Facebook announces stronger measures to prevent a repeat of Cambridge Analytica ahead of Lok Sabha elections next year.
Indian government concerned over possible misuse of social media during upcoming 2019 polls.
Need for more robust data protection legislation in India.
The government and private sector need to build more secure systems for protection of Aadhaar.
One of the biggest breaches of trust in online history has been acknowledged and apologized for by the world’s largest social network, Facebook. Earlier today, the company’s founder Mark Zuckerberg admitted that data of over 50 million Facebook users was accessed without consent by a data firm that gained the rights for academic purposes.
Zuckerberg reiterated that the company took necessary steps when it first discovered the flaw and reassured that such a breach of users’ trust, and data, will be prevented going forward. Even if Zuckerberg’s promises are reassuring to investors and users, it does highlight the underlying need for a more robust system to address the challenges and draw the framework when it comes to safeguarding personal content on the web, not only in the US, but also in countries such as India where users are gradually adopting a digital lifestyle.
Following the leaks, the US Congress has demanded that Zuckerberg testify over the Cambridge Analytica scandal. Back home in India, Union Law and IT Minister Ravi Shankar Prasad warned the company of “stringent action” including summoning Zuckerberg over ‘misuse’ of data to allegedly influence the electoral process.
As soon as the news broke about the Facebook-Cambridge Analytica scandal, reports emerged that Cambridge Analytica and its India partner Oveleno Business Intelligence (OBI) Private Limited have spoken to both the Congress and the BJP about a possible collaboration for their upcoming Lok Sabha election campaigns. OBI CEO Amrish Tyagi was quoted in a media report as saying that the recent allegations will not deter the firm and its India partner from continuing their collaboration till CA is found to “violate Indian law”.
Now the question here is, does India have the right law to address such violations? Has the government done enough to protect privacy and ensure data security before riding on the Digital India bandwagon? Currently, one of the most pressing issues concerning user privacy is Aadhaar. The biometric-based authentication system has come under scrutiny time and again for its security vulnerabilities.
India is gearing up for Lok Sabha 2019 elections
The Election Commission, which tied up with Facebook for the National Voters’ Day feature on the platform, is now concerned in light of the scandal. In an interview with The Indian Express, EC Commissioner, O P Rawat, said that the matter of EC’s partnership with Facebook, to encourage enrollment of young voters, will be discussed soon at a Commission meeting.
On the scandal, Rawat is quoted as saying, “Definitely. Something which can affect the election arena in an adverse manner, like public opinion being moulded. This should concern us and we will take a view on this.”
To save the company further problems, Zuckerberg announced strong measures to contain voter manipulation through Facebook’s platform. The company has already put to use AI-based tools to identify and eliminate fake accounts and false news. For the upcoming elections in India, the company is now looking at enhancing the security features.
“This is a massive focus for us to make sure we’re dialed in for not only the 2018 elections in the US, but the Indian elections, the Brazilian elections, and a number of other elections that are going on this year that are really important,” Zuckerberg said.
Encourage ethical hacking
Altaf Halde, who is the Global Business Head at Network Intelligence Pvt Ltd, told BGR India that it is imperative for the government as well as private players to ensure data safety. “This is not the first time that a data breach has happened and certainly not the last time. Having said that, it is very important that governments and private players give the due importance to the data it has of citizens. Concerned parties should provide detailed instructions to all stakeholders on security mechanisms including both technical & procedural and provide the complete details of the security architecture and encryption used. No security by obscurity.”
Halde further said, “To detect frauds that misuse authorized logins, the concerned parties should implement robust monitoring mechanisms and a proper incident response mechanism. They should repeat audits every year if not every six months as only full transparency will restore trust back in this system, else more bad news is likely to come. It may also be a good idea to implement a public bug bounty program and reward researchers who find issues.”
