Ramesh Gupta was excited about his upcoming trip to Mahabalipuram. For months he had been planning this extended weekend getaway. He kept the plan under wraps, disclosing it only to two of his friends over his private email.

So, Gupta was quite taken aback when he opened his email to find ads asking him to book into the ‘best guest houses in Mahabalipuram’ and ‘best taxi services for sightseeing’ in Mahabalipuram.

After Manjunath Desai signed up on a third-party service provider that promised to compare the best health insurance plans for him, he suddenly started getting calls from different service providers claiming that they had the best insurance plans for him.

These are just two of the millions of instances of how your privacy is at stake online. Sitting in front of your computer or using your smartphone in the comfort of your home, you might think that the world doesn’t know what you are up to, but you are mistaken. Welcome to world of data brokering.

In Gupta’s case, he had become a classic example of data leak from the cloud storage. Seemingly innocuous data about your itineraries, your financial statements etc. that you think are safe and secure in your personal storage in the cloud are not that personal after all. In the case of Desai, he had fallen prey to a sophisticated, multi-million dollar industry of data brokering.

The profilers

Simply put, data brokers are companies that sell personal information of individuals online. There are an estimated 5,000 data brokers worldwide, and nearly 10 million open datasets published by government agencies and non-governmental organisations (NGOs), according to Gartner. Incidentally, almost nobody refers to themselves as a data broker. They call it a “customer engagement company” or “research data collection company”, offering “information services”, “consumer risk management”, or “marketing automation”, based on their degree of sophistication.

But their work is the same — collecting data about individuals from many sources but without the consent from people whose personal information is being profiled.

In a sense, you can think of data brokers as profilers sitting in institutions such as FBI who make a sketch of criminals to capture them. Only in this case the profile being made is of you. The purpose is to use it to market and sell something to you that you did not explicitly express a desire to buy and probably do not even need.

Data brokers combine different sets of online and offline data to build a profile of a person. So that kidney stone that you thought only you and your wife knew about, may not be such a big secret after all and in all likelihood, all the insurance companies know about it too.

Data is also easily scraped from websites with poor security policies. Fraudulent websites which resemble the real ones are often set up where the unsuspecting online visitor will generously offer his or her details. It has been observed that there are clones of hugely popular sites such as Flipkart, WhatsApp and Facebook. Even the popular game show Kaun Banega Crorepati has many duplicate scammer websites which are spoofs of the original game show website setindia.com or the Sony Liv app on the Google Play store.

Legal recourse?

Data brokering as such is not illegal but it does fall in a grey zone. This is mostly because of the vagueness in the legal recourse available. More recently, the country has witnessed considerable debate on the privacy concerns related to Aadhar.

Data protection in India is governed by provisions of the Information Technology Amended Act, 2008 (ITAA) under Sections 43-A and 72A of the Act. There has been some encouraging talk of bringing in a Personal Data Protection Bill into legislation, but it may still take some time to come into force.

How have others tackled it?

The European Union’s EUGDPR (European Union’s General Data Protection Regulations) is quite robust According to this law, the liability of a data breach is on the data controller and any person who has been subject to data breach is entitled to compensation from the data controller.

In the US, there are state specific laws governing data protection.After the EU, Japan has introduced a separate central legislation for protection of data known as the Act on the Protection of Personal Information (APPI). The Act took partial effect in 2016 and has been enforceable from May 30, 2017. Similar to the EU law, consent of a data subject forms the essence of the legislation and has been stated as mandatory in case of transmitting data to a third party or for any use beyond communication purposes.

The bottomline

Lawmakers, organisations, and individuals need to be invested in finding a solution. In addition to better laws, organisations need to look at the ethical and responsible considerations in collecting, storing and sharing data in a way that does not compromise the personal data of individuals and institutions.

At an individual level, being more alert while leaving your digital footprint will go a long way in protecting you. Using ad blockers, disabling third-party apps, auditing social media accounts and not sharing phone numbers and other personal details randomly on websites or offline in restaurants and shops are some of the measures that may keep you safe.

It is also very important to educate and raise awareness for the new generation around this topic. A whole generation, that is privacy and online security aware will not only make us all safe in the long run, but can also catapult the nation towards a culture of building and using software applications online that have privacy and security as a core design principle.

The writer is Associate Dean, ICFAI Business School, Hyderabad. With contributions from Ziroh Labs, Bangalore

Related Topics
comment COMMENT NOW