The great Facebook hack: Liability of Facebook as service provider


By the late evening of 28th September, 2018, almost all Facebook users would have received a message on their electronic devices that their “session expired”. It indicated that the subscriber needed to log in again to continue using Facebook. Many users felt it was a hoax, many felt it was a hacker’s act, and some could understand it was an alert, as they were always ‘online’ and never logged off even when their phones were ‘sleeping’ or switched off. By late night or early morning on 29th September, 2018, Facebook subscribers received official information from the Facebook help center stating that the company had discovered an attack on its system and that the attackers had illegally obtained Facebook access tokens, which would give them a way to access the subscribers’ data. As an emergency precautionary step, Facebook logged off all users so that they could log on again with a secure code provided by Facebook. It was confirmed that Facebook was trying to exercise due diligence to protect the data of its users, and in the course of this the users were directed to log off.
Due diligence has been addressed by S.512(c) of the Digital Millennium Copyright Act, 1998, which indicates that the intermediary may be saved from third-party liabilities (especially for copyright infringements) if the intermediary practised due diligence, i.e., it did not have the requisite level of information about the said infringement, it did not financially benefit from such infringement, and it took expeditious measures to take down the content concerned or block access to the material concerned upon receiving information of the infringement. The same has also been addressed by S.79(3) of the Information Technology Act, 2000 (amended in 2008) and has been further explained in the Information Technology (Intermediary Guidelines) Rules, 2011, whereby the term “cyber security incident” has been defined as follows:
Rule 2(d): “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implicit applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
The Rules further go on to explain the due diligence practices that should be adopted by the intermediary under Rule 3(3), which states that “The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2)”.
Interestingly, Rule 4 of the Intermediary Guidelines Rules further gives the intermediaries a clear direction as to what is to be done, and within what time, when the intermediary has come to know about any information which harms the interest of users or threatens the security of the nation, etc. (as mentioned in Rule 3), by stating that “The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.”
This Rule 4 (read with Rule 3) indicates that the intermediary should either remove the offensive content or block access to it. Facebook, in practising due diligence and exercising reasonable security practices (in India, the guiding principle in this regard is set out in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011), alerted the users, logged them off, let them log in again with a fresh code, and also stated that it was not aware whether any individual had been affected by the unauthorised access to the Facebook system as a whole.
By doing this, Facebook actually tried to escape its liability as a ‘negligent body corporate’, or a company which may be brought before the courts under S.43A of the Information Technology Act, 2000 (amended in 2008). Compare the Facebook-Cambridge Analytica data breach and how the EU Parliament addressed the issue by accusing Facebook of having extremely poor cyber security measures compared to Europe. Facebook users were also advised by an Illinois court to pursue a class action against the company (Facebook) for unethically scanning and storing users’ personal photos and information.[1] Recent news also suggests that in the US, Facebook users have started bringing class actions against Facebook for the data breach, which apparently occurred because of the company’s negligence in securing the data.[2] Under the Indian Information Technology Act, 2000 (amended in 2008), S.43A empowers the victims of a privacy (including data) breach to claim compensation from the faulting body corporate up to a maximum limit of Rs. 5 Crores, which is however subject to modification depending upon the damage suffered by the victims, reputational harm, etc., and the discretion of the adjudicator. Not many users have applied this law to bring big companies under the Indian scanner. There are, however, some cases concerning banks’ liability or hospital managements’ liability which are now coming up because of the awareness among users/data owners and their lawyers.
However, web companies like Google, Facebook, etc. may have another option to shed the liability: they may always shift the major burden onto the data owners or data managers, i.e. the private individuals who, on average, upload data almost every minute and thereby expose their private information.[3] It is for this reason that we need to be vigilant about our own data-sharing practices.
Stay safe, play safe.
