Online Payment Systems Beyond RBI: A Threat To National Financial Security
Prerna Robin & Meenakshi Sukhesh
26 Jan 2021 12:22 PM IST
"Data is the new oil". This is the premise used to underline the economic value of data in the modern age. Given this backdrop, and the recent developments concerning companies whose activities of using customer data without consent, casts an imminent danger to the privacy, security and even safety of the user in the digital age. Several litigations have arisen throughout the...
"Data is the new oil". This is the premise used to underline the economic value of data in the modern age. Given this backdrop, and the recent developments concerning companies whose activities of using customer data without consent, casts an imminent danger to the privacy, security and even safety of the user in the digital age.
Several litigations have arisen throughout the country over the last few years, and amid these litigations, online payment systems such as WhatsApp and Google Pay etc. have been given the go-ahead to launch their payment services in India. They have managed to launch, set up and roll out its payments systems with full force in India. The new Privacy Policy and Terms of Use of WhatsApp have mentioned that it shares the customer data with Facebook and other partner companies, which is the last red signal we will witness before all fictions of security and accountability come crumbling down.
The recent hue and cry, that has led to the mass exodus of users from WhatsApp to alternate messaging platforms like Telegram and Signal, stem from the new Privacy Policy of WhatsApp, that it shall share the data of the users with Facebook, its parent company. Yet, for anyone even mildly aware of the policies and practices of these foreign entities would have seen it coming for quite some time. The basic question which kindles our curiosity in the matter, the source of revenue that has enabled WhatsApp to function for so many years devoid of advertisements and other generally understood sources of income, remains unanswered.
Had we done an in-depth reading of the Privacy Policy and Terms of Service of many online payment gateways, it would have come as no surprise to us, that data has always been shared with many entities, and other unnamed partner companies. How does WhatsApp operate, when until now, it did not even have a Head Office in India? And the most pertinent question, what can we do about it? Not using technology because of these dangers is not an acceptable answer in this digital era. What can be done, is becoming aware of these issues, and getting them answered and resolved. We have witnessed the Orkut era, Facebook era, WhatsApp era, and now, the WhatsApp Pay age, and history bears testimony to the fact that evolution leads to smarter and more manipulative generations.
As of March 2020, WhatsApp had a whopping 2 billion monthly active users around the globe.[1] India had 340 million WhatsApp users as of September 2019 making it the largest market for WhatsApp in the world. 68% of all the smartphones in India had WhatsApp installed in them at that time[2]. What started off as an independent, free-to-use online chat service quickly grew additional features such as calling and photo-sharing and branched into products such as WhatsApp Business and more recently, a payments platform. In 2014, WhatsApp was acquired by Facebook at $19 billion – its largest acquisition till date[3].
The click-contracts, that allow the user to either accept the Terms and Conditions of these applications or not use them at all, is not the most ideal way that a data principal and data fiduciary should interact. Identifiers which serve as a tool to track advertising and marketing activities will be collected by payment gateways, which are related to other social media and user data accessed through use of third parties will be shared with such parties even though the user is not directly using them. In a time where the world is moving towards data sovereignty and greater autonomy for users about how their data is used, this aspect will dilute users' power over their own data. Similar concerns were shared by WhatsApp co-founder Jan Koum in 2014 when the Facebook acquisition happened and he expressed concerns over Facebook's 'attempts to use its personal data and weaken WhatsApp's encryption'.[4] The only difference now, is that WhatsApp has openly stated what they are going to do.
It should also not be forgotten that Facebook has had a chequered past with respect to data security, and it passed on these traits to WhatsApp upon acquisition. From the Cambridge Analytica scandal of Facebook to the Pegasus incident of WhatsApp, we're witnessing continuous security breaches, and these giants have continued to exploit the digital assets of the country. Had we listened to Justice B.N Srikrishna Committee's recommendations a few years back, we might have been more equippedand could have avoided, or at least been able to keep a check on the outright theft of our critical and sensitive data. The new updated Privacy Policy of WhatsApp is not applicable in the Europian Region, which is governed by the GDPR. However, India does not have that layer of protection by law, at least for the time that the Data Protection Bill that was presented before the Parliament in 2019 does not get the force of law. This allows companies like WhatsApp and Facebook to operate without authority and scrutiny, and get access to critical and sensitive financial data of the user.
The Information Technology Act, 2000 is primarily for the facilitation of e-commerce, and it says so right in the title of the statute. However, the government may exercise its powers under Section 79 (2) (c) [read with Section 87 (2) (zg)] of the Information Technology Act and ensure that WhatsApp does not share any data of its users with any third party or Facebook and its companies for any purpose whatsoever.
Why, then, does this article not rope in Indian companies like Paytm and PhonePe, when they have been operating in the payment services arena long before WhatsApp walked in? Out of the several reasons, here are a couple: Paytm and PhonePe are Indian entities with Head Offices in India. Therefore, they already comply with a majority of norms and requirements required for a third-party application that operates in the UPI ecosystem. Additionally, Paytm also operates as a bank and is scrutinized by the RBI. The most basic requirement in the UPI ecosystem expected of a third-party application was to comply with the data localization norms, and ensure that all transactional data was stored on a server in India. This would be beneficial from the point of view of security and investigation because, in the absence of specific laws and treaties, it is difficult to extradite data from a foreign country. Moreover, all applications in the UPI ecosystem were to have the UPI logo visible in order to establish authenticity and the UPI name.
With the entry of these social media institutions into the financial space, there is an ever-increasing apprehension of privacy and security breaches. However, due to lack of laws governing them, and the easy user interface these applications provide, the user, until now, found that he had little to complain about. Now with the institution of cases in the public's interest, news reports and social media itself, users have begun to question and retort to the blatant misuse of digital assets by these corporations. WhatsApp and Facebook have together created a monopoly over the social media market, and are using that market to create a customer base for its new feature, WhatsApp Pay.
Given the ubiquity of social media giants, it is astonishing as to how the questions asked at the beginning of this article, remain unanswered. We are living in an era where all answers and connections can be found at the click of a button, but when the repository of answers and connection "plays God", we shall be forced to surrender ourselves to their mercy, and lose our right to demand answers. Regulation of companies on privacy breach is essential in the digital economy, without which, we become defenceless and blind in a crowd full of crooks, and our pockets full of data.
"Everything we do in the digital realm-from surfing the web to sending an email to conducting a credit card transaction to yes, making a phone call-creates a data trail. And if that trail exists, chances are someone is using it-or will be soon enough."
- Douglas Rushkoff