By: Sharanya Ranga and Probal Bose
With the government’s push towards a Digital India, the data privacy regime in the country or rather the lack of it has come under immense scrutiny. We have been ploughing through one incident after another at a rather alarming pace, with the debit card data breach in October 2016, the Aadhaar data breach a couple of weeks back almost in sync with the Cloudflare data breach. Along with these security breaches, recent data brokering activities that have come to light has left the digital population of the country worried. While the data brokering industry is in its nascent stage in India, it is nevertheless a serious privacy concern.
What is data brokering? The data brokering industry has been in existence around the world for over a decade now with an estimated market value of $200 million globally. So what exactly do they do? Simply put, the data brokers collect a person’s (let’s call her Gita) information from a multitude of public sources of information straddling both online and offline mediums. This includes Gita’s social media posts, media coverage, browsing histories, payment transaction records besides traditional sources of information such as the census, company law records, voter lists, court records, etc. This rich source of data mined about Gita’s life is then used to create her individual profile stitching together different pieces of information, which may range from Gita’s religious affiliation, brand preferences, eating habits to personality mapping, and is sold to various target advertisers.
So pretty much there is a profile of Gita that has been created: Gita is a software professional, did her schooling in Mumbai, passed out of IIT, writes regularly on a blog for techies, loves to play tennis and shops for sportswear on a particular website during lunch hours at work, planning to trek the Himalayas in October, flies Jet Airways to meet her parents in London every 3 months, books tickets online through a travel portal, uses a Citibank credit card, and treats her friends every Saturday morning to idlis at Saravana Bhavan and much more! This is sold to targeted advertisers and businesses for them to woo Gita in a focused manner tailored towards her interests. Oh, by the way, Gita has no clue about her profile being mined and sold to/by third parties she has never ever dealt with. Her consent is nowhere in the picture.
Risks outweigh the benefits? That explains why we log in to Facebook or Twitter, the ads related to your last night’s online shopping or surfing history will eerily pop up! The information is definitely beneficial in understanding a customer, her likes and preferences to build in customer stickiness in a competitive business environment. But the risks may far outweigh the benefits in the long term. The pressing concern here is the sheer lack of transparency in the entire exercise especially considering how the data brokering operations operate ‘outside’ regulatory purview. Users are in no position to choose what personal information is to be shared and what is not.
In India, the Information Technology Act, 2000 and the rules provide a rudimentary framework that is not in sync with the rapidly evolving technological disruptions in the digital space. There is pretty much nothing in the legal framework to protect the Indian user from the data broker’s use of her data, leave alone for sharing, storing and selling it to third parties. In fact, protection and prevention itself may be farfetched when there is little knowledge on and control over the data brokering exercise. Circling back to Gita’s example, it’s all attributed to complex software algorithms that mine and sift through reams of data in a matter of few minutes to put together Gita’s profile for specific marketing purposes. While this has made the industry what it is today, it conveniently forgets the user and her personal information that provides the ‘raw material’. It is almost as if the idea of “personal data” has become a paradox in itself.
The way ahead for India We could take a leaf from the US Federal Trade Commission’s report to the US Congress released in May 2014 on this subject, rather tellingly titled “Data Brokers: a call for transparency and accountability”. Among other things, the report proposes a regulatory framework for the data brokering industry through a centralized mechanism such as a web portal where the industry details the manner of data access and collection and users are allowed to access their data and choose to “opt-out” from getting sensitive data shared with third parties. Industry players are also required to share the source of their data to the user and leave room for correction if such data is outdated or incorrect. While not exactly similar, we can evaluate the learnings from the “Do Not Disturb” framework rolled by our telecom regulator to manage telemarketing calls and unsolicited commercial communications.
A dedicated online portal regulated at a central level, having a robust mechanism for user access may well strike a balance between user privacy and business interests from a risk mitigation perspective. More than ever, these ongoing developments are a clarion call for the government to get its act together on data protection and privacy regulation in India. This will contribute to “Digital India” being embraced by an empowered user with less apprehension. The time to act is now, with each passing day taking us closer to the data breach landmines all over cyberspace.
This article was first published on http://businessworld.in/article/Data-Brokering-Another-Landmine-Lurking-Around-In-Digital-Space-/23-03-2017-114978/