On a cold January morning, whistleblower Christopher Wylie informed British authorities that Cambridge Analytica had wrongfully accessed the profiles of around 50 million Facebook users including 1 million British. What followed was really disturbing; it appeared that Cambridge Analytica had built an app, this is your digital life, which collected Facebook user-data purportedly for use in academic research but in reality, an associate firm, AggregateIQ (AIQ) had access to servers and data of Cambridge Analytica, which AIQ had used to harvest and analyse Facebook data for influencing elections in various countries. Wylie further revealed that to sway the Brexit vote, two NGOs, Vote Leave and BeLeave, had made huge payments to AIQ for the Facebook data; violating privacy, legal and ethical norms because the data was collected and shared surreptitiously and Vote Leave and BeLeave had acted in tandem and had violated election spending limits. According to Wylie, the outcome of the Brexit referendum would have been different had AIQ not been in the picture.

Across the Atlantic, the depredations of Cambridge Analytica were even more serious. Some 270,000 Facebook users had willingly provided their personal data to thisisyourdigitallife app which illegally also captured the data of 87 million of their friends, building up 30 million profiles for targeted political ads during the US presidential elections of 2016. Significantly, Facebook and Cambridge Analytica (CA) had supported the Trump presidential campaign by floating campaigns like ‘Defeat Crooked Hillary’, where the OOs of “crooked” were a pair of handcuffs. Looking to the fact that CA was in possession of the data of around 70 million Americans (out of an electorate of 235 million); such targeted campaigns could well have swung the election in Trump’s favour. Incidentally, US Special Counsel Robert Mueller, is investigating whether Trump’s presidential campaign managers colluded with the Russians.

The role of election spoiler Cambridge Analytica was not innocent but well thought out, secretive and disruptive; an employee of CA boasted to an undercover reporter of Britain’s Channel 4, “We just put information into the bloodstream of the internet and then watch it grow, give it a little push every now and again … And so this stuff infiltrates the online community and expands but with no branding ~  so it’s un-attributable, un-trackable.”  There was consternation all around when the New York Times and the London Observer carried Wylie’s revelations on 17 March 2018. Coupled with an earlier admission by Facebook that it had allowed, though unwittingly, fake Russian Facebook accounts to purchase more than $100,000 in ads to spread Russian propaganda on Facebook during the 2016 presidential election, the news report led to investigations on both sides of the Atlantic. Wylie and Zuckerberg were called to testify before a British parliamentary committee. Zuckerberg did not appear before the British committee but testified for five hours each on two days before the US House of Representatives Committee on Energy and Commerce and the Senate.

As part of the investigation into this murky episode, the offices of Cambridge Analytica were raided in the  UK. It emerged that in addition to Brexit and the US presidential elections, CA had been hired by the Israelis to influence Nigerian presidential elections. The standard operating procedure, for all elections, was to push fake news and views to persons, selected by data analysis, who would be receptive to such input. Additionally, for the Nigerian elections, CA had pulled out all stops to discredit the challenger to the incumbent President Goodluck Jonathan.

It is no secret that advertising powers the Facebook’s immensely successful business model; with 2.2 billion users, Facebook currently has a market capitalisation exceeding $  483 billion, which is a bit more than the current Indian  budget. Facebook users realise that the excellent services that Facebook provides gratis, could come only at some cost but the idea that the data they had submitted in good faith to Facebook had been used to manipulate their political opinion proved universally abhorrent. A #DeleteFacebook campaign was launched and Facebook shares dropped 10.1 per cent  in the week following Wylie’s disclosures.

