In one of the largest data leaks in social media history, Cambridge Analytica, a London-based political consulting firm linked with US President Donald Trump’s 2016 election campaign, allegedly extracted Facebook data from 50 million user accounts without consent. A loophole in the social network’s application programming interface or API allowed a third-party to collect data through its apps of not only the app users but also from their friends network. The firm is accused of creating psychological profiles to influence how people vote or even think about politics and society or “behavioural microtargeting with psychographic messaging” that could have affected the polls.
The exposé, which prompted Facebook CEO Mark Zuckerberg to publicly apologise for the “breach of trust” was done by a whistleblower who has also claimed illegal funding by the Brexit campaigners, that questions the legality of the referendum, besides triggering a debate on data privacy practices across the world. A rare probe has been launched by the US Federal Trade Commission. In India, data theft allegations reached Prime Minister’s doorstep, with a French researcher tweeting that Prime Minister's official application “NarendraModi.in” has been sending personal information of its users to a third-party data analytics website in.wzrkt.com without the users’ consent. (Down To Earth tried accessing in.wzrkt.com but it failed to open and the google listing for the site said “no information is available for this page”). Fact-checking website Alt News verified the claim and found it to be true despite the privacy policy in place then that clearly stated “Your personal information and contact details shall remain confidential and shall not be used for any purpose other than our communication with you. The information shall not be provided to third parties in any manner whatsoever without your consent.” It was, however, changed, without any user intimation, to: “Certain information may be processed by third party services to offer you a better experience.”
Pratik Sinha, co-founder of Alt News, says, “The issue becomes much bigger since he (Modi) is the prime minister of the country. At least that is the position people want to trust. And instead of being upfront about it, which at least Facebook was, the privacy policy was secretly changed.”
Even Congress has been facing criticism for its possible link with Cambridge Analytica ahead of the 2019 general elections, with the whistleblower testifying that the party had employed the controversial firm for certain "regional projects".
Sinha says the central issue is that the psychological quiz app that passed on the data to Cambridge Analytica “need not be the only app at that point of time” and that once Facebook digs out details of other apps that had a similar access during the period, “we will see what sort of apps gained that level of data and whether it still exists somewhere and has been utilised for Indian electoral purposes”.
Sinha added that as bad actors are always present in a system who abuse it and its loopholes, the central blame of the data leak falls on Facebook because it was responsible to guard the users’ data. He also raises a question that if Facebook had plugged the gap in 2015 as they claim, for how long is that data valid and how it can be used in influencing elections.
Osama Manzar, Founder and Director, Digital Empowerment Foundation says data privacy protections currently in place are “no longer enough to encompass all the technological advances made in the past two decades”.
“India is in the process of making a data protection law and this process needs to be expedited. The existing provisions in the IT Act are not stringent enough. The law should adopt and adapt the EU's General Data Protection Regulation (GDPR), which is set to come into force this May. The GDPR places strict collection on the purposes that data can be collected and how it can be processed. It has a provision for the right to be forgotten, which ensures that residents can ask that their data be deleted from databases under the right circumstances,” he adds. Google has also recently updated its EU User Consent Policy to reflect the new legal requirements of the GDPR.
Both Sinha and Manzar agree that the way forward is digital literacy and awareness, especially in a country like India where there are many first-time internet users. “A lot of people work with the default settings, so the other question is the know-how. People do want to post pictures and their personal moments (on social media). In that case, we should be well aware of these privacy laws... At the end of the day, you are dealing with your own data. Just the way when you walk out of the bank, you look at your passbook very carefully, (in the digital world) you should be careful about the permissions you are giving to an app. The challenge is that we are not taught through our education as to how to deal with this expression of data,” Sinha says. “Initially, it will need a conscious effort but over the time, it will become a subconscious activity similar to how we look at both left and right while crossing the road.”
Manzar adds that privacy policies need to be understandable by the common people and not be written in complicated, legal language, especially in India that has language barriers and low literacy rates. “Strict onus of accountability needs to be placed on bodies that collect data,” he says, adding that there needs to be a regulation of such platforms “but what is the right kind of regulation needs to be debated. In a country like India, with the current political climate, regulation left solely to the government might do more harm than good.”