The role digital, data-driven technologies have assumed in our society is unprecedented amid this global coronavirus pandemic. Whether it’s contact tracing apps or efforts in using open data for generating epidemiological models to predict resource needs, we are navigating varied technological responses to enforce economic and social lockdowns.
We’ve seen a huge spike in mobile application downloads because developers and companies, from fitness apps to magazines to online learning platforms, are offering free services for varying durations. Edtech startups like Byju’s, Vedantu and Toppr have launched free live classes. Byju’s reported a 150 per cent increase in new users, a growth of 60 lakh signups in March alone.
Offering free services might come across as a benevolent gesture on the part of these companies, but the providers of online educational solutions, it seems, have no answers to the questions around data privacy.
Data collection and risks
The privacy breach at Facebook-backed Unacademy reported on 8 May, which involved the theft and sale of user data of nearly 22 million accounts, is a case in point. Sensitive student data such as usernames, phone numbers, email addresses and login information were compromised.
Several edtech platforms collect large amounts of student data, but do not deploy adequate privacy or security measures. Lack of transparency during data collection and inconsistent privacy and security practices in data storage and processing by online learning platforms have been a significant concern for some time now, even before the user surge witnessed during the pandemic. In the United States, three senators have flagged concerns with the Federal Trade Commissioner (FTC) on the need for more adequate privacy guidance around edtech platforms.
There are three fundamental challenges that we must factor in around edtech offerings, especially around freemium incentives that lure new users.
The first challenge is data ownership. While companies do collect, store, use, manipulate and sell data, the general consensus regarding ownership across many policies is that the data belongs to the user. Since edtech platforms provide services for adaptive, personalised learning experiences, the data they collect can include personally identifiable information such as geolocation, and behavioural and activity (on virtual classrooms) data. Malicious use of this sensitive information could result in identity theft, tracking, social engineering, bullying, or other means for targeting children.
Since the user has the first right over her data, a direct policy response should ensure that edtech services communicate their privacy policies in an easily accessible manner. A platform’s notice of its data collection and processing practices must be written in plain language that is easily understood by students, parents and educators alike. This ‘understanding’ would involve knowledge about and consent to the optional and vital kinds of data collected by the application, accompanied by additional details regarding processing and management of this data and the practices followed by the platform after a user decides to unsubscribe from its services.
Data is not a commodity
The second challenge arises from normative interpretations of data as property. For one, the idea of treating data as property fails to recognise the value that varieties of personal information carry with them or the enduring interest individuals may have in their personal information, even if they choose to part ways with it.
Data is not a commodity but information. Any system of information rights, whether patents, copyrights and other forms of intellectual property or even privacy rights, presents some tension with the strong interest in the free flow of information that is reflected either in the First Amendment in the US or with a reading of the Puttaswamy judgment in India. A property-based system also disregards any interest besides property that individuals have in their personal information. Consumers benefit by freely providing information for use but only in a particular context. The same data used unlicensed and in an unrelated context can result in a range of privacy harms.
Treating personal information as property to be licensed or sold may induce people to part ways with their privacy rights in exchange for small value while injecting enormous friction in the free flow of information. So, better approaches to strengthen privacy emanate from ensuring individual privacy interests by regulating desirable forms of data flows.
Finally, platforms that are incentivising new users with discounted or zero price offerings can create market-distorting effects, especially when larger entrenched firms with a predatory approach are involved. In times of Covid-19, making services entirely free can end up damaging the free market. Non-sustainable zero pricing strategies are evident when cash-strapped platforms take a hit with the larger players exercising their market power to drive such firms to exit. This leads to monopolisation where the larger firms look to recoup losses at a later stage. India’s telecom sector is a good example to understand how the market is now left with only a few big fish.
Although India’s competition, information or privacy protection laws do not address this challenge yet, the European Commission has strictly imposed regulations combining anti-trust and privacy laws. The European Commission had fined Facebook for providing misleading information during its 2014 probe under the EU Merger Regulation, a legislation that dealt with both anti-trust and privacy breaches.
Data monopolisation can be prevented by introducing the concept of ‘behavioural data carry-along’. The idea mooted in the US could be explored in India too. The concept states that individuals possess rights over their own personal data, and they have with them the power to completely delete or request their data from the companies.
The growing popularity of edtech platforms has inadvertently shone a light on some questionable data privacy practices. This is concerning, especially in data-rich India, which is arguably the largest potential market for these applications. The Personal Data Protection Bill, 2019 does define regulations with respect to collection and processing of children’s data and the role of “guardian data fiduciaries”. However, until we have this data protection framework in place, individual edtech firms are at liberty to follow discretionary data collection practices without any robust checks and balances.
Sahil Deo is co-founder of CPC Analytics, a data-driven policy consulting firm with offices in Pune and Berlin. Subhodeep Jash is a policy professional working with a business advisory firm, FTI Consulting. He’s previously been a Tech Policy Fellow at New America Foundation. Views are personal.