Financial transaction security and data privacy are issues that have come to the fore often in the recent past. With a rising number of Indians spending time on websites and apps i.e. the digital world, the risks of digital attacks have grown exponentially. Unfortunately, Indian websites have yet to mature when it comes to user privacy, says Shivangi Nadkarni, co-founder and CEO, Arrka Consulting. It is important to understand that personal data of users is being collected all the time when the user is online – via the mobile apps they have installed on their phones, via the websites they visit, even via other online touchpoints such as smart home assistants and other smart devices, she says. In an interview to Kumar Shankar Roy, Nadkarni, who has an engineering degree from BITS Pilani and Masters degree in management from IIM Calcutta, sheds insights into how users should navigate the digital maze and take precautions when it comes to usage.
You do a lot of privacy testing of websites. Can you tell us about your findings about popular Indian websites? Are they respectful about user privacy and personal data?
Indian websites have yet to mature when it comes to user privacy. There is very limited transparency in terms of what they do with a user’s personal data, the kinds of tracking & profiling they do, etc.
The privacy notice on a website is expected to outline to a user what is being done with their personal data – and notices in India do not do so effectively. This is not surprising because there is no Data Protection or Privacy law in India requiring them to be transparent – so there is no real push.
A lot of attention today is given to how user data is used and how social media platforms are influencing people. Can user data be utilised to manipulate people?
A user’s personal data can most certainly be used to influence them. It is important to understand that personal data of users is being collected all the time when the user is online – via the mobile apps they have installed on their phones, via the websites they visit, even via other online touchpoints such as smart home assistants and other smart devices. This is fed into vast global eco-systems of data brokers, profilers, advertisers, marketers, analytics folks, etc – based on which detailed individual profiles are built and continually updated. These profiles are then leveraged to customise what gets ‘presented’ to a user – the news that a user sees, the ads that get presented to her, even the search results that come up when she does a search online. In the world of privacy, this is known as the ‘big nudge’ – indicating how users are ‘nudged’ or manipulated with certain ideas, opinions, and beliefs.
In fact, the whole Facebook-Cambridge Analytica brouhaha was about exactly this … how users’ were manipulated using their profiles to influence the outcome of the US elections.
Much of online usage today takes place via mobile phones. What is your take on top Android Apps and their IOS counterparts in terms of privacy protection?
Our recent study on the “State of privacy” shows that of the tested Android based apps, 50% have access to camera, 69% have access to a user’s precise location and 79% have access to device ID and call details. Almost 100% of apps studied send data across the borders. In the case of IOS based apps 79% have access to camera, 88% have access to photos & 72% have access to a user’s location. Also 41% websites do not encode/encrypt username and password at the client side prior to transmission.
We are constantly dealing with digital risks – via our devices (smartphones, tablets, laptops, smart devices, etc) as well as the Apps and Online sites we use. But, the conveniences and advantages they bring are huge. How to balance the two realities?
This is a very individual choice and decision. It is ultimately about balancing convenience vis-à-vis the risks an individual is willing to take. Some people may be willing to take extra risks compared to others. What is important is that (a) people are given a choice – and not presented with a fait accompli and (b) they are aware of and cognizant of the risks involved so they take informed decisions.
When we download and install an App or when we run an App on our mobile device, it asks for your permission to access certain data or information on your device. How safe is this to allow such permissions? Some apps don't even complete installation if we don’t give permissions...
These permissions you are referring to are known as ‘Dangerous Permissions’. They are referred to as such because the kind of data they access to via the permission can severely compromise a user’s privacy. However, it is important to understand that some of these permissions are required for the app to function. For eg, a taxi hailing app needs access to your location so the taxi can pick you up. The problem comes up when apps take more permissions than they require for their functionality. Which is why it is important for a user to remain alert and aware and not give permissions which are not required.
And yes, many apps don’t necessarily ask for permissions in the first place. However, this is slowly changing – with the Android and IOS systems forcing some best practices amongst app developers. However, this needs to be supported with appropriate laws to act as the necessary deterrents.
In terms of financial transactions, many of us do online money transactions for recharges, paying bills, online shopping and ordering food. Should these be done only through debit card/net banking route, or it is okay to do them through platforms like Amazon Pay, Paytm, Mobiwik etc?
Whether you do a transaction using debit cards/ net banking or via wallets like Paytm etc – ultimately you are using a digital interface. Hence risks from data privacy and security point of view are on par. Hence when evaluating the two, it may be prudent to look at other types of risks involved – like fraud risks etc – and the recourse available to a user if things go wrong in each type of situation.
On WhatsApp and other phone messaging apps, often messages are sent saying 'click this to get 50% discount' etc. Are these ways to collect user data and later use that data with malicious intent? How can users know what is genuine and what is a scam?
More often than not, they tend to be mechanisms used to enable data collection. However, they may be genuine too. Hence one cannot paint everything with the same brush. But it is always better to be careful and think twice before availing anything that seems ‘too good to be true’.
Whether the data collected is used for malicious purposes or not is an entirely separate aspect. They may well be genuine offers made by legitimate companies to collect data – that they use for tracking & profiling a user. However, there are many fraudsters and scamsters out there who want to collect user data and use it for malicious purposes. The only thing one can do is to remain alert and aware – and critically look at any ‘lucrative’ offers.