The world has just learned how a data analytics firm, Cambridge Analytica, harvested the data of 50 million Facebook users and used that information to feed strategies such as ‘behavioural microtargeting’ and ‘psychographic messaging’ for Donald Trump’s presidential campaign in the U.S. Chris Wylie, a former CA employee-turned-whistle-blower, set off a storm with revelations of how the company had deployed a ‘psychological warfare’ tool for alt-right media guru Steve Bannon to try to sway the election in Mr. Trump’s favour. CA chief executive Alexander Nix, who was suspended a few days ago following an undercover report by a British TV broadcaster, said the company has used other dubious methods in projects worldwide — including honeytraps to discredit clients’ opponents. The combination of using personal data without consent and tailoring slander campaigns, fake news and propaganda to discovered preferences of voters is a potent and corrosive cocktail. Facebook has said its policies in 2014, when a personality profiling app was run on its platform, permitted the developer to scrape data not only from those who downloaded the app but also from the profiles of their Facebook ‘friends’. Yet it did not make sure the data were destroyed by the app’s developer Aleksandr Kogan, a Cambridge University academic, nor by CA itself when it came to light that Mr. Kogan had sold the data to CA, a third party. Facebook founder and CEO Mark Zuckerberg has offered an apology and expressed willingness to cooperate with inquiries and potentially open up Facebook to regulation.
This episode has brought to light several issues that need to be addressed. First, companies have been collecting data and tailoring marketing campaigns accordingly. The issue here is particularly prickly because politics and elections are involved. Second, regardless of whether what Facebook and CA did was legal or not, something is broken in a policy environment in which the data of millions are taken and used when only 270,000 people knowingly or unknowingly gave consent. Third, technology is evolving at a rapid pace, raising the question whether laws need to be reframed mandating an opt-out approach universally rather than an opt-in approach. Individuals often share their data without being aware of it or understanding the implications of privacy terms and conditions. Fourth, there must be clear laws on the ownership of data and what data need to be protected. Personal data cannot be the new oil. Individuals must own it, have a right to know what companies and governments know about them and, in most cases, that is, when there are no legitimate security or public interest reasons, have the right to have their data destroyed. The CA issue is a wake-up call for India; the government is still dragging its feet on framing a comprehensive and robust data protection law.
#FancyJ