The Government of India on Wednesday decided to set up an “expert committee” under the National Cyber Security Coordinator in the National Security Council Secretariat following a three-part investigative series by The Indian Express. The committee will study the reports, evaluate their implications, assess any violations of law, and submit its recommendations within 30 days.
The series reveals how a Shenzhen-based information technology firm, Zhenhua Data, with links to the Chinese government and military, is monitoring over 2.5 million individuals across the world, including at least 10,000 Indians. The investigation has elicited a range of responses.
The Indian Express attempts to frame the context given the prevailing situation on the India-China border, the scale and legality of the operations, the technology involved, and the end-use possibilities, given the trove of information being collected.
China is Watching: The background
Over the past decade, the rapid evolution of Internet technology, cheap phones, and cheaper data, has transformed the lives of urban and rural Indians in ways that now seem irreversible.
With smartphones becoming ubiquitous, technology improving accessibility, and with probably the cheapest data in the world (Rs 6.5 per GB), almost every phone is a data device today.
Huge emphasis on digitisation of government services by Prime Minister Narendra Modi, and the demonetisation of Rs 500 and Rs 1,000 currency notes in November 2016, have turned mobile phones into almost a KYC device that is linked to the individual and her/his identity: Aadhaar authentication is facilitated by the mobile phone; instant transfer of funds between bank accounts is enabled via UPI.
Now, three out of four smartphones sold in India during April-June this year, were Chinese brands; in the previous quarter, four out of five phones sold were Chinese. Most phones also come pre-installed with Facebook, Google, YouTube, and many other social media platforms.
India has banned 224 Chinese apps including TikTok, CamScanner and PUBG. In the US, TikTok may soon change hands. What is at the centre of such actions in India and the West is fear at the app level, and also at the pipe level (with companies such as Huawei and ZTE), that personal data may be compromised and may find their way into Chinese servers. Beijing denies this, but countries are sceptical, and turning more cautious — given particularly the nature of an assertive and ambitious China, which is being seen as expansionist today.
Question of Legality
Zhenhua Data has scraped personal information from about a dozen social media platforms, and many other online sources. At the heart of the legal argument is the baseline assumption: can consent given to Facebook, Twitter, Wiki, Medium, Youtube and Instagram, etc. be taken as consent for any third party scraping information from these platforms?
Two decades ago, this might have been all right. But the exponential rise in processing capacity, rapid evolution in big data analytics and artificial intelligence, has completely changed the paradigm.
Increasingly, it is becoming more and more obvious that companies have no skin in the game in what is said or written or appears on their platforms; they claim no intermittent liability.
The Personal Data Protection Bill, once it becomes law, will place responsibilities on the platforms, be it Twitter or Facebook, which are the primary collectors of data, to keep personal information safe.
There will be intermediaries like account aggregators and consent managers, who will keep a tab on these platforms, and their possible misuse.
But can these platforms or the intermediaries really act against a sovereign nation like China, if it is the ultimate source of misuse?
Operations and scale
Zhenhua Data has collected information on about 2.5 million key individuals and over 650,000 organisations, from countries across the world.
There are thousands of individuals in India, along with their network of families and associates tracked across multiple social media platforms. The Indian database includes prominent people — ministers, businesspersons, entrepreneurs, defence personnel, bureaucrats and diplomats, scholars and researchers, scientists and academics.
The first question this throws up is:
What is the point in tracking public figures, about whom so much is known anyway?
That is exactly the motivation — because tracking them gives you an insight into their followers’ minds. How followers or friends react (like/share/comment) to any public figure on open platforms reveals a lot about each of them.
Zhenhua Data is not necessarily interested in every follower of a public figure. But that is the thing about big data. It is about casting the net as wide as possible where individuals are not necessarily targeted as consequential in themselves, but simply because they complete the wide arc. The more information one collects and correlates, the more one gets to discover. Leaving out certain members of, say, a leadership team of any setup because they are not exciting enough defeats that purpose.
📣 Express Explained is now on Telegram. Click here to join our channel (@ieexplained) and stay updated with the latest
The second question that follows is:
So what, many companies have been doing this for years, both in India and in other countries?
Like any big data operation involving OSINT (open-source intelligence), Zhenhua Data deals in volumes.
First, the sweep: how many people it tracks. Second, the depth: how many data points it engages to collect information about every person it tracks. The potential of the database for ‘hybrid warfare’ depends on both factors: how many they know about, and how much they know about each of them.
Such an operation may not be immediately successful in filling all the information columns against each name. But it spells out the data ambition the company wants to achieve over time. The chances of striking gold — actionable intelligence — multiply as the data pool grows. And the chances of even a fraction of the Overseas Key Information Database — already 5 billion pieces of information and counting — yielding what is called “useable data” is motivation enough to keep invested in the project.
Companies are subject to regulation, and can be held accountable or asked questions by elected legislatures. In contrast, a Chinese company, from an opaque authoritarian set-up, mining big data in a more open democratic system doesn’t have similar checks and balances.
Also, propaganda — misinformation, disinformation and fake news — has always been a big item on the agenda when countries go to war. But what big data allows now is to customise data for millions instantly, making rapid response possible.
The sweep of Zhenhua’s targets, from politicians and CMs at the Centre and states to legislators in J&K and the Northeast, scientists in critical technology institutions to a range of tech start-ups and over 6000 accused of a range of crime, all monitored over years, yields a staggering volume of information which can be analysed by sophisticated big-data tools and processed as per the end user.
Then the third question is:
Basically, you can’t do much… what is the point then?
It is not that you cannot do anything. Experts suggest the government must educate citizens on cyber hygiene; a stricter level of hygiene for those in important positions from a security point of view. With the mobile phone becoming a data device, and storing almost all personal information, “key individuals” should be cautious about sharing personal information on social media or allowing platforms to track their geo-location, etc.
Not much can be done perhaps to stop the collection of data all together – given what technology allows, and particularly since open-source public data is by definition open and public. Big platforms such as Facebook and Twitter discourage automated scraping and bots, but recent events suggest this is more to maintain their monopoly of data for advertisement.
Yes, individual governments can force them to make mass scraping more difficult, but overdoing it may change the nature of the platforms and these companies are no pushovers. So, without sweating much over the source of the data and how it is collected, governments can invest in predicting possible strategic end uses foreign agencies may utilise such a database for. That means building capacity to pre-empt disinformation and propaganda campaigns. Given the bewildering pace of change in cyber security, the new battlelines are drawn.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines