Free mobile and Facebook apps as well as games such as Candy Crush, Ludo and Chess can be potential tools for data harvesting, say cyber security experts, warning internet users in India against the seemingly innocuous everyday pastimes.
The warning comes as debates on data privacy intensify following the reported breach of social media giant Facebook's data by UK-based analytics firm Cambridge Analytica to influence elections and market campaigns.
"There are a lot of users who play games like Candy Crush, Chess, Ludo, or other war games like Mini Militia. Some people click on 'free' apps like 'How would you look 30 years from now' and all that stuff.
"But we must remember one thing. Nothing is free in life. If you think the product is free, sorry, then you are the product!" leading cyber security expert Jiten Jain told PTI.
India's "most active" smartphone users spend four hours a day on mobile apps, according to an article on the website of the International Telecommunications Union (ITU), the UN's specialised agency for information and communication technologies.
Indians also downloaded 6.2 billion apps in 2016, up from 3.6 billion in 2015, as they led the field in the "most time spent" on Android devices by clocking 145 billion hours, it added, indicating the massive spread of mobile phone applications and games in the country.
Several apps on mobile phones and Facebook use data harvesting techniques and take users' consent in terms and conditions to access their data, including name, age, 'likes', friends and messages, posing a threat to privacy, cautioned Jain.
"Data harvesting" is the process of extracting large amounts of data for analytics by "consent" of the user, sometimes even by tricking them, Jain said. "Data theft", on the other hand, is the unauthorised use of that information for commercial or any other purpose, he explained.
Data harvesting, Jain elaborated, is mostly by some sort of consent, while data theft is largely by unauthorised access or hacking into a user's profile or device.
It is imperative that data subjects become vigilant about their privacy while visiting a website, added Jaspreet Singh, partner, Cyber Security, Ernst & Young.
"Users should make sure they are validating the terms and conditions of any personal information provided online, especially on social media," he said.
Users should read the privacy policies of websites and understand how the sites may use or share their personal information in the future, Singh said in his "advisory". Users should also be wary while sharing their location on the internet.
"Web cookies are used to de-anonymize a user and track their activities online. Users may use private browsing or browsers with add-ons to block monitoring using cookies," he said.
According to Rama Vedashree, CEO of the Data Security Council of India, youths comprise the majority of internet users in the country and it is imperative to increase awareness about online safety.
"Make sure that all of them have adequate awareness, knowledge and skill to leverage the power of these technologies and platforms (analytics and social media) but also stay safe -- both from security perspective and privacy," she said.
On social media platforms, for instance, users can control their posts, choosing to make them visible only to their friends or friends of friends or everyone.
Supreme Court lawyer Pavan Duggal, who specialises in cyber issues and argues for dedicated legislation for data protection or data privacy, said users should think through the terms and conditions before granting any apps access to their personal pictures or documents.
"Do not wait for the law to come in for it will take its own time. Be conscious about what you share online. Be aware that you are not being respected and seen only as a 'data subject' or 'data object' who is only providing them data on a 24*7 basis," Duggal said.
"You should understand that the internet as a paradigm never sleeps, and never forgets," he said.
What's uploaded online will remain there for a "long, long time", he added.
There are several cases pending in courts where people's data has been accessed without authorisation and they have sought either damages or other relief, he said.
"Since the Information Technology Act does not have very effective remedies, we haven't yet seen many successful judgements. Further, there are no convictions in the country for breaches or misuse of personal data on social media," Duggal said.
According to ITU data, by June 2017 as many as 830 million young people were online, representing 80 per cent of the youth population in 104 countries. In China and India alone, up to 320 million young people use the internet, it said.