Making Private Companies Accountable For Breach of User Private Data

Background

On 28 September 2018, Facebook informed the general public that an attack on its computer network, discovered by its engineers, had exposed the personal information of nearly 50 million users. The breach was the largest in the company’s 14 year history. Facebook is not the only IT giant whose user’s private data have been compromised. Topping the list of user data breaches is Yahoo Inc. where 3 billion user accounts were breached in 2016, followed by credit rating agency Equifax (150 million user accounts in 2017) and LinkedIn (117 million user accounts in 2016).

In the case of Facebook, three software flaws allowed hackers access to user accounts. The attackers exploited a vulnerability in Facebook’s code which ran “View As” feature that lets the user see how his/ her profile looks like to an outsider. View As should have been a view only feature. However, in one specific configuration, it allowed a third person to post a video onto the user’s Facebook page. A new version of video uploader functionality (introduced in July 2017) also generated an access token (equivalent of user’s digital key which keeps the user logged into the system even when they turn off the application so that the user need not re-enter the password every time they use the mobile app) in addition to uploading the video, which it should not have. When the video uploader appeared as a part of View As feature while using a particular combination, it generated the access token not of the viewer (person uploading the video) but of the user whose Facebook page was being accessed. This access token (user name and password) was clearly visible in the Hyper Text Mark-up Language (HTML) code of the user’s Facebook page which was generated and could be easily exploited to not only gain access to Facebook but also on Instagram, Spotify and hundreds of other apps which allow log in based on Facebook’s credentials.

Clayes C Arnold, a professional law corporation, and Morgan & Morgan Complex Litigation Group filed a class action suit against Facebook in the US District Court, Northern District of California the same day of the announcement of the breach. The suit claimed that the Personal Individual Information (PII) which included name, birthday, hometown, addresses, locations, interests, relationships, email addresses, photos, videos etc. had been compromised in the Facebook data breach of 25 Sep 2018 due to lax and non-existent data safety and security policies and protocols of Facebook. The suit was filed on behalf of all US citizens whose data has been compromised by Facebook. This is not the first class action suit concerning user’s data privacy being served on Facebook. A Class action law suit was filed against Facebook and Cambridge Analytica for stealing and improperly using more than 71 million user’s data on 10 April 2018 in Federal District Court of Delaware.

India presently lacks data privacy laws. Thus, the act of data compromise or harvesting data by social media companies can be considered immoral and unethical but not illegal. Hence, users in India are presently unable to sue social media companies for data loss or compromise. Like other governments, the Indian government, where Facebook has over 300 million users, also asked Facebook to provide an update on the country specific impact of the data breach. As per newspaper reports, Facebook has informed Computer Emergency Response Team, India (CERT-IN), that no Facebook account in India has been affected by the recent data breach. The company responded that accounts in India have been attacked or targeted, but none have been compromised. Facebook is yet to quantify the exact country specific impact of the data breach to the Indian government, despite the fact that the highest number of Facebook users are from India.

Facebook has been at the centre of more than one private data misuse investigationthis year. In the famous Cambridge Analytica data breach scandal, the whistle-blower Christopher Wylie had revealed the sheer scale of operation of harvesting millions of Facebook profiles to predict and influence choices during elections. He also revealed that since 2015, Facebook was aware that user’s privacy data was being harvested at an unprecedented scale and yet hardly any measures were taken to secure the confidential data. Facebook CEO Mark Zuckerberg himself admitted that mistakes had been made and Facebook has a “responsibility” to protect user’s data and if it fails, “we don’t deserve to serve you”.

Digital Privacy laws

Individual digital privacy concerns have recently drawn the attention of governments and law makers the world over. The European Union’s General Data Protection Regulations (GDPR) have been enforced since 25 May 2018. Under the GDPR, firms anywhere in the world that collect data on EU citizens need to offer the user the option to see the information collected about them and to move or delete that information. Firms are also required to report any data breach within 72 hours of occurrence. The penalties for violating GDPR are also significant with maximum of US $ 23.5 million or 4 % of firm’s revenue, whichever is larger. The US Congress is also in the process of finalising the Social Media Privacy Protection and Consumer Rights Act of 2018, which in many ways resembles the GDPR.

The Chinese approach to data privacy is different than that of EU and US. While EU believes that data privacy is the responsibility of the user and the US believes that it is the responsibility of the tech firms who should police themselves, the Chinese believe that it is the government’s responsibility to protect individual user’s private data. The Chinese cybersecurity laws which were enforced in 2017, require Critical Information Infrastructure Operators (CIIOs) to store personal information and important data collected and generated within China. It is also in the process of formulating rules for cross border transmission of personal Information and important data.