Ethical hackers or white-hat hackers in India have insisted on the need for the government and private players to implement such bug bounty programs, which not only help the growing community of security researchers who hack systems to find loopholes, but also save big brands long-term embarrassment. In an earlier conversation with BGR India, a Bangalore-based ethical hacker who has earned crores after finding security vulnerabilities in companies including Facebook stressed that it is imperative for companies to invest in building systems which are hack-resistant if not hack-proof. “The risk is increasing with more personal data being available online, but the solution to this is building more secure systems,” he said. “With the growth of such digital options, the government is also investing in building secure systems so as to protect end user privacy,” Prakash added.
Growing concerns around Aadhaar
In the Cambridge-Facebook scandal, the case involved a seemingly simple personality quiz app where people gave out their data without knowing it could be used to build a tool that would help predict and in turn also influence the debatable US Presidential Elections of 2017. In the case of Aadhaar, the government mandate is such that people have no choice but to link their Unique Identification Number with a variety of services, from banking, taxes, to mobile numbers and mobile wallets.
While the organization behind Aadhaar, UIDAI, and its advocates repeatedly stress that the systems are fully secure, the platforms which are handling this data may not necessarily be so. “In reference to Aadhaar, it has now become one of the biggest concerns from a national perspective when it comes to data security and privacy. It is very important that UIDAI takes necessary measures to build the confidence of the citizen in terms of protecting their demographic and biometric data. UIDAI should conduct a full-fledged end to end security audit and should make the results of the audit and the subsequent mitigation measures public,” suggests Halde.
Making the information public makes the whole procedure much more transparent for the end user. Tech companies in the west, including Facebook, Microsoft, and Google, already publish transparency reports in which they detail how many times the government or private agents demanded disclosure of user data and exactly how many times these companies obliged.
Interestingly, the reason why these companies decided to come out with transparency reports is attributed to one of the biggest whistleblowers, Edward Snowden, who revealed that the US and UK governments were snooping on the online activities of citizens. In a bid to gain consumer faith in their services, companies not only adopted stronger encryption systems but also decided to disclose such activities to the public more often.
Onus of security is on users
In a recent interview, Mishi Choudhary, a technology lawyer and founder of SFLC.in, explained why it is critical for India to finally wake up to the growing menace of hacking and arm itself for the new-age war.
“There is no comprehensive data protection legislation in India, the companies are under limited obligations to protect the users’ data,” she said, adding that “there is a need to introduce changes to the data protection legislation.”
“The objectives of data protection legislation must be described in terms of people, not data. All persons are entitled to control the collection of information about them: about their bodies, their behavior, and their thoughts. So, the law we need is not about getting, managing, or automating consent. The objective is not consent, but control. People should be able to control access to information about them,” she added.
India is currently the biggest market for technology companies looking at innovating newer products. In such a scenario, having a robust system to protect user data from prying eyes is the way forward. As for users, it is imperative that awareness increases. Whether you install dubious personality quiz apps or forward ‘as received’ any viral message on Facebook or WhatsApp, it is important to understand the implications of such actions. It is only when the government, companies, and users join hands that such large-scale Cambridge Analytica-like scandals can be prevented. Until then, it is always wiser to check your account privacy settings frequently, on each app and platform.
As Shrenik Bhayani, General Manager, Kaspersky Lab (South Asia), says, “The current controversy between Facebook and Cambridge Analytica is a lesson for all of us when it comes to being cyber safe. We don’t realize how grave a threat is until we experience its consequences, the same thing happened when Facebook wasn’t careful enough at the beginning to foresee the threats ahead.”
“We are lucky that Facebook being a tech giant, this data breach came to light and we can now learn to be more careful about what and how much do we share online, which apps/3rd party developers are we granting permission to access our data and save ourselves from identity theft. The point that needs to be noted from this incident is that if a tech giant like Facebook is vulnerable to such data breaches, then how can we ensure that our personal data is not being misused by the cybercriminals. At the time of stepping into digitalization, we can’t afford to be vulnerable.”