We are anonymous, we are legion

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts

Admin — 2018-03-27T02:16:55Z

Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.

The article by Mayank Jain was published in Business Standard on March 27, 2018. Pranesh Prakash was quoted.

The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.

Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database.

Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet.The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”.This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.“Publishing this by the state entities is a violation under the Aadhaar Act.

Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society.“Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.”Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks.

He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints.The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches.In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making public citizens’ Aadhaar-related information public unless required for certain purposes.

“Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of ~10,000 under the Act.A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.

The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek.“So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said.Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public.“Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.

Queries sent to the UIDAI were not answered till the time of going to press

For more details visit https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts

Data Breach: How will the biggest scandal that Facebook is mired in affect its credibility in India?

Admin — 2018-03-27T02:09:41Z

Facebook has not been able to catch a break lately.

The article by G. Seetharaman and Shephali Bhatt with additional inputs by Indulekha Aravind was published in the Economic Times on March 26, 2018. Sunil Abraham was quoted.

Rebuked for the misinformation spread on its platform by Russian agencies during the 2016 US presidential election, aiding Donald Trump’s victory, Facebook was on the defensive for most of 2017. Making matters worse for the Menlo Park, California-headquartered social media behemoth, another one of its past oversights has now come back to haunt it in what is undoubtedly its biggest public relations challenge.

Reports by the New York Times and the Observer of London on March 17 disclosed that a researcher linked to Cambridge Analytica (CA), a political consulting firm that worked on Trump’s campaign, had accessed details of 50 million Facebook users unbeknownst to them and shared it with CA, which uses online data to reach voters on social media with personalised messages. The reports were based on revelations by whistle-blower Christopher Wylie, who had worked with CA.

This is how it unfolded: in 2014, CA hired Aleksandr Kogan, a Soviet-born American citizen, to mine data on US voters on Facebook, through a personality quiz app. It was downloaded by 2,70,000 users, who logged in with their Facebook credentials. That enabled Kogan to access not just their data on Facebook, but also their friends’ profiles. Facebook says Kogan lied that the data was only for his research, while there was a commercial element to it as CA paid for the app. It is unclear at this point how exactly the data was used or whether it was effective.

In 2015, Facebook removed his app and sought an assurance from him that the data had been destroyed. But it later found out that the information had been passed on to CA. Facebook has since stopped apps from accessing information about a user’s friends and has even limited the data that can be collected about the user.

While the broad details of the issue have been known since 2015, the sheer number of accounts that were compromised was not known till now and has led to calls for Facebook to be deleted, with #DeleteFacebook trending on Twitter. The company, one of the world’s most valuable public companies, has shed $75 billion, or 14% of its market value, since March 16.

As Facebook spends the next few months trying to convince its users that their data is safe, India will be crucial to their plans. India is, after all, its largest market, with 250 million monthly active users, 12% of its global base, according to recent data by We Are Social and Hootsuite, firms involved in social media marketing and management, respectively.

There are other reasons why India is important to Facebook: WhatsApp, the country’s chat app of choice, has 200 million users, again more than any other market, and Instagram has 53 million. Both these apps are owned by Facebook, giving the company an outsize role in how Indians communicate.

Facebook will only grow as smartphone and internet adoption grows — India is set to add 100 million internet users and 250 million smartphone users by 2020. But at the same time, it has to deal with those wondering whether they should sign up or continue being on the network.

Soumya Sinha, a 32-year-old data consultant in Delhi, says FB is quite passive-aggressive when it comes to data. “It gives you a lot of privacy options, makes you feel you are in control of your wall, but buries an ‘unless you don’t want to share’ option at the bottom,” he says. “If you don’t opt out, it assumes you are happy to share. Even if you do, you can never be sure the non-consensual sharing has stopped.”

Privacy controls — not just on Facebook but on social media platforms in general — are not easy to find and even the most tech-savvy have a hard time ensuring the accounts are as secure as they can possibly be. “Indians are very liberal with others accessing their data. A lot of other accounts are linked to my FB account. Who knows which one of them will provide my data to others?” says Prateek Kharangar, a 30-year-old doctor in Rajasthan.

Mark Zuckerberg, Facebook’s billionaire chief executive, issued a statement on March 21 admitting that Facebook had made mistakes. He added that Facebook would do a thorough audit of suspicious apps and make its privacy policy stricter by limiting the user information it shares with third-party apps.

Facebook will also revoke permission to apps that a user has not accessed for three months and show an option at the top of the news feed, allowing users to do the same. Zuckerberg also said in a subsequent interview to the New York Times that Facebook would let concerned users know about the CA debacle. Questions sent by ET Magazine to Facebook India went unanswered. The US Federal Trade Commission and the European Union are also scrutinising the issue.

Protect Data
Facebook has faced criticism in the past, including about its facial recognition software In India, it was badly bruised in its fight against net neutrality. Its Free Basics campaign tried to push free access to a few websites, including its own, in partnership with telcos, but the telecom regulator in February 2016 ruled in favour of net neutrality. Sunil Abraham, executive director of the Centre for Internet and Society, believes sites like Facebook should periodically inform users about the data the apps have access to. “Facebook should also ask you every quarter if you want to revoke permission. It’s required in countries where users are naive, unaware and incapable of protecting their own interests.”

