With the Narendra Modi government’s cabinet approving the Personal Data Protection Bill, 2019 last week and the draft being available in the public domain, this much needed legislation is ready to be tabled in Parliament. The bill, worryingly, requires social media companies to verify the identity of their users in the name of combating fake news. And depending on how the rules are framed, these companies may also be asked to report to the government accounts that do not verify themselves, including foreign-based accounts that post in India.
This move will wreak havoc on user privacy and anonymity, defeating the original purpose of the data protection law by concentrating more sensitive data in the hands of private companies, all without addressing the issue of misinformation.
Concern based on evidence
As we wait for the text of the rules providing details of the provision under the bill, it stands to reason that the expected form of verifying a user’s identity would involve the collection of government-issued identification. Aadhaar cards, driving licences, or passports and other government IDs contain a wealth of sensitive and irrevocable information about their users. These include names, date of births, addresses, contact numbers, photographs and unique numbers that serve as an identifier to access to critical government services – for example, your PAN number. The proposed provision will effectively hand over the data to social media companies on a vast scale. And the companies that obtain consent under their often-incomprehensible privacy policies will then be able to use this data against their users to profile and target them.
This is not a hypothetical scenario. There is considerable evidence of social media companies already doing so with other uniquely identifiable information, such as phone numbers. In order to prevent account takeovers and provide better security, many firms allow users to store their phone numbers for two-factor authentication. When enabled, users receive one time password (OTP) via SMS, which they need to provide in addition to their password to login into a website or an application.
Despite the clear security-focused nature of this service, Facebook in 2018 and Twitter in 2019 were both found to be using this information to profile users and send targeted ads. When such companies will be incentivised to collect government IDs, little would prevent them from using this treasure trove to further invade user privacy for profits.
Many issues, zero clarity
Data collected is data at risk. By encouraging the collection of IDs, the Modi government will put users at a greater risk of harm from data breaches, both inadvertent and malicious. Just last week, for example, the sensitive personal details of more than 32 crore users of Bharti Airtel’s mobile application were leaked in a breach. Under the government’s proposed Data Protection Bill, the negative impact of such leaks will be exponentially greater due to the additional demographic information collected by social media companies.
Moreover, the resources that will be required to build and maintain these verification systems in a secure manner will further entrench the already lopsided power dynamics in social media. One of the surest ways to ensure only large companies can provide social media services is to design laws that create compliance burdens and privacy risks for startups that leave them without any chance to begin with.
There is also the inherent difficulty in rigidly categorising ‘social media companies’. Are websites that let users leave comments below news articles also social media companies? What about reviews for restaurants on food aggregator apps? The same issue extends to travel review websites and countless other service providers. This ambiguity will lead to companies erring on the side of caution and collecting user data anyway, harming privacy.
Not the way to combat fake news
There is remarkably scant evidence to prove that the verification of users online will help combat fake news and misinformation. Given that the vast majority of misinformation spreads on WhatsApp groups, online forums, and chat applications, the verification of users for certain social media accounts will not improve digital literacy or critical reasoning, which are at the core of the issue. It’s also not clear that people spreading misinformation will be deterred by having to use their verified, real names. How many of us have received a WhatsApp forward from an unsuspecting family member about UNESCO having declared India’s national anthem as the ‘best national anthem in the world’? Will verifying the identity of that family member, regardless of the platform, really curtail such messages?
We know that protecting privacy, and anonymous speech in particular, is critical to people feeling safe when expressing themselves online. For example, the anonymity provided by social media platforms has been crucial in letting victims of sexual harassment and abuse speak out and hold their oppressors to account, which this provision will make it much harder to do given the increased risk of retaliation. Reporting anonymous users to the government will likely lead to them becoming the targets of government scrutiny and investigation, further chilling free speech.
Misinformation is a real problem, but the Personal Data Protection Bill, in its present form, is not the right way to solve it. This legislation was created to protect the privacy of Indians in the digital age and it should focus on doing so. When the bill is introduced in Parliament, it should be sent to a joint parliamentary committee of both Houses for review. When this consultation has taken place, vigorous public scrutiny will be needed to compel the Modi government to drop the social media verification provision.
More than two years ago in August 2017, the Supreme Court promised all Indians a fundamental right to privacy; it’s high time the Modi government delivers on it.
The author is Policy Advisor at Mozilla Corporation. Views are personal.