Sunil Abraham, Executive Director of Centre for Internet and Society, says Indians are vulnerable in the absence of a data protection law
What exactly is the nature of the Facebook data breach? What went wrong?
Technically, this is not a data breach. There is an internet standard called O-auth (open-authorisation). Through it, different applications on the internet that don’t want to build their own authorisation infrastructure can use the authorisation infrastructure provided by internet giants such as Facebook, Google, Twitter, etc. There was a personality quiz application, which used the Facebook O-auth service. In this protocol, the authorisation server can also give some data to the application which is using its services.
Does that mean that when we ‘sign up with Facebook’, we also authorise such transfer of data?
What you are doing is that you are a user of the application (personality application). Once you try to use the service, it will give you a choice — whether you want to authenticate yourself using Facebook, Twitter etc. So basically you are authorising a third-party application to use your data.
Previously, Facebook’s authorisation service allowed the third-party application to harvest data on your profile as well as that on your friends’ list. Facebook is designed to allow this kind of data harvesting.
How is the data harvesting being done by the third-party application dangerous for users of Facebook?
It is you who has given consent for data harvesting, and not your friends. But the application was abusing the consent given by you to harvest the data of people who have not given consent. Facebook had, however, discontinued this API in 2014 as mentioned by Mark Zuckerberg in his statement.
How can Cambridge Analytica (CA) — the British data consultant which also provides services to political parties — influence the choice of these Facebook users?
The CA has experts that focus on psychological manipulation. Thus, the more personal information they have about you, the more they can do what is called “micro-targeting of advertisements”. Suppose they know you are an undecided Republican (now governing party in the US) voter, so they can target you with information and propaganda — including misinformation — in order to push you over the fence. For example, it could discourage an African-American voter, who is going to vote for the Democrats, from going out to vote that day by showing him depressing content. They can also encourage a Republican voter to go out and vote by scaring them that if they don’t vote, the Democrats will win.
How do you take Zuckerberg’s statement? Can it even be considered a valid apology?
Whether he has apologised or not is irrelevant to our situation. What we Indians need is a regulatory response. For the past eight years, my centre has been working towards getting a data protection law. As the situation stands today, what Cambridge Analytica did in the US can be repeated in India. And that won’t be illegal under the present set of laws in India.
Union IT minister Ravi Shankar Prasad said Indian laws are stringent and they can also summon Mr Zuckerberg. How strong is the law that Mr Prasad could be referring to?
Section 43 of the Information Technology Act has been commonly misunderstood as the data protection law. In reality, it only has data security provisions, i.e. under Indian law if you lose property or money as the result of a breach of your personal information, you can approach the court. While in case of data harvesting it amounts to infringement of the right to privacy.
Ever since this scandal surfaced, both the BJP and Congress have been distancing themselves from the CA and are also accusing each other of using the CA or its Indian wing’s services. Why are these accusations making these political parties so nervous?
Unfortunately, I am only a policy researcher and I don’t follow a political party. It is better to ask a political analyst that kind of question.
Hypothetically, even if these parties – the BJP and the Congress — have used the CA’s service, have they been on the wrong side by doing so?
As I said previously, there is no law in our country. Suppose a political party did exactly what Cambridge Analytica did, it will still not be guilty under any law in India.
A commoner’s argument could be — even if my personal data is with these companies, how is it going to affect my voting choice?
What has been clear from the CA episode is that personal data can be used to manipulate you. They can make you depressed, they can make you feel suicidal, they can make you buy products that you don’t want, they can even make you vote for parties you don’t like. The most important aspect of the story is that it is undermining free will.
Since the 2014 general elections, India has been witnessing the rise of troll culture where dissenting voices are crushed. A narrative is being created in favour of one party or against any party standing against this party. Do you think services of such agencies could have been used to do so?
No, trolling is a separate thing, while manipulation is more subtle. Unlike manipulation, where you are unaware of the influences, in trolling you know when you are being targeted. The trolls are trying to silence and intimidate you – that is not done through the use of personal information.
There were media reports which said that 70 per cent of the applications used in India do not explicitly take user consent at the time of installation. Also, many of these apps do not even delete the personal information of users once they have been uninstalled from mobile phones. How dangerous is this situation?
It is not just that these applications don’t take your consent, or that they retain data after you’ve stopped using their services, what is scarier is that many of these applications take extensive permissions on your phone. For example, the torch application sometimes asks for permission to read your messages. What they can do using this is harvest your one-time passwords (OTPs) from your SMS folder in order to conduct fraudulent financial transactions.
They can also collect your personal photographs, and maybe later that can be used to blackmail you. A lot of horrible things can happen because we have, what is called, a regulatory battle.
According to media reports, the CA’s Indian subsidiary — Ovleno Business Intelligence, whose Indian operations are headed by the son of JDU leader KC Tyagi — was hired for elections in India — Bihar polls in 2010 and 2015, and in state polls. Could it be possible that data harvested by this company was used to influence voters?
Again, I don’t know the specifics connected to the behaviour of Cambridge Analytica and its subsidiary in India. I don’t think anybody has done any research on this question.
There is already the conundrum over Aadhaar in India and pressure to link it with our bank accounts and phone numbers. Do you think the Facebook data breach or data harvesting will press the question of privacy here?
It’s a very different type of privacy concern. With Aadhaar, the primary concern is of biometrics and the storage of biometrics in a centralised database. Here, it’s a concern of unauthorised third-party applications being able to harvest our personal data. Though different, they are two excellent case studies for us to test the effectiveness of our draft Data Protection Bill, which will come out in April or May.
The Facebook CEO didn’t mention that Facebook will stop collecting our data. Do you feel Facebook too is on the wrong side when speaking of attempts to harvest personal data?
You cannot accuse Facebook of doing wrong. Being wrong or right is an ethical question and subjective. For instance, I might think that Facebook is doing something wrong, however, Facebook, which is trying to maximise its shareholding value, might think it is doing right.
Also, at the end, it’s all about the legal framework. In US jurisdiction, what Facebook did is completely legal. Under the European data protection law, what they did is illegal.
This article was first published in Newslaundry.