Many experts call for more transparency and clarity. Nayantara Ranganathan, programme manager at the Internet Democracy Project, says privacy policies are tweaked constantly and the changes the companies want us to know about are conveyed through blog posts and such, while there may be changes that we may not be aware of. Nikhil Pahwa, cofounder, Internet Freedom Foundation, says the process of notifying users of changes in terms and conditions needs to be improved. “So often, T&Cs are changed and the company just sends a generic mail to all its users. If they don’t respond, it is assumed they have agreed to the changes. That needs to change.” Some believe online consent agreements are being simplified.

While there have been calls for the privacy notice to be in local languages too, Rama Vedashree, CEO of Data Security Council of India, says that in markets like India, where millions are just being introduced to the internet, websites may have to look at pictorial representations to explain how user data will be used by third-party developers. Regardless of how intelligible tech companies make their privacy policy documents, given the number of websites we use, it is impossible to read every site’s terms. That is where a stringent law becomes necessary. “We don’t have a robust legal framework that acts swiftly, permits class action lawsuits and awards damages in tune with the harm incurred,” says Mishi Choudhary, legal director at the Software Freedom Law Center.

WHY FB CAN'T TAKE DATA SECURITY LIGHTLY IN INDIA

Source: Facebook, WhatsApp, We Are Social and Hootsuite, Ministry of Communications, Internet and Mobile Association of India

Abraham says presently only data security is covered under the Information Technology Act, 2000. “A mere infringement of your privacy without financial loss does not allow you to seek remedy.” However, India could have a data protection law sooner than later. A committee was appointed by the government last year to come up with a draft law, an important part of which will be a data protection authority. The Supreme Court, in a landmark ruling last year in a case related to Aadhaar, said privacy is a fundamental right.

The European Union’s General Data Protection Regulation (GDPR), which will come into effect in May, could be emulated in countries, including India. It makes tech companies more accountable for the privacy of those who use their services and has penalties up to £20 million, or 4% of the errant company’s global annual revenues, whichever is higher. This forced Facebook to put all of its privacy settings in one place in January.

“India must go further than Europe did with its General Data Protection Regulation, which requires companies to get unambiguous consent from users to collect data, to clearly disclose how personal data are being used, and to spell out why data is being collected. It must also ban any form of political advertising and the sale of data to third parties,” wrote Vivek Wadhwa, a tech entrepreneur and academic, in a column in ET on Friday.

In light of this controversy, there will be pressure on the government to hasten the process of introducing a data protection law, accompanied by a regulator. It is likely the draft document will draw on the European regulation. “The more we adopt from EU GDPR, the better,” says Pahwa, adding that users should also have the right to removal of personal data.

Ravi Shankar Prasad, India’s IT and law minister, has warned Facebook of stringent action if it is found influencing elections “through undesirable means”. The Indian government on Friday issued a notice to Cambridge Analytica asking if any entities engaged its services to harvest data of Indian Facebook users.

India could also take a leaf out of Germany’s playbook while enforcing data protection, especially if it involves tech companies that dominate the segment they operate in, like Google in search and Facebook in social media. Germany’s competition watchdog in December accused Facebook of abusing its dominant position to get users’ consent to access their data from third-party websites. The Competition Commission of India in February imposed a penalty of `136 crore on Google for abusing its dominant position in search to create a bias to favour its own services.

Messing Up Elections?
The ongoing controversy has been exacerbated by the fact that besides data privacy, electoral politics is at the centre of the issue. CA dug itself into a deeper hole when footage emerged of a UK television channel’s sting operation, in which the company’s top officials talk about using bribes and women to entrap their clients’ political opponents. CA has since suspended its chief executive, Alexander Nix, who was in the video. CA is partly funded by conservative US billionaire Robert Mercer, and Trump’s former White House chief strategist Stephen Bannon served on its board.

The issue has had political ramifications in India, with both the ruling Bharatiya Janata Party and opposition Congress trading charges about each other’s association with CA. The BJP has attacked the Congress by quoting news reports of talks between CA and the Congress ahead of the 2019 general election, while the Congress has hit back with a reference to the 2010 Bihar election on the CA website. The company claims that it worked on the Bihar election, reportedly through its parent Strategic Communication Laboratories, by identifying swing voters.

“Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won,” says the website. The JD(U)-BJP combine was the victorious coalition. Interestingly, the company’s India partner, Ovleno Business Intelligence, is run by Amrish Tyagi, son of JD(U) leader KC Tyagi. When contacted by ET Magazine, Amrish Tyagi declined to comment. Both the Congress and the BJP have denied any ties to CA.

“We have been on social media as long as social media was around and we have always been ethical in our conduct,” says Amit Malviya, head of BJP’s IT Cell. Divya Spandana, who heads the social media team for the Congress, says the party does not engage external agencies. “We only use data with the consent of the individual, emails are subscribed to and WhatsApp is through people who have signed up to receive messages.” The BJP made good use of social media in its 2014 campaign, and Prime Minister Narendra Modi and most of his cabinet are quite active on Twitter.

