This article is written by Prateek Mudgal, Faculty of Law, Aligarh Muslim University. The article deals with the legal aspects of data theft by social media apps and authorities.
Nobody likes it when a pair of eyes trespasses on their private space; it definitely makes one feel uncomfortable. But what happens when somebody steals your private information, your private data, without even letting you know that it has been done? You might then be at ease mentally, but your data is still at risk of being stolen. Social media giants and various applications engage in the illegal acquisition of data and use the collected data for various purposes. Companies use data resources in marketing, which brings them monetary benefits. Acquiring data from users without letting them know the purpose of the acquisition seems unethical. Apart from ethics, this practice raises certain legal issues as well. With the growing use of the internet and the information boom, data is vulnerable to threats, and the risk to privacy has therefore become a chief issue. In this article, I will highlight the various issues and the legal provisions surrounding them.
Why and how do they collect data?
Data is collected because it is a gold mine for data analysts; using this data, data researchers go on to devise various business strategies. If we look at the revenue of Facebook in 2016, $26 billion was collected through advertising, and these advertising strategies are planned using a large pool of collected data.
If you are still puzzled about which information on social media can help data analysts, you will be amazed to know that behavioural information from Facebook was used by an app which helped Donald Trump win the U.S. Presidential election.
To explain more clearly how all this happens, let's take a simple example. Suppose there is a user 'A' who likes certain content on social media and follows certain pages. On the basis of his activity, behavioural information is gathered. Data analysts use this gathered information in advertising, so that the ads shown are the ones that interest the user. This is how your personal data helps the giants make a million dollars. This is just one example; there are various other methods that social media and apps use to further their gains and breach the privacy of users.
The easiest way to tackle any legal issue is to obtain a general legal awareness of that particular issue, reiterating Foucault's concept of Knowledge is Power. Proper awareness of social media and internet policies and of other state laws is therefore necessary to prevent any legal issue which may arise at any step. A few laws regarding the use of the internet and data security are discussed hereafter.
Laws regarding data security and internet
Sadly, Indian laws do not provide specific provisions regarding the illegal acquisition of information or data by apps, social media, and authorities (though it must be noted that in certain cases the Right to Privacy is used to address such issues). Therefore, I must not hesitate to point out that in this respect India may learn a lot from specific laws in other countries. A few such laws are discussed below:
General Data Protection Regulation (GDPR)
Due to continuous instances of data breaches and other offences related to data violation, the European Union decided to implement the GDPR. This is the most recent law on data protection and privacy, and it was formulated keeping in mind the growing needs of this inter-connected internet world.
This act protects user data and attempts to provide a symbiotic ecosystem for both users and businesses. A few policies of the GDPR which help in safeguarding the interests of users are as follows:
- The users must have information regarding which company is extracting information and for what purpose (here the user is referred to as the data subject).
- A company must not extract a user's data without the consent of the user.
- If a user wants their data to be deleted, they should have the right
- If the data of the user is hacked, the user must be informed within 72 hours; otherwise the company might be penalized with $16 billion or 4% of its annual revenue.
- Companies must obtain parental consent whenever the user is below the age of 16 years.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act was introduced by the U.S. Congress in 1986 and was primarily intended to put restrictions on wiretapping (secret monitoring of conversations) by the government. Growing technology led to the requirement of new laws, and with a few amendments the ECPA was updated to prevent it from becoming anachronistic.
Post-amendment, the ECPA protects:
- Wire Communication
- Oral Communication
- Electronic communication
The protection applies whether the communication is being made, is in transit, or is stored on a computer.
The act applies to email, telephone conversations, and stored electronic data.
It is necessary to understand that some information carries a higher privacy interest and some a lower one. For example, information shared by electronic mail carries a higher privacy interest, whereas information about a subscriber's account carries a lower privacy interest. The drafters of the act kept this in mind, and the amount of legal protection therefore varies with the privacy interest: some information may be requested via subpoena, some information might require a special court order, and some information with a very high privacy interest might even require a special warrant.
Finally, the ECPA involves three Statutes:
- Wiretap Act (1968): This act provides exceptions for service providers and for persons authorized by law to conduct electronic surveillance of communication, which may be telephonic or electronic. Apart from this, it also contains provisions for state, federal and other government officials to obtain judicial permission to intercept and wiretap.
- Stored Communications Act (1986): This act protects the data stored by service providers, along with information and records regarding the subscribers. Information such as I.P. addresses and bills is included.
