Author: Varunendra Pandey, Student at Amity Law School, Delhi.
In recent years, data and computer security have become more vulnerable because there are individuals out there waiting to manipulate your data and use it against you. Grievances regarding data threats are, moreover, a result of poor policy execution and sheer avoidance of the fact that data threats and cyber-attacks actually exist. The extensive role played by information technology in every field over the last few decades, combined with the absence of a strong policy for the protection of an individual's data, has rendered data protection a sensitive affair. This paper focuses on the growing sensitivity around data protection in the times of COVID, as the pandemic narrowed the roads for most individuals and entities and left them to resort to technological pathways. New technologies emerged, most of them platforms facilitating video conferencing, and with them arrived new challenges for data security. The paper tries to bring forward the speculation and the challenges that these platforms have posed, and their sheer disregard for an individual's security.
Keywords– Data protection, Cyber Crime, Cyber Attacks, Information and Technology, COVID-19
INTRODUCTION TO CYBER SECURITY
Cybersecurity, in a general sense, is concerned with the protection of cyberspace and the creation of a safe virtual space, free from cyber threats. The notion of cyber threats is rather vague and mainly revolves around the malicious use of Information and Communication Technology, as a target or as a tool, to create threats to the cyberspace of the general public. Fundamentally, the notion of cybersecurity has a three-fold meaning:
- The activities and measures taken to ensure that cyberspace is free from any kind of cyber threat that might affect the hardware and software of a system and severely damage or leak the data stored in it, creating a potential threat to national security.
- The quantum of protection that these measures and activities offer.
- The field associated with the implementation of these activities and measures against the hostile environment created by malevolent actors; ensuring the restoration of a cyberspace free of cyber threats is the significant element of cybersecurity.
Cybersecurity is not just about data security and data privacy but much more than that, although it is closely related to the two buzzwords.
The existence of cybersecurity is inversely proportional to the activeness of cyber threats and cyber-attacks. The arrival of the internet broadened the field of information technology and advanced its horizons indefinitely. In the early 90s, access to internet know-how was limited to a number of users, whereas today there is no life without the internet. The internet and its extensive role in every field have made the individual so dependent upon it that a sunny day without the internet is the epitome of idealism.
CYBER CRIME & ITS CLASSIFICATION
Changing times have enormously changed the dynamics of cyber-crime. Back in the days when technological adequacy was limited, such crimes were motivated by the personal gains of the person committing them, but with the rapid growth of technology the maintenance and protection of data has become comparatively difficult, thereby dressing cyber-crime in a more sophisticated attire formally known as financial crime. The term financial crime is apt in many ways, as all data theft leads to a single consideration, that is, money or bitcoins, either one of them or both. Digitalization of data might have made affairs convenient, but it has also wreaked the havoc of data overflow, which makes data management and data protection difficult. Most of this data is sensitive information such as bank details, credit card information, and other important data, improper handling of which can cause loss to the individual as well as the entire nation. Cyber-crimes can also be referred to as computer crimes. Computer crime can be classified essentially under two headings, according to whether the computer is used as a:
- Tool; or
- Target to perform an unlawful act.
The Information Technology Act 2000 categorized cyber-crimes into a few categories, and the horizon of the Act in terms of coverage has also been widened. The distinctions earmarked by the Act are as follows:
- Cyber defamation, cyber stalking/embarrassment, digital forgery, cyber pornography, financial crimes.
- Crimes committed on computer services such as hacking and unauthorized denial to access.
- Crimes relating to data alteration/destruction: virus/worms/Trojan horses/logic bomb, theft of Internet hours, data diddling, salami attacks, steganography
- Crimes relating to electronic mail: spamming/bombing, spoofing.
