Secure it! Else, pay
Setting up appropriate security measures is inconvenient, but protecting a company’s reputation makes it all worthwhile
It is a tragedy that Facebook, with more than 2 billion active users, has allowed itself to be taken for a ride by an upstart, Cambridge Analytica, a London-based political consulting company incorporated in 2013 in the U.K. CA had the gumption to call itself a technology firm. ‘Data drives all we do’ was the slogan that it cleverly employed to give itself an aura of respectability.
In retrospect, it possibly did not deserve the label.
The controversy is snowballing across the globe. FB CEO Mark Zuckerberg has admitted to a few mistakes, and is possibly underplaying the disaster. His accountability cannot, however, be diluted.
A blown cover
The question that needs to be asked is more to Analytica: whether it was driven by data or lucre. A whistle-blower has uncovered it all, highlighting the commercial nexus between Analytica and US politicians in predicting and shaping voting preferences.
Closer home there are already charges that Analytica is no stranger to us, and had at least been approached, if not used, for crass politics. Therefore, we need to sit up and send several posers to Zuckerberg.
The gravamen of the charge against Cambridge Analytica is that it managed to harvest data from Facebook users to build psychological profiles of more than 50 million individuals. There is no charge as yet that the data in question was obtained through hacking of the Facebook website or by any other unethical technological means. It emerges that the modus operandi involved was simple.
A company called Global Science Research (GSR) used a personality App with the permission of Facebook for what the former claimed was academic research purposes. With the help of this, Aleksandr Kogan, a psychology lecturer at Cambridge University and a co-director of GSR, managed to harvest data of millions of FB subscribers who used the personality App. What was sinister was GSR’s subsequent sale of the data to Analytica which was running data analytics for Donald Trump’s presidential campaign. FB’s stand is that GSR gained access in a legitimate manner, but it violated the rules of agreement by passing on the secured information to a third party, namely, the Republican Party. In its eyes, Kogan was the villain of the piece. If, ultimately, FB is vindicated, it is Analytica and Kogan who will have to bear the cross.
Ignoring security concerns
While FB may get away, reports indicate that it had given no serious thought to security as an important ingredient of what it dishes out to subscribers. It is reported that its chief security officer, Alex Stamos, had always been unhappy with the management’s response to all his entreaties for greater sensitivity to security. He is said to have advised his superiors to admit that its platform had been misused by the Russians during the 2016 US presidential elections, and set up a team to investigate the matter. An outspoken advocate for tightening all-round security, he is known to have once openly challenged the national security adviser, and also had a rough time at Yahoo, his previous employer. In his view, FB should organise security on par with any defence contractor, and not run the company like a college campus with skimpy security.
There are several lessons to be learnt. First, it is clear that it is not hacking alone that brings disaster to a well-established company. It is people within the organisation or those who interact with it intimately, who have to be kept in mind while structuring security. No background check is going to reveal whether you are dealing with a bad guy or a good guy. It is a certain native circumspection built over the years that is critical. Also, every fast-rising company will have to draw a healthy balance between winning clients (subscribers in FB’s case) and the expenditure involved in nursing privacy and protecting data.
The experience the world over is that many corporations are averse to installing even basic security if it involves investment. It is ultimately the management that has to take the call. High security is inconvenient and painful but is worth the money spent on it if the reputation of an organisation has to be protected.
The writer was CBI director and security adviser to Tata Consultancy Services Ltd