Facebook, Twitter and WhatsApp will play an even bigger role in the upcoming assembly polls and the 2019 general election, WhatsApp perhaps more so than the other two, given its popularity and user engagement. “What makes WhatsApp worse than Facebook is Facebook knows what’s being sent around (on its platform). If it comes up with a fake news mitigation strategy, it might work. WhatsApp doesn’t know what’s being sent on its platform,” says Abraham.

In his New York Times interview, Zuckerberg said that after the US presidential election, Facebook developed artificial intelligence tools to identify fake accounts and fake news, which were deployed during the French presidential polls in 2017. “This is a massive focus for us to make sure we’re dialed in for not only the 2018 elections in the US, but the Indian elections, the Brazilian elections, and a number of other elections that are going on this year that are really important,” he was quoted as saying. Both government authorities and the Election Commission of India will keep a close watch on how social media is used in poll campaigns.

While things do not look up for Facebook in the immediate future, some think it will get past the issue. Vineet Sehgal, chief marketing officer of Quikr, says while marketers will take a hard look at Facebook, the company will act swiftly to change its policies.

"There is too much at stake." More and more Indians are using social media, in addition to searching for information on the internet, buying things on ecommerce sites, booking app-based cabs, and making payments and transfers on online payment platforms. They will also buy more devices, including wearables and smart speakers, which gather large amounts of data. So naturally, it is imperative that the sanctity of that data become a top priority for tech companies, consumers and the government. "The emphasis of any (data protection) law needs to be protecting people, not data. Our legislators should ask about relationships of all entities with social media and data analytics companies," says Choudhary of Software Freedom Law Center.

For more details visit https://cis-india.org/internet-governance/news/economic-times-g-seetharaman-shephali-bhatt-march-25-2018-data-breach-how-will-the-biggest-scandal-that-facebook-is-mired-in-affect-its-credibility-in-india

PM’s app also susceptible

Admin — 2018-03-27T01:23:36Z

Even the Narendra Modi app of PM Modi is susceptible to data theft as a 22-year old Indian hacker established, claiming that privacy of more than 70 lakh users on it is at stake.

This was published by Free Press Journal on March 25, 2018

Still worse is that anybody downloading the app may not know that all data on his mobile automatically goes to CleverTap without his or her consent to let the firm populate it alike British firm Cambridge Analytica that helped the US President Donald Trump in the last election with the vast data stolen from Facebook.

Congress social media chief Divya Spandana/ Ramya on Saturday retweeted a tweet by one Pranesh Prakash to know whether Law Minister Ravi Shankar Prasad talking of summoning Facebook CEO Mark Zuckerberg will also summon the PM for privacy violation and data theft.

Once you download the Narendra Modi app, all your data like your phone numbers, emails, name, location and interests as also all on your phone list, WhatsApp list and email is captured and then populated to know your interests and send you mails and messages accordingly, Divya explained.

Hacker Javed Khatri, who was able to crack the app late last year says he is able to access private data of any user and that is how he “successfully managed to extract the personal phone numbers and email ids of ministers like Smriti Irani.”

“Not only that, I can make any user on the platform follow any other user on the platform. This is just the summary of this huge security loophole which I want to report. The privacy of more than seven million users is at stake if this gets ignored.” Javed said, stressing that he did not want to cause any harm but wanted to demonstrate how poor the security of the app is that he could easily hack it.

For more details visit https://cis-india.org/internet-governance/news/free-press-journal-march-25-2018-pm-app-also-susceptible

Data politics: BJP, Congress in spat over sharing app data without users’ consent

Admin — 2018-04-18T00:51:15Z

Congress took down its WithINC app after facing allegations of sharing user data, a day after it accused BJP of doing the same with the NaMo app.

The article by Komal Gupta was published in Livemint on March 26, 2018. Pranesh Prakash was quoted.

An app war has broken out between the Congress party and the ruling Bharatiya Janata Party (BJP)—appropriately on Twitter.

Fought in the shadow of the global storm on data leaks from Facebook and Cambridge Analytica, the two Indian parties accused each other of sharing user data with third parties collected without the users’ consent.

The Congress on Monday took down its app—WithINC —after facing allegations of sharing user data with servers in Singapore. However, the party has claimed it was forced to remove the app as the wrong URL was being circulated and people were being misled.

Congress president Rahul Gandhi took to Twitter after an anonymous French security expert claimed that Prime Minister Narendra Modi’s NaMo app was sending user data to a third-party website without user consent.

“Modi misusing PM position to build personal database with data on millions of Indians via the NaMo App promoted by Govt. If as PM he wants to use tech to communicate with India, no problem. But use the official PMO APP for it. This data belongs to India, not Modi,” Gandhi tweeted on Monday.

WithINC is the official app of the Congress to allow users to connect with the party through regular updates from various social media and news channels. “It also allows you to apply for membership of the INC by completing all steps of the INC membership process,” a descriptor on Google Play Store says.