The extension of cyber-crimes in the last decade has reached unexpected horizons, thereby fuelling growing concern over privacy issues around the globe. Many organizations around the globe, like the OECD, have been working in consonance to achieve ideal data security protection. Based on the deliberations of the OECD, the UK has drafted the DPA (Data Protection Act 1988), which includes 8 principles and addresses issues like what is personal information and sensitive information, information about the data owner and the data processor, and who shall be held responsible for a data leak. In the Indian context, it is the unavailability of effective legislation that has brought the individual's data into the public domain and has rendered it highly vulnerable. There is no fundamental law safeguarding data from cyber-attacks, and the government has been using proxy laws for the same.
EFFICIENCY OF CYBER SECURITY IN INDIA
Cyberspace comprises the IT networks of the country's computer systems and all the fixed-mobile networks connected to the global internet. A country's cyberspace is not just its own but part of global cyberspace; the virtual outreach of the internet is borderless, and this feature makes it unique. It cannot be separated by geographical boundaries such as land, water, and sea. Lately, governments have been working on providing their citizens, or 'netizens', access to faster internet by enhancing bandwidth, and are investing intensively in ICT (information and communication technology) projects.
Users highly appreciate these visionary advancements by the government, but the question we put to the authorities is whether the data we provide in common parlance to banking services, or for availing other e-services, is safe enough, or whether it is out in an open field for anyone to manipulate. These are answers we all need to seek from the legislators.
Indian cybersecurity is currently governed by an inadequate set of laws that are vague in nature and often fail miserably to address issues related to cyber threats. The authorities constituted regulate compliance and enforce penalties for non-compliance under the Information Technology Act 2000 and the Information Technology Amendment Act 2008, which had been inactive for years until 2017. However, the jurisprudence of cyber laws in India is unclear. In 2013 the Government came up with a much-anticipated national cybersecurity policy, which was visionary and had global outreach but lost its grip after the government failed to frame any rigorous laws ensuring enough sanction against any cyber threat.
The government constituted a 10-member committee to examine reports of cyber threats and make recommendations on policy drafting. The committee submitted an extensive report along with the Personal Data Protection Bill 2018. The Government introduced the Personal Data Protection Bill in the Lok Sabha in 2019, and it is currently before a joint parliamentary committee, subject to changes.
VIDEO CONFERENCING APPS – A NEW TOOL OR TARGET
The sudden outbreak of COVID-19 brought the entire population across the globe to a brief halt. Workers around the globe have been compelled to work remotely, many of them for the first time. Meetings, businesses, schools, universities, international conferences: everything is being conducted on online platforms.
It would not be an exaggeration to state that what we expected the world to accept was a paradigm shift from paper-based affairs to a completely digitalized world. The world did accept it gracefully, only to realize that with the upheaval of new technologies and platforms came a plethora of opportunities for miscreants and malicious operators to explore the vulnerabilities at the other end. What we see today is a completely digitalized world; what we cannot see is any assurance of effective protection for the data that an individual gave up to establish this digital equilibrium.
Video Conferencing Apps Curse or Boon
It is in the last few years that usage of these platforms increased, and the onset of the pandemic only accentuated the pattern. Zoom, Classroom, Cisco, WebEx, etc. have been in existence for the past few years, but the current situation legitimized people's dependency upon them. These technologies have been widely adopted in daily affairs, official and unofficial alike, without much consideration being given to the security settings and the safety protocols the platform follows to protect the user's data.
The inception of technology in the educational field has been significant throughout the years; today's educational system works in such a way that a profile-based database of every student is prepared. This database is managed in software and is at the disposal of software developers. This has compelled many users to demand more accountability and ample transparency from developers, especially in cases where developers sell the data to a third party for unspecified uses.
While the major concern of educational institutions remains the security of students' data, it is businesses that have shown a greater shift and are on the sensitive side of the story. Last year, Slack created a series of cyber threats including the traditional methods of cyberattack such as malware, ransomware, password spraying, phishing, credential stuffing, and denial-of-service (DoS) attacks.
Zoom and vulnerabilities around it.
