Cambridge Analytica has been in the limelight since whistle-blower Christopher Wylie revealed that the UK-based company used illegally-obtained data of 50 million Facebook users to influence the result of the US presidential election and the voting on Brexit. The controversy has raised new concerns regarding the misuse of data on social media sites, privacy of users and the power of social media to influence important political outcomes.
While the controversy unfolded, allegations were made about the connection of Cambridge Analytica with Indian politics. Irrespective of whether these allegations are correct, the truth is that the data of Indian social media users has been out in the open, unprotected, for quite some time now.
Statistica, an online data portal, estimates that India will have about 492.68 million mobile phone internet users by 2022. The data portal also reckons that, in 2019, there would be around 258.27 million social network users in India — up from 168.1 million in 2016. Facebook is projected to have close to 319 million users in India by 2021.
Digital networking on such a massive scale has given people the opportunity to communicate with one another and exchange ideas across the world. But the flip side of such exchanges is that the data of these social media users can be exploited to extract personal information. The information of social media users, including their browsing history, is used for targeted cross platform advertising. The problem, however is that, as senior journalist Mandira Moddie points out, analysed in bulk, this information can reveal intimate psychological profiling, including ideological preferences, which can help campaign managers to influence crucial political outcomes in democracies.
All of this has naturally raised concerns about the country’s data protection laws. India follows the Information Technology Act, 2000. Under the Act, only passwords, financial information — such as bank details — information pertaining to a person’s physical, physiological and mental health conditions and sexual orientation, medical records and biometrics are identified as “sensitive personal data”. Entities handling such data are required to have “reasonable security practices and procedures”. This means that different entities can choose their own reasonable security procedures to protect sensitive data. Such a law points to the vulnerability of data of social media users and the need for more stringent data protection laws.
After the recent data breach, questions were raised about the security of data held by the Election Commission of India (ECI). I believe that the worry regarding the ECI’s data is unnecessary. The Commission holds two kinds of data — electoral rolls and election results. The electoral rolls do not consist of sensitive information, which might reveal personal history or the ideological preferences of voters. All it has is the voter’s name, age, name of father/ spouse, and address. All this is already in the public domain. This data has already been used to target specific audience segments. The BJP’s famous panna pramukhs — in charge of one page each of electoral rolls — conduct such analyses on a regular basis to reach out to voters. This, to my mind, is a perfectly legitimate democratic activity. In this context, technology is a labour saving — and not an intrusive — instrument.
The other set of data pertains to voting information, including election results. Such data is, of course, very sensitive, sacrosanct and secret. It is, however, contained in the EVMs and is not linked to any external sources. The data on results is, therefore, absolutely secure.
Questions have been raised if linking the ECI’s data with Aadhaar will compromise privacy and security. There, too, my answer is no. The only objective of linking ECI with Aadhaar is to detect duplicate voters — a major concern. Biometrics will involve checking impersonation only.
Where does Facebook come into this? The ECI has, time and again, collaborated with Facebook for its voter outreach and education programmes. Facebook has helped the ECI reach a large number of voters, especially the youth. The collaboration has been a productive one for Indian democracy. The ECI, in fact, recommended a special award to FB for this work by the President of India on National Voters Day on January 25. After the recent events, Chief Election Commission, O P Rawat did say that there was a need to review the ECI-Facebook collaboration. Subsequently, though, the ECI has affirmed that its partnership with FB will continue.
There is no doubt, however, about the need for a stricter data regulation framework in India to avoid data abuse, and prevent undue influencing of voters. Any element which could influence election results is a concern and must be kept under close scrutiny. It is relevant here to refer to Section 171C of IPC which deals with “Undue Influence at Elections”. “Whoever voluntarily interferes or attempts to interfere with the free exercise of any electoral right commits the offence of undue influence at an election,” the section notes. This includes threatening a candidate or voter “with injury of any kind” or “inducing or attempting to induce a candidate or voter to believe that he or any person in whom he is interested will become or will be rendered an object of divine displeasure”. Violation carries a punishment of an year’s imprisonment and/or fine.
Winning elections and defeating rivals in an electoral contest is a normal democratic activity. Segmentation of targeted audiences and selective targeting is an old marketing practice that is also followed by election campaigners. But the content of messaging must be ethical and legal. It should not violate laws, regulations or codes such as the Representation of People’s Act, the Indian Penal Code and the Model Code of Conduct. The message should not carry hate speech, it should not amount to disrupting election campaigns or contain personal attacks or appeal on the basis of religion or caste.
The rules that apply to media must apply to social media as well. The application of these rules cannot be ignored because they might be “tougher” to implement in the latter’s case.
Profiling of political orientation of citizens for intimidation or undue influencing by governments, political parties and individuals has serious implications and points to the need for adequate legal/ technical safeguards. Stricter data protection laws, more security and safeguarding the privacy of individuals are, therefore, essential if we are to survive this age of technology and emerge as a stronger and more efficient democracy.