While privacy activists have trained their guns on Aadhaar and its so-called vulnerabilities, as this newspaper has been arguing for a long time, there are far greater dangers from what firms like Facebook and Google know, about where you go, where you eat, where you travel, even what you have bought and whom you have voted for if you talk about this on social media. The still unfurling Facebook-Cambridge Analytica scandal, however, brings out just how big the possibility of personal information leaking out is, and how this can be, and is being, abused.
In this case, Cambridge Analytica, a political data firm hired by President Trump for his 2016 election campaign got illegal access to the personal data of 50 million Facebook users and used this to develop special campaigns targeted at them. Initially, Facebook tried to downplay the breach—it first said the claim of “a data breach is completely false” and that everyone “involved gave their consent … people knowingly provided their information”, and said that around 270,000 persons gave their consent; according to The New York Times and The Guardian, data was obtained for more than 50 million users.
In 2015, a psychology professor at Cambridge University, Aleksandr Kogan, Facebook says, lied to it and developed an app to gain access to information about people after they chose to download his app, “thisisyourdigitallife”. When Facebook learned Kogan had passed on the information to Cambridge Analytica, it says it removed his app, and demanded and got certifications from him and the companies he had sold the data to, stating that they had destroyed all the information obtained illegally. Yet, it took Facebook around three years more to suspend Cambridge Analytica, Kogan and a few others after it “received reports that … not all data was deleted”.
It gets worse. According to The Washington Post, by the time the 2016 elections happened, Facebook had perfected a system that allowed much better targeting of voters, “cheaper and with better feedback”. The Post talks of how, with a database of personal information that is probably the largest in the world, Facebook “provides a way for software developers to build on top of their platform, allowing other companies to use their data under certain conditions”. And, we know from the Kogan case, how easy it was to abuse those conditions, even if they were strict to begin with.
How seriously you should take Facebook’s protestations about its innocence is best brought out by a piece in The Guardian after the scandal broke out. Facebook, The Guardian said, hired Joseph Chancellor, one of the partners of Kogan, as a quantitative social psychologist roughly two months after he left Global Science Research, the company set up to harvest Facebook data under the guise of academic research.
It is not clear how the Facebook-Cambridge Analytica matter will end since several investigations will start on the matter, in addition to the ones on the Russian propaganda and the fake news—apart from in the US, even lawmakers in the UK are looking at this in the context of manipulating public opinion in the case of the Brexit vote.
Contrast this abundance of personal information that is available so easily with the campaign against Aadhaar, which really has very limited information on people. At the time on enrolment, data is sought on the age/sex/address/email/phone but, apart from your biometrics, the Aadhaar authorities know little else—even Aadhaar’s worst critics have never said the biometric data was hackable or available for a price.
Aadhaar is used to authenticate various transactions, such as ration shop purchases and is linked—for those who have done this—to your bank account and mobile numbers, but no information on the calls made or the money paid/received are with the Aadhaar database. Linking of Aadhaar with bank accounts and PAN numbers, intrusive as it sounds, is essentially about ensuring the taxman knows exactly what bank accounts people have and that their PAN are not fake, nothing else. So, try as you might, it is not possible to use Aadhaar to create any sort of profile as can be done with Facebook data.
There is, undoubtedly, a problem when it comes to the privacy of data like mobile phone numbers and addresses (that Aadhaar collects) and even bank account numbers (that it does not collect) that several government websites have made public from time to time. This has to be stopped, and the Aadhaar authorities have to ensure these are not made public. But, it has to be pointed out, while Aadhaar is responsible for ensuring the data does not leak from its collection agencies, often the data leaks from government agencies who put this out in the public for purposes of transparency, so that people know where, say, pension money has been paid out and to which bank account. Also, many government organisations (goo.gl/kq7cAv), like the Election Commission and various municipalities, also routinely put out fairly sensitive data in the public domain.