Tag: Data security

The great Facebook hack: Liability of Facebook as service provider


Photo curtsy: Google

By the late evening of 28th September, 2018 almost all of Facebook users would have received messages in their electronic devices that their “session expired”. It indicated that the subscriber needs to log in again to continue the Facebook activities. Many of the users felt it was a hoax, many felt it was a hackers act and some could understand it was an alert alarm as they were always ‘online’ and never logged off even when their phones were ‘sleeping’ or switched off. By late night-early morning on 29th September, 2018 the Facebook subscribers got an official information from Facebook help center stating that the company had discovered that there was an attack on their system and the attackers had illegally accessed Facebook access tokens which would give way to access the subscribers’ data. On an emergency precautionary step, Facebook logged off all users so that they can log on again with a secured code provided by Facebook. It was confirmed that Facebook was trying to exercise due diligence to protect the data of the users and in the course of the same users were directed to log off.
Due diligence has been addressed by  S.512 © of the Digital Millennium Copyright Act, 1998 which indicates that the intermediary may be saved from third party liabilities (especially for copyright infringements) if  the intermediary practiced due diligence, i.e., it   did not have the requisite level of information about the said infringement, it must not have been financially benefited from such infringement, it must have taken expeditious measures to take down the content concerned or block the access to the material concerned upon receiving the information of the infringement. The same has also been addressed by S.79 (3) of the Information Technology Act, 2000 (amended in 2008) and has been further explained in Information Technology intermediary guidelines Rules, 2011 whereby the term cyber security incident has been defined as follows:
Rule .2(d) “Cyber security incident” means any real or suspected adverse
event in relation to cyber security that violates an explicit or implicity
applicable security policy resulting in unauthorised access, denial of
service or disruption, unauthorised use of a computer resource for
processing or storage of information or changes to data, information
without authorisation;
The rules further goes on to explain what are the due diligence practices that should be adopted by the intermediary under Rule.3(3), which states that  The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):
Interestingly Rule. 4 of the Intermediary Guidelines Rule further provides a clear direction to the intermediaries as what is to be done and within how much time when the intermediary has come to know about any information which harms the interest of users or threatens the security of the nation etc (which are mentioned in rule 3), by stating that The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.
This Rule 4 (read with Rule 3) mentions that the intermediary should either remove the offensive content or block the access to the content. Facebook in its action in practicing due diligence and exercising reasonable security practices (in India, the guiding principle in this regard is mentioned in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011), had alerted the users, logged them off and logged them in with fresh code and also expressed that they are not aware whether any individual has been affected by such unauthorised access to the Facebook system as a whole.
By doing this Facebook actually tried to escape its liability as a ‘negligent body corporate’ or a company which may be brought to the courts under S.43A of the Information Technology Act, 2000(amended in 2008). Compare the incident of Facebook- Cambridge analytica data breach and how the EU parliament addressed the issue by accusing Facebook for having extremely poor cyber security measures compared to Europe. Facebook users were also advised by an Illinois court to go for a class suit against the company (Facebook) for unethically scanning and storing personal photos and information of the users.[1]The recent news also suggests that in the US Facebook users have started going for class actions against Facebook for data breach which occurred apparently because of  the company’s negligence in securing the data.[2]Under the Indian information technology Act, 2000(amended in 2008), S.43A empowers the victims of privacy (including data ) breach to claim compensation from the faulting body corporate to a maximum limit of Rs. 5 Crores, which however is subject to modification depending upon the damage suffered by the victims, reputation harm etc and the discretion of the adjudicator. Not many users have applied this law for bringing big companies under the Indian scanners. There are however some cases of bank’s liability or hospital managements liability which are now coming up because of the awareness among the users/data owners and their lawyers.
However, web companies like Google, Facebook etc may have another option to shred the liability: they may always shift the major burden to the data owners or data managers, i.e. the private individuals who upload data almost every minute in average to expose their private information.[3]It is for this that we need to be vigilant on our own practices of data sharing.
Stay safe, play safe.
Please Note: Do not violate copyright of this blog. If you would like to use informations provided in this blog for your own assignment/writeup/project/blog/article, please cite it as “Halder D. (2018), “ The great Facebook hack : Liability of Facebook as service provider”  30thSeptember, 2019 , published in http://debaraticyberspace.blogspot.com