Information and broadcasting minister Smriti Irani on Monday tweeted, “Now that we’re talking tech, would you care to answer Rahul Gandhi ji why Congress sends data to Singapore Servers which can be accessed by any Tom, Dick and Analytica?”

Trashing BJP’s allegations, Congress’ social media head Divya Spandana claimed that the membership page on the Congress app had been defunct for a while. “We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates. We collect data for membership and this is through our website, this is encrypted,” Spandana tweeted on Monday.

The NaMo app is designed to ensure that users do not have access to any data other than their own, a government official said on Sunday, requesting anonymity. Data entered by any user is used for analytics using third-party service, similar to Google Analytics, said the official.

“Apps ought to request the minimum of a phone’s functionality. They should evaluate the data they need, collect as little as needed, and clearly state what use they will make of the data,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

“The Narendra Modi app, quite famously, provided unrestricted access to the personal data of more than 5 million users,” Prakash added.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-26-2018-data-politics-bjp-congress-in-spat-over-sharing-app-data-without-users-consent

Security experts say need to secure Aadhaar ecosystem, warn about third party leaks

Admin — 2018-03-26T22:37:30Z

The public reckoning of data leaks in India’s national ID database, Aadhaar is still on hold while reports of data leakage through third-parties keep coming.

The article by Nilesh Christopher was published in Economic Times on March 26, 2018. Sunil Abraham was quoted.

While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of Aadhaar data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.

“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication ZDnet citing an Indian security researcher said that it identified Aadhaar data leaks on a system run by a state-owned utility company Indane that allowed anyone to access sensitive information like a name, Aadhar number, bank details. The leak was plugged soon after the report appeared.

UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.

There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.

“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.

In case of Aadhar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Center for Internet and Society.

UIDAI could take a leaf from Indian Space Research Organisation while handling data breach reports. The state-run space agency put out a note appreciating security researches for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.

“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.

“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still has not fructified.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks

Indian IT firms not ready for European Union's proposed privacy laws, only a few compliant with GDPR

Admin — 2018-04-18T00:56:20Z

Only a third of Indian IT firms are compliant with the European Union's General Data Protection Regulation (GDPR), which will come into force on 25 May, according to a media report.

The article was published in First Post on March 26, 2018.

The GDPR, the EU's new online privacy rules, is designed to protect users' online privacy. The European Parliament has adopted the regulation but European governments have yet to approve the text.

“Only 30-35 percent of all IT/ITeS companies have started their journey to work towards GDPR compliance,” Jaspreet Singh, Cyber Security Partner at EY, was quoted as saying by The Economic Times.

The GDPR is applicable to companies globally, and has significant potential financial penalties. Damages of any breach of privacy of user data from Europe could cost companies as much as four percent of their revenue, according to The Economic Times. For the Indian IT sector, Europe ranks number two in terms of the amount of business it drives, with US still taking the lead.

Indian firms, according to Business Standard, are struggling to understand the GDPR policies. A survey by EY had shown that 60 percent of Indian respondents were unfamiliar with the new regulation.

"When asked to describe their company’s current status with respect to complying with the GDPR, only 33 percent of respondents said that they have a plan, while 39 percent said that they are not familiar with the GDPR at all and 17 percent said that they have heard of the GDPR but have not yet taken any action," EY’s Global Forensic Data Analytics Survey 2018 had said.

What the GDPR is all about?

The GDPR attempts to unify data protection laws across the EU. It applies to all companies, regardless of location, that process the personal data of people living in the European Union. It aims to strengthen the protection of EU citizens' personal details. It will apply to all companies, including those outside of the EU.

The GDPR is considered the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information.

Under the new regulation, users will be asked once and for all whether to accept cookies, rather than every time they visit a new website. Users will have the option of going invisible online, while the rules enshrine the so-called "right to be forgotten" legislation. The industries most deeply affected will be those that collect large amounts of customer data and include technology companies, retailers, healthcare providers, insurers and banks.

Companies must be able to provide European customers with a copy of their personal data and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

How Indian firms will be affected?

According to a study published by The Centre for Internet and Society, as a result of GDPR, data protection procedures like breach notification; excessive documentation and appointment of data protection officer may have to be incorporated in the Indian laws as well.

"As non – compliance involves high fines, inability of India or the organizations situated in India to qualify as data secure destinations is likely to divert business opportunities to safer locations," the study said.

(With inputs from agencies)

For more details visit https://cis-india.org/internet-governance/news/first-post-march-26-2018-indian-it-firms-not-ready-for-european-unions-proposed-privacy-laws-only-a-few-compliant-with-gdpr

Modi Govt compromising privacy of individuals: Cong

Admin — 2018-04-18T01:10:42Z

Charging the Narendra Modi Governemt with compromising the privacy of individuals by leaking user information on the Narendra Modi app, the Congress on Monday said the counter allegations by the BJP that the Opposition party was indulging in 'data theft' were an attempt to divert attention from the issue.

