The recent data breach involving alleged misuse of information of Facebook users by data mining and analytics firm Cambridge Analytica has once again highlighted the need for users to treat their digital lives as they do their physical ones. Experts have pointed to the importance of following basic cyber hygiene and periodically reviewing the security settings of one’s profile on various web platforms, especially on social media, where users tend to share personal information.
In a post on Thursday, Facebook CEO Mark Zuckerberg, while explaining how the data was misused, pointed out how, in 2013, “a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. It was installed by around 300,000 people who shared their data as well as some of their friends’ data. Given the way our platform worked at the time this meant Kogan was able to access tens of millions of their friends’ data”. While Zuckerberg claimed that since then Facebook has, over time, changed the way its platform functions to “dramatically limit the data apps could access”, it could not stop the breach of trust by Kogan, who had shared the data collected through his apps with Cambridge Analytica.
“But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that,” Zuckerberg said in his statement.
In a set of queries by The Indian Express, legal firm Software Freedom Law Centre (SFLC) said: “Everyone cares about their privacy. After all, you wouldn’t leave your door open and you would not hand out your address along with a picture of your family to strangers on the street, so why should it be any different on the internet? A big issue is that people do not understand the consequences of handing out bits of information about themselves – their profession, interests, friends, families, location, what kind of books, music and movies they like, do they like to drink coffee or tea, and so on”.
“These bits of information along with things that people do not explicitly mention – such as what time of the day they prefer to use a service and what words they search for – come together to form a very detailed picture about them. Quite often, this picture is more detailed than what your own spouse may know about you. The consequences of being profiled in this manner are unknown to most people,” SFLC added.
The legal firm also detailed a few precautions that users must adhere to while using social media platforms. These include:
* Before you upload anything on the internet, think about whether it is acceptable for you to have that information, image, video, or voice clip available to everyone forever. That should be your basic filter for deciding whether or not you want to upload that thing in the first place.
* Certain social media profiles are meant to generate and maintain a large following. For everyone else, what makes the most sense is to set your profile to private, so that only those people who have been explicitly granted permission to view your profile and your posts would be able to do so.
* You should periodically review the privacy and security settings of your social media accounts. Having a strong password and setting up two-factor authentication are steps in this direction, but security does not end there. It is not a matter of setting it up once and then forgetting about it. Remove any device that you do not recognise from your list of logged in or authorised devices.
* Be highly selective about which apps and websites you connect to your social media accounts. Grant them access to your account only if the access is absolutely essential for the core function(s) of that app or website. Remove any connected app and website from your social media account as soon as possible.
However, experts have also argued that the rapid growth of cyber threats, which grow in line with the rise in technology, makes it nearly impossible for one to achieve 100 per cent security. “This is not the first time that a data breach has happened and certainly not the last time. When it comes to cybersecurity, there is no such thing as ‘100 per cent guarantee’ or ‘all steps taken to block any future data leak incidents’. Having said that, it is very important that governments and private players give the due importance to the data it has of citizens. They should repeat audits every year, if not every six months, as only full transparency will restore trust back in this system, else more bad news is likely to come,” said Altaf Halde, Global Business Head of cyber security firm Network Intelligence.
The need for a timely implementation of the data protection legislation in India has been underscored at a time when a massive breach of user information has been exposed at Facebook, including alleged involvement in the electoral process. While the preparation of the law is in its final stages before it is taken to the Parliament, the concept of having a comprehensive legal instrument for data protection has been in the works since 2010.
In July last year, the Ministry of Electronics and Information Technology constituted a committee under retired Supreme Court judge Justice BN Srikrishna to identify key data protection issues in India and recommend methods of addressing them. The panel came out with a white paper on data protection in November seeking public comments on the structure of the data protection law, and in December came out with a schedule for holding public consultations across the country ending in January.
Currently, data protection in India is governed by provisions of the Information Technology Act, 2008 under Sections 43-A and 72A. Compensation for failure to protect data (Section 43-A) was introduced by way of an amendment in 2008, which lays down the liability of a body corporate to compensate in case of negligence in maintaining and securing the “sensitive data.” However, the Act does not define “sensitive data” and states the same as “personal information as may be prescribed by the Central government.”
“In today’s age, detailed profiles can be created using only personal data or information, without knowing any sensitive personal information. In an ideal data protection framework, all personal data would need to be protected with a high standard. Without any deterrent in place, there is currently no legal reason for any organisation to provide any protection for personal data or information…. A proper data protection law with an effective enforcement mechanism would ensure recognition for India as a trustworthy global destination for data-based businesses and privacy-conscious consumers while also protecting the Right to Privacy of the people in India,” SFLC told this newspaper.