Zoom Video Communications, a California-based company that combines meetings, chats, and collaborations, has shown a widespread uptick in usage during the pandemic. Work-from-home culture and the sudden upsurge of cases across the globe contributed to it. With the considerable use of the platform, Zoom has also witnessed a number of breach attempts, bringing it under a shadow of skepticism.
Last year Zoom was removed from Macs over a serious vulnerability issue that "allowed any website to start zoom video conferencing call switching on the webcam". Even if the app was uninstalled, the web server remained active and re-installed the software. Recent research published by Check Point, a cybersecurity giant, shows that in recent years Zoom has witnessed a significant number of malicious domain registrations. Miscreants have found a new technique in which the app fails to stop a third person from entering others' calls, creating a nuisance and making illicit representations; in technical terms this entire process is known as Zoombombing. The Boston bureau of the FBI has warned in its reports against making a meeting link public or posting it on social media, after two individuals disrupted an ongoing school session.
In March 2020 Zoom was sued for illegally disclosing users' data to Facebook, for which it later apologized, saying that the disclosed data had been removed from Facebook. The new policy introduced by Zoom mentions that users' user names and phone numbers have been registered, but is still silent on whether facial data or video footage is being stored for artificial intelligence purposes. Zoom states that it secures collaborations with end-to-end encryption, which is the most discreet form of securing data, but it is notable that the connection between the Zoom app running on a user's system or phone and Zoom's server is encrypted in the same way as the connection between a user's web browser and any website. This type of encryption is called transport encryption, and it is not as secure as end-to-end encryption. With transport encryption the data is open to the hosting platform as well, which has complete access to unencrypted video and audio.
LEGAL AND TECHNOLOGICAL CHALLENGES
In the Indian context, the lack of efficient legislation is the primary reason behind the data threats and cyber-attacks experienced by individuals as well as entities. The lacuna in the legal framework is what has enabled miscreants to carry out rampant illegal activities such as data theft, phishing, cyber defamation, etc.
Certain legal frameworks that provide indirect support to privacy and data theft laws in India are: Article 21 of the Indian Constitution, the Indian Contract Act 1872, the Information Technology Act 2000, the Indian Copyright Act 1957, the Indian Penal Code 1860, and the Indian Telegraph Act 1885.
The following are the lacunae in the Indian legal framework concerning privacy laws:
- No comprehensive law; privacy issues are still dealt with through proxy laws.
- No classification as to which information is private, which is public, and which is sensitive.
- No legal specification as to who is the owner of the specified data.
- No comprehensive storage of the data accessed from the general public which means every data accessed is on an open server.
- No law that talks about data proportionality and data transparency.
- There is no legal framework for the cross-country flow of data.
In this era of technological advancement, such loopholes in the law concerning privacy issues show sheer avoidance on the part of legislators, as these proxy laws are not sufficient and could cause immense loss to an individual and to the nation as well.
Globalization and the information technology revolution in India drastically changed the climate of information accessibility. Heavy paperwork and piles of files are just an idea today; everything is now inside a database. Not only the corporate sector but government bodies too have imbibed technological enhancement in their affairs. Even the individual wanted to turn agile and smart. Although ICT might have made life easier, it has brought ample complications. Data collection through retinal scans, biometrics, voice protocols, smart cards, and surveillance technologies, and the security of that data in a protected database, is the prima facie concern. Managing and storing large data files in a single space is what we need today to secure our data, which is currently floating around on open servers. The unauthorized passing of data to a third party for unspecified use needs to be censored. That is how we will have to improve our practices in the field of data protection.
SUGGESTIONS AND RECOMMENDATIONS
Data protection and security can be better assured if the government incorporates the following ideals in the policy that lies upon its table:
- Collaboration between the government and private sector entities to boost transparency on the data given by the individual. The government should also discourage long-term agreements with software companies, as this will increase market competition, thereby raising the standards of the services.
- The government should see the entire issue of data theft and cybercrime from the perspective of human rights violations and shall conduct regular impact assessments of data procurement.
