Facebook data leak: Big message for India is need for a robust privacy law

Facebook Inc’s admission on Wednesday that personal data of almost all users of its social networking platform could have been accessed is worrying. That’s a potential 2 billion people whose data may have been gathered by entities that were not supposed to have access to them. The scale of this disclosure dwarfed two others made on the same day — that the number of people whose Facebook data was accessed by political advisory Cambridge Analytica was 87 million, and not 50 million as previously thought; and that around 600,000 of these people whose data was accessed are Indians.

Disclosing the bigger problem, the company admitted that a feature that allowed people to find the Facebook profiles of users by simply typing in their phone numbers or e-mail had been misused by some to scrape public data. That this data was being used by Facebook was always known — after all, the company’s business model is built around advertising which, in turn, revolves around the use of such data to get to know the user. That it could be easily accessed and used, perhaps misused, by others, has come as a shock to many.

There were more disturbing disclosures as well: explicitly, and for the first time, Facebook laid out exactly what data it shares, and with whom. It spoke of the other platforms it owns (including Instagram and WhatsApp) and how it shares data across them. It gave out details of exactly what it collects and shares (including the information it collects on the devices).

The disclosures were accompanied by prospective changes to Facebook’s data sharing policies that make it difficult for third-party developers and apps, for instance, to scrape Facebook data. Facebook has said, for example, that it will no longer be possible for anyone to access profiles by simply typing in phone numbers. That’s little comfort to people whose data has already been accessed.

The Wednesday disclosures highlight just how lax Facebook was with default privacy settings and serve as a warning to users of digital platforms who usually do not bother to change these settings (admittedly, many of these default settings are hard to change). And given that Facebook has known about the data misdemeanour at Cambridge Analytica since 2015 – and, indeed, made it impossible for app developers to collect user data this way – they highlight the company’s all-too-casual approach to protecting user data.

For India, the big message from all this is the pressing need for a comprehensive and contemporary data-protection and privacy law. Data is the new oil, but the emergent digital business can do without robber barons.