The Government of India decided to set up an “expert committee” under the National Cyber Security Coordinator in the National Security Council Secretariat .
- The committee will study the reports, evaluate their implications, assess any violations of law, and submit its recommendations within 30 days.
- There is a recent revelation that shows how a Shenzhen-based information technology firm, Zhenhua Data, with links to the Chinese government and military, is monitoring over 2.5 million individuals across the world, including at least 10,000 Indians. The investigation has elicited a range of responses.
Q. What is its background?
- With smartphones becoming ubiquitous, technology improving accessibility, and with probably the cheapest data in the world (Rs 6.5 per GB), almost every phone is a data device today.
- Now, three out of four smartphones sold in India during April-June this year, were Chinese brands; in the previous quarter, four out of five phones sold were Chinese. Most phones also come pre-installed with Facebook, Google, YouTube, and many other social media platforms.
- India has banned 224 Chinese apps including TikTok, CamScanner and PUBG. In the US, TikTok may soon change hands. What is at the centre of such actions in India and the West is fear at the app level, and also at the pipe level (with companies such as Huawei and ZTE), that personal data may be compromised and may find their way into Chinese servers. Beijing denies this, but countries are sceptical, and turning more cautious — given particularly the nature of an assertive and ambitious China, which is being seen as expansionist today.
Q. Question of Legality :
- Zhenhua Data has scraped personal information from about a dozen social media platforms, and many other online sources. At the heart of the legal argument is the baseline assumption: can consent given to Facebook, Twitter, Wiki, Medium, YouTube and Instagram, etc. be taken as consent for any third party scraping information from these platforms?
- The Personal Data Protection Bill, once it becomes law, will place responsibilities on the platforms, be it Twitter or Facebook, which are the primary collectors of data, to keep personal information safe.
- There will be intermediaries like account aggregators and consent managers, who will keep a tab on these platforms, and their possible misuse.
Operations and scale
- Zhenhua Data has collected information on about 2.5 million key individuals and over 650,000 organisations, from countries across the world.
- There are thousands of individuals in India, along with their network of families and associates tracked across multiple social media platforms. The Indian database includes prominent people — ministers, businesspersons, entrepreneurs, defence personnel, bureaucrats and diplomats, scholars and researchers, scientists and academics.
Q. What is the point in tracking public figures, about whom so much is known anyway?
- That is exactly the motivation — because tracking them gives you an insight into their followers’ minds. How followers or friends react (like/share/comment) to any public figure on open platforms reveals a lot about each of them.
- Zhenhua Data is not necessarily interested in every follower of a public figure. But that is the thing about big data. It is about casting the net as wide as possible where individuals are not necessarily targeted as consequential in themselves, but simply because they complete the wide arc. The more information one collects and correlates, the more one gets to discover. Leaving out certain members of, say, a leadership team of any setup because they are not exciting enough defeats that purpose.
Q. So what, many companies have been doing this for years, both in India and in other countries?
- Like any big data operation involving OSINT (open-source intelligence), Zhenhua Data deals in volumes.
- First, the sweep: how many people it tracks. Second, the depth: how many data points it engages to collect information about every person it tracks. The potential of the database for ‘hybrid warfare’ depends on both factors: how many they know about, and how much they know about each of them.
- Such an operation may not be immediately successful in filling all the information columns against each name. But it spells out the data ambition the company wants to achieve over time. The chances of striking gold — actionable intelligence — multiply as the data pool grows. And the chances of even a fraction of the Overseas Key Information Database — already 5 billion pieces of information and counting — yielding what is called “useable data” is motivation enough to keep invested in the project.
- Companies are subject to regulation, and can be held accountable or asked questions by elected legislatures. In contrast, a Chinese company, from an opaque authoritarian set-up, mining big data in a more open democratic system doesn’t have similar checks and balances.
- Also, propaganda — misinformation, disinformation and fake news — has always been a big item on the agenda when countries go to war. But what big data allows now is to customise data for millions instantly, making rapid response possible.
- The sweep of Zhenhua’s targets, from politicians and CMs at the Centre and states to legislators in J&K and the Northeast, scientists in critical technology institutions to a range of tech start-ups and over 6000 accused of a range of crime, all monitored over years, yields a staggering volume of information which can be analysed by sophisticated big-data tools and processed as per the end user.
Q. What should government do then ?
- Experts suggest the government must educate citizens on cyber hygiene; a stricter level of hygiene for those in important positions from a security point of view. With the mobile phone becoming a data device, and storing almost all personal information, “key individuals” should be cautious about sharing personal information on social media or allowing platforms to track their geo-location, etc.
- Not much can be done perhaps to stop the collection of data all together – given what technology allows, and particularly since open-source public data is by definition open and public. Big platforms such as Facebook and Twitter discourage automated scraping and bots, but recent events suggest this is more to maintain their monopoly of data for advertisement.
- Individual governments can force them to make mass scraping more difficult, but overdoing it may change the nature of the platforms and these companies are no pushovers. So, without sweating much over the source of the data and how it is collected, governments can invest in predicting possible strategic end uses foreign agencies may utilise such a database for. That means building capacity to pre-empt disinformation and propaganda campaigns. Given the bewildering pace of change in cyber security, the new battlelines are drawn.