4 April 2018

The end of privacy

Kaushik Deka 

"Both the public and the private sector are collecting and using personal data at an unprecedented scale and for multifarious purposes. While data can be put to beneficial use, the unregulated and arbitrary use of data, especially personal data, has raised concerns regarding the privacy and autonomy of an individual. Some of the concerns relate to centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy."


This is what a nine-member committee of experts formed by the Union government to study various issues related to data protection had said in a white paper four months before two national parties of the country, the BJP and the Congress, got embroiled in a nasty slugfest over data theft. On March 27, Christopher Wylie, a former employee of British data analytics and political consulting firm Cambridge Analytica (CA), which had allegedly stolen the data of 50 million Facebook users in 2014, claimed that the Congress party was the firm's client in India. Two days earlier, the Congress had alleged that the Narendra Modi mobile application (NaMo app), launched by Prime Minister Narendra Modi in 2015, had been stealing data of those who downloaded the app and sharing it with a third party based in the US. The app, according to media reports, seeks 22 permissions, including access to contacts, camera and location. The BJP not only rejected these allegations but also hit back at its rival, saying that the Congress mobile application shared users' data with the party's "friends in Singapore".

Ironically, the source of both parties' claims is the same: the Twitter account of a 28-year-old French "security researcher", Robert Baptiste, also known as Elliot Alderson. Within 24 hours of Alderson's tweets, the NaMo app quietly changed its privacy settings. Earlier, the app stated that all information accessed by it would be kept confidential. Now, the app says certain information will be shared to give the user a better experience. The Congress, on their part, deleted their app.

The sordid saga has raised an uncomfortable question: are political parties mining private data for electoral gains? The answer is also interlinked with several other debates: security of digital data in the country, whether in the hands of government platforms, such as Aadhaar, or private service providers, such as Amazon and Uber, and the role of social media giants, such as Facebook and WhatsApp, that have overwhelming access to personal data. With over 250 million active users, India is now the largest national user base for Facebook. WhatsApp and Instagram, two other entities owned by Facebook, have over 200 million and 53 million users in the country respectively. With all these platforms showing vulnerability to data breaches, the right to privacy sounds like a utopian concept.

Politics takes over debate

While both the UPA and NDA governments have done precious little on data protection, the game of oneupmanship between the Congress and BJP has been continuing since the damaging revelation earlier this month about CA, which was set up in 2014 with the help of Steve Bannon, former chief strategist of US President Donald Trump and former head of alt-right media platform Breitbart News. It was formed as a subsidiary of Strategic Communications Laboratories (SCL), a British company that describes itself as specialising in data, analytics and strategy.

In a newspaper interview, Wylie, 28, claimed that in 2014, CA acquired user data of 50 million Facebook profiles through personality profiling app 'thisisyourdigitallife', built by Aleksandr Kogan, a Soviet-born American academic at Cambridge University. While the app was downloaded by just 270,000 Facebook users, it pulled data from the Facebook friends of these users as well, allowing CA to harvest the data without consent. Facebook had allowed Kogan, a psychology professor, who owns a company called Global Science Research, to collect data for academic purposes, but he reportedly sold it to CA.

Two newspaper reports claimed that CA used the data to aid Donald Trump's 2016 presidential campaign and to track audience behaviour in the Brexit campaign and elections in Kenya. According to Wylie, the Facebook data helped develop psychological profiles of users, which were subsequently used to influence them. This reportedly had a greater impact on voters than traditional advertising.

In a sting operation by Britain's Channel 4 News, CA's CEO Alexander Nix was heard boasting about his company's involvement in Trump's victory. Channel 4 wrote in its article: "In the meetings, the executives boasted that CA and its parent company SCL had worked in more than two hundred elections across the world, including Nigeria, Kenya, the Czech Republic, India and Argentina."

SCL had partnered with India-based Ovleno Business Intelligence (OBI), which had claimed on its website-now unavailable-to have worked with the BJP, Congress and the Janata Dal (United). One of the directors of OBI is Amrish Tyagi, son of JD(U) leader K.C. Tyagi. Though CA was formed in 2014, it claims to have helped its client achieve a landslide victory in Bihar in 2010. That was enough for the Congress to claim that the BJP had used the services of CA since it was the BJP-JD(U) alliance that won the 2010 Bihar assembly polls. Another OBI director, Avneesh Rai, claimed in media interviews that CA had actually worked to sabotage the Congress's campaign.