- Pen Register Statute (1986): To understand the statute, it is first important to understand what pen register and trap/trace devices are. A pen register is a device that stores information like dialled numbers and other outgoing communication, whereas trap/trace devices store information regarding who called the subject (incoming) and what the caller's number is.
The Pen Register Statute requires government entities to obtain judicial permission to install a pen register or a trap/trace device. A certificate of authorization is provided only after it is shown that such a device is necessary for the criminal investigation.
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act is another U.S.-based law, enacted in 1986. Initially the law was very narrow and mostly 'hacker-centric', but as technology evolved, cyber crimes evolved with it. Therefore, to keep the CFAA updated, several amendments have been introduced. In very simple terms, this law prohibits access to computers without authorization or in excess of authorization.
In theory, the law only covers 'Protected Computers', which means government or financial computers, but in practice it covers every computer and now includes even cellphones.
Key points of the act are as follows:
- Hacking a computer of a governmental or financial institution without authorization or in excess of authorization.
- Damaging a computer of a governmental or financial institution using a virus or any other form of cyber attack
- Password trafficking in the protected computers
- If a computer is accessed to commit espionage
It should be kept in mind that there is wide opposition to this capricious law in academia, on account of its disproportionate punishment for various criminal acts.
Cyber Intelligence Sharing And Protection Act, 2011 (CISPA)
This is also a U.S.-based law. The Act specifically talks about self-protected entities, which include Google, Facebook, etc. This is a very prudent act; a few of its provisions are discussed hereafter:
- CISPA allows the self-protected entities to share private information of users with the government.
- It allows every type of personal information to be shared if such information poses a cyber threat.
- Cyber threat information involves any information relating to an effort to harm a private or public system or network, or to wrongfully possess private or public data or intellectual property.
- CISPA allows companies to share the personal information of individuals in whatever way they deem fit; they may also maintain the anonymity of users while sharing such information.
- CISPA restricts the sharing of each other’s information for unfair business advantage.
Children’s Online Privacy Protection Act, 1998 (COPPA)
In the Policy, the website has to provide users with the following information.
- Type of information collected from children
- How the collected information will be used
- Whether the information is shared with other advertising agencies.
Depending on the circumstances such websites are required to send a private notice to the parents of children and ask parents to act on behalf of children.
Apart from this, a website adhering to the above act has to follow these rules:
- It is important to get parents' consent before collecting, disclosing, and storing any information relating to children aged 12 years or below.
- Websites must allow parents to review the collected information.
- Websites must allow parents to revoke their consent and must heed the request of parents to delete certain information.
The above-mentioned laws provide various provisions to tackle the issue of theft of information by various social media giants and apps. But it must be noted that the laws discussed above are from the U.S., apart from one from the EU (European Union).
Precautions while using Social Media and Downloading apps
It is always better to look for prevention than to make a run for remedies; it is therefore important to take a few precautions while using social media and various apps.
- Safe Website Practices: Not all websites are safe. A few with short URLs and other conspicuous aberrations in their URL often ask for personal information and are malicious; such sites should not be used. To prevent such issues, a good antivirus and a reliable web browser should be used.
- Internet cookies are bitter: Cookies are used by various sites to keep your data the way it was when first accessed. Sometimes the same cookies are used by third parties for their own gains. To prevent this, make sure to delete cookies.
- HTTPS instead of HTTP: While entering personal information, always make sure that the site has 'https://' or a padlock sign; this ensures that the site is protected and is safe to be used.
- Make sure to download certified apps from authorized platforms; third-party websites often provide applications intended to harm your privacy.
- Make sure that you don't share all of your personal information on social media.
- Applications often ask for permission to access your cellphone. Be cautious while giving such permission; a few apps might use that permission to meet their own ends.
- Apart from this, it is necessary to check the policy of the social media site you are using; we often tick 'I Agree' without even understanding what we are agreeing to.
With growing technology, the threat to privacy has increased. It therefore becomes necessary to take appropriate precautions while using such websites and apps. Apart from this, it has to be pointed out that Indian laws regarding data privacy have failed to keep pace with the vagaries of technological threats. The U.S. is definitely leading in these specific types of laws, and can therefore be an inspiration for nations trying to cope with growing cyber threats. Legal awareness regarding such issues is also very important; it is really sad to see that our generation, in want of free entertainment and information, is getting itself caught in the cyber trap. We Indians still have to wait for more elaborate laws on the above-mentioned issue, and since technology is not going to wait for these laws, the common man has to take certain precautions on his own.