Indians Worried About Data Misuse on Facebook

Shweta Nambiar, a final-year arts student in Mumbai was taken by surprise when, on Sunday, she was asked to login to her Facebook account again. And when she did, a message on Facebook showing a "security alert" talked about how her account details were breached in a recent hack that impacted at least 50 million accounts globally.

"I have no idea what kind of details from my account have been leaked out and Facebook hasn't provided any details either. I'm not even sure how safe it is to use Facebook any more," Nambiar said.

Several other Facebook users shared a similar experience as Facebook provided very little details of what exactly happened during the security incident that it reported.

While Facebook insists that it was successful in fixing the vulnerabilities that led to the breach, it said it is still investigating the incident, wherein the attackers exploited a vulnerability in Facebook's code that impacted "View As" — a feature that lets people see what their own profile looks like to someone else.

Access tokens

"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged into Facebook; they don't have to re-enter their passwords every time they use the app," Facebook said.

Facebook later said on Friday that the breach also affected third-party apps that have been linked to your Facebook account. As a precautionary measure, Facebook logged about 90 million people out of their accounts, the company said.

While the social networking giant reported the incident to the FBI as well as the Irish Data Protection Commission, Indians remain clueless about how safe their data is with Facebook. And there's still no word from the company on how many of the 90 million users are from India. Privacy activists feel that Facebook has been taking users for a ride for a long time and it's high time that the Indian government takes some action.

"Facebook is taking all users for granted. I don't see how Indians are being treated better or worse on this specific issue," said Sunil Abraham, President at Centre for Internet and Society. "Facebook is not willing to disclose the extent of breach in India because currently there is no obligation under Indian law to do so."

Mishi Choudhary, technology lawyer and online civil liberties activist said "They (users) can proceed under sections 43a and 72 of IT Act. Section 43A of the IT Act explicitly provides that whenever a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining a reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s)"

Other activists feel the breach highlights why Indian data protection law is urgently required in the country. "This is a clear example of why we need a data protection law with extra territorial applicability that will protect the data of Indian users, even if the entity collecting data is overseas," Namita Viswanath, Partner at IndusLaw, said. This is not the first time Indians were impacted by data breaches at Facebook.

Right to privacy

Recently, Facebook admitted that the data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica, which used it to attempt to sway elections in different places, including one in Uttar Pradesh.

The proposed Data Protection Bill 2018 has tried to address several such misuses of data by making individual consent central to data sharing. The report notes that the right to privacy is a fundamental right. Unless you have given your explicit consent, your personal data cannot be shared or processed. Of course, this also means that the onus lies on you to make an informed choice.

We have several laws, including the IT Act 2008, which can be used to protect users' personal information. What's required, however, is a strong enforcement of such acts to prevent companies from taking personal lives of citizens for granted.