[1]See Halder Debarati (2018), FB, Its content regulation policies & photo matching tech: boon or bane for Indian women from privacy law aspect. Published in LiveLaw on April, 20018 @https://www.livelaw.in/fb-its-content-regulation-policies-photo-matching-tech-boon-or-bane-for-indian-women-from-privacy-law-aspects/
[2]See for instance, see Knoop Joseph (2018), Facebook sued over data breach that involved 50 million accounts . available @ https://www.dailydot.com/layer8/facebook-breach-lawsuit/
[3] For better understanding about this see Halder & Jaishankar ((November 2016). Cyber Crime against Women in India. New Delhi: SAGE. ISBN: 978-93-859857-7-5.

Hacking is no fun


This December we got to see a bout of hacking attacks on renowned politicians, journalists, business magnets in India. Apparently their purpose was to reveal corrupted people who are disrupting good governance in India. Almost all the news media channels ran stories on who these hackers are, why the targeting specific people are and what may be their next target etc.  Very recently I got to meet  a group of people who hack for various reasons. While most of us are concerned about our own digital data security, it is interesting to know why our accounts in social media or email may get hacked.  There is a difference between unauthorised access of financial data, social media profiles, emails and digital data that may be stored in our own devices. They may be interconnected. But definitely their motives may be different. In my recently published monograph “Cyber crime against women in India’ (https://in.sagepub.com/en-in/sas/cyber-crimes-against-women-in-india/book253900) I showed that  revenge porn may be a result of unauthorised access of social media profiles as well as digital albums for revenge to destroy the reputation. Similarly there are hackers who may access  financial data for illegal monetary gain.
However, there is a group of people who hack for fun. This ‘voyeuristic pleasure’ is exercised especially when the hacker/s may want to establish how an organisation or particular individuals may poorly maintain their  cyber security . I do often get to hear from senior citizens and women that their social media accounts or emails or Whatsapp profiles have been hacked.  An in-depth research may reveal that hackers may have done this for fun. To me, it relates to those pre internet  days when youngsters took pleasure in peeping into well guarded private diaries maintained by young girls and boys or individuals who loved to treasure their secrets. But hacking is no fun especially when the information thus gathered can be used for various detrimental causes including extortion and sextortion. Especially Women may feel extremely traumatised when such hackers for fun target them. The reason is, if a woman’s digital data is unauthorisedly accessed, it may misused and damage to her reputation may compel her to take extreme steps like suicide due to fear of social taboo. What I strongly condemn is teaching school children about hacking with the tag line that hacking is for fun. It is like giving a loaded gun to children to experiment it and learn it for fun. It is indeed a fact that ethical hackers are used for many positive reasons and internet companies may pay them a hefty amount too. But, teaching hacking to children must be done with utmost concern. We definitely do not need Frankensteins . It must be understood that any individual who may not understand the responsibilities attached with power may definitely misuse the power.  We need to understand that our Information Technology Act, 2000(amended in 2008) has recognised unauthorised access to digital data, tampering of the data etc as penal offences and the provisions are wide enough to cover offenders of all age. Further, our Indian Penal Code also recognises cyber stalking and voyeurism as an offence which may necessarily involve hacking. Any child psychology expert or educator may understand that children tend to experiment (often with disastrous first few results) for a better understanding of the subject. Hacking is such a tool which may at the outset show the child how to gain illegal profit by using it if he/she is not told about the risks that may be caused to others as well as to his target victims.  
This Christmas let all take a vow that our knowledge must be used for positive purposes and not for victimising others. We must remember that if we use our knowledge and expertise to check the weakness of others, that must be done in a prescribed way and not to humiliate the later.
Please Note: Do not violate copyright of this blog. If you would like to use informations provided in this blog for your own assignment/writeup/project/blog/article, please cite it as “Halder D. (2016), “Hacking is no fun
25th December 2016, published in http://debaraticyberspace.blogspot.com/