Big Data & Privacy Issues

By Zaynab Aumeer, Saffiyah Goolam Hossen, Jannat Mamode, Pritima Ramroop, and Pamela Ravina.

Investopedia defines big data as “the large, diverse sets of information that grow at ever-increasing rates.” It encompasses the volume of information about users’ autobiographies and often comes from multiple sources. Big data can also be categorized as structured or unstructured.
Big data is collected from social media platforms and websites, through product purchases, electronic check-ins, locations, interests and questionnaires. It is important mainly in marketing, as it has the potential to provide companies with profitable insights into their customers. These insights further enable marketers to refine marketing campaigns and maximize customer engagement and conversion rates.
The realm of big data is a million-dollar business, considering how important a tool it is in the marketing industry for affecting people’s decision making. Increasingly, internet users receive an advertisement by mail or online that is quite relevant to their situation or interests. Today there are over 4,000 data brokering companies worldwide that sell these data to leading companies across the world, which explains the relevancy of advertisements to users. Acxiom, one of the largest data brokering companies in the world, has over 23,000 servers that collect and analyze data for 500 million consumers worldwide.
Every search is monitored by data brokering companies and the information will be sold to companies so that they can create online ads to catch the attention of the user.
Now data brokering is a 200 million dollar industry.

Issues related to Big Data

Cyberbullying takes place over digital devices and can occur through SMS, text, and apps, or online in social media, forums, or gaming, where people can view, participate in, or share content like photos, messages, or pages that do not get taken down even when the person has been asked to do so. It includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else, causing embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behaviour.
Cyberbullying statistics (2019) worldwide reveal alarming facts about virtual harassment, its impact, and the many different shapes and forms it can take.

Examples of Cyberbullying cases are:

  • Tyler Clementi: A shy 18-year-old university freshman with a passion for playing the violin, who jumped to his death from the George University Bridge.
  • Ryan Halligan: He committed suicide on the 7th October 2003; it was found that he had been humiliated by peers at school and online.

The Mauritian Cybercrime Online Reporting System (MAUCORS) is a national online system that allows the public to securely report cybercrimes occurring on social media. It also provides advice to help recognize and avoid common types of cybercrime that take place on social media websites.
Mauritius has amended the Information and Communication Technologies Act (ICTA) to include a clause imposing heavy sentences for online messages that may be considered aggravating. Here is a screenshot showing a case of bullying which happened in Mauritius: a young man, Atish Ramnaraynan, who died because of cyberbullying.

The screenshots below are some examples of cyberbullying happening in Mauritius: in the comment sections, people are attacking the TikTok users Arjoon and his cousin Deepti over their physical appearance, which is a form of online bullying.

Interconnectedness: Connecting phones to PCs
An important word to know is ‘tethering’, which means connecting two things and is basically used for sharing the data connection of a smartphone with a PC or laptop.
This feature enables us to share information from one device to another, but connecting phones to PCs or laptops has its drawbacks. It opens the possibility of someone gaining full access to your information and beyond. How is that possible? It can be done through a legacy system of commands called AT commands, which an attacker can use to get your phone number and download the contacts stored on the SIM card.
A lot of information is exchanged between the two devices, including the phone’s name, its manufacturer, the serial number, the file system, etc. A hacker can thus break into a smartphone and take control of it, which is why, as mentioned above, there is a risk of data loss and of driving the balance into the red.

Malware & Viruses
Malware is designed to cause trouble by gaining access to your device. It does not only have access to your information; sometimes it is made to steal it.
A computer can become infected in several ways, firstly by clicking on links to malicious sites in email messages and in messages on social media. Confidential data such as passwords are a key target of cybercriminals. Data loss and theft can occur because of malware. The damage caused by a successful attack that erases a user’s data can be measured in terms of the value of the erased information to the user. An often neglected way to prevent data loss is taking regular backups.

