A company called Global Science Research developed an app called 'This is Your Digital Life' in 2013 with an aim of targeting Facebook users. It collected their online data and maintained track of their web surfing regime with the help of online advertisements (emphasis added). In 2016, Cambridge Analytica, a British firm, prepared a psychological profile of the users based on this data and allegedly helped Donald Trump win the 2016 presidential nomination.

This firm was widely accused of interfering with the Brexit Referendum too. Facebook apologized for its role in data harvesting and its CEO Mark Zuckerberg testified in front of Congress. In July 2019, it was announced that Facebook was to be fined $5 billion by the Federal Trade Commission due to its privacy violations. In October 2019, Facebook agreed to pay a 500,000 fine to the UK Information Commissioner's Office for exposing the data of its users to a "serious risk of harm". In May 2018, Cambridge Analytica filed for bankruptcy.

This incident makes us understand and appreciate the value of personal data in modern times. Skilled processing of the personal data of the masses can make or break governments and change the face of national policy. Such is its impact. These sorts of incidents also highlight the significance of online privacy and the protection of personal data.

Online Privacy

Computer privacy covers the way your personal information is used, collected, shared, and stored on your personal devices while you are on the internet. The Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. The Union of India (2017), declared that the Right to Privacy is a fundamental right under Article 21 of the Constitution.

People that surf the internet on a regular basis often get to see advertisements that are closely related to their surfing history. The advertisements are so on-point that sometimes the user gets surprised because the advertisement is just the product, the user required at that moment. This may seem convenient to some people, but for others, it may cast doubt.

The advertisers know a great deal about the user. This may not cut off well with some people as they value their privacy over anything. The right to not get surprised is foremost when it comes to online privacy.

How do Online Advertisements Work?

There are three entities in the online advertisement market- publishers, brokering agencies, and advertisers. The publisher is the owner of the website. He is the person who has free space on his website which he is willing to give up for advertisement in order to monetize his website. Advertisers are the people who want their product to be displayed on the publisher's website so that they get more footfall.

Advertisers and publishers, both are registered on a brokering agency such as Google Ads, so it is convenient for both of them to crack a deal without the trouble of searching for each other in the open market. The agency, in turn, charges some commission on the transaction which is its prime source of income.

The advertisers soon realized that instead of wasting their capital to display advertisements just anywhere and everywhere, it would be much more fruitful if they would target their potential customers and not just everyone. As the famous saying goes- necessity is the mother of invention, in our story, this necessity gave birth to an entity that could track the online habits of the masses and help advertisers identify their potential customers. This invention was called third-party cookies.

Cookies

The protocol we use on the internet is HTTP (Hyper-Text Transfer Protocol) which is a stateless protocol. This means that once the server sends the requested webpage to the user and the user receives the webpage, it forgets to whom it sends it. Thus, remembering the user of the web page throughout the surfing session was proving to be very time consuming and expensive for web servers.

So, an employee of Netscape Browser in 1994 invented cookies that are sent by the servers to the users along with the requested web page. These cookies get stored on the user's web browser and are sent to the server when the user requests the same web page again. The server then identifies the user from the cookie that came along with the request and the session goes on smoothly.

To understand this more clearly suppose that a user wants to log into Facebook. So, he sends his login credentials to the Facebook server and receives the requested web page as a response. Now suppose that the user wants to like a picture of his friend. He proceeds to click on the like button but the webpage demands his login credentials again. This is because HTTP is a stateless protocol and the Facebook server has already forgotten the identity of the user.

So, every time a user has to perform some action on the Facebook webpage, he has to provide his identity details to the Facebook server. This is indeed a very tiresome job. To prevent this, the Facebook server sends a unique cookie to the user's computer when he first provides his credentials and requests for the Facebook page.

This cookie stays stored on the user's web browser. Now, when the user clicks the like button, the request is sent to the Facebook server along with the unique cookie. The server immediately recognizes the user through the cookie that came along with the request. This saves the user from the pain of logging in repeatedly for every action performed. Thus, cookies are a great time, energy, and capital savers.

Third-Party Cookies and Personalized Advertisements

The cookies discussed above are first-party cookies. This means that the cookie is sent by the server of the same webpage for which the user requested, in the above case, Facebook. But when the cookies are sent not by the requested web server but by the server of a different entity, they are called third-party cookies and are also known as tracker cookies.

Third-party cookies are generally used by advertisers and ad brokering agencies to keep a track of users' activities online. This helps them to pinpoint their potential customers and serve them advertisements according to their interests. These advertisements which are displayed on the users' system after keeping a track of their online activity using third-party cookies are known as personalized advertisements.

Third-party cookies work in pretty much the same way as first-party cookies. The only difference is that the server sending the cookie to the user's computer isn't the server whose webpage the user requested. To understand this more clearly let us take an example of a publisher who is willing to rent some space on his websites for advertisements to gain some extra income. So, he approaches an agency to get a good deal.

The agency is already in contact with many advertisers who are willing to display their advertisements on the publisher's website. The agency then sends lines of code to the publisher so that he can place the advertisement on his webpage. These lines of code connect the webpage of the publisher to the server of the agency or the advertiser.

This is done so that when the user clicks on the advertisement, he will be redirected to the advertiser's website. Along with the lines of code, however, are also third-party cookies. They get stored on the user's hard disk and monitor his online activities on the behalf of the advertisers or the agency. This data is then sent back to the agency which processes it to determine what sort of ads would it serve to the user next time so that there are more chances of him buying the product.

This simple exercise in electronics could amount to surveillance and a breach of online privacy. These cookies can get access to sensitive information such as name, age, sexual orientation, occupation, income, and location that the user wouldn't otherwise disclose. Although generally, the only purpose of third-party cookies is to serve better advertisements to the user, they may be utilized to do much more harm as we saw in the Cambridge Analytica Case.

The user that generates the data has a primary right to it. Google whose browser, Google Chrome, holds as much as 64% of the traffic on the internet, has decided to phase out third-party cookies by 2023. But the trends have shown that they are continually pushing back on their self-imposed deadline. Google says that it will begin phasing them out in the mid of 2024.

Legal Aspects
Privacy is a basic human right. Legislation is the most powerful tool to counter this modern breach of privacy. Legal systems of Europe and America have answered their call and formulated two forerunner legislations to safeguard the personal data of their citizens from going into the hands of ruthless tech corporates. European Union has General Data Protection Regulation (GDPR) and the California State of USA has formulated California Consumer Privacy Act (CCPA).

The Government of India withdrew the Personal Data Protection Bill from the Parliament on the 4th of August, 2022. It had been a point of debate in the Parliament since its introduction in 2019. The state must pay heed to the current demand for online privacy and should protect its citizens from the detrimental effects that can take place upon its breach.

The Digital Personal Data Protection Bill, which the government rolled out for public suggestions, seems like the only light of hope currently. As of now, Section 43A and 72A of the Information Technology Act, 2000, are all that the citizens of India have with respect to the use of personal data online.

Cookies are only a small part of the problem with online privacy in India. Algorithms are altogether different problem that can have far-reaching economic implications. The absence of legislation on algorithms in India could have a detrimental effect on the healthy competition between market players. The Government of India needs to act swiftly, as time is of great essence.