Twitter’s move should make the online ad industry garner support for itself during the passage of the Personal Data Protection Act as a strong lobby will oppose the use of personal data for profiling
By Na Vijayashankar
The intriguing announcement by Twitter of stopping all political advertising is interesting. It opens up discussion on online advertising regulations and the role of privacy and data protection in consumer profiling for targeted advertising.
Though the reason stated by Twitter for its revenue-sacrificing decision is that it believes that a “political message reach should be earned, not bought”, many in the industry speculate that this is a strategic move to bring pressure on its social media rival, Facebook, to follow suit and forego revenue opportunities during the next US elections.
Facebook, when compared to Twitter, enjoys better efficiency in ad delivery and provides a higher per ad return to the advertiser and consequently enjoys a higher market share.
Hence, if political advertising is stopped by Facebook and Twitter, it will hurt Facebook more than Twitter. Facebook is unlikely to take the bait and, despite the controversies surrounding Cambridge Analytica and the advent of General Data Protection Regulation (GDPR), it will continue political advertising. As efficient AI-based profiling by Facebook appears to be contributing to its better ad performance, it will look for ways to retain and improve its profiling rather than stop its ad business.
The California Consumer Protection Act, which provides clear permissions for sale of personal data, allows for the possible review of data protection principles in other state laws in the US, enabling Facebook to continue its profiling. With WhatsApp also in its kitty, Facebook has a formidable opportunity to harness the political ad business during the US elections. This is estimated to be $6 billion, of which 20 percent may be invested in online media.
For Twitter, it may be a business strategy to give up a losing business vertical in the hope that its competitors would take the bait.
Let us now focus on the impact of Twitter’s decision in the Indian context. It is necessary to remember that Facebook had, during the last Indian elections, imposed self-restrictions on political advertising by insisting on registration of political advertisers by following Know Your Customer (KYC) norms. The idea was to curb fake news and false propaganda during the pre-election period and to observe the campaign silence period before the elections as per the directions of the Election Commission of India. This was a good step in improving the reliability of advertising on Facebook.
Hounding WhatsApp for Pegasus
The Pegasus issue will shortly reach the Supreme Court. It may have to adjudicate if the Government of India did indeed purchase the malware for a cost of around $7-8 million to carry out surveillance on around 50 persons at any point of time (which is the limit of the malware) and whether WhatsApp was guilty of hiding the outbreak ofthe malware.
Politicians who are expressing their views don’t seem to understand the nature of the security incident that the Pegasus attack in India represents. Pegasus is a technology tool created by an Israeli company called NSO and has the capability to read text messages, track calls, trace the location of the phone, access the device’s microphone and video cameras, gather information from apps, and so on.
It can read not only WhatsApp but also Telegram, Facebook, Skype and so on. It has been seen since 2016, and has affected many people outside India as well.
There are thousands of pieces of malware similar to Pegasus. Many of them were created for one purpose but impacted society differently. Two notable examples are the Stuxnet malware created to attack Iranian nuclear facilities which was also found in India and the “I Love You” virus created by a student in the Philippines as his educational project spreading all over the world.
NSO says that they sell it only to government agencies, but everybody knows that malware is stolen by the dark web and used without the permission of the creators.
Hence we cannot conjecture that the Indian government must have used it for surveillance against political opponents.
It is premature, without positive evidence, to blame Pegasus on either WhatsApp or on the Indian government. There are many court cases in the US that will soon throw some light on the truth about Pegasus. We should, therefore, show maturity in waiting for the truth to unfold rather than making a song and dance about something that we don’t fully understand.
—Na Vijayashankar
There is now continued discussion on whether social media platforms should link Aadhaar to the user’s identity and use KYC norms for all users. While some privacy activists think that insisting on KYC for registration on social media platforms would lead to curbs on free speech, a majority feel that stemming the spread of fake messages is a larger necessity and a permitted exception to the right of free speech.
It is important to examine if imposing regulations on digital advertising is one of the measures to prevent fake messaging and if so, whether it should be self-regulation by the industry or statutory regulation imposed through laws. There is a debate on whether these regulations should be imposed on “intermediaries” under the Information Technology Act, 2000 (ITA-2000), through the proposed Personal Data Protection Act (PDPA) or through regulation in the advertising industry under the Advertising Standard Council of India (ASCI).