Initially, even after public outrage, Facebook was defiant, denying all wrongdoing and putting the blame on third parties for wrongful use and sharing of data. After Wylie’s story broke in the papers, Facebook went to the extent of suspending his account. In its defence Facebook said that since 2015,  it  was not allowing harvesting of user data but it did not deny that it provides advertisers with “targeting tools” so that advertisers can direct their promotions to users who may be interested in the advertised products. Facebook also was not in a position to deny Wylie’s assertion that the data harvested earlier had not been destroyed. Later, chastened by the immense negative publicity it had attracted, in a full-page newspaper advertisement,  Facebook apologized to its users for misuse of their data. To allay user concerns Facebook announced a “data abuse bounty” programme to reward people who reported any misuse of data by app developers. Facebook re-wrote its terms of service and data-use policy and gave users the option of deleting their account from the settings menu. Facebook also declared that henceforth only authorised advertisers would be able to run political advertisements,  which would be clearly labelled as “Political Ad” and would also carry “paid for by” information.

Zuckerberg was suitably contrite and respectful in the Congressional hearings, promising to revamp the security and content divisions of Facebook by increasing their strength to 20,000 employees by December 2018, before elections are due in the US, India and a number of other countries. Zuckerberg also promised to put AI (Artificial Intelligence) systems in place to purge Facebook of hate speech and disinformation. During the hearings, it soon became apparent that there was no consensus among US lawmakers about the kind of measures they wanted to bring in to ensure privacy. On his part, Zuckerberg refused either to change his business model or to support any specific measures to regulate Facebook.

The Facebook controversy had an interesting fallout in India. Four days after the New York Times and the London Observer carried the Facebook story, the Law and Information Technology Minister, Mr. Prasad called a press conference accusing the Congress party of having deep links with Cambridge Analytica. He also warned Zuckerberg in the following words: “”Mr Mark Zuckerberg you better note the observation of the IT Minister of India. We welcome the FB profile in India, but if any data theft of Indians is done through the collusion of FB system, it shall not be tolerated. We have got stringent power in the IT Act, we shall use it, including summoning you in India.”

While warning Zuckerberg, Mr. Prasad seems to have forgotten that the US is very touchy about the safety and dignity of its citizens and even the  UK, which is a close ally of the US, could not enforce the attendance of Zuckerberg before its parliamentary committee. All other political parties took a cue from Mr Prasad and accused each other of being clients of Cambridge Analytica, with the imputation of having adopted dishonest means during earlier elections. Later on, it emerged that only 335 Indians had taken the thisisyourdigitallife quiz and Cambridge Analytica could harvest the data of only 5.50 lakh Indians, which made the Facebook debate academic for India.

Still, valuable lessons are to be learnt from the controversy. Firstly, the Facebook controversy highlighted how large corporations consider themselves to be above the law and have no compunction in riding roughshod over citizens’ rights. Nothing happens to them till they are caught in  ***flagrante delicto***  and even then they get away with a light rap on their knuckles. Second, Facebook, the villain in this episode, is not the only entity holding our data. We have to furnish all kinds of details for transactions with mobile operators, Government departments, payment applications etc. No duty has been cast on these entities not to share or misuse the data they gather from users.

Instead of fuelling an acrimonious debate, the Government would be better advised to bring in a data protection law on the lines of EU’s General Data Protection Regulation (GDPR) which mandates a set of “digital rights” to EU citizens. Under GDPR, entities possessing data of EU citizens have to observe a strict data protection compliance regime, with transgressions being penalised up to 4 per cent of the data holding entity’s worldwide turnover. Lastly, keeping in mind the potential for misuse of citizens’ data the Government should rethink its objective of linking Aadhaar to all conceivable identifiers. Otherwise, unscrupulous hackers could be able to access all information about a person once they have that person’s Aadhaar details.On the internet, users have the choice between privacy and convenience. While visiting a website if you give it all information it asks for, you have an easy time when you visit it next.

Israeli historian Yuval Noah Harari has observed: “There is a saying that if you get something for free, you should know that you’re the product. It was never more true than in the case of Facebook and Gmail and YouTube. You get free social-media services, and you get free funny cat videos. In exchange, you give up the most valuable asset you have, which is your personal data.” It appears

that the only foolproof way to prevent your personal data from being stolen is to remember the age-old proverb “Better safe than sorry” while surfing the internet.

The writer is a retired Principal Chief Commissioner of Income-Tax.