Above: The Facebook headquarters in the US. The latest data breach is the third in six months. Photo: epa.org
The latest hack of Facebook, compromising several lakh domestic accounts, shows that India has no option but to fine-tune the Personal Data Protection Act, 2018, and push it through
By Na Vijayashankar in Bengaluru
For Facebook, which was already in trouble following revelations that its data had been misused during the 2016 US elections, the latest data breach is the third in the last six months. Since the largest number of users are in India—approximately 270 million—ahead of the US with about 210 million, there are apprehensions that this data breach has adversely affected a significant number of Indians.
One estimate is that accounts of about 5.6 lakh Indians might have been compromised. Facebook has announced that it has reset passwords of about 90 million users as a measure of abundant caution but has not provided the country-wise break-up of affected accounts.
Coming at a time when India is debating a draft privacy law—the Personal Data Protection Act, 2018 (PDPA 2018)—which is before Parliament, the incident has attracted wide attention in India.
The issues relevant for discussion in the Indian context are:
- a) Whether the data breach qualifies for “Data Breach Notification” under the current and proposed data protection laws in India and whether any regulatory action is called for at this stage, including imposing a fine on Facebook.
- b) Whether the opposition to the recommended provision on data localisation under PDPA 2018—according to which all data fiduciaries are required to keep “Sensitive Personal Information” and “one active serving copy of personal information” in data centres in India—fizzles out as a result of this news.
According to a Facebook announcement, a vulnerability was present in a feature which enabled users to view how their profiles would look to others. This was a well-intentioned feature, meant to give users confidence in checking their privacy settings. Unfortunately, it appears that unauthorised persons could exploit the functionality to get a copy of the “Authentication Code” which Facebook generated for the purpose.
It is presumed that this “Authentication Code”, which contained information on what data set was to be made available from the larger set of data in the account’s data repository, became available to hackers. In the process, the hackers might actually have been able to collect the “Access Tokens” with which videos could be uploaded or text messages posted. In certain cases, the “Access Tokens” could perhaps also be used to access third-party apps. Depending on which apps accepted the access data, damage could be caused to the account holder by, say, putting up posts that could be self-defaming.
There is also a question of whether the “Authentication Code” could have been used to access more critical services such as “Facebook Banking”, which banks like ICICI Bank have enabled. In these services, a text message generated on Facebook could have triggered financial transactions in the bank, provided the bank’s systems were naïve enough to accept just the access code as the “Signature of the customer”. At present, no such exploitation has been reported and we hope there is no such incident.
Now Facebook has temporarily disabled the “View As” feature and confirmed that the bugs have been fixed. It can, therefore, be presumed that the damage has been contained, so far as what has been identified is concerned, and what needs to be done is to learn the right lessons and move on.
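The passage above turns on one property of access tokens: the server checks only that the string it is handed is a live token it issued, not who is presenting it, so a captured copy works exactly like the original until it expires or is invalidated. The following is an added illustration, not Facebook's code or anything from the article: a small token store (all names, user ids and lifetimes are constructed for the example) showing a copied token being accepted, a scope check limiting what a token can do, and the two server-side controls that bound the damage once a leak is suspected, short expiry and bulk invalidation of every token issued before a cutoff, which is the effect of a mass reset of the kind described in the article.

```python
"""Added illustration (not Facebook's code): why a leaked bearer token is
replayable, and the server-side controls that limit the damage: scope
checks, short expiry and bulk invalidation of tokens issued before a
cutoff. All names, TTLs and user ids here are constructed for the example."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    user_id: str
    scopes: frozenset
    issued_at: float
    expires_at: float


@dataclass
class TokenStore:
    # Only SHA-256 digests of tokens are stored, so a copy of this table
    # does not by itself yield usable tokens.
    _records: dict = field(default_factory=dict)
    # Per-user cutoff: tokens issued before this instant are dead.
    _valid_after: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, scopes, ttl_seconds, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque, unguessable bearer value
        self._records[self._digest(token)] = TokenRecord(
            user_id, frozenset(scopes), now, now + ttl_seconds)
        return token

    def validate(self, token, required_scope, now=None):
        """Return the user id if the token is live and carries the scope,
        else None. Note what is NOT checked: who is presenting the token.
        Any holder of the string is accepted, which is why a captured token
        can be replayed in toto until it expires or is invalidated."""
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        if rec is None:
            return None
        if now >= rec.expires_at:
            return None
        if rec.issued_at < self._valid_after.get(rec.user_id, 0.0):
            return None
        if required_scope not in rec.scopes:
            return None
        return rec.user_id

    def invalidate_issued_before(self, user_ids, cutoff):
        """Mass reset: every token of the named users issued before
        `cutoff` stops validating, without touching tokens issued later."""
        for uid in user_ids:
            self._valid_after[uid] = max(self._valid_after.get(uid, 0.0), cutoff)


def demo():
    """Walk through issue, replay of a copy, scope limit, expiry and reset.
    Uses a fixed clock (constructed) so the results are deterministic."""
    store = TokenStore()
    t0 = 1_000_000.0
    tok = store.issue("user-42", {"read_profile"}, ttl_seconds=3600, now=t0)
    results = {}
    results["owner"] = store.validate(tok, "read_profile", now=t0 + 10)
    copy = str(tok)  # a second holder of the same string is indistinguishable
    results["copy"] = store.validate(copy, "read_profile", now=t0 + 20)
    results["wrong_scope"] = store.validate(copy, "publish_post", now=t0 + 20)
    results["expired"] = store.validate(copy, "read_profile", now=t0 + 3600)
    # Suspected leak: invalidate everything the user was issued before now.
    store.invalidate_issued_before(["user-42"], cutoff=t0 + 30)
    results["after_reset"] = store.validate(copy, "read_profile", now=t0 + 40)
    fresh = store.issue("user-42", {"read_profile"}, 3600, now=t0 + 50)
    results["fresh"] = store.validate(fresh, "read_profile", now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>12}: {value}")
```

The scope check is the counterpart of the article's point that the code "contained information on what data set has to be made available": a token limited to reading a profile cannot post, so the blast radius of a leak depends on how narrowly tokens are scoped. The per-user cutoff is what makes a mass reset cheap to apply and leaves tokens issued afterwards untouched.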
The latest developments also raise several important issues:
- Is “Data Breach Notification” at all necessary? As briefly explained before, the data actually accessed by hackers is the data generated by Facebook as “Authentication Code”. This would normally be in the form of a “Hash Value” and cannot be dissected and deciphered. But it may be used in toto in a “Store and Replay Attack”, causing impersonation and related damages.
Though the data lost is not “personal data”, it could be considered “sensitive personal data” as it is a substitute for a dynamic password for access to some services.
Hence the data breach might be required to be reported to the Indian Computer Emergency Response Team, or CERT-In, under the current regulations under the Information Technology Act (ITA) 2000/8.
- Immediate action required in India: here, one risk that needs to be identified is the possibility of fake messages being sent out in the name of the user. This could result in some defamatory messages being published for which the victim may face legal action. The damage, however, depends on whether it can be quantified and is significant.
There is, however, another kind of risk: people who posted defamatory messages during the time the vulnerability was present could take the defence that the posts were caused by the “bug” and so avoid legal action against them. If such a defence is raised, the courts will need to find out whether there is evidence to believe that the specific account was indeed one of the affected accounts.
It is, therefore, necessary for CERT-In to demand a full list of the reported 5.6 lakh Indian accounts that might have been affected and also to see whether they were indeed exploited. CERT-In may be called as a witness with this evidence in any court case where the “Facebook View As Bug” is quoted as the culprit. If CERT-In does not collect such data, it would be a dereliction of duty; if it collects and then loses the data, or if Facebook itself does not share the data and deletes it, there could be a charge of “Destruction of Evidence”, “Lack of Due Diligence”, “Lack of Reasonable Security Practice” or “Lack of cooperation with the law enforcement/regulatory authorities in India”.
These requirements may be read into the current data protection law in India in the form of ITA 2000/8 and do not require PDPA 2018.
As for Facebook account holders, if they can prove that they have suffered damage due to this security breach, they can invoke Section 43, 43A, 66, 72A, etc., along with Section 79 and Section 85 of ITA 2000/8 and seek financial remedy and prosecution of Facebook and its CEO, Mark Zuckerberg.
- What if PDPA 2018 were in place? If the proposed PDPA 2018 had been in place, it would be necessary to first determine whether what has been compromised is “Personal Data” or “Sensitive Personal Data”, whether Facebook is a “Significant Fiduciary” or “Guardian Fiduciary” that requires registration, whether the security practices were adequate, whether a data breach occurred and, if so, whether it should be reported to the individuals, etc.
Just as the European Union is contemplating slapping a fine of $1.6 billion (in addition to around $9.3 billion contemplated on the day General Data Protection Regulation became effective), India could have also tried to slap fines. Since the incident may adversely impact users who have trusted Facebook to gain access to services such as “Facebook Banking”, it is necessary to immediately stop “social media banking” through Facebook or Twitter, where a message from the relevant app is considered as the “authentication to debit the bank account”. RBI should move in to enquire if any such vulnerability exists and take appropriate corrective action.
CERT-In also has to make its own inquiries to ensure that the interests of Indian users are protected. The powers of CERT-In under Section 70B of ITA 2000/8 are sufficient to demand such information.
- Is localisation a risk? As per PDPA 2018, all sensitive personal data has to be kept within India and at least one active serving copy of all personal data (even if it is not sensitive) has to stay in India. There is stiff opposition to this provision under the argument that if data is stored in India there would be a greater data breach risk as Indian data centres are less capable of securing data than their counterparts elsewhere. But the fallacy of this argument has been exposed. Data is as much at risk in the US as it is elsewhere. The argument against data localisation is, therefore, irrelevant.
The Facebook data breach is unfortunate, but instead of worrying, India must look for lessons to learn and use them to fine-tune PDPA 2018, which is at a draft stage.