1. Identify the relevant legal issues and challenges that arise in the allotted topic and devise
original analysis and/or solutions for the same
Impact Of Cyber Warfare On Privacy,
Identity Theft
2. What is Cyber Ware Fare
Cyber warfare can be described as - actions by a nation or international organization to
attack countries or institutions' computer network systems with the intention of
disrupting, damaging, or destroying infrastructure by computer viruses or denial-of-service
attacks.
Cyber warfare is also usually defined as a cyber attack or series of attacks that target a
country. It has the potential to wreak havoc on government and civilian infrastructure and
disrupt critical systems, resulting in damage to the state and even loss of life.
5. Privacy is one of the most important aspects which need to be protected from Cyber
attacks.
There are three international treaties that are widely recognized as the basis for the
protection of Privacy.
1. Article -12 of the Universal Declaration of Human Rights, 1948,
2. Article -17 of the International Covenant on Civil and Political Rights (ICCPR).
3. Article-8 of the European Convention for the Protection of Human Rights and
Fundamental Freedoms, (ECHR). The Organization for Economic Development &
Cooperation (OECD),
7. Guidelines for the (Protection of privacy and Trans Border of Data) also has equal relevance
as it protects the right to privacy among its members. The Preamble of the Australian
Privacy Charter also provides that
People have the Right to Privacy of their own body, Private Space, Privacy of
Communication, Information Privacy Rights Concerning Information about a Person and
Freedom Surveillance
The holy book of Quran also contains a 'verse'-(24:27)
“Believers Enter not houses other than your own houses, until you have obtained the
permission of the inmates of houses and have the greeted term with peace.
This is better for you, it is expected that you will observe this.
9. Today we are depended extensively and excessively on our computer / Mobiles electronic
devices, as a tool for gathering information, sharing and retention of data. We also depend
on the use of internet as a medium for data transfer.
There are various invaders who indulge in the act of stealing the information, as shared
through online by the user, either by use of malicious spyware, or by various computer
bugs, or the data as collected from the website which is stored in the cookies folder of the
computer.
The information that the user shares in the social networking profile i.e. Linkedin, Twitter,
Facebook, Instagram, etc. are very prone to be accessed by any intruder and are easily
manipulated and misused causing privacy intrusion issues to the concerned social media
user. Threats also like email attachment containing malware that discloses personal
information of the recipient of the mail to the sender or any intruder.
Children, who use the internet, are also easy prey of the intruders because all the
information fed by a child can be easily tracked by cybercriminals.
11. Today companies are hiring third parties to collect information about the peoples who are
using the internet and social sites, to pile up their data records, about such peoples and
their vital information, so that they can use the same for advertisement purpose or for
selling it to some other companies. Viz, Zomato, Banks, Automobile companies
The protection of privacy and data of the peoples using the internet is the major issue
nowadays, many countries have passed many laws to protect the privacy of their people.
15. Since a long period of time, India did not have any special law dealing with cyber crimes
and cyber privacy issues, jurisdiction issues, and intellectual property rights issues, and a
number of other issues. It was the only around the year 2000, that the The Indian
Legislature enacted the Information Technology Act, 2000 to deal with cyber crimes and
cybercriminals. IT Act lays down penalty and punishment provisions for violation of certain
laws which amounts as an offense.
The act was later on amended again in the year 2008 and now known as the Information
Technology Amendment Act 2008. The Act contains a number of provisions which protects
the privacy of a person from online intrusion and exploitation.
The Act provides both a fine and punishment by imprisonment in case of
1. Hacking (Section 43, 66),
2. Three years imprisonment for violation of privacy(section 66E),
3. Identity theft(Section-66 C) and
4. Cheating by personation (Section 66 D),
5. Offensive email (Section 66A).
17. • Section 72A of the IT Act penalizes the unauthorized disclosure of personal
information by any person who has obtained such information under a lawful contract
and without consent of the person from whom such information belonged or taken.
Apart from this the IT Act also provides provision for data safety.
• Section 43A of the Information Technology Amendment Act 2008, lays down that all corporate
bodies and intermediaries who possess, handle or collect any sensitive personal data shall
maintain reasonable security practices and in case of failure they shall be liable to the person
who is aggrieved by such misuse of data.
18. The government had notified the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Rules dealt with protection of Sensitive personal data or information of a person,
which includes such personal information which consists of information relating to:
1. Passwords
2. Financial information such as bank account or credit card or debit card or other
payment instrument details.
3. Physical, physiological and mental health condition
4. Sexual orientation
5. Medical records and history
6. Biometric information.
19. Parliamentary Report on Cyber Security & Right to Privacy Issued by the 2013 -2014
Standing Committee on Information Technology on February 12th 2014.
The Standing Committee stated that a significant increase in cyberspace activities and
access to internet use in India coupled with lack of user end discipline, inadequate
protection of computer systems, and the possibility of anonymous use of ICT allowing
users to impersonate and cover their trends of crime has emboldened more number of
users experimenting with ICT abuse for criminal activities.
The Committee is of the opinion that this aspect has a significant impact in blunting the
deterrence effect created by the legal framework in the form of the Information
Technology Act, 2000, and allied laws.
21. The Government of India, therefore in 2019, constituted a committee to propose a draft statue
on data protection. The committee proposed draft law and the govt. of India has issued
the Personal Data protection Bill 2019 (PDP) Bill based on the draft proposed by the
committee. This will be India first law on the protection of data and it will repeal section-43A
of the IT Act.
