providers and third-party processors – urging them to complete a “mandatory” process called KYC (Know Your Customer). The emails cited a government mandate for citizens to furnish their Aadhaar number and other identification details by March 31st. The Supreme Court of India then issued a notice saying this deadline (March 31st) was extended indefinitely.

When such notices, mandates and deadlines are issued in India, they create a sense of urgency and a need to hurriedly comply as the deadline approaches. And it’s very fashionable to do things nearer to deadlines, in India! Malicious elements can take advantage of human anxiety and fear, and send false notices with malicious links to fool consumers into revealing personal details – which could be fraudulently misused.

It’s a well-known fact that the laws in India are inadequate to protect consumer data and privacy. There is compliance in certain industries, but it is largely towards securing infrastructure and data behind corporate firewalls.

“We still don’t have any data protection laws or privacy rules to avoid such a scenario,” said Altaf Halde, Global Business Head of Network Intelligence – a Global Cyber Security Services provider. “Though we have many compliances that companies follow for data protection and privacy issues, the adoption has not yet reached a stage where we can confidently say, that, as citizens, we are protected in case of any privacy issues.”

There is, however, a provision in the law in the IT Act 2000, said Adv Prashant Mali, President & Founder, Cyber Law Consulting (Advocates & Attorneys). “If any Facebook consumer has valid evidence of this breach, a criminal case under Section 43(b) read with Section 66 of The IT Act, 2000 can be filed, along with a civil suit for compensation and damages,” said Mali.

Consumers at risk

The lure of ‘free’ is too high a temptation to ignore. There are numerous services on the Internet today with convenient and useful services for consumers. Moreover, access to these free services is often through mobile apps – making it far easier for a consumer who has never used a PC to surf the Net.

While installing apps or registering for services, consumers rarely read the fine print to know their rights. Does anyone read the T&C to learn what the service provider is entitled to do with the personal data that consumers share? Do you blindly agree with everything the app asks during its installation on your phone? Can this app access your phone address book? It is like going for a free coffee or beer with a colleague or business peer – who wants your knowledge and advice on a certain matter (and not the pleasure of your company).

“Today, the fine print hides what consumers give away as rights while using these data aggregator services,” said Pankit Desai, Co-founder and CEO, Sequretek. “The way their data can be used or abused is something that there is just no understanding of the service users, just like the way hazardous warnings are put on cigarette packets. The risk to individuals is similar, if not higher since the collective consciousness of a generation can now be moulded using the large database at these companies’ disposal.”

Government and Regulator role

Consumer data usually rests on servers in data centres outside the country. To speed up access, these servers ‘mirror’ or duplicate consumer data on mirror servers, locally. But that is a secondary consideration.

When the data of a national is outside its jurisdiction, what can a country do to protect citizen privacy? The question that some ask: “Is our government doing enough?”

“Many countries including ours (India), have time and again raised this issue with tech majors like Facebook and Google, about storing data on US servers,” said Sequretek’s Desai.

“(Facebook/Google) being a private organisation, there can’t be much done by the government of the host country. The state heads of these countries should jointly mull a policy initiative where data of citizens of one country should not be stored on foreign servers.”

Some believe there needs to be an international treaty or standards for consumer privacy, like the one that exists for crime and extradition of nationals. An international body with legal powers comprising members from various countries needs to set up policies and governing frameworks.

“The need of the hour is to have stringent privacy laws and regulations governing the personal data processed by social media giants and breaches should be penalized heavily,” said Jaspreet Singh of EY.

Desai echoes that sentiment and feels there is a need for adequate laws that strongly advocate protection of consumer data. “Currently, the laws don’t spell out stringent guidelines for companies who own the consumer data and how can they share it. Taking advantages of the loopholes, consumer data of any volume can be bought or sold just like any commodity,” he said.

Awareness

The Facebook incident has certainly stepped up awareness for consumer privacy at an international level. Companies like Facebook may soon be summoned to testify in courts. Fearing similar action against them, global tech companies offering B2C services have started revising privacy policies. You will get a sense of that the next time you log in to one of your favourite services.

“I feel there is a silver lining to this too. Mass awareness is now created so people wouldn’t trust news and games on Facebook anymore, or at least vigil would be high,” said Adv Prashant Mali.

Pankit Desai feels the need for an awareness campaign that continues to educate the user base on the rights they are giving up by using these platforms.

Conclusion

Going forward, consumers need to proceed with heightened caution when downloading apps or subscribing to new services.

Digital Creed advises its readers to read the privacy policies carefully and tweak the security settings in their social media apps. Don’t allow everyone into your private space – keep it exclusive to your inner circle.

Lastly, remember that there’s no such thing as a ‘free’ service – there is always a hidden agenda. Are you willing to pay for it with your data?

Brian Pereira

Brian Pereira has over two decades of technology journalism experience. He is the former Editor of CHIP and InformationWeek magazines in India. During his successful journalism career, he served India's leading newspapers: The Times of India and Indian Express Newspapers. Brian is also an Aviation enthusiast and gadget geek. He likes all things retro (80s). Write to Brian at: brian9p@gmail.com Twitter: @brian9p Linkedin: https://in.linkedin.com/in/pereirabrian