Facebook breach shows need for data privacy law, say rights experts
KARACHI: Following the massive data breach at Facebook, digital rights experts in Pakistan have reminded authorities of the pressing need for specific laws in the country to protect the private data of individuals.
On Friday, Facebook revealed that 50 million accounts were breached in a security flaw exploited by hackers, which had prompted 90 million users across the globe to change their passwords.
The breach, it said, had taken place a few days earlier, on the afternoon of Sept 25. While Facebook claims that it has plugged the loophole, it has not stated what the consequences of the hack are.
In a telephonic briefing by Facebook’s executives later, it was revealed that the flaw affected more than just Facebook. If an account was impacted it meant that a hacker could have accessed any third-party application such as Instagram that was logged in using Facebook. Facebook Login is the tool that allows users to sign in with a Facebook account instead of traditional login credentials and many users choose it as a convenient way to sign into a variety of apps and services.
Millions of users had to change passwords after social media giant revealed that 50m accounts were breached in hack
Among the 50 million accounts compromised in the hack, various users were logged out of Facebook in Pakistan as well. According to a digital report by We Are Social, a global social media company, and Hootsuite, there are 35 million active Facebook users in Pakistan in 2018, a 13 per cent rise from the previous year.
Given the popularity of the social media giant in Pakistan, digital rights experts have expressed concern over the potential risks to the user’s private data.
“Access tokens which were [potentially] stolen in the hack are used to generate uninterrupted access to accounts without having to provide passwords every time. If these tokens were compromised then that means the hackers can fully control the account, including private posts and pictures,” said Asad Baig, executive director of NGO Media Matters for Democracy.
The breach also indicated that even Facebook — one of the largest digital service providers in the world — wasn’t safe from data breaches, he added. Baig pointed out that it was too early to predict the extent of damage this breach has done in terms of user data.
Generally, users input personal information — which may be at risk — on their profile, including date of birth, phone number, family members, and credit card information for business activities as well as professional details.
Way forward
Speaking to Dawn, Usama Khilji, director of Bolo Bhi, an advocacy forum for digital rights, said the breach was a reminder of the need to enact data protection laws in Pakistan, as this would allow the country to potentially hold companies accountable for security loopholes that compromise the private data of individuals.
“Under the law, consumers could have a legal channel to claim damages for breach of privacy, something they deserve when their data is misused without their consent,” he said.
Earlier this year, in July, the Ministry of Information Technology and Telecommunication drafted the Personal Data Protection Bill 2018, proposing a maximum punishment of up to two years' imprisonment and a fine of five million rupees for unlawful processing of personal data. The proposed legislation applies to processors and any person who has control over the processing of any personal data.
The Constitution, the bill highlights, grants privacy of home alongside dignity of every man and woman as their fundamental right under its Article 14.
The draft bill identifies that in today’s digital age, personal data has become an extremely valuable commodity and for many businesses the sole source of their income is the personal data of users they generate. The personal data is often being collected, processed and even sold without knowledge of the person.
Section 35 of the data protection draft titled ‘Corporate Liability’ states: “A person shall be held liable for a criminal offence committed on his instructions or for his benefit or lack of required supervision by any individual, acting either individually or as part of a group of persons, who has a leading position within it, based on a power of representation of the person; an authority to take decisions on behalf of the person; or an authority to exercise control within it. The person shall be punished with fine not exceeding five million rupees.”
The draft proposes that within six months of the law coming into force, the federal government shall establish a Commission for Personal Data Protection (CPDP), which citizens can access easily in case of a data breach.
“We need to consider an Asian Data Protection Regulation ratified and implemented by Asian countries, on the design of the General Data Protection Regulation (GDPR) (which standardises data protection law across 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information),” Baig suggested, adding that this way, if the Asian market was at risk from Facebook, it was likely that data protection and privacy would be taken seriously by and for the region’s users.
Published in Dawn, September 30th, 2018