Psychographics
Cambridge Analytica is a warning sign. And Indians are at risk: the country has no data protection law.
Psychographics
***
The revelation that Facebook had allowed personal information from 50 million user accounts in the US to be used by British data analytics company Cambridge Analytica shook the world. It took a toll on the stock prices of many companies including Facebook, whose value tanked significantly, and created a trust deficit in social media worldwide. Facebook founder Mark Zuckerberg will face the US Congress next week to answer questions about how his social media behemoth has been sharing the confidential information of its users for profit.
In India, this has led to a bitter debate and mudslinging between the BJP and the Congress over the latter employing the services of Cambridge Analytica to influence elections. While the slugfest between the two big parties continues, this has led to a larger question: how safe is personal information and data in the hands of social media companies such as Facebook and WhatsApp? Indians routinely open up their hearts on these sites to share information about themselves and their families—do the sites then sell this data to others to manipulate buying and, well, voting?
The Facebook problem began in 2014 when a Cambridge researcher, Alexander Kogan, developed an app with a personality quiz called “This is your Digital Life”, which was put up on Facebook. Through this, he collected data from 270,000 users. This then gave him access to data from those users’ friends, and ultimately he was able to harvest the data of 50 million people. All this was then given to Cambridge Analytica, who used it to influence Donald Trump’s US Presidential election campaign. The issue here for India is that whistleblower Christopher Wylie, who revealed the nexus between Cambridge Analytica and Facebook, also said that the data analytics company had worked in India with the Congress party. This brings up privacy issues relating to personal data in India and the ability of social media companies to potentially misuse such data.
What is of concern is that India currently lacks privacy protection laws and everything is out in the open for firms to misuse. Personal information and data are routinely sold by social media companies, credit card companies and telecom operators. The government has set up a committee led by Justice (retd) B.N. Srikrishna to look into privacy issues; this committee has prepared a draft report but is yet to submit its final report. At the moment, Section 43A of the IT Act and associated rules serve as India’s primary data protection provisions. Given that Facebook is a foreign company, the applicability of these provisions to the social media giant is unclear. Says Usha Ramanathan, privacy activist and legal expert, “Most people do not understand the nature of privacy policy. So they sign on everything when signing on to a social media app or website. As a result, personal data and information are sold and the user has become the product. You are the one being sold and so the service is free. We do not realise that, from being a consumer, we ourselves have become the product for these social media sites. Their business is only about using our data.”
Ramanathan explains that a high level of manipulation of data and information takes place through the social media sites, who not only make use of it themselves but also aggregate the data and sell it to others. “When the systems know you even better than you yourself, manipulation becomes inevitable. That is the tragedy of technology,” she says.
Amber Sinha, cyber analyst and senior programme manager at the Centre for Internet and Society (CIS) feels that there is a need to look at the various kinds of data one shares while engaging with a social media platform such as Facebook—volunteered data (data that is actively provided by individuals, such as details in a form when they sign up for a service), observed data (behavioural data generated through an individual’s use of the service), and inferred data (which is neither actively nor passively provided by the individual, but arrived at through the analysis of collected data).
While individuals are aware of the first category, they are often unable to exercise meaningful control over the second, as it is continually and automatically collected. Observed data also includes the collection of data from other online behaviour of the individual through various tracking tools which are deployed on the browser. Further, the third category is often outside the scope of regulation, as it is not directly collected from the user but is inferred by the controller based on other data collected. This loophole must be closed by regulation to cover data use as well as collection practices.
Just as there is no privacy for personal data, there is also no privacy for our online activity, which is constantly monitored by companies such as Facebook and Google. Says K.K. Mookhey, founder and CEO at Global Cyber Security Service Provider, Network Intelligence, “The Facebook model is inherently problematic. You and I are the producers and consumers of the content provided by companies like Facebook. Facebook tunes the content according to our habits. What we see on Facebook is according to our choices and general surfing habits. It tracks our general surfing habits on non-Facebook sites, analyses our online behaviour, and then tweaks our content accordingly on Facebook. This is gross manipulation which is automated through algorithms.”
With the data in hand, marketers can choose specific parameters to provide content and do micro-targeting. Cambridge Analytica did psychographical mapping of the preferences of voters in the US elections using this kind of data. The company started by looking at undecided voters, and kept pushing them towards the Republican Party. According to Elonnai Hickok, COO with CIS, “Personalisation of content, be it advertising, news, a product on Amazon or your Facebook feed is a practice that is being used across the board. Personalisation happens through algorithms and the data you feed into it. No algorithm is perfect and it is possible for manipulation to happen intrinsically. Manipulation of the type that has been attributed to Cambridge Analytica is an extension of personalising a message to influence, not buying habits, but larger choices.” Adds Sivarama Krishnan, leader, Cyber Security, with PwC, “There is a clear case of privacy violation from a principle standpoint. It is not a legal violation as users have signed up to it voluntarily. They are manipulating the behaviour of the user by suggesting options according to a user’s behaviour and surfing habits. This is what Cambridge Analytica has done. This is a big challenge.”
The public perception of all this is, however, quite different, and most people want their data to be secure. According to a survey done by online analytics company Local Circles, 86 per cent of people in a sample survey wanted a law that protected their private information and 84 per cent did not want their bank transaction details to be accessible after the linkage of Aadhaar and bank accounts, while 75 per cent did not want their call records to be accessible after similar linkages. A whopping 94 per cent wanted companies, particularly banks and telecoms operators, to face a penalty if information is leaked. Says Hickok, “Selling of data that allows for personalisation is one of the primary business drivers. Though Facebook allows for controlling who sees the data, the company itself has given access to the information as per its business needs. The selling of data does happen around the world on a routine basis. It is important that privacy regulation place a framework around how data can be collected and used, and the redress that individuals can seek if their privacy is violated.”
There is no doubt that there is gross violation of privacy as social media companies use and manipulate content for users in order to mould the latter in a particular manner for the sake of business. While the European Union is ready to introduce the General Data Protection Regulations (GDPR) to protect personal information and data from May, India is still a long way from reaching this stage and does not have any legal way at all to safeguard personal data. The country needs to develop GDPR-like rules to protect its citizens. Until that happens, Big Brothers like Facebook will continue to watch you and will continue to mine Big Data.