With apologies to Benjamin Franklin, I would like to tweak his famous quote – “An investment in data pays the best interest.” Data is the most valuable resource in our increasingly digital world. The last few weeks have corroborated this very notion. Last month, the Cambridge Analytica data leak scandal shook one of the biggest tech giants – Facebook.
The Cambridge Analytica (CA) scandal came to light after a British newspaper published the revelations of Christopher Wylie, a former employee of the firm. As per Wylie’s account, CA indulged in illicit acquisition of voter data through a Facebook-linked application. CA member Aleksandr Kogan paid Facebook users to take an elaborate personality test through an application named ‘thisisyourdigitallife’. A quarter of a million users took the test, but the application also pulled private data from the test-taker’s Facebook friends. Facebook allowed the application on its platform to pull data from a users’ friends at that time but this has been banned since 2014. Initially, it was believed that 50 million users had been affected, but Facebook has gone on to revise the figure to 87 million users.
Kogan claimed to have developed the application for academic research. However, it has been revealed that he harvested the data from the application for CA, to build a tool which psychologically profiled the citizens to predict voting patterns. CA used this data to micro-target voters, run dedicated misinformation campaigns and influence voting decisions.
Data protection watchdogs on both sides of the Atlantic were quick to launch investigations on CA and Facebook. An undercover investigation by a British channel revealed the top executives from CA bragging about using sex scandals, misinformation campaigns (fake news) and working with spies to swing elections. The fact that CA executives admitted to having worked in more than 200 elections across the world, including India, is a cause for consternation.
Facebook CEO Mark Zuckerberg appeared before joint hearing of the Senate Judiciary and Commerce Committee on April 10, followed by his appearance before the House Energy and Commerce Committee on April 11. The testimonies went on for a little over five hours on the first day and four hours on the second day.
Mr. Zuckerberg did well in managing the Senators and Congressmen, ensuring that he did not give away anything concrete, despite the long hours spent in his cushioned chair. For the questions he couldn’t escape with his oft-used weapons of denying precise knowledge or getting back after consulting the team, he profusely apologised. The hearings also went on to exhibit the blatant lack of technical knowledge of some Senators and Congressmen, parts of which have been curated meticulously and shared widely all week. After having a reasonable laugh over it, we must all realise that this is a very daunting prospect. As such, data and privacy are widely unregulated domains. If the lawmakers do not upskill globally in time, we’re headed for chaos.
Many Senators and Congressmen squandered the opportunity by giving softballs to the CEO or getting him to make commitments to help increase connectivity in their constituencies. There were a few who posed serious questions – the highlight would be Senator Durbin, who asked if Mr. Zuckerberg would be comfortable sharing the details of the hotel he stayed in the previous night or the name of the friends he chatted with. Mr. Zuckerberg, visibly stunned, hesitated for a few seconds before coming up with a blunt no.
Overall, Mr. Zuckerberg made promises to coordinate with the investigating authorities and improve his firm’s data protection policies and tools. Since he testified, clamors from the EU parliament and many countries from Europe have grown inviting him to be appear before them.
The EU has the most sophisticated data safeguards currently and it is set to take them up a notch with the upcoming General Data Protection Regulation (GDPR), which is to come into effect from May 25. GDPR aims to give the customers adequate control over their personal data. It also introduces big penalties – fines up to 4% of annual global turnover or 20 million Euros (whichever is bigger), shall be charged on organisations breaching GDPR laws.
US lawmakers seemed to be keen on adopting some features of the GDPR, in the aftermath of the CA-Facebook data leak. During Zuckerberg testimonies, many US lawmakers talked of the bills they were going to introduce which borrowed from the EU laws. These bills were chiefly centred on user consent and opt-in functionality to determine how user data is to be shared.
The silver lining of the Cambridge Analytica scandal is that it has got everyone from lawmakers to laymen questioning the lax privacy culture that had set in. It has set the pace for privacy regulations in coming times.
In India, the CA scandal aftermath invited a stern response from all quarters, which later mutated into political sections trading blames about having ties with the firm. The Ministry of Electronics & Information Technology issued a notice to Cambridge Analytica and Facebook last month, seeking details of the breach and whether there was any interference with the Indian electoral process. Currently, the Ministry is examining the responses it has received.
India should use the lessons learnt globally from this episode to frame an apt data protection law locally. The government appointed the Justice Srikrishna committee last year to study data protection framework and draft a data protection law. The committee has since released a White Paper for stakeholder consultation. There are speculations that the committee will release its report by the end of May. It is expected that the committee would study the CA-FB fallout to fine-tune the contours of the data protection law draft that it will submit.
Politicians and power-brokers across the world have tried to reduce the identity of various sections of the society to their voting loyalties. We must not allow them to succeed in trimming down our collective identities even further to our virtual data trails. In our data-driven world, laws providing adequate data safeguards are the burning need of the day, lest we are rendered powerless.
Let us cross the Rubicon with regard to indifference over data policy!