Mark Zuckerberg settles Cambridge Analytica suit weeks before deposition; experts reiterate data privacy concerns

Meta Platforms have recently reached a tentative USD 37.5 million preliminary settlement of a lawsuit involving the infamous Cambridge Analytica controversy where it was accused of violating users' privacy by tracking movements through their smartphones without due permission. Interestingly, the settlement offer comes days before Mark Zuckerberg and former COO Sheryl Sandberg were scheduled to be put on the stand for lengthy depositions. This eleventh-hour development in the case is being perceived as a desperate move by the company to avoid answering tough questions.

In February last year, a US court approved a USD 650 million settlement of a privacy lawsuit against Facebook for allegedly using photo face-tagging and other biometric data without the permission of its users in a class-action lawsuit that was filed in 2015. The lawsuit accused the social media giant of violating an Illinois privacy law by failing to get consent before using facial-recognition technology to scan photos uploaded by users to create and store faces digitally.

In 2019, the company announced that it was settling five lawsuits that claimed the platform’s business model allowed companies to illegally advertise job opportunities, credit offers and home sales that were only visible to men, young people, and users in white neighbourhoods. Even Facebook’s own job ads posted on the network screened out older users. As part of the settlement, former COO Sandberg said the platform will no longer allow advertisers to target users by age, gender, or zip code if the ads are related to housing, employment, or credit offers. However, it was made clear that ads related to other products and services will not be held to this standard.

In 2012, Facebook had agreed to settle a lawsuit by paying USD 20 million that alleged the site's "Sponsored Stories" feature publicised users' "likes" without compensation or the ability to opt out. The lawsuit alleged that the company "unlawfully used the names, profile pictures, photographs, likenesses, and identities of Facebook users in the United States to advertise or sell products and services through Sponsored Stories without obtaining those users' consent".

In 2009, Facebook paid up to USD 65m - USD 20m cash and 1.25m shares – to end a lawsuit in which Mark Zuckerberg was accused of stealing the idea for the social networking site from a company called ConnectU. The case, brought against Zuckerberg by three former classmates, Divya Narendra and the brothers Tyler and Cameron Winklevoss, had threatened to derail Facebook.

These are just a few from the huge list of legal suits Meta has settled in the United States. Facebook's parent company is also facing legal challenges in multiple counties including several territories in European Union, Canada and others.

It all started with a British newspaper expose that revealed the data analytics firm that worked for Donald Trump’s 2016 election campaign and the pro-Brexit campaign harvested millions of Facebook profiles of US voters, in what is considered one of the biggest ever data breach scandals.

Christopher Wylie, the whistleblower who worked with Cambridge University academic Aleksandre Kogan to obtain the data, told the British newspaper Observer that as an employee he exploited Facebook to harvest millions of people’s profiles and built models to exploit what they knew about them and target their inner demons. "That was the basis the entire company was built on”.

In a statement, following the scandal, Mark Zuckerberg in a statement on Facebook confirmed that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, what must be noted is that Zuckerberg didn't go public then to alert the users and said the company immediately banned the 'thisisyourdigitallife' built by academic Aleksandr Kogan, where he paid thousands of users to take a personality test and got them to agree to have their data collected for 'academic use'. Zuckerberg further announced a series of internal investigations and took full responsibility for the breach.

Interestingly, Cambridge Analytica's activities can also be traced to India. In fact, last year the Central Bureau of Investigation had booked the firm for collecting and harvesting unauthorised data from Indians on Facebook. The action came based on a complaint raised by the Ministry of Electronics and Information Technology. A CBI inquiry revealed that Cambridge Analytica's ‘thisisyourdigitallife’ app was reportedly installed by 335 Indians, which led to illegal data collection of approximately 5.62 lakh Facebook users.

Back in 2018, it was reported that Cambridge Analytica claimed on its website that it worked on the Bihar assembly elections in 2010, and its clients won a landslide victory. Whistleblower Christopher Wylie actually said the data analytics firm "worked extensively" in India, and the Indian National Congress as its client while testifying before the UK Parliament. On the other hand, personal data protection expert Paul-Olivier Dehaye, who was also placing evidence before the British Parliament, revealed that an Indian billionaire paid SCL Group, CA's parent company, to ensure that Congress lost the elections. The whistleblower also confirmed that the firm had offices and employees in India. Back here in New Delhi, BJP and Congress indulged in a blame game, both the parties refuted any claims of association with Cambridge Analytica and accused each other of using its services.

In an exclusive conversation with Times Now, Pavan Duggal, the Supreme Court lawyer and Chairman of the International Commission on Cyber Security Law, said that this entire episode needs to be seen as a wake-up call for all stakeholders.

The cyber security expert further said, "This also means that people now have to make a choice. Do they have to be on such platforms where their private information continues to get farmed monetised, often without their consent? were they prejudicially impacting their legal interest as also their data privacy and personal privacy? Or should they want to continue with this kind of nightmare? Just because you are ignorant about the nightmare does not mean that the nightmare doesn't happen".

While expressing optimism about India's new IT Rules, Dr Duggal further went on to explain that Facebook doesn't face similar action in India due to a lack of adequate legal frameworks to really start taking effective action.

"India does not have a dedicated law on privacy, nor a dedicated law on data protection, nor a dedicated law on cybersecurity. So in this huge policy vacuum that exists in India, it's like a wild, wild west, kind of an opportunity for platforms like Meta to come, garner data, collect data, monetize that, and often trample upon the rights and the expectations of the users".

It must be noted that the Economic Times reported in July that the central government might ask Facebook, Twitter, and other social media companies to explain their alleged poor compliance with legal notices served in India. Meta told ET that from July 2021 to December 2021, Facebook received 50,382 requests from various governments in India, of which 47,123 were legal. The company had complied with 64 per cent of these requests. On the other hand, in the US, Meta complied with 88 per cent of legal requests in the same period, while in the UK, it complied with 89 per cent of such requests. Twitter's overall compliance rate in India stood at 11 per cent, whereas in the US and the UK, it was at 13 per cent and 7 per cent, during January 2021-June 2021 period.

Dr Duggal feels that India as a country needs to do quite a lot of things in order to avoid a Cambridge Analytica kind of situation. "India needs to have a dedicated new law on cyber security along the lines of many other countries. Once India starts doing that and India starts effectively implementing its existing law, for example, if it effectively implements the IT rules 2021 in letter and spirit if it implements the IT directions 2022, then to a large extent India can be in a comfortable position," the expert noted.

To better understand the complex issues surrounding data protection, Times Now spoke to Jiten Jain, cyber security expert and Director, Infosec Voyager. The expert said, ‘strong penalties and stricter punitive measures can only deter these companies from crossing certain privacy-related boundaries. Mr Jain further explained: “Even in the proposed data protection law, it was said that the data principles or these companies which will be collecting data of their customers would have to define the specific purpose for which data was collected. For example, if Facebook is collecting data of Indian users for social media networking purposes, it will not be able to use it for advertisements or other commercial purposes”. Unfortunately, the government recently withdrew the Personal Data Protection Bill, 2019 and is currently reworking the law to bring in comprehensive and separate laws on data privacy, cybersecurity and telecom regulations. MoS in the ministry of electronics and information technology, Rajeev Chandrashekhar said that the government is currently examining the draft law to make sure it does not create any burden of compliance, especially on start-ups.