Elections and data breach

Political leaders and independent election strategists accept that big data, a voluminous amount of structured or semi-structured data that has the potential to be mined for information, plays a huge role in formulating election campaigns, and political parties often seek access to such data, most of which is available in the public domain.

"The Election Commission data, the voters' list, a simple telephone directory and various surveys conducted by multiple government and private agencies are some of the sources of big data for political parties. The usefulness of this data depends on the quality of the analysis," says S. Anand, CEO and chief data scientist of Gramener, a data science company based in Hyderabad and Bengaluru.

Indian telecom pioneer Sam Pitroda, who heads the overseas department of the Congress, also accepts the significance of big data analysis in political campaigns. "Data analysis gives us a good understanding of multiple attributes, such as age group, caste, religion, location, education, profession and relationship," he says.

But there is a near consensus among various stakeholders that the impact and scope of mining and analysing social media data is very limited in the Indian political context. Anand dismisses the power of social media data in influencing elections, saying that user profiles of platforms like Facebook do not necessarily provide information crucial for Indian elections, such as caste and political leaning. "The social media penetration in 2014 was much less compared to what it is now. And to even say that Facebook data will help create a successful election campaign is a 10-year leap of faith at the moment," he says.

According to the 2018 Global Digital Report from We Are Social and Hootsuite, India has 34 per cent internet penetration compared to the global average of 53 per cent. The US has 99 per cent internet penetration. India is also far behind the global average in social media penetration. India recorded 19 per cent social media penetration in January 2018 as against the global average of 42 per cent. However, at 31 per cent, it was the second fastest growing country in terms of social media penetration.

The data also indicates that it was most unlikely that CA had enough numbers to influence Indian elections through social media manipulation. India's internet penetration has been fuelled by mobile phone data, which received a huge impetus only in 2016 with the launch of Jio phones, resulting in a sharp fall in data tariffs. In India, 79 per cent of the web traffic comes from mobiles as compared to the global average of 52 per cent.

A prominent election strategist, who has worked with both the BJP and the Congress, agrees with Anand and says that the social media behaviour of people in the US and in India is vastly different. "In the US, it may be easier for an analyst to guess whether a person is Republican or Democrat. In India, people don't reveal much about their political behaviour," he says.


Praveen Chakravarty, who heads the data analytics wing of the Congress, believes that social media certainly makes it easier to get one's message out in a targeted manner, but it cannot predict voters' behaviour. "Predicting voter behaviour through Facebook trends is vastly overrated and exaggerated, at least in the Indian context," he says. Contrary to his assertions, a study published in the Proceedings of the National Academy of Sciences in 2013 showed that if one had enough data, just based on 'likes', one could predict sensitive personal attributes, including political views, fairly accurately. That could perhaps be the logic behind Prime Minister Narendra Modi recently asking BJP MPs to increase the 'genuine likes' on their Facebook pages to 300,000 if they wanted to contest the 2019 elections.

But Chakravarty dismisses CA's claims of helping political parties win elections with its data analysis. "Data and analysis can be a very useful input in overall electoral strategies. But to say that data analytics alone will win elections is a gross exaggeration. It is one of many important inputs into an election," he says.

According to Pitroda, the impact of messaging based on data analysis is short-lived. "Politics is not about selling a product. This is a new phenomenon promoted by businesspeople to make money. It will not last long. Mahatma Gandhi did not need such tools to communicate. If the message is true, it will reach the target audience."

A campaign strategist, who did not want to be named, pointed towards the complications in analysing such data as Facebook offers dynamic data. "Billions of data points will be generated every day. To make sense of these, a high level of analysis is required, which could be really time consuming," he adds. He is also confident that neither the BJP nor Congress has ever used CA because several Indian entities offer such data sets at much cheaper rates.

Chakravarty agrees, saying external agencies are not required for constituency mapping or analysing election trends at booth levels. "I have published an entire body of empirical research work using electoral data. It is no brain surgery," he says.

Adds the strategist, "That's the reason a top BJP leader slept through a CA presentation. Ambrish Rai, who used to do surveys for political parties, was taken on board by CA because he helped the British company get access to several political leaders."

Amit Malviya, head of the BJP's IT cell, is not willing to dismiss the impact of social media data though he categorically states that his party never used any social media data procured without consent. "We have such a large database of our members. We don't need Facebook data and we don't indulge in unethical practices," he says. Malviya, however, confirms that the BJP extensively uses social media platforms to promote the party's vision and achievements and the volume of engagements has been steadily growing. He also seeks to dismiss the Congress's allegation about misuse of data of the users of the NaMo app, saying that the data is being used for analytics using a third party service, similar to Google Analytics. "The data is in no way stored or used by the third party services. Analytics and processing on the data is done for offering users the most contextual content. It enables a unique, personalised experience according to a person's interests. A person who looks up content related to agriculture will get agriculture related content prominently," he explains.