This was published by United News of India on March 26, 2018.

Talking to reporters here, AICC spokesperson Abhishek Manu Singhvi said, 'we have said repeatedly that the biggest assault on individual privacy has occurred under the watch of the Narendra Modi Government. Not only people’s money, but people’s privacy is also in question.

Even as startling revelations that the Narendra Modi app, run by the BJP is sharing data of millions of users with American companies emerge, the Modi Government mocks and flouts the ‘Right to Privacy’ with brazen impunity. While the Prime Minister’s Office, PMO India app, asks users to voluntarily part with their identity on 14 data points, the NaMo app asks for a sweeping access to 22 data points. The NaMo app records audio, video, contacts of your friends and family and even tracks your location via GPS. No wonder, Modi ji is like the ‘Bigg Boss’ who with brazenness likes to spy on Indians. The BJP whose IT (Identity Theft?) Minister does daily press conferences on the issue of data security and democracy, has much to answer to the people of India on the unscrupulous means by which Shri Narendra Modi’s personal app is accessing data and passing on data of more than 50 lakh Indians,' he alleged.

Describing the BJP allegations that the Congress was indulging in 'data theft' through its mobile app, Mr Singhvi said. 'the Modi Government is resorting to deflectionary and diversionary tactics. The Congress application had just 15,000 downloads against the 50 lakh Indians who downloaded the NaMo app. Also, the Congress application was discontinued as most of the users wanted to register offline.'

Accusing Mr Modi of misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by the government, Mr Singhvi said, 'Why does Mr Modi, in his own book ‘Exam Warriors’ urge you to download the NaMo app. Is he now planning to snoop in on minors? Mr Modi is misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by Government. If as PM he wants to use tech to communicate with India, there is no problem in that. But use the official PMO app for it, not the NaMo app. This data belongs to India, not to Mr Modi.

Shockingly, data of atleast 13 lakh NCC cadets which include personal mobile phone numbers and email ID’s are being given to the Prime Minister’s Office for an interaction.'

Citing in this regard the report of a committee of experts appointed by the government on the issue of data protection, Mr Singhvi said, 'importantly, a Government appointed Committee of Experts (CoE) to look into a framework for data protection, headed by Justice (retd) BN Srikrishna has made scathing observations in a paper released in November 2017, against the Government and has shockingly implied (according to the media reports) that the Modi Government is collecting personal data illegally. The committee, which is currently in the process of conducting consultations, has also considered the SC judgment on privacy, says in its paper “The public and private sector are collecting and using personal data on an unprecedented scale. While data can be put to beneficial use, unregulated and arbitrary use of data, especially personal data, raise concerns relating to centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.”

Alleging that under the Modi Government, not only the personal data of citizens was under serious threat, but there were multiple reports of data breaches in banks, Mr Singhvi said, 'astonishingly, under the Modi Government, not only the personal data of citizens is under serious threat, but multiple breaches in the banks. In an atmosphere where every single day there has been a bank fraud worth thousands of crores of rupees being reported, have resulted in one single question - how safe is our money in banks?

Banks and PSU’s have reported multiple breaches in recent past. A newspaper report on Monday said two online security experts have claimed that the Aadhaar database of two public-sector enterprises leaked select data and the vulnerability was fixed only a month after attention was drawn to it. This exposes their names, the 12-digit Aadhaar number and information of the services they have linked their Aadhaar card to. These services include bank details, policy details and other private information. This was corroborated by the UIDAI statement released on Sunday.

“It was left up there for more than a month — even though it had been reported to them directly,” claim the security experts. On February 23, 2018 a report had claimed that there was a data breach which had hit the the Punjab National Bank, whereby sensitive credit, debit card details of 10,000 customers were leaked. Quick Heal, a reputed software company in October 2017 had also claimed that there was a massive data breach in 6,000 government offices including banks. Earlier in 2016, as per media reports -- 32 lakh debit/credit cards of various Indian banks were compromised. The worst-hit was the State Bank of India along with certain private banks.'

He also charged the present Government of breach of Aadhaar data of individuals.

'In April 2014, the then Gujarat Chief Minister Narendra Modi had attacked Aadhaar and the UPA Government on its possible ‘security threat’. Life has now come full circle for the BJP. Just like numerous other issues, their blatant hypocrisy on Aadhaar is exposed. In January, this year, when a reputed newspaper in a sting exposed how 1 crore Aadhaar details can be accessed in just 10 minutes, by paying just Rs 500 in Chandigarh, the UIDAI had then filed an FIR against the reporter. Now the editor of the reputed media house has also been replaced.

We have seen it in May 4, 2017, when the Modi Government is on record in Supreme Court, accepting data breach in the Aadhaar scheme. Now the Attorney General in Supreme Court, while arguing that Aadhaar data remains safe and secure, says that the Aadhaar data remains secure behind a complex that has 13-ft high and five-feet thick walls, which is laughable and ludicrous, to say the least. On November 20, 2017, the UIDAI had accepted on record that –“More than 210 central and state government websites publicly displayed details such as names and addresses of Aadhaar beneficiaries”. Earlier too, ‘Centre for Internet and Society’, a Bengaluru-based organisation (CIS) in a study published on May 1, 2017, had found that data of more than 130 million Aadhaar card holders has been leaked from just four government websites. Therefore this is a serious issue. Clearly, neither our money, nor our Aadhaar details or our personal details are secure under the Modi Government.'

