Facebook Breach: How Should India React?
Can Government Help to Ensure Indian Users' Data Is Protected?
India's Ministry of Electronics and IT has asked Facebook for an update on the number of Indian users impacted by its recent data breach, which affected 50 million users worldwide.
But it's not yet clear what steps the government can take to make sure the social media platform is secure.
Facebook has not yet disclosed the country-specific impact of the breach. But in an immediate response to the MeitY notice, it noted that nearly 5.62 lakh Indian users were "potentially affected," according to a news report from PTI.
"We are in touch with GoI [Government of India] to share preliminary information about the security issue we announced on Sept. 28. We took immediate action, informing all our users, advertisers and secured their accounts," a Facebook spokesperson said, according to Livemint.
Facebook has over 200 million users in India, which is its largest market. Many users here use Facebook's single sign-on feature to log into third-party apps (see: Facebook Breach Single Sign-On Doom).
The breach resulted in users' access tokens being stolen. Those can be used to gain access to other third-party websites that the user logged into using their Facebook credentials via the single sign-on feature.
The single sign-on feature enables users to access other services, including mobile applications, other social media accounts and music streaming platforms. For example, in India, users can log into third-party apps such as Swiggy, Zomato, Hotstar and FreshMenu, among others, through Facebook without creating a unique profile (see: Facebook Breach Worries Asian Organizations).
Although Facebook has said it has fixed the vulnerability that led to the cyberattack, it has not yet identified the attackers, and their motive remains unclear.
One likely perpetrator of the Facebook attack is an intelligence agency that was keen to build "big data" maps of citizenry using the stolen information, rather than raid people's Instagram profiles or Tinder picks. This raises the notion that Facebook data could be used in an effort to influence the upcoming Indian elections.
"This Facebook data is mainly useful to either advertisers or nation-states," says Avivah Litan, vice president at Gartner Research. "I doubt advertisers hacked Facebook, so I imagine this is the work of a nation-state building out its population maps for citizenry of various countries." (See: 50 million Facebook Accounts Breached)
Earlier this year, it was reported that voter profiling firm Cambridge Analytica apparently received data on nearly 87 million Facebook users without their consent. The firm worked on the 2016 campaign of U.S. President Donald Trump.
Securing User Data
So it's good news that the Indian government reportedly has appointed a CISO for the Election Commission and a cybersecurity nodal officer in each state with exclusive cybersecurity regulations.
In addition, IT and Law Minister Ravi Shankar Prasad said the government of India is considering regulating services of foreign internet companies, making them accountable under Indian laws.
Prasad warned Facebook it would be investigated if the social media platform is suspected of being used to unfairly influence Indian elections. On Twitter, he said: "We welcome @facebook having one of the highest number of users from India, but if theft of Indian data occurs in collusion with others to manipulate democratic processes, that will not be tolerated."
We welcome the fact that @facebook has one of the highest number of users from India but if any theft of data of Indians takes place in collusion with other companies for manipulation of democratic processes then that will not be tolerated. #FacebookDataBreach pic.twitter.com/OBdv2vN7Ho — Ravi Shankar Prasad (@rsprasad) March 21, 2018
The minister warned that stringent action would be taken against Facebook if the government determines that Indian user data has been compromised.
"Any data theft of Indians in collusion with Facebook will not be tolerated," Prasad said. The Indian government, if merited, will consider summoning Facebook CEO Mark Zuckerberg to testify about the security of Indians' data, he added.
Pavan Duggal, a Supreme Court attorney and cyber law expert, says Facebook could potentially be sued for damages under Sections 43 and 43 (a) of the Information Technology Act. "Facebook must tighten its belt. It can be sued for damages and criminal charges - breach of trust, and having no adequate mechanism for prevention," Duggal told Scroll magazine.
The government of India should take a collaborative approach with law enforcement, regulatory bodies, policymakers and technology providers to protect social media users' data from future breaches.
Meanwhile, enterprises must protect user credentials against breaches when apps are accessed using the Facebook login.
"Enterprises using single-sign-on features from social identity platforms like Facebook have to re-evaluate the risks by looking at elements like multifactor authentication and API controls," says Sameer Shelke, co-founder of Aujas Networks.