Privacy On The Internet? The Oxymoron Of The 21st Century

Introduction to Data Privacy

Privacy has forever been a crucial aspect of the human being and one of the reasons we are considered individuals. In our private lives, we form opinions and have different experiences that distinguish us. These are the events that are personal to us, and if these were known to the world, we would have been nothing but an open book. With the advent of the digital world and more information being shared online, we are an open book being published for free.

Data Privacy explains how a piece of information must be managed based on its relative significance. It is considered similar to putting locks on our filing cabinets or safety deposit boxes in the bank because it denotes a sense of security. In practical terms, data privacy is a branch of data security that is concerned with the proper handling of data so that it does not reach the wrong hands.

Today, Data is the most important asset to any company, and they must do everything in their power to protect it. Data privacy is not just a business concern, as it may harm an individual far more as the risks are multi-faceted. Bruce Schneier, an American Crytographer, could not have put it better when he said, “Data is the pollution problem of the digital age and protecting privacy is the environmental challenge.”

Data could range from anything like the financials of a company or the opinions of an individual, but the concept of data privacy is principally applied to personal information which usually includes biometrics, financial data medical records and even social security numbers. A data breach at a corporation could put proprietary data in the hands of a competitor. In a similar way a leak at a hospital could put the medical records in the hands of those who may misuse it.

In this digital era, consumers have been using social media and e-commerce sites daily. These apps have been generating vital information through consumer usage that may be stored. This Data is being collected by websites and browsers to form a pattern and observe consumer behaviour.  Information leaked from a breach could be insightful for various reasons. In fact, it could be so insightful that it could change the world. That is what happened in March 2018 when ripples were created around the world after the Cambridge Analytica controversy.

Cambridge Analytica controversy

This data privacy scandal centres around a strategic consulting firm Cambridge Analytica and the social media giant Facebook. Between 2014 to 2017 personal information of approximately 87 million people was harvested from Facebook by Cambridge Analytica. This Data was to be used for political advertising and was the most significant know leak in Facebook history.

Facebook has had numerous data breaches due to its inadequate and insufficient measures to protect the data, but a leak of this magnitude was not unprecedented. Cambridge Analytica was able to harvest personally identifiable information through a personality quiz app called “thisisyourdigitallife”. The information gathered from the app was useful in building a “psychographic” profile of all the users so that they could be categorized to understand behaviour.

Researchers associated with the programme stated that they could automatically and accurately predict highly personal traits of an individual. This included but was not limited to ethnicity, sexual orientation, age, political and religious views. The quiz gave the creator the application access to find profile information and user history of the individual. It also gave them access to all the user’s friends which gave them more data to munch on.

So how did profile information of an individual give the model information like political views, and even if it did how was it useful? The model helped form a relationship with a given attribute, for instance, combination likes such as “Juicy Couture” and “Adam Lambert” were likes indicative of gay. Similarly, likes such as “WWE” were indicators of a straight man. This is how, through likes and dislikes, millions of individuals were categorized for political benefits.

Cambridge Analytica sought to sell the data of American voters to political figures aiding the presidential campaigns of Ted Cruz and Donald Trump. It was reported that Ted Cruz paid approximately six million dollars in services to the company. The Data was then used to create tailored advertisement so no matter what the views of an individual were, Ted Cruz looked like the right man. It may not have completely worked for Ted Cruz, but with Donald Trump the story was quite different.

Trump utilized the data to build profiles to which different messages were displayed. Advertisements were segmented into different categories, based on whether the individuals were Trump supporters or potential swing votes. Swing voters were shown negative ideas about his opponent, Hilary Clinton and in the long run, this worked in his favour, as his campaign was remarkably successful. The services of Cambridge Analytica were also allegedly used during Brexit in the United Kingdom and a host of other countries for smaller elections including India.

When this information came to light in 2018, there was a severe backlash, mostly faced by Facebook, as users of the social media website were worried about their Privacy. Facebook CEO Mark Zuckerburg apologized for this ‘mistake’ and agreed it was a breach of trust. The reaction was so severe that a movement was started to boycott Facebook altogether and their stock drastically fell as user rates dropped.

A new campaign of “#ownyourdata” was started making people aware of the repercussions of data breaches to the world in general. The founder of this campaign, Brittany Kaiser, a former Cambridge Analytica employee, set up a foundation, which promoted digital intelligence education. Programmes like hers are a necessity as everybody realizes the value of data and how it can be misused.

Government Intervention was severe as well with a U.S Court ruling that Facebook knew of Cambridge Analytica’s improper conduct months before they were publicly reported. Later, Facebook was fined five billion dollars to settle the investigation as it was apparent, they were involved in the illegal activities. Other government including Brazil, United Kingdom and India demanded further investigation into the matter as they believed there was more in the shadows.