For more details visit https://cis-india.org/internet-governance/news/united-news-of-india-march-26-2018-modi-govt-compromising-privacy-of-individuals-congress

Aadhaar safety

Admin — 2018-03-26T17:09:26Z

We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.

The article was published in Asian Age on March 25, 2018.

Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.

‘Safety claims are bogus’
Hrishikesh Bhaskaran, Privacy Activist
Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).

The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.

‘Multi-level security assumes added significance’
Jaideep Mehta, CEO of VCCircle.com
Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.

‘Tightening system, or line of human command more important’
Ershad Kaleebullah, Technology Editor
There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.

‘Your data security is in your hands, always be cautious’
Viraj Kumar Pratapwant, Senior Software Design Engineer
First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.

Sunil Abraham, Executive Director at Centre for Internet and Society
Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data in encrypted in the CIDR - the deduplication software needs to compare the bio metric of the person getting enrolled with the unencrypted bio metric of others already in the database. This means that the engineer who controls the software has access to the whole bio metric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.

For more details visit https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety

Listening Machines - New interfaces for Art-Science and Technology Policy

Admin — 2018-03-25T03:37:00Z

Sharath Chandra presented his work "Listening Machines - New interfaces for Art-Science and Technology Policy" at the National Academy of Sciences, Washington D.C, at the Arthur M Sackler Colloquia on March 12, 2018.

For more info on the program click here

For more details visit https://cis-india.org/internet-governance/news/listening-machines-new-interfaces-for-art-science-and-technology-policy

Cybersecurity: The Intersection of Policy and Technology

Admin — 2018-03-25T03:24:23Z

Sunil Abraham and Aayush Rathi attended a round-table on 'Cybersecurity: The Intersection of Policy and Technology'. The event was organised by Synergia Foundation, Bengaluru.

The speakers for the round-table were Deborah Housen-Couriel, Professor at the Kennedy School of Government, Gaurav Gupta - Principal Secretary for IT, BT, and S&T, Government of Karnataka, and Dana Kursh, Consul General of Israel to South India.

The discussion at the round-table centred around developing approaches aimed at resolving the 'grand challenge' of cyber security. The role of deeper collaborations between various stakeholders such as academia, corporate enterprises, law enforcement and the government in arriving at cogent solutions was emphasised upon. For more on the discussion at the round-table, a press note can be found here.

For more details visit https://cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing

Admin — 2018-03-25T03:21:24Z

Amber Sinha participated as a panelist in the discussion on adapting privacy to new technologies organised by the USIBC on March 6, 2018 in New Delhi.

The way consumers interact with technology is quickly evolving, and there are distinct implications for privacy as these new applications and products become embedded in our daily lives. Many new technologies eliminate the need for consumers to interface with a screen, relying on sensor data, verbal interactions, or innate human communications – a grin or hand gesture. As technology evolves, so must the privacy protections.

Moderator: Ashutosh Chadha, Group Director, government Affairs & Public policy, Microsoft India

Panelists:

Shaundra Watson, Director, Policy, BSA | The Software Alliance
Betsy Broder, Counsel for International Consumer Protection, U.S. FTC
Amber Sinha, Senior Programme Manager, Centre for Internet and Society (CIS)
Riccardo Masucci, Global Director of Privacy Policy, Intel
Srinivas Poosarla, Vice President & Head (Global), Privacy & Data Protection, Infosys Limited

For more details visit https://cis-india.org/internet-governance/news/siri-did-you-hear-me-adapting-privacy-to-new-technologies-automated-decision-making-and-cloud-computing

Govt warns Facebook of stringent legal action if found misusing data

Admin — 2018-03-25T03:14:28Z

IT minister Ravi Shankar Prasad says that under the IT Act, Facebook’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The article by Komal Gupta was published by Livemint on March 21, 2018.

The government on Wednesday warned Facebook of stringent legal action if it is found misusing data, with law and information technology (IT) minister Ravi Shankar Prasad saying that under the IT Act, the social media giant’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The warning came after the ruling Bharatiya Janata Party (BJP) alleged that the Congress party was associated with London-based analytics firm Cambridge Analytica, which is at the centre of a global storm on the alleged misuse of data from 50 million Facebook users.

Prasad said the Congress indulged in “theft of online data” to help with its election campaigns, a charge that the opposition party denied.

“Will the Congress party depend on data manipulation and theft to woo voters? What is Cambridge Analytica’s role in (Congress president) Rahul Gandhi’s social media profile,” Prasad, who is also a senior BJP spokesperson, said in an interaction with reporters.

“Indian National Congress or the Congress president have never used and never hired the services of the company called Cambridge Analytica mentioned by the Union law minister. This is a fake agenda, a white lie being dished out on fake facts by the law minister unfortunately, and this has become a daily order,” Randeep Surjewala, the Congress party’s chief spokesperson, said.

