Tuesday 1 May 2018

Lessons from Cambridge Analytica Incident

If Facebook users can learn one important lesson from the Cambridge Analytica incident, in which the data of nearly 50 million Facebook users was allegedly used to manipulate the USA elections, it is this: there’s no such thing as a free lunch when it comes to sharing personal data like images, posts and preferences on social networking sites.

Though these sites and apps are purportedly free because they do not charge users, it is a no-brainer that they get their Return on Investment (ROI) from the mountains of personal data that can be mined with the help of algorithms to enhance user experience and sell relevant advertisements.

Gullible users willingly share their personal data with these sites without understanding the consequences. However, even knowledgeable users face a conundrum when signing up for such sites and apps. For instance, whenever you download an app, it tells you all it is capable of. You have to click on the agree button if you want to avail of the services.

The Facebook app, among other things, tells you that it can directly call numbers, read phone status and identity, read your text messages, take pictures and videos, record audio, record your approximate location and precise location, modify your contacts, read call logs, read your contacts, add or modify calendar events and send emails to guests without owners' knowledge, read calendar events plus confidential information, read, modify or even delete the contents of your memory card, and add or remove accounts.

Smartphones and mobile apps can make one a smart and efficient employee, with all the information they collect as the trade-off, similar to how websites and e-commerce sites provide better services with the help of cookies, small pieces of code that track your online behavior and predict your next move with great accuracy.

Besides, ad networks may gather the information apps collect, including your location data, and may combine it with the kind of information you provide when you register for a service or buy something online to send you targeted ads that may be relevant to someone with your preferences and in your location.

Privacy by design effectively means that privacy principles such as preventing harm, transparency, choice, etc., are built into the architecture of the product itself. Thus, businesses need to include privacy and its related principles when the product is being built, not as an afterthought. Further, given that privacy by design presumes that the user is central to the entire system, meaningful consent and the real ability to withdraw this consent form another fundamental premise.

In many cases, such as Aadhaar, where the case is sub judice, quasi-government bodies will consistently pressure you to sign up, failing which you will have to run to the courts to queue up for justice. So you may end up signing up for these services, either because you feel helpless to fight the state or just do not have enough time to fight the system. India desperately needs a separate Privacy Act. The Right to Privacy, as enshrined in the Constitution, does not suffice when it comes to information security.

India also lacks a comprehensive policy on data protection or online security – the Indian Information Technology Act (2008) or amended rules in 2011 are not adequate. The Electronic Frontier Foundation advocates that “tech companies can and should do more to protect users, including giving users far more control over what data is collected and how that data is used.”

Globally, the European Union (EU) is the most stringent when it comes to data protection. After four years of preparation and debate, the General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, and companies that do not comply with this law may face heavy fines. GDPR replaces the Data Protection Directive (95/46/EC) and “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”, according to the GDPR Portal.

The positive fallout of the Facebook data compromise is that the Indian government, too, is firming up its long-term strategy to secure the data of citizens, especially those using social media. As algorithms increasingly enhance user experience and the bottom line of firms, users must not let their guard down, since these very algorithms can enable unparalleled invasions of privacy.