While Malviya justifies profiling for 'contextual content', cyber security expert Subimal Bhattacharjee believes such databases remain tools for misuse. "The primary intent behind asking for so much access is to build a profile. So, from a user's point of view, the less access he or she gives, the better," says Bhattacharjee.

Pitroda sees a sinister design in such analysis and customisation of messaging. "It's done to influence the likes and dislikes of an individual. For instance, some nasty comments about Sai Baba will be deliberately attributed to an individual or a party and those will be sent to someone who worships Sai Baba. The purpose is to provoke the individual against that party," says Pitroda.

While political parties have launched a no-holds-barred war to gain the upper hand on social media platforms, the Election Commission is still playing catch-up. A 14-member panel set up by the EC in January to study how social media and other digital platforms are used ahead of polls may submit its report only in April. It means the recommendations are unlikely to be implemented during the assembly elections scheduled this year: Karnataka in May, and Rajasthan, Madhya Pradesh, Chhattisgarh and Mizoram later this year. Despite the importance of authentic poll-related information reaching the masses, the EC made its debut on Facebook and YouTube only in January. The EC had limited presence on these two platforms: it had a Facebook page titled India Votes for overseas voters since last year and some training capsules were uploaded on YouTube. The commission, however, has ruled out its presence on Twitter in the near future owing to "certain reasons".

How safe is your digital footprint?

Whether data sourced from social media and mobile apps is electorally significant or not, CA's Facebook exploits and revelations about the NaMo app have made it clear that personal data digitally stored on any platform, including the 'much protected' Aadhaar, is open to misuse. India's biometric ID programme, Aadhaar, with over 1.1 billion users, is the world's biggest database.

On March 23, Karan Saini, a New Delhi-based security researcher, claimed to have discovered a data leak on a system (run by a state-owned utility company that uses the Aadhaar database for verification) that can allow anyone to download private information of all Aadhaar cardholders, such as the 12-digit biometric-based unique identification number, phone numbers, services they are connected to and bank details. Saini's revelation came a day after Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), the nodal agency for Aadhaar, had told the Supreme Court that Aadhaar data was encrypted so well that it would take even the most powerful computer time equal to "the age of the universe" to break a single key.

But as cyber security law expert Pavan Duggal points out, the threat arises not only from Aadhaar's central server but multiple agencies using its data, as was in the case Saini discovered. "Aadhaar is a mandatory ecosystem in which several private players are also involved," he says, lamenting that strict data protection measures are often not followed by these players.

"The problem with platforms such as Aadhaar and Facebook is that these are huge centralised databases and any breach at any point compromises the entire data. The breach can happen at any point, right from the photocopy of your Aadhaar card," says Pranesh Prakash, policy director at the Centre for Internet and Society.

Attempting to dismiss Saini's claims, the UIDAI resorted to a strange argument. "If one goes by the logic of the story, since the utility company's database also had bank account numbers of its customers, would that mean that all Indian banks' databases have been breached? The answer would obviously be negative." What the UIDAI authority fails to recognise here is that the Aadhaar cardholders did not volunteer to make their bank account details public without consent.

The Congress, which had initiated the Aadhaar project, has been critical of the Modi government's handling of privacy issues related to it. "PM Modi's respect for privacy was seen when the government vehemently opposed the right to privacy in the Supreme Court," says Congress leader Abhishek Manu Singhvi. "The attorney general has told the court that Aadhaar is safe and secure because it is behind 13 feet high and 5 feet thick walls."

Singhvi labelled the Modi dispensation as a dismissive government, which follows the policy of shooting the messenger and ignoring the message. "One journalist showed how Aadhaar data of 10 million people could be procured within 10 minutes for just Rs 500. An FIR was filed against her. Two security experts have recently pointed out Aadhaar data leakage. But the government, instead of taking note, is busy dismissing such complaints."

The Union government may have ignored the Aadhaar breach, but it sent out a harsh message to Facebook over the CA leak. Union minister for law & justice and IT Ravi Shankar Prasad threatened to summon Facebook CEO Mark Zuckerberg to India (see interview). Within 24 hours of the remark, Zuckerberg said in an interview: "There's a big election in Brazil. There are big elections around the world, and you can bet we are really committed to doing everything that we need to, to make sure that the integrity of those elections on Facebook is secured."