- Apply privacy and data protection bills effectively.
- Protect companies or a third party to re-monitor the data and protect it further from unspecified use.
- The upcoming bill shall include the fundamental segregation of sensitive data, public data, and private data.
- The upcoming law needs to contain effective sanctions against data theft or data manipulation.
- Data monetization needs to be curbed out of fashion.
These recommendations might not completely change the landscape of Indian laws on data protection but ignite hopes for a better policy.
The current scenario in the Indian paradigm in relation to data protection is not as effective as it needs to be. The country has in the past few years seen an upsurge in cybercrimes such as phishing, cyber defamation, and other financial crimes. Attacks are no longer limited to territory and waters; cyber-attacks are now the real thing, and to deal with them effective legislation, free from all encumbrances, is needed. The Government of India plans to bring out the bill as the country is now heavily digitalized, not just in terms of payments or internet services: the administrative affairs of every entity, small or big, depend upon it. The new data protection bill should be one that secures the individual's data and establishes the ideals of privacy as reality, not a myth.
 Shrikant Ardhapurkar, “Privacy and data protection in cyber space in Indian Environment”, 2(5) International Journal of Engineering Science and technology 943 (2010).
Debashish Bharuka and Ajit Roy, Computer Crimes 229 (Indian Law Institute, New Delhi, 2004).
Information Sheet (Public Sector) 1, Information Privacy Principles under the Privacy Act 1988. http://www.privacy.gov.au/materials/types/infosheets/view/6541
 Patient Safety and Quality Improvement Act, 2005
Tom Risen, “Privacy Concerns Don’t Curb Use of Classroom Apps”, US News, September 08, 2015, https://www.usnews.com/news/articles/2015/09/08/privacy-concerns-dont-curb-use-of-classroom-apps (Last visited December 01, 2020).
Catalin Cimpanu, “Slack Warns Investors of A High Risk of Cyber-Attacks Impacting Stock Performance”, ZDNet, April 27, 2019, https://www.zdnet.com/article/slack-warns-investors-of-a-high-risk-of-cyber-attacks-impacting-stock-performance/ (Last visited December 01, 2020).
 David. S. Mallow, Zoom’s Full featured UME Videoconferencing platform exceeds expectations, Telepresence Options, January 27, 2013, http://www.telepresenceoptions.com/2013/01/zooms_full_featured_ume_videoc/ (Last visited December 01, 2020)
 Supra note 6.
Dieter Bohn, “Apple is Silently Removing Zoom’s Web Server Software from Macs”, The Verge, July 10, 2019, https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability (Last visited November 30, 2020).
 Taylor Lorenz, “Zoombombing: When Video Conferences go wrong”, The New York Times, March 20, 2020 https://www.nytimes.com/2020/03/20/style/zoombombing-zoom-trolling.html (last visited December 02, 2020).
 Andrew Griffin, “Elon Musk’s SpaceX Bans Zoom video chat App over Security and Privacy Concerns”, Independent, April 02, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/spacex-zoom-elon-musk-video-chat-security-privacy-coronavirus-a9441591.html (last visited December 02, 2020).
 Joel Rosenblatt, “Zoom Sued for Allegedly Illegally Disclosing Personal Data”, Bloomberg, March 31, 2020 https://www.bloomberg.com/news/articles/2020-03-31/zoom-sued-for-allegedly-illegally-disclosing-personal-data (last visited December 03, 2020).
 Micah Lee and Yael Grauer, “Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing”, The Intercept, March 31, 2020 https://theintercept.com/2020/03/31/zoom-meeting-encryption/ (last visited December 01, 2020).
 Philip. E. Agre, Marc Rotenberg, Technology and Privacy: The new Landscape (MIT press, 1998)
Danish Institute for Human Rights. Driving change through public procurement, 2020. https://www.humanrights.dk/publications/driving-change-through-public-procurement.