If Cambridge Analytica scam of 2018 was about illegal harvesting of Facebook users’ data for political marketing and user-specific campaign strategies, the latest snooping scandal using messaging platform WhatsApp is about unlawful surveillance and fraudulent invasion of individual privacy, fraught with far more dangerous implications.
The NDA government’s response to both the scams has followed a familiar pattern: vague assurances of a probe but no serious follow-up action. When the Cambridge Analytica storm hit the Indian shores in March last year, with reports suggesting that several parties had engaged the services of the data analytics and political consultancy company for political targeting, law and IT minister Ravi Shankar Prasad had said the issue would be probed thoroughly after getting relevant information from the British firm and also from Facebook.
However, in the face of the mounting heat, he announced in the Rajya Sabha in July last year that the investigation would be handed over to the CBI.
The Whatsapp snoopgate, involving snooping into the mobile phones of several Indian opposition leaders, journalists, lawyers and human rights activists, has evoked a similar response from the IT minister who said that WhatsApp has been asked to explain the “kind of breach and what it is doing” to safeguard the privacy of millions of Indian citizens.
More than a year after taking up ‘preliminary inquiry’, the Central Bureau of Investigation (CBI) is still undecided whether it should proceed with a full-fledged criminal investigation into the case. So far, the agency’s achievement is that it has secured “additional information” from Cambridge Analytica and Facebook pertaining to the personal data harvesting of Indian voters from the social networking platform.
The information is being analysed by the agency, the officials said, a day after political furore broke out over WhatsApp snooping.
The CBI had sought information from the two companies on the data collection methods. Based on the details received, it had dispatched more questions with some specific queries earlier this year.
Cambridge Analytica was accused of fraudulent mining of personal data of millions of Facebook users by taking advantage of the lax data permissions of the social networking giant and used it for political marketing. The unauthorised mining of data amounts to breach of trust and user confidentiality as it can be manipulated to create fake news, a phenomenon that has emerged as a major challenge to the core values of democratic societies.
The WhatsApp Snoopgate raises several disturbing questions over illegal hacking by unknown government agencies in flagrant disregard for the rule of law and contempt for fundamental right to privacy.
WhatsApp has filed a lawsuit against an Israeli firm whose spyware, Pegasus, was used to target the users of the messaging platform during a two-week period in May this year. The surveillance was carried out between April and May this year on over 1,400 users in 20 countries spread across four continents, WhatsApp said in its complaint.
In an Op-ed article in The Washington Post, the head of WhatsApp, Will Cathcart, wrote that the surveillance “targeted at least 100 human-rights defenders, journalists and other members of civil society across the world”. He underlined that “tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk”.
WhatsApp, owned by Facebook, has more than 1.5 billion users worldwide including 400 million in India, its biggest market.
NSO Group, the Israeli cyber intelligence company, has disputed the allegations but said that the spyware has been sold only to “licensed government intelligence and law enforcement agencies” for use to combat the threat of terrorism.
This raises a key question over who would benefit from snooping on political leaders, journalists and social activists and how any organisation, other than the government agencies, could afford buying the spying equipment which costs millions of dollars.
Home ministry feigns ignorance
The Union home ministry has said that there was no information on any order being given to purchase Israeli sypware ‘Pegasus’.
“The government will take strict action against any intermediary responsible for breach of privacy of citizens,” it said in reply to an RTI application filed on October 23 which asked whether the Indian government has purchased or given purchase order for the software from the NSO Group.
“It is informed that no such information is available with the undersigned CPIO,” the Cyber and Information Security (CIS) division of home ministry said.
Curiously, the target of snooping include lawyers in the Bhima Koregaon case, Bela Bhatia and Anand Teltumbde. It must be pointed out that the Pune police, in a chargesheet filed in November last year, claimed that the Maoists had plotted to assassinate prime minister Narendra Modi to destabilise democracy and wage war against India. Five activists — Rona Wilson, Surendra Gadling, Shoma Sen, Mahesh Raut and Sudhir Dhawale — were arrested in June last year in a case relating to caste violence in Bhima Koregaon village near Pune.
As the Snoopgate set off ripples in political and social circles, experts have called for surveillance reforms to protect citizens against illegal hacking and asked the government to reject the use of spyware in policing and security.
“There is an urgent need for official disclosure on whether and how this spyware was used in India to hack our citizens,” the Internet Freedom Foundation, an NGO working in the area of protection of digital liberties, said in a statement.
“The government must issue a public statement providing complete information and clarify which law empowers it to install such spyware,” it said.
The hacking of computer resources, including mobile phones, is a criminal offence under the Information Technology Act, 2000.
“In addition to seeking transparency through full disclosure, we hope to work towards solutions to ensure that something like this never happens again. We will continue our public advocacy through the SaveOurPrivacy Campaign which seeks to put forth a model draft law that provides for judicial oversight and parliamentary controls in the surveillance process,” the Foundation said.
Pranesh Prakash, a digital activist and member of Center for Internet Society, an NGO engaged in research on internet and digital technologies, advocated a ‘broad political coalition’ to undertake meaningful reform of the surveillance practices in India and bring them within a democratic framework that pays heed both to security needs as well as individual privacy and government accountability.
“It will not do for the opposition to merely call for the government to investigate. The opposition must push for a law to both curtail the government’s powers to conduct surveillance, as well as to make them accountable to Parliament and the people for unlawful surveillance,” he tweeted.
Lessons for India
While the march of technology cannot be stopped, there is an urgent need for adequate safeguards to prevent data theft, misrepresentation and breach of privacy in the light of the two scams.
The solution lies in the bipartisan efforts to put in place a robust data protection and privacy law in the country.
“The challenge before us is how to regulate mobile app providers, social media players and intermediaries in terms of handling and processing the users’ data. We don’t have a data protection law in place. We neither have a national law on cyber security nor a national law on privacy,” says Pavan Duggal, a leading cyber law expert.
Duggal, who has written several books on cyber security and data protection, says that the absence of these critical laws has created a very fertile ground for the misuse and unauthorised access of users’ data by the service providers.
There is a need to revisit the existing provisions pertaining to intermediary liability and make service providers liable for unauthorised access to third party data. At present, the service providers are using Indians’ data with impunity and transferring them outside the territorial boundaries of the country. “As a result, the government loses all control. This has a detrimental impact on the protection and preservation of people’s data privacy and personal privacy,” Duggal, a senior Supreme Court lawyer, said.
European Union is role model
By formulating a legal framework to secure data, the European Union (EU) has set a role model in this regard. The EU has asked businesses and service providers globally to comply with its new privacy law — the General Data Protection Regulation (GDPR) — that comes into force from May 25 this year.
The EU GDPR, which has been designed after four years of debate, seeks to harmonise data privacy laws across Europe — to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. It was approved by the EU Parliament in April, 2016. Organisations that fail to comply with the new regulation will face hefty fines.
India needs to formulate its own privacy and data protection laws in tune with the country’s specific needs. “We have to deal with the huge issue of Aadhaar which is reeling under variety of cyber-attacks because we have failed to apply cyber security as an integral part of the Aadhaar architecture,” Duggal says.