The aim of hackers is to exploit computers illegally to steal people’s data. Hackers usually parse existing breach information for passwords, usernames, and emails and try to reuse those data on famous websites. They use ‘checker’ scripts, created to test batches of username:password combinations on specific websites in order to verify available accounts. These scripts exist for any service, are regularly updated, and circulate within the hacker community.
Some famous hackers are:
Kevin Mitnick: He is the CEO, Team Leader, and Chief White Hat Hacker and the most popular one worldwide. Before becoming a trusted security consultant to the Fortune 500 and governments around the world, he was on the FBI’s Most Wanted list, as he had hacked into 40 big corporations. He was also the “most wanted computer criminal in United States history.”
Ankit Fadia: An Indian “ethical hacker” whose work usually includes proxy websites and lifestyle, OS and networking based tips and tricks. He also gives an online certified ethical hacking course.
Gary McKinnon: He hacked 97 US military and NASA systems more than a decade ago to gather data regarding UFOs.

Data breach
A data breach is the intended or unintended release of secure or private or confidential data to an environment which is not trustworthy.
LinkedIn’s 167,370,910 accounts were hacked in June 2012, leaking emails and passwords. This illegal act was committed by Brandon Charles Glover and Vasile Mereacre, the ones who hacked Uber.
In 2019, a bug in Google+ exposed 500,000 users’ information for about 3 years. The bug had revealed users’ names, ages, email addresses, occupations and some profile information shared secretly among users that should not have been obtainable. Google+ allowed an investigation to take place regarding this matter.
The Guardian revealed that Google decided to shut down user accessibility to Google+ after solving the bug to maintain their image and identity as well as ameliorate privacy protections.
However, Facebook is among the first names that crop up when the issue of data privacy is raised. The major leak of information is mainly through third-party apps. A study by Na Wang, Heng Xu and Jens Grossklags examined the privacy threats associated with the use of third-party apps on Facebook, as affirmed by a Wall Street Journal report which found that numerous third-party apps on Facebook are extracting identifiable user information from the platform and sharing this bounty with advertising companies. More than 30 billion pieces of content (links, news, stories, posts, notes, photos) are shared on Facebook, where users interact with over 900 million objects each month. By the end of the research, it became obvious that a large amount of users’ personal information is being transmitted from Facebook to external entities.
Moreover, in Facebook’s Privacy Settings for apps or instant games, users can control the information shared between them and other applications they signed in to using Facebook. Access to some information categories can be denied; however, there are some fields for which access cannot be denied and which are marked as “required” by Facebook, as shown below:

It was also noted that the permission dialog insufficiently reflects the data requested. As an example, “Access my photos” was used to see whether the dialog would truly convey the third-party app’s information practices. However, the dialog fails to show that, with a simple “User photos” permission, the information the app can actually access is not limited to the shared photos, as the permission enables the app to access all album objects the user has created. Below is a chart of all the information that can be accessed by a simple “User Photos” permission.

Link between Cambridge Analytica and Campaign 2.0
Cambridge Analytica made headlines in March 2018 after a whistleblower came forward with some revelations about the company. However, Cambridge Analytica also does data brokerage for political purposes during electoral campaigns, in which it sells political parties data about individuals so that these parties can create ads or run their campaigns around the behavioural patterns of the public.
In 2018, Cambridge Analytica used Facebook as a way to harvest people’s personal information so that it could be used for political advertising. It was then that the public became aware of how unprotected the data they put online was and how, if it gets into the wrong hands, it can be used against them and their will. When it was first reported, Facebook refused to comment on it and said only that it was being investigated. Due to this breach of data, people were targeted with political ads personalized on the basis of their personal information so that they could be manipulated into voting for Donald Trump in the 2016 election. The data was obtained through a personality test app on Facebook, which pulled out the data of the people who used the app, including information about what their friends liked, without their consent. The app, ‘thisismydigitallife’, was a creation of Global Science Research, run by Cambridge-based academic Aleksandr Kogan, and was quickly used by 320,000 Facebook users. The data of around 50 million users was harvested in just two months by accessing those users’ friends networks. The data gained allowed Trump to score an upset win against Hillary Clinton. Through that campaign, Trump used the data to spread narratives on social media aiming to ignite a culture war, suppress black voter turnout and exacerbate racist views, using the help of Cambridge Analytica to create personalised online ads.
We can observe similarities with the Mauritian Campaign 2.0, where there is the use of social media platforms for political campaigns. The rise of social media has made it possible for political parties to use them as a way to advertise their motives and parties. Campaign 2.0 allows the political parties to have a strong presence online, trying to influence online users’ decisions during the election period.