Cambridge Analytica’s chief executive Alexander Nix—who was suspended on Tuesday—was secretly recorded in a Channel 4 sting claiming that the company ran Donald Trump’s campaign during the 2016 US presidential election. The firm is accused of harvesting private data from millions of Facebook profiles to influence and identify voter behaviour.

As of January, there were around 250 million Facebook users in India.

According to security experts, the incident yet again highlights the need for a stronger data protection law in the country.

“It has been almost six years since the report of the Justice AP Shah group of experts on privacy, but India still doesn’t have a data protection law. We urgently need a law that enshrines privacy by design — that would prevent entities like Truecaller from gaining access to third parties’ data without their consent, and entities like Facebook from providing it— as well as a liability regime that would enable an Indian data protection authority to hold accountable those who violate the law,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-21-2018-govt-warns-facebook-of-stringent-legal-action-if-found-misusing-data

Without stringent law, threats to Mark Zuckerberg are hollow: Experts

Admin — 2018-03-25T02:24:12Z

IT Minister Ravi Shankar Prasad on Wednesday warned Facebook and other social networks of tough action, if they attempted to influence the Indian elections.

The article by Alnoor Peermohamed and Karan Choudhury was published in the Business Standard on March 23, 2018.

The best way of keeping a check on the manipulation of elections through campaigns on Facebook is by introducing a strong data protection policy, said experts. After the Cambridge Analytica row, all eyes are on the use of such tools during the upcoming general election in India.

Union Law and Information Technology (IT) Minister Ravi Shankar Prasad on Wednesday warned Facebook and other social networks of tough action, if they attempted to influence the Indian elections. However, experts said these threats are hollow because the current law protecting user data lacks teeth.

“Without a strong data protection law, we wouldn't quite be able to take any action as what has happened is not a breach. While Section 43A of the IT Act talks about lack of consent from the users, it does not spell out any consequence for violating the same,” said Pranesh Prakash, policy director at think tank The Centre for Internet and Society (CIS). “Essentially, it's a toothless tiger.”

Having a data protection law might not directly stop firms from buying data from third-party developers and then deploying it for targeted users, but it is a great pre-emptive measure to stop unnecessary data collection. If users are asked to give consent for their data, it would vastly reduce the risk.

“The government's statement would be well supported, if it would be bringing a law, listening to key voices of experts and civil society. Even though the Justice Srikrishna Committee is currently examining and is expected to come out with a draft law, the timeline, transparency and willingness to safeguard user rights need to be better demonstrated,” said Apar Gupta, an independent lawyer.

Other experts have voiced their concerns over allowing tech giants to take sensitive user data out of the country. Once the data is out of India's jurisdiction, there is no way to ensure these companies are following the laws mandated by the government.

“Facebook is not an Indian company. We do not know how far it is complying with India’s IT Act. We should not be compromising on security and allow tech firms to play in the market without complying with the laws,” says Pavan Duggal, cyber law expert and Supreme Court advocate.

While both the Congress and the BJP have accused each other of working with Cambridge Analytica and denied their own affiliation with the company, the UK-based firm was already functioning in India through its partner Ovleno Business Intelligence (OBI). The OBI website, which has now been taken down, had listed the BJP, the Congress and Janata Dal (United) as its clients.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-and-karan-choudhury-without-stringent-law-threats-to-mark-zuckerberg-are-hollow-experts

‘If an Indian party acted like Cambridge Analytica, it will not be guilty under current laws’

Admin — 2018-03-25T02:01:18Z

Sunil Abraham, Executive Director of Centre for Internet and Society, says Indians are vulnerable in the absence of a data protection law.

The blog post by Amit Bhardwaj was published by Newslaundry on March 24, 2018.

What exactly is the nature of the Facebook data breach? What went wrong?

Technically, this is not a data breach. There is an internet standard called O-auth (open-authorisation). Through it, different applications on the internet that don’t want to build their own authorisation infrastructure can use the authorisation infrastructure provided by internet giants such as Facebook, Google, Twitter, etc. There was a personality quiz application, which used the Facebook O-auth service. In this protocol, the authorisation server can also give some data to the application which is using its services.

Does that mean that when we ‘sign up with Facebook’, we also authorise such transfer of data?

What you are doing is that you are a user of the application (personality application). Once you try to use the service, it will give you a choice - whether you want to authenticate yourself using Facebook, Twitter etc. So basically you are authorising a third-party application to use your data. Previously, Facebook’s authorisation service allowed the third-party application to harvest data on your profile as well as that on your friends’ list. Facebook is designed to allow this kind of data harvesting.

How is the data harvesting being done by the third-party application dangerous for users of Facebook?

It is you who has given consent for data harvesting, and not your friends. But the application was abusing the consent given by you to harvest the data of people who have not given consent. Facebook had, however, discontinued this API in 2014 as mentioned by Mark Zuckerberg in his statement.