The impact that this controversy brought was huge in every aspect. It helped decide elections and changed the course of history, but at the same time, it helped create awareness around the world about the significance of Data Privacy. The layman began to comprehend the repercussions of a data breach and how it may affect him. Even governments and private organizations realized that it was essential to set up a rigid framework of regulations with severe penalties on non-compliance. However, with the compliances adapting, it was inevitable the breaches were evolving.

Way Forward

The last few years have shown us that Privacy on the internet is a true oxymoron. Data breaches are frequent occurrences, cyber-surveillance is something that everyone is wary off, but data privacy regulation is still in nascent stages.

All over the world, governments have been striving to establish regulations and compliances that would ease data privacy. Countries such as South Korea and Japan that enjoy high-speed internet have stringent penalties for companies that are not able to protect their user’s data. Other states like the USA and China regularly prosecute and convict individual hackers for data breaches.

Legislations like the General Data Protection Regulation (GDPR) in Europe and the Data Care Act in the USA have been advocating for change in this digital world. These laws have been revolutionary and helped developing countries understand the necessity of setting up a framework protecting data.

GDPR MODEL

The GDPR has been the torchbearer of the data protection movement as it has given every country skeleton legislation to work on, according to their needs. This law does not just apply to the European Union but also those dealing with EU citizens. Some of its key features are

• Specific Permission – Unless an app or a website gets the specific approval to use the consumer’s details, it will not be able to do so.
• Data Portability – This is a right given to every consumer to ask for the data that a company has about them in a readable format.
• Right to be forgotten – The information that a company obtains from a consumer cannot be kept forever. This data has a right to be forgotten and consumers could ask companies to delete it if required.
• Limits on the use of profiling – This provision was absolutely required as it would hamper another Cambridge Analytic controversy from occurring. Under the GDPR, Profiling can be allowed only if the person consents to the same or where it is permitted by the law. Adopting Techniques – The new law promotes techniques such as anonymization and encryption so that messages are encoded and can be read only by authorized personnel.
• Duty to report breach – Organizations are bound to report a data breach within 72 hours since it occurred. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, organizations must also inform those individuals without undue delay.

Hence, the legislation set up regulations that have given individuals a sense of security by making the process transparent. Similarly, companies have benefitted as the law is a one-stop solution making business easier.

In India, targeted breaches like the WhatsApp snooping incident are rare and unprecedented. We did not see data protection regulation with seriousness until the Cambridge Analytica incident.

INDIA EMULATING GDPR

After the GDPR came into being, India was heavily inspired and took steps to safeguard its citizen’s rights and their digital data. The Supreme Court passed a landmark judgment on Privacy which paved the way for the draft Data Protection Bill 2018 submitted by a ten-member committee.

The preamble of the Bill mentions ‘Data privacy is a fundamental right of every citizen’. This philosophy must be inculcated in our laws so that people can gain the trust of its State. The Bill goes on to charter a well-thought-out framework, covering various notions but is still to be passed as it sits in joint committee discussion.

Some of the provisions empanelled by the Bill could be very helpful as these would definitely reduce data leaks. The Bill has placed large emphasis on citizen’s privacy and included all the important provisions of the GDPR. India has also categorized data into three classes, namely sensitive data, critical data and general data. All the sensitive and critical data must be stored on local servers. In fact, critical data cannot be taken out of the country at all.

India has gone one step further as compared to the EU in ensuring its citizens the data privacy it deserves. Through such legislation, we are witnessing some quantum security solutions, but the industry is yet to hit an inflection point. There are a host of challenges being faced as data can flow from one country to another and then be breached. The problem here would be we would not know which legislation to adhere to.

It has been a couple of years since the GDPR has come into the formulation. Companies have found certain loopholes in the regulations like setting up complicated terms of service. These conditions have the user accepting his data being shared without even realizing it, as it is disguised in complicated language.  Another problem being faced is that the penalties for non-compliance are not stringent enough and may not act as a deterrent.

If data privacy is truly a fundamental human right, consumers must know how their Data is being used. For this to occur, it is important that corporations realize their moral responsibility to consumers and the intrinsic core value of Privacy. The safeguarding of citizen’s Data needs to be both a combination of technology and policy-based solutions, and only then will Privacy on the internet be taken seriously.

About the author: Vidur Ujjwala is a 5th-year student at Symbiosis Law School, Pune. An ambitious and enthusiastic go-getter who is always ready to give a 100%. Being a sports buff,He has inculcated the positives like team building and unity from there. His other interests includes watching football, trekking and discussing movies.