‘Weakening of democracy’, ‘media whirlpool’ and ‘millions of Facebook users conned’ are three phrases that pretty much sum up the discussion around Cambridge Analytica and the alleged data theft from Facebook.
Living in the 21st century, where the new developments in tech come exponentially faster than they used to five or ten years ago, begs the question: Is our legal framework up to date with the potential threat?
Are our political executives qualified to identify and solve a modern day crisis? Are we ready to defend our democratic fabric under an attack, of which the front lines are on the web, and soldiers come in the form of millions of lines of codes?
How Does India Fair in the Cybersecurity Test?
With the alleged Russian interference in the American elections, I, as a journalist, became wary of the possibility of foreign influence in the Indian elections. With the furore brought on by investigations conducted by The Guardian newspaper and TV channel Channel 4 in the UK, we have been able to find connections between social media data, its use in influencing elections, and the possibility of a foreign government meddling with elections (Russia in this case). With a possible adversary in Eastern borders, and another one bordering Kashmir, India needs to audit its tech potency.
There are three basic questions to be asked:
Is the Indian leadership technologically competent?
Short Answer? No! Had the Cambridge Analytica incident not occurred, we probably would not have noticed how insufficient our leaders’ understanding of modern day cyber warfare is. The Law Minister of the country Ravi Shankar Prasad claimed that the government could ask Mark Zuckerberg to appear before a court in India. Turns out, he cannot. Why? We will get to that in a minute.
Is the Indian cybersecurity infrastructure secure?
Short answer? Not at all. The Washington Post published an article on 4 January 2018, flaying the Indian cybersecurity set up. The article discussed how journalists from the Tribune newspaper were able to secure personal information of Indian citizens such as their names, address, and contact details for a meagre sum of USD 8, and for another USD 5, the guy was ready to print them a fresh set of Aadhaar Cards. Concerns over the security of data provided by Indian citizens for Aadhaar cards have been rising since its inception in 2009. The Attorney General of India, KK Venugopal tried convincing the Supreme Court by saying the data was “secure behind five feet thick concrete walls.” While the sturdiness of the walls cannot be questioned, it is highly unlikely to play a role in case of a data breach, a hack, or an internally orchestrated leak. Walls do not matter in cyber warfare.
Now here’s the broader, and possibly the most important question of all.
Does India have the legal framework to bring potential cyber-criminals such as Cambridge Analytica to book, if need be?
The answer, once again, is an emphatic NO. Most of the cyber issues fall under the scope of IT Act of 2000. Considering the case in point, where Facebook reportedly provided data on private US citizens (50 million of them at least) to Cambridge Analytica, however indirectly, were used for psychographic profiling. The process is, in simple words, a micro-targeting tactic used in political campaigns to identify the digital behaviour of users. The digital behaviour gives an insight into the concerned person’s real-time behavioral aspects, such as their political ideologies, conscientiousness, favourite words, gullibility, likeliness to buy certain products etc.
Can Zuckerberg be Tried in an Indian Court of Law?
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 define personal information as any information that relates to a natural person.
The information deemed ‘personal’ under the law are basic information such as passwords, financial information, such as bank account or credit card details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. Most information used for psychographic profiling are not covered under the IT act, leaving Indian citizens susceptible to such profiling which is a blatant invasion of privacy.
Secondly, the law only applies to corporate bodies and persons located in India. Facebook, or any such corporation collecting data on Indian citizens cannot be touched under the IT Act, which is why our Law Minister cannot subpoena Zuckerberg. And thirdly, IT Rules may only apply to the data collector and not the data processor. Therefore, a firm such as Cambridge Analytica, which could breach Indian citizens’ privacy, cannot be brought to book on Indian soil.
There is, however, one way to get to such companies, which is to book them for espionage, but that route is too far-fetched.
In 2018, the need for modern legal structure regarding cyber-crimes is of utmost importance. Our inefficiencies in overhauling the legal provisions provide a major loophole to companies analysing our personal data and political parties using it for electoral gains.
The superpower of the future needs to prepare for the war of the future.
(Ishan Garg is a broadcast journalist based in the United Kingdom. He works as an editor for an upcoming digital platform and his passion is to write and talk about the convergence of politics and technology, which in his opinion, is going to define the course of the rest of the 21st century. He tweets @IshanGarg93. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)