How can Cambridge Analytica (CA) - the British data consultant which also provides services to political parties - influence the choice of these Facebook users?

The CA has experts that focus on psychological manipulation. Thus, the more personal information they have about you, the more they can do what is called “micro-targeting of advertisements”. Suppose they know you are an undecided Republican (now governing party in the US) voter, so they can target you with information and propaganda - including misinformation - in order to push you over the fence. For example, it could discourage an African-American voter, who is going to vote for the Democrats, from going out to vote that day by showing him depressing content. They can also encourage a Republican voter to go out and vote by scaring them that if they don’t vote, the Democrats will win.

How do you take Zuckerberg’s statement? Can it even be considered a valid apology?

Whether he has apologised or not is irrelevant to our situation. What we Indians need is a regulatory response. For the past eight years, my centre has been working towards getting a data protection law. As the situation stands today, what Cambridge Analytica did in the US can be repeated in India. And that won’t be illegal under the present set of laws in India.

Union IT minister Ravi Shankar Prasad said Indian laws are stringent and they can also summon Mr Zuckerberg. How strong is the law that Mr Prasad could be referring to?

Section 43 of the Information Technology Act has been commonly misunderstood as the data protection law. In reality, it only has data security provisions, i.e. under Indian law if you lose property or money as the result of a breach of your personal information, you can approach the court. While in case of data harvesting it amounts to infringement of the right to privacy.

Ever since this scandal surfaced, both the BJP and Congress have been distancing themselves from the CA and are also accusing each other of using the CA or its Indian wing’s services. Why are these accusations making these political parties so nervous?

Unfortunately, I am only a policy researcher and I don’t follow a political party. It is better to ask a political analyst that kind of question.

Hypothetically, even if these parties – the BJP and the Congress - have used the CA’s service, have they been on the wrong side by doing so?

As I said previously, there is no law in our country. Suppose a political party did exactly what Cambridge Analytica did, it will still not be guilty under any law in India.

A commoner’s argument could be - even if my personal data is with these companies, how is it going to affect my voting choice?

What has been clear from the CA episode is that personal data can be used to manipulate you. They can make you depressed, they can make you feel suicidal, they can make you buy products that you don’t want, they can even make you vote for parties you don’t like. The most important aspect of the story is that it is undermining free will.

Since the 2014 general elections, India has been witnessing the rise of troll culture where dissenting voices are crushed. A narrative is being created in favour of one party or against any party standing against this party. Do you think services of such agencies could have been used to do so?

No, trolling is a separate thing, while manipulation is more subtle. Unlike manipulation, where you are unaware of the influences, in trolling you know when you are being targeted. The trolls are trying to silence and intimidate you – that is not done through the use of personal information.

There were media reports which said that 70 per cent of the applications used in India do not explicitly take user consent at the time of installation. Also, many of these apps do not even delete the personal information of users once they have been uninstalled from mobile phones. How dangerous is this situation?

It is not just that these applications don’t take your consent, or that they retain data after you’ve stopped using their services, what is scarier is that many of these applications take extensive permissions on your phone. For example, the torch application sometimes asks for permission to read your messages. What they can do using this is harvest your one-time passwords (OTPs) from your SMS folder in order to conduct fraudulent financial transactions.

They can also collect your personal photographs, and maybe later that can be used to blackmail you. A lot of horrible things can happen because we have, what is called, a regulatory battle.

According to media reports, the CA’s Indian subsidiary - Ovleno Business Intelligence, whose Indian operations are headed by the son of JDU leader KC Tyagi - was hired for elections in India - Bihar polls in 2010 and 2015, and in state polls. Could it be possible that data harvested by this company was used to influence voters?

Again, I don’t know the specifics connected to the behaviour of Cambridge Analytica and its subsidiary in India. I don’t think anybody has done any research on this question.

There is already the conundrum over Aadhaar in India and pressure to link it with our bank accounts and phone numbers. Do you think the Facebook data breach or data harvesting will press the question of privacy here?

It's a very different type of privacy concern. With Aadhaar, the primary concern is of biometrics and the storage of biometrics in a centralised database. Here, it’s a concern of unauthorised third-party applications being able to harvest our personal data. Though different, they are two excellent case studies for us to test the effectiveness of our draft Data Protection Bill, which will come out in April or May.

The Facebook CEO didn’t mention that Facebook will stop collecting our data. Do you feel Facebook too is on the wrong side when speaking of attempts to harvest personal data?

You cannot accuse Facebook of doing wrong. Being wrong or right is an ethical question and subjective. For instance, I might think that Facebook is doing something wrong, however, Facebook, which is trying to maximise its shareholding value, might think it is doing right.

Also, at the end, it’s all about the legal framework. In US jurisdiction, what Facebook did is completely legal. Under the European data protection law, what they did is illegal.

(Transcribed by Newslaundry interns Priyali Dhingra and Maitri Dwivedi.)

For more details visit https://cis-india.org/internet-governance/news/newslaundry-march-24-2018-amit-bhardwaj-facebook-data-breach-cambridge-analytica-privacy-law-sunil-abraham