Are apps facing a crisis of sorts after Facebook has been hit with loss of market value and much more following revelations of the social media giant allowing a political consulting firm access to user data to influence elections? Facebook has run newspaper ads to apologise to users in the US and UK, and the European Union is on the verge of implementing regulations that mandate clear expressions of consent for access to user data. But in India, it appears to be business as usual for apps, for now, thanks to the absence of serious cyber security norms and low awareness among users.
“WhatsApp cares deeply about the privacy of our users. We collect very little data and every message is end-to-end encrypted,” says a spokesperson of WhatsApp, the Facebook-owned messaging platform which is one of the most popular apps in India. The company had conducted an end-to-end encryption workshop last August to educate the media and, through them, the users.
Companies do not concede any emerging crisis in India by way of customers’ perception of apps and maintain that data are collected only with permission. For instance, the Alibaba Group-owned UC Browser, which was delisted from Google Play Store last year, reportedly over data security issues, has said complaints about theft of mobile data of its users in India to servers in China were unfounded.
Fitness technology firm GoQii, whose products include a fitness tracker, an app, a care team and a personal coach for users, says it collects data only for the purpose of improved health care monitoring of customers. Abhishek Sharma, chief marketing officer and co-founder, GoQii, points out that the company is present in multiple markets and is therefore bound by global data protection laws.
Besides, the California-based company adheres to the Health Insurance Portability and Accountability Act of 1996, a US law that provides data privacy and security provisions for sensitive patient information.
Sharma agrees data collection is rampant in India, arguing that even if we look beyond apps it would be apparent. “There is always a rush for collecting personal data. Even if you update your KYC on a mobile, the operator asks for reference of another friend as mandatory. Why does he need that? It’s all about data generation,” he says, adding that data thus sold explains the long-prevalent practice of telemarketing.
Online deal discovery platform Nearbuy is among a few apps that do not have a Facebook link or login. Its CEO, Ankur Warikoo, says, “Whatever data the user willingly shares with Nearbuy is the only data we have. By virtue of this, we also do not work with any third-party app. So every algorithm or personalisation that we have to do happens at a native, in-house level.”
He admits that the data—around location, transaction, browsing history and personal details that are valuable and confidential—at Nearbuy’s disposal are immense. “But we took a conscious vow that we may have to go against the industry norms of how data is used. So be it, we are not going to work with a lot of third-party players,” says Warikoo.
He, however, points out there is large-scale abuse of data in India due to lack of strict regulations or protocols, and also that Android especially allows for easy and deep access. Apps, he adds, end up asking permission from users for things they don’t need access to. For instance, login options in general are driven through one-time passwords (OTP), which invariably leads to users happily granting apps permission to read their OTP SMS and all other SMS texts.
According to Warikoo, fears around data security and sharing are only being raised by an elite class of consumers as well as institutions, governments and activists who are hurt most by it.
The vast majority simply does not care.
“I haven’t heard a single user saying ‘I hated what Facebook did to my news feed’, even if they are saying they want privacy. The lack of protest in that sense means consumers are not unhappy,” he says.
Experts call for granting individuals choice and control over their data.
Venkatesh Krishnamoorthy, country manager for BSA | The Software Alliance, India, says there are a number of available tools, but companies should have the flexibility to implement what is most suitable. For example, consent dashboards could enhance consumer control, but imposing requirements on how the dashboards should be implemented would be overly prescriptive. “Presenting privacy notices in a public document would also foster consumer trust. This also affords the space and flexibility to offer translations in multiple languages, especially in a country like India, to reflect the diversity of individuals who use a product or service,” he adds.
Rana Gupta, vice-president, APAC sales, identity and data protection, of digital security company Gemalto, explains that mobile apps seeking user data interact with servers in the back end which consolidate all the data. “While using any mobile application, a user must consider the reputation of the application provider in terms of its history of user data handling as the biggest risk that a user faces is with respect to the sharing of the data collected by the server,” he says.
Though leakage of data through malware attack on endpoint devices remains a risk, it is usually much more rewarding for hackers to target the back-end servers as that allows them to get hold of the entire data in one go, says Gupta.
For enterprises running the server side of their mobile apps, Gemalto recommends a “Three Step Secure The Breach” framework—encrypting the sensitive data on their servers, managing the encryption keys in tamper-resistant hardware and implementing secure two-factor authentication for anyone accessing the servers.