At present, Indian advertising is largely regulated and controlled by the ASCI, a non-statutory voluntary body established in 1985 and consisting of representatives from the stakeholder industry. It adopts a self-regulatory code but is often unable to ensure implementation of the regulations. The Code, however, complements the other relevant statutory laws such as those of defamation, free speech, contempt of court, consumer protection, trademark and copyright as well as many industry- specific laws which apply to food, drugs, chit funds, tobacco, liquor, and so on, and those applicable for professions such as medical and legal.
By virtue of Section 4 of the Information Technology Act, 2000, any law applicable to a print publication automatically becomes applicable in the electronic form. The ASCI guidelines can also be interpreted as due diligence requirements and adopted as a legal provision under Section 79 of ITA-2000. There may, therefore, be no need for a separate law for regulating digital advertising though an efficient mechanism to implement the regulations in a media which is new and has its own complexities would be desirable.
At present, ASCI has developed a mechanism for regulating digital advertising and takes up complaints on advertisements appearing on any online platform. In practice, however, it is difficult to say if the ASCI has built up a capability for monitoring and enforcing discipline in this area. Online platforms are too big and influential and are capable of even taking on the government or courts as has been seen in the issue of tax on advertising revenue or when some content is ordered to be removed. It is, therefore, ideal if ASCI works with the ministry of electronics and information technology and develops an effective regulatory framework for online advertising. This should cover some of the concerns people may have over the misuse of the online advertising platform without totally sacrificing privacy principles.
It is difficult to discuss online advertising without discussing the implications of profiling of the target audience and the impact of privacy laws on such profiling. Facebook is still reeling under the impact of the Cambridge Analytica controversy. GDPR is extremely circumspect on the use of profiling for ad targeting. On the other hand, the California Consumer Privacy Act has recognised the needs of the online marketing and advertising industry by regulating the sale of personal information. In India, we are on the threshold of PDPA being passed into law. The draft PDPA available now will be interpreted differently by different people and a strong lobby will oppose the use of personal data for profiling purposes. This will definitely have an adverse impact on all online advertisers.
It is expected that the data governance framework that is likely to come out in due course as a guideline to the management of non-personal data may provide some clarity on the use of anonymous or partially de-identified personal data.
But even this framework may not address the problems of profiling for ad targeting. The online ad industry, therefore, needs to protect its interests by properly representing its requirements during the passage of PDPA.
While privacy enthusiasts swear against any form of profiling, it is necessary for all industry regulators to reflect on the theory of marketing and advertising. Privacy activists need to be convinced that marketing and advertising are not concepts that are evil but have a beneficial purpose. Just like we balance the right to privacy with the right to free speech and national security, we need to also balance privacy rights with the legitimate business interests of the online advertising industry.
It is a fundamental aspect of marketing that advertising is communication with a prospective consumer where the benefits of a product are explained and, to be effective, it should be targeted. Targeting is through market segmentation and catchy advertisement copy. Though some creative innovation is part of advertising, the strategy for selection of the target audience is based on market segmentation and choosing the content is based on the identified purchase behaviour of the consumer.
Hence, consumer behaviour research is the foundation of marketing and advertising. It is this research which privacy laws try to paint as profiling and curb. Those privacy enthusiasts who came down heavily on Facebook for targeting political ads during the last US presidential elections or during the UK referendum on Brexit are ignoring the fact that profiling of consumers is basic to any marketing activity and just because we do not like the end result of a targeted ad campaign, we cannot stop it.
Even in India, there have been ad campaigns of note during the Rajiv Gandhi and Vajpayee times. The success of political marketing strategy consultants such as Prashant Kishor and the booth-level targeting of voters inherent in Amit Shah’s election strategy, indicate the role of profiling for political campaigns. Such profiling activity like that of Amazon or Google are activities which are essential for economic development and should not be curbed in the name of privacy.
The withdrawal by Twitter of political ads should not, therefore, be converted into a demand for Facebook also to withdraw from political ads. What we need to debate is how to develop a regulatory framework for online ads. Perhaps it is time for the government and the ASCI to put together an expert committee to study the regulatory requirements of the online ad industry before the implementation of PDPA and ensure that data protection regulations do not place impossible restrictions around the digital marketing and advertising industry.
If the digital marketing industry in India does not act now, it will regret its complacency later after the PDPA becomes law.