Safety Measures for Big Data
Referring to the Cambridge Analytica issue, we found that Mark Zuckerberg has listed some changes and updates concerning the protection of data and they are as follows:

  • On 19th March 2018, a forensic audit of Cambridge Analytica and other parties that were involved in the misuse of data was being pursued.
  • On March 21st, Facebook promised to investigate thoroughly all apps that have access to large amounts of data and information through the platform, audit any suspicious activity and ban any developer who misused personally identifiable information and data.
  • On August 22, a spokeswoman stated that third party apps were being investigated and more than 400 were suspended.
  • On the 1st of May, Facebook created the ‘clear history’ tool that would allow users to force Facebook to delete all the information that it gathers about them while they browse the web. No information would be retained about any users who use the clear history tool.

Other than the safety measures that Facebook stated, a user has other ways of protecting his/her data online. The following are the types of safety measures that can be used to protect online data.

  • Installing good anti-virus software capable of scanning HTTPS traffic can protect users from phishing attacks. The antivirus can scan encrypted web communication, analyze the content of the websites a user has been browsing, and try to identify patterns that can be linked to potentially malicious websites.
  • A user is advised not to open suspicious emails, not to download pirated software and to access only e-commerce websites that support HTTPS. This will enhance the protection of their data online.
  • Do not connect to unknown networks, because they can perform man-in-the-middle attacks against you by intercepting the sensitive data you transfer online.

Laws in Mauritius Regarding Data Privacy
A huge amount of information is being shared through online platforms, and a big proportion of this amount is about personal data. Mauritian citizens have the right to privacy which is expressed in Sections 3 and 9 of the Constitution of Mauritius and Article 22 of the Mauritian Civil Code.
The General Data Protection Regulation was published in the Official Journal of the EU in May 2016 and came into force on the 25th of May 2018. It is a law with extraterritorial reach which protects privacy rights and imposes obligations, for example consent requirements, data breach notification, appointment of data processors and new processes. This means that the GDPR is relevant to Mauritius, as it applies to every data controller and processor regardless of geographical location. Online actions such as sending marketing emails and adverts using big data have to comply with the GDPR, and this has led to some changes. For example, targeting adverts for baby products at someone who searches for “morning sickness” online may be unlawful profiling based on the collection of special category personal data. Purchased marketing lists must also be subject to critical scrutiny under the GDPR.
The Data Protection Act 2017 came into force on the 15th of January 2018. The role of the DPA 2017 is shaped by the principles of the GDPR, that is, to aim at protecting and safeguarding the privacy rights of individuals during the processing and storing of their data. The missions of the Data Protection Act are to “ensure lawfulness, fairness and transparency such that individuals are well informed and afforded protection for the confidentiality of their personal data in order to reduce the growing risks of data leaks in an age of ‘e-society’.”

According to these laws, a data subject must provide unambiguous consent, expressed by a statement or a clear affirmative action, to have their data recorded and stored by any physical or virtual platform. Opting out must also be clear and simple, such as a checkbox, and further barriers like confirming in writing cannot be put in place. Moreover, prior to a collection of data, a data processor or controller must first assess the data protection impact, whereby the impact of the planned processing operations on the protection of personal data is analyzed and studied. This must include an assessment of the potential risks to the rights and freedoms of individuals and envisage measures to address these risks by providing security mechanisms in case there is a breach.
Consequently, in the case of a breach, the data processor has a maximum of 72 hours to notify the breach to the Commissioner and the controller. Therefore, if the controller deems the breach to result in a high risk to the rights of the subject, the controller needs to notify the subject without delay with a clear and accurate communication exchange. This exchange is not required if appropriate and effective technical and organizational protection measures are put in place and the breach does not affect the subject.

Rights of Individuals regarding processing of their data

  • Right to erasure
  • Right to object to automated profiling
  • Right to data portability
  • Right to request data
  • Right to rectification
  • Right to restriction
