
Moonlighting and data security issues for children, by Dr. Debarati Halder


Of late, several companies have become extremely concerned about moonlighting by their employees. Moonlighting is a term that signifies taking up a second job for profit while being in full-time employment. The 2020 Covid pandemic increased the tendency towards moonlighting among employees in several companies, including tech companies, as most workplaces reduced employees’ salaries, and this caused huge financial stress for many. Legally, moonlighting may or may not be safe: many European countries, the US, Canada, Australia etc. may allow employees to moonlight. Even academicians, including teachers and university professors, may choose a second job when they are off duty. But the problem arises when employees moonlight with company data.

Why and how does moonlighting become an offence, and who are the victims? In 2022, Tesla terminated an employee for showcasing and discussing certain automobile features on his YouTube channel. Interestingly, running a YouTube channel had not been considered moonlighting even though such activity may help the YouTuber earn a profit. But this was considered offensive by the company because the employee actually criticised certain products using company data which only he could access as an employee. Now consider the other side of the coin: if this employee had secretly sold the company data to a competing company for profit, or had engaged in moonlighting work such as consumer preference analysis, product marketability analysis, business analysis or even employee data analysis with the help of his employer’s confidential data, he would definitely have been subject to legal liability and might even have faced jail. This would no longer be simple, harmless moonlighting. Rather, it may involve a data privacy breach by the employee concerned, because he may have violated the integrity and confidentiality of the data owned and maintained by the company.

Here we have to understand the types of data and the types of ‘victims’ that may be affected:

The first victim would be the company itself, as company secrets, including trade secrets, would be affected. Designs, the company logo, manufacturing processes, marketing policies, specific software etc. may fall within the meaning of the company’s intellectual property, which many employees fail to acknowledge or may not know.

The second type of victim has a wider scope than the first: it includes individuals and their personal data that may have been collected by companies as customer data, patient data, government beneficiary data, banking-related data etc. Presently, almost all companies have become body corporates who collect certain kinds of personal as well as sensitive personal data: Tesla itself collects customer data that may include sensitive personal data such as birthdates, banking information, social security numbers etc. Several big tech companies may be directly or indirectly involved in government data collection and processing work.

Moonlighting with such data may become extremely dangerous for the second type of victim, especially children. There are 5 basic reasons for this:

  1. Children’s data, including health data, school data, parents’ financial data etc., may be misused by different types of perpetrators. This may also aid kidnapping, abduction and assault on the child in physical space.
  2. Profiles of children may be sold to criminal gangs operating on the deep and dark web for online child sexual abuse purposes. Often, job seekers or individuals looking for moonlighting opportunities may fall into the trap of such gangs, who may make them sell such sensitive personal data for a handsome amount. Here the criminal gangs may craft a very convincing agreement for the job seekers that in reality may not have much legal value as an employer-employee contract. But the language of such agreements may be so finely constructed that it may actually land the employee in legal trouble if the entire operation is unearthed by law enforcement agencies, while the actual criminals may escape the clutches of the law.
  3. Child and adolescent victims may not be aware of their victimhood unless they are made aware of the data breach by their peers or by acquaintances of their parents. As a result, their online and offline security may be hugely breached, and it may be beyond repair, especially for children from socio-economically challenged backgrounds.
  4. Such illegal moonlighting may enlarge the risk of ransom attacks on hospital, school, public welfare data etc.
  5. Companies or stakeholders engaged in outsourced data collection and processing work may also face legal action for not providing proper security for the confidential data. In such cases these companies may be held primarily liable, as the burden of proving innocence and compliance with strict diligence may fall on the companies.

What is the way out, then? The EU General Data Protection Regulation has emphasised the issues of privacy, security and consent for data collection, data processing, data archiving etc. Even though the EU GDPR does not mention moonlighting with confidential data as an offensive behaviour, it focuses on the right to privacy, data collection and processing rules etc. We also have to look into several international conventions, including the 2001 Budapest cybercrime convention, which throws light on content-related online crimes, intellectual property rights related crimes and online child abuse related issues. All of these prohibit data theft and unethical profit from the misuse of data. Moonlighting with public, personal and sensitive confidential personal data falls outside the line of ethical moonlighting based on the skills of the job seeker/employee, and thereby it becomes a punishable offence. But we must note that moonlighting with data involving children can be extremely dangerous, because immediate harm to children may not be repaired quickly by restorative and reparative justice. There is still a silver lining behind the vicious cloud of malicious data and activities. Companies and body corporates who primarily deal with public and personal data of general individuals can strengthen their data protection mechanisms by applying stricter surveillance on access to the said data, on the purpose of access to such data, and by mapping the footprint of the usage of such data. They may also apply stricter policies against moonlighting, especially for those employees who directly deal with confidential data. Further, punishment for such kinds of moonlighting may not be restricted to termination and other penal actions by the primary companies alone.
Such an employee must also be held liable for breaching the data confidentiality of the children, must be made to cooperate with the criminal justice machinery to track the data and pull it down from vicious domains, and should also be responsible for payment of compensation. Above all, courts must also consider banning them from using multiple profiles, and they must be placed under surveillance for their use of information and communication technology.
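The three controls recommended above (surveillance of who accesses the data, a check on the purpose of each access, and a footprint of usage) can be sketched as a small audit gate over child records. The following is an added example, not code from the original post; the roles, authorised purposes, thresholds and the record store are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed example: which declared purposes each role may cite when touching child records.
AUTHORISED_PURPOSES = {
    "school_nurse": {"treatment"},
    "billing_clerk": {"billing"},
    "data_analyst": {"aggregate_reporting"},
}
BULK_THRESHOLD = 20          # distinct child records one user may open per window
WINDOW = timedelta(hours=1)  # sliding window for the bulk-access check


class AccessAuditor:
    """Purpose-bound gate over child records that keeps a usage footprint of every request."""

    def __init__(self, records):
        self.records = records              # {record_id: record}, the protected data
        self.footprint = []                 # one entry per request, allowed or denied
        self.recent = defaultdict(deque)    # user -> (time, record_id) of allowed reads in window

    def access(self, user, role, purpose, record_id, when):
        reasons = []
        # Check 1: the declared purpose must be one the role is authorised for.
        if purpose not in AUTHORISED_PURPOSES.get(role, set()):
            reasons.append("purpose_not_authorised")
        # Check 2: drop reads older than the window, then refuse bulk pulls.
        q = self.recent[user]
        while q and when - q[0][0] > WINDOW:
            q.popleft()
        if len({rid for _, rid in q} | {record_id}) > BULK_THRESHOLD:
            reasons.append("bulk_access")
        decision = "deny" if reasons else "allow"
        # The footprint is written regardless of the decision so attempts remain traceable.
        self.footprint.append({"user": user, "role": role, "purpose": purpose,
                               "record": record_id, "at": when.isoformat(),
                               "decision": decision, "reasons": reasons})
        if decision == "deny":
            return None
        q.append((when, record_id))
        return self.records.get(record_id)

    def flagged_users(self):
        """Users with at least one denied request, for review by the data protection officer."""
        return sorted({e["user"] for e in self.footprint if e["decision"] == "deny"})


def demo():
    # Constructed store of 30 child records; the contents are placeholders.
    records = {f"child-{i:03d}": {"name": "[constructed]", "school": "S1"} for i in range(30)}
    auditor = AccessAuditor(records)
    t0 = datetime(2022, 10, 3, 9, 0)
    # A nurse reading one record for treatment is allowed.
    auditor.access("nurse1", "school_nurse", "treatment", "child-001", t0)
    # An analyst citing "marketing" is outside the authorised purposes and is denied.
    auditor.access("analyst1", "data_analyst", "marketing", "child-002", t0)
    # A clerk opening 25 distinct records within minutes: the 21st onward is denied as bulk.
    for i in range(25):
        auditor.access("clerk1", "billing_clerk", "billing", f"child-{i:03d}",
                       t0 + timedelta(minutes=i))
    return auditor
```

Every request, allowed or denied, lands in `footprint`, which is the usage map a reviewer would inspect when an employee later turns up moonlighting with the same records.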

The great Facebook hack: Liability of Facebook as service provider

CYBER CRIME AGAINST WOMEN BY DEBARATI HALDER


By the late evening of 28th September 2018, almost all Facebook users would have received messages on their electronic devices that their “session expired”. This indicated that the subscriber needed to log in again to continue their Facebook activities. Many users felt it was a hoax, many felt it was a hacker’s act, and some understood it as an alert, since they were always ‘online’ and never logged off even when their phones were ‘sleeping’ or switched off. By late night or early morning on 29th September 2018, Facebook subscribers received official information from the Facebook help centre stating that the company had discovered an attack on its systems and that the attackers had illegally accessed Facebook access tokens, which would give way to the subscribers’ data. As an emergency precautionary step, Facebook logged off all users so that they could log on again with a secure code provided by Facebook. It was confirmed that Facebook was trying to exercise due diligence to protect users’ data, and in the course of this users were directed to log off.
Due diligence has been addressed by S.512(c) of the Digital Millennium Copyright Act, 1998, which indicates that an intermediary may be saved from third-party liabilities (especially for copyright infringement) if it practised due diligence, i.e., it did not have the requisite level of knowledge about the said infringement, it did not financially benefit from such infringement, and it took expeditious measures to take down the content concerned or block access to the material concerned upon receiving information of the infringement. The same has also been addressed by S.79(3) of the Information Technology Act, 2000 (amended in 2008) and has been further explained in the Information Technology (Intermediary Guidelines) Rules, 2011, whereby the term cyber security incident has been defined as follows:
Rule 2(d): “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
The Rules further go on to explain the due diligence practices that should be adopted by the intermediary under Rule 3(3), which states that the intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2).
Interestingly, Rule 4 of the Intermediary Guidelines Rules further provides clear direction to intermediaries as to what is to be done, and within how much time, when the intermediary comes to know of any information which harms the interests of users or threatens the security of the nation etc. (as mentioned in Rule 3), by stating that the intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or being brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty-six hours and, where applicable, work with the user or owner of such information to disable such information that is in contravention of sub-rule (2). Further, the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.
Rule 4 (read with Rule 3) thus requires that the intermediary either remove the offensive content or block access to it. Facebook, in practising due diligence and exercising reasonable security practices (in India, the guiding principle in this regard is laid down in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011), alerted the users, logged them off and logged them in with a fresh code, and also stated that it was not aware whether any individual had been affected by the unauthorised access to the Facebook system as a whole.
By doing this, Facebook actually tried to escape liability as a ‘negligent body corporate’ or company which may be brought before the courts under S.43A of the Information Technology Act, 2000 (amended in 2008). Compare the Facebook-Cambridge Analytica data breach and how the EU Parliament addressed the issue by accusing Facebook of having extremely poor cyber security measures compared to Europe. Facebook users were also advised by an Illinois court to bring a class suit against the company for unethically scanning and storing users’ personal photos and information.[1] Recent news also suggests that in the US, Facebook users have started class actions against Facebook for the data breach, which apparently occurred because of the company’s negligence in securing the data.[2] Under the Indian Information Technology Act, 2000 (amended in 2008), S.43A empowers victims of privacy (including data) breaches to claim compensation from the faulting body corporate up to a maximum of Rs. 5 Crores, which is however subject to modification depending upon the damage suffered by the victims, reputational harm etc. and the discretion of the adjudicator. Not many users have applied this law to bring big companies under the Indian scanner. There are, however, some cases on banks’ liability or hospital managements’ liability which are now coming up because of awareness among users/data owners and their lawyers.
However, web companies like Google, Facebook etc. may have another option to shed liability: they may always shift the major burden to the data owners or data managers, i.e. the private individuals who upload data almost every minute on average, exposing their private information.[3] It is for this reason that we need to be vigilant about our own data sharing practices.
Stay safe, play safe.
Please Note: Do not violate the copyright of this blog. If you would like to use information provided in this blog for your own assignment/writeup/project/blog/article, please cite it as: Halder D. (2018), “The great Facebook hack: Liability of Facebook as service provider”, 30th September, 2019, published in http://debaraticyberspace.blogspot.com


[1] See Halder, Debarati (2018), “FB, its content regulation policies & photo matching tech: boon or bane for Indian women from privacy law aspect”. Published in LiveLaw, April 2018, https://www.livelaw.in/fb-its-content-regulation-policies-photo-matching-tech-boon-or-bane-for-indian-women-from-privacy-law-aspects/
[2] See, for instance, Knoop, Joseph (2018), “Facebook sued over data breach that involved 50 million accounts”. Available at https://www.dailydot.com/layer8/facebook-breach-lawsuit/
[3] For a better understanding of this, see Halder & Jaishankar (November 2016). Cyber Crime against Women in India. New Delhi: SAGE. ISBN: 978-93-859857-7-5.

Hacking is no fun


This December we got to see a bout of hacking attacks on renowned politicians, journalists and business magnates in India. Apparently their purpose was to expose corrupt people who are disrupting good governance in India. Almost all the news media channels ran stories on who these hackers are, why they target specific people, what their next target may be, etc. Very recently I got to meet a group of people who hack for various reasons. While most of us are concerned about our own digital data security, it is interesting to know why our social media or email accounts may get hacked. There is a difference between unauthorised access to financial data, social media profiles, emails and digital data that may be stored on our own devices. They may be interconnected, but their motives may definitely be different. In my recently published monograph ‘Cyber crime against women in India’ (https://in.sagepub.com/en-in/sas/cyber-crimes-against-women-in-india/book253900) I showed that revenge porn may result from unauthorised access to social media profiles as well as digital albums, taken for revenge to destroy the victim’s reputation. Similarly, there are hackers who may access financial data for illegal monetary gain.
However, there is a group of people who hack for fun. This ‘voyeuristic pleasure’ is exercised especially when the hacker(s) want to establish how poorly an organisation or particular individuals maintain their cyber security. I often hear from senior citizens and women that their social media accounts, emails or WhatsApp profiles have been hacked. In-depth research may reveal that hackers did this for fun. To me, it relates to those pre-internet days when youngsters took pleasure in peeping into the well-guarded private diaries kept by young girls and boys, or by individuals who loved to treasure their secrets. But hacking is no fun, especially when the information thus gathered can be used for various detrimental purposes, including extortion and sextortion. Women especially may feel extremely traumatised when such hackers-for-fun target them. The reason is that if a woman’s digital data is accessed without authorisation, it may be misused, and the damage to her reputation may compel her to take extreme steps like suicide due to fear of social taboo. What I strongly condemn is teaching school children about hacking with the tagline that hacking is for fun. It is like giving a loaded gun to children to experiment with and learn for fun. It is indeed a fact that ethical hackers are used for many positive reasons and internet companies may pay them a hefty amount too. But teaching hacking to children must be done with the utmost care. We definitely do not need Frankensteins. It must be understood that any individual who does not understand the responsibilities attached to power may definitely misuse that power. We need to understand that our Information Technology Act, 2000 (amended in 2008) has recognised unauthorised access to digital data, tampering with data etc. as penal offences, and the provisions are wide enough to cover offenders of all ages.
Further, our Indian Penal Code also recognises cyber stalking and voyeurism as offences, which may necessarily involve hacking. Any child psychology expert or educator would understand that children tend to experiment (often with disastrous first results) for a better understanding of a subject. Hacking is a tool which may at the outset show the child how to gain illegal profit by using it, if he/she is not told about the risks that may be caused to others as well as to his/her target victims.
This Christmas, let us all take a vow that our knowledge must be used for positive purposes and not for victimising others. We must remember that if we use our knowledge and expertise to check the weaknesses of others, that must be done in a prescribed way and not to humiliate the latter.
Please Note: Do not violate the copyright of this blog. If you would like to use information provided in this blog for your own assignment/writeup/project/blog/article, please cite it as: Halder D. (2016), “Hacking is no fun”, 25th December 2016, published in http://debaraticyberspace.blogspot.com/