In India, the Justice BN Shrikrishna committee submitted a draft data protection bill called The Personal Data Protection Bill, 2018 to the government on 27 July 2018. The draft bill calls for comprehensive data protection laws to include data protection obligations, grounds for processing of personal data, rights of the data principal(confirmation, access, correction, data portability and right to be forgotten), various transparency and accountability measures, and restrictions on cross border transfer of personal data.

Another aspect linked with user digital privacy rights is the mass surveillance of digital data being carried out by various countries. A number of court judgements have come out recently where the courts have outlined how such activities maybe undertaken keeping in mind both user rights as well as national security considerations. In the case of “Big brother watch and others V. The United Kingdom” concerning bulk interception of communications, intelligence sharing with foreign governments and obtaining communication data from communication service providers, the European Court of Human Rights gave the following judgment on 13 Sep 2018 :-

(a) Bulk interception regime violated Article 8 of the European Convention on Human Rights (Right to respect for private and family life/ communication).

(b) The regime of obtaining communications data from communication service providers also violated Article 8 of the convention.

(c) Both bulk interception regime and regime of obtaining communication data from communication service providers violated Article 10(Freedom of expression) of the convention.

(d) The regime for sharing intelligence with foreign governments did not violate either Article 8 or Article 10 of the convention.

On 25 May 2018, the US Supreme court, in the case of “Carpenter V. United States”, in a landmark judgment ruled that authorities must obtain warrant in order to access mobile tower records which can provide an accurate time bound location of a mobile phone user. Prior to this ruling, authorities could requisition mobile tower records without warrant by claiming that the records were required in connection with ongoing investigations. The ruling is bound to have ramifications on the way citizen’s private data is collected by state agencies and will necessitate stricter procedures on collection and handling of person’s private digital data.

Takeaways

Increased awareness The recent class action suits, judgements by world courts and data privacy laws have increased awareness amongst the general public about the importance of owning one’s digital data and its adverse impact in case of breach and compromise. However, in countries like India there is a need for the government to take suitable initiatives like mass education drives in order to make the citizens, especially those who are illiterate and living in rural areas aware about the importance of safeguarding and owning one’s own private digital data.

Accountability of Social Media Companies Companies that handle user data, in particular, social media companies, are bound to become more serious about the way they store and handle user private data due to the strict penalties outlined by data privacy laws like GDPR and likely adverse impact on their reputation and stock value in case of data breach/ compromise coupled with growing number of class action suits being accepted by courts.

Role of state The recent judgements by the US Supreme Court and the European Court of Human Rights will force the governments to rethink their strategy on gathering intelligence through mass surveillance of user private data. In addition, most countries are moving towards protecting the private digital data of their citizens and enacting laws for the same. The draft Personal Data Protection Bill 2018 has enunciated adequate measures along with stringent penalties against defaulters for protecting the private digital data of citizens. The same needs to be enacted into law so that compliance by companies and enforcement by the state can commence.

Towards Cyber Sovereignty Governments have realised that in today’s digital world, data is an important commodity that needs to be protected and rightfully transacted. In addition, recent data privacy laws of China have brought to fore the debate on localisation of data within the state’s territorial jurisdiction. India is also moving in the same direction. The western countries, especially US,are strongly opposing the move claiming that it would result in non-optimal utilisation of resources and fragmentation of the internet. As things stand, data localisation is a must in case the state has to guarantee the safe custody of its citizen’s private digital data which has been considered a fundamental right by the Supreme Court of India.

Conclusion

The mega data breaches of user’s private digital data in the last two years coupled with scandals of mass data harvesting in order to swing election outcomes has drawn the world’s attention towards protection, safe custody and management of this extremely valuable commodity. Attention has also been drawn towards mass surveillance of digital data by states. It is therefore extremely important that firstly the common man be educated about safe custody and management of his personal digital data, secondly, the IT companies, especially social media companies need to relook their existing procedures and strategies concerning safe custody, cross border transit, data analysis and sale of meta data to other companies, and finally, the government needs to implement and enforce adequate laws to ensure protection of personal digital data. There are no easy and quick fix solutions and the class action suits against Facebook and other social media companies are being keenly watched the world over as their outcome will be a pointer towards the way in which cyber space will be managed and governed in future.

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.