In the event, it was commerce rather than threats that pushed Facebook. Within a week, Facebook's market value shrank 8 per cent, according to media reports. On March 24, Facebook published full-page newspaper ads, apologising for the CA scandal and vowing to secure its database in the future. "This was a breach of trust, and I'm sorry we didn't do more at the time. We're now taking steps to make sure this doesn't happen again," the ads read.

In an e-mail response, a Facebook spokesperson told India Today: "We are investigating all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. While our internal and external reviews are still ongoing, we remain strongly committed to protecting people's information and announced some important steps for the future of our platform, and these involve taking action on potential past abuse and putting stronger protections in place to prevent future abuse." The social media giant also said it would inform people whose profiles have been compromised by any app. It will also launch Facebook's bug bounty programme to reward people who spot vulnerabilities.

But are such assurances enough to secure digital footprints of individuals in the internet era, where web trackers such as Google Analytics can trace every click on the browser? India is the fifth most vulnerable country for cyber security breaches, according to the Internet Security Threat Report of 2017 by Symantec. And it is not just political snooping: there are other forms of data theft, primarily by corporates or hackers for marketing campaigns or for a good bargain.

For instance, in May 2017, a data breach at the food delivery app, Zomato, led to personal information of about 17 million users being stolen and put up for sale on the Darknet. The company had to negotiate with the hacker to get it taken down. Hackers stole data from 57 million Uber riders and drivers. Uber paid them $100,000 to keep the breach a secret. "The most common practice is the rampant access to call detail records of our mobile phones," says Anand. "Asking how safe is our privacy in the digital world is like asking if a human body will be safe on the street," says Prakash.

Experts unanimously demand a strict and robust data protection law that covers both government and non-government data. Duggal says the government must take the Facebook fiasco as a wake-up call and amend the Information Technology Act, 2000, to include a comprehensive section for data protection. "More than just a law, there should be adequate parameters for implementation," he says. Bhattacharjee adds that sections 43, 43A and 72A of the IT Act are not enough to deal with the emerging environment.

India can also learn from the General Data Protection Regulation (GDPR), which is scheduled to come into effect in 28 member states of the European Union from May 25. The European Parliament adopted GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. The types of data that GDPR seeks to protect include basic identity information, such as name, address and ID number; web data such as location, IP address, cookie data and RFID tag; health and genetic data; biometric data; racial or ethnic data; political opinion and sexual orientation. In the context of the CA scandal, the protection of political opinions becomes very relevant in India.

Apart from the law, awareness about data protection needs more attention, say most experts. There is always a long list of terms and conditions for any kind of internet services and mobile applications that a person subscribes to. Most people ignore the fine print, allowing the service providers to share personal data with third party vendors. Often, the terms and conditions are changed without taking consent of the users, just as the fine print of the NaMo app was changed. Some applications even extract data without permission. For instance, if a person downloads Truecaller, it gets access to all the phone numbers stored in that handset. "I haven't downloaded Truecaller, yet my number and e-mail are available to it," says Prakash.

The new act must not only plug such loopholes but also protect personal data from being misused by government authorities. Congress president Rahul Gandhi has claimed the prime minister misused data of NCC cadets to reach out to them ahead of the 2019 polls. There is also a need to define what is personal data. A landline number was available in the public domain in the form of a directory, but a mobile number is considered private.

Experts say a strong autonomous regulatory body must be formed for the safekeeping of data, and the government must be held accountable for any leakage. Prakash is not hopeful the nine-member Committee of Experts headed by Justice B.N. Srikrishna will suggest provisions that bring the government under the ambit of data protection laws as five of the nine members are from government departments, including the head of UIDAI and the National Cyber Security Coordinator.

The government's attitude towards data protection was also evident when National Cyber Security Coordinator Gulshan Rai recently said that he avoided net banking as deterrence against banking frauds. His statement was a major embarrassment for the Modi government, which has been promoting digital transactions. Rai may have a better idea about the government's competence to fight data theft: in 2015-16, India spent Rs 68.2 crore on cyber security while the US spent $28 billion (Rs 1.8 lakh crore) during the same period. Till the government gets its act together, the only way forward for the individual digital consumer is to maintain basic digital hygiene, such as not posting personal information, going through the fine print before giving access to apps and using virtual private networks. That's what cyber experts call the T-shirt rule: don't disclose on the internet what you can't print on your T-shirt.
