India is under attack. Whether it’s overt influence operations by the US social media platforms such as Facebook, or covert and insidious ones carried out by China’s TikTok.
In either scenario, India is ill-prepared to deal and laws are insufficient to crack down on foreign firms.
October and November have been menses horribilis in the Indian cyber security calendar. If the snooping attack on activists and journalists through WhatsApp by an Israeli firm wasn’t bad enough, we had a major cyber security breach at a nuclear power plant and an alleged cyber attack on ‘an important space target’ that must remain unnamed for now. This, of course, is a recurring pattern in India, the nation that remains one of the biggest sweatshops for cyber coolies but fancies itself a cyber Ivy League university.
On a TV programme a few months ago, a former foreign secretary had laughed off my warnings about India’s ignorance (and incompetence) on the matter of cyber security with a pompous remark: “The government is well aware of these issues, no one need worry.” Needless to say, he has been avoiding me since the hack at the Kudankulam Nuclear Power Plant. The issue here, however, is why India remains so clueless – or is it deliberately indolent? – over cyber security.
For starters, there are several kinds of threats in this sphere – from petty to major crime, active espionage, biometric and data collection, influence operations, and outright election manipulation, to name a few. This is where the US and Chinese approaches differ.
Overt and covert ops
The United States’ attempts are overt. For example, Facebook removing a whole host of Indian pages just before the 2019 Lok Sabha election or YouTube persistently demonetising Right-wing videos, or Twitter CEO Jack Dorsey admitting that the company’s conservative employers “don’t feel safe to express their opinions”, confirming the platform’s pro-Left bias.
Of note here is that these are all openly acknowledged examples, and they affect the Americans just as much as they impact the Indians. Such cases are normalised through laws that enable the collection of user data; and are protected by the freedom of being US-based companies, which means they can do howsoever they please. This legal protection that enables these companies to operate in blatantly partisan ways also helps users, in that their data has to be legally protected. Unlike the Indian system, US corporate protection laws are duly implemented and are not prone to judicial capriciousness. However, it is this same refusal to bow to government diktats or share information with them that makes the Indian government view these platforms with suspicion.
Contrast this with the Chinese approach. On the one hand, Chinese companies are infinitely more intrusive and prone to abuse; on the other hand, because they cooperate with governments, the Indian government, in particular, seems to have an affinity for platforms based in that country.
Facebook vs TikTok
Take the example of Facebook and TikTok. Facebook overtly sponsors virtually every event discussing cyber issues in India, effectively purchasing avoidance of any serious discussion of its influence operations. On the other hand, TikTok does this far more covertly and insidiously. Users are allegedly paid between US$ 1,500-2,000 to create content and become super users to influence others, in effect violating the Indian intermediary laws that govern such platforms.
American platforms do this differently. They take their chosen influencers on trips to America to popularise them and connect them with others in the field, effectively skewing the networks that get created in one political direction. And they do this without breaking the Indian intermediary laws.
It is estimated that TikTok on average spends about US$ 5-10 million per month on such influencers in India alone. TikTok’s parent company ByteDance also used doctored images of politicians on Facebook ads – not disclosing who had funded them. This is where things get tricky. Facebook did remove those ads, but went ahead and removed legitimate political pages as well, piggybacking on Chinese influence operations to carry out its own influence operation, all under the guise of “transparency”.
Where Chinese companies get a lot murkier than their US counterparts is when it comes to data collection. On average, TikTok collected 45 per cent more data than other applications, and worryingly shared all such collected information with the state-run China Telecom. Moreover, Chinese laws now mandate that companies have to share data with the Chinese government as and when required.
As The Wall Street Journal notes, “China’s tech giants have a second job: helping Beijing spy on its people.” This was confirmed by ByteDance’s CEO himself, saying they would “further deepen cooperation with authoritative (official party) media, elevate distribution of authoritative media content”. Tellingly, TikTok’s terms of service includes the ominous line: “We may disclose information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims or government enquiries.” This goes unheeded because nobody actually reads the terms of service. Worryingly, this information could also include financial and facial/biometric data, something we know the Chinese use to devastating effect.
So why hasn’t India still woken up to the problem, despite our alleged “cyber excellence”, which has publicly, humiliatingly and farcically been dispelled these last two months? In effect, we have been sitting ducks for years, and given the low calibre of our cyber coolies, this is only natural. But the mystery is why haven’t legislative solutions not been used to compensate for our obvious human capacity gaps.
The author is a senior fellow at the Institute of Peace and Conflict Studies. He tweets @iyervval. Views are personal.