The PDP Bill, proposes a broader reach. It will not only apply to persons in India but also to
persons outside India in relation to business carried out in India. The PDP Bill, proposes to
apply both on manual and electronic records. The PDP bill proposes creating a Data Protection
Authority in India. The Authority will be responsible for protecting the interest of data
principals, preventing misuse of personal data and ensuring compliance within the new law.
The PDP Bill proposes to protect Personal Data relating to the identity, characteristics trait,
attribute of a natural person and Sensitive Personal Data such as financial data, health data,
official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status,
intersex status, caste or tribe, religious or political beliefs.
22. Pursuant to the PDPB being enacted into an Act, there are several compliances to be
followed by organizations processing personal data in order to ensure the protection of
privacy of individuals relating to their Personal Data. Consent of the individual would be
required for the processing of personal data.
Based on the type of personal data being processed, organizations will have to review and
update data protection policies, codes to ensure these are consistent with the revised
principles such as update their internal breach notification procedures, implement
appropriate technical and organizational measures to prevent misuse of data, Data
Protection Officer to be appointed by the Significant Data Fiduciary, and instituting grievance
redressal mechanisms to address complaints by individuals.
The government decided that they would need to implement new rules which would
"empower the ordinary users of social media" and their enactment had become necessary
due to widespread concerns about issues relating to increased instances of abuse of social
media and digital platforms.
23. Landmark Judgement
•Justice K.S Puttaswamy (Retd.) Versus Union
of India (Case NO- WP (C) 494/2012 ), the
Hon'ble Supreme Court through its 9 Judge
Bench held that the fundamental right to
privacy is guaranteed under the Constitution
of India.
24. The need of the hour was to bring forward a special law to deal with the privacy-
related issue, at par with the international standards and as like most of the other
developed nations have already enacted. The recently enacted Information Technology
(Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules, 2021")
was aimed at doing exactly the same.
The IT Rules, 2021, inter alia, aim to serve a dual-purpose: (1) increasing the
accountability of the social media platforms (such as Facebook, Instagram, Twitter
etc.); and (2) empowering the users of social media by establishing a three-tier
redressal mechanism for efficient grievance resolution.
The New IT Rules 2021 have faced severe restrictions from various digital media
platforms. Compliance with the provisions of the IT Rules, 2021 is being questioned by
digital media platforms as an attempt to restrict the freedom of speech and expression
and various petitions have been filed across India challenging the legal validity of the IT
Rules, 2021.
25. • Agij Promotion of Nineteenonea Media Pvt. Ltd. & Ors., vs. Union of India [W.P. (L.) No.
14172 of 2021], the IT Rules, 2021 were challenged on the ground that the IT Rules,
2021 are "ex facie draconian, arbitrary and patently ultra vires" the provisions of the
Information Technology Act, 2000 ("IT Act") and the provisions of Articles 14, 19(1)(a)
and 19(1)(g) of the Indian Constitution, which guarantees fundamental rights to the
petitioners.
• The public interest litigation was moved by the Carnatic musician TM Krishna and a
second petition was filed by the Digital News Publishers Association (DNPA), comprising
of thirteen media outlets, as well as journalist Mukund Padmanabhan4 wherein the
petitioners contended that the IT Rules, 2021 are ultra vires, inter alia, to Articles 14
and 19 of the Constitution of India.
Judgement against the 2021 Act
26. Though the idea pertaining to the protection of data is very old but due to the immerging
trend of technological dependence and use of personal data is manifold, hence this new
trend needs a new law to deal within tracking and controlling the techno-savvy peoples
and organizations by providing guidelines to prevent misuse of personal data.
Peoples using online medium for sharing data or transferring information while doing e-
commerce transaction or any other communication purpose treasure their privacy and link
it to personal freedom and so have a right to control data about them. It is further required
that every e-organization privacy practices should be bench marked against national and
international standards for privacy and fair information practices to meet the emerging
challenges.
27. Although customer's easily share their personal data while doing online transactions or by
interchanging communications but still it is the state's responsibility to look and protect the
interest of its citizens. As because due to lack of specific statutory law dealing with the
protection of data in India, the courts measurably fails to protect the information as shared to
the companies by punishing them for violation of trust.
Hence, it is highly required and need of the hour, that the Protection of Personal Data Bill 2019
which is pending in the parliament for approval and ascent of the president be immediately
passed and approved so as to protect the personal data of the citizens from being misused.
The Personal Data Protection Bill, first proposed by the government in 2018, has been pending
for close to three years now. It has seen several changes to the original draft drawn by retired
Supreme Court judge Justice B N Srikrishna, who also said that the revised Bill was “a blank
cheque to the state”
29. Today there is no control or check on who sells the data to whom the Rules only deals with
protection of Sensitive personal data or information of a person, which includes such
personal information which consists of information relating to:
• Passwords;
• Financial information such as bank account or credit card or debit card or other payment
instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information.
No technology or standard can eliminate the risk of a cyberattack, but Companies and
individuals must the adoption of modern standards that incorporate MFA (Multi Factor
Authntication) can be an important step that meaningfully reduces cyber risk. By following
these eight principles, governments can create a policy foundation for MFA that not only
enhances our collective cyber security, but also helps to ensure greater privacy and
increased trust online.
30. Some pointers which can be followed by companies and individuals to avoid cyber attacks on
privacy and to prevent Identity Theft
1.Have a plan that explicitly addresses authentication.
2.Recognize the security limitations of shared secrets.
3.Ensure authentication solutions support mobile.
4.Don’t prescribe any single technology or solution — focus on standards and outcomes.
5.Encourage widespread adoption by choosing authentication solutions that are easy to use.
6.Understand that the old barriers to strong authentication no longer apply.
7.Know that privacy matters.
8.Use biometrics appropriately.
31. As individuals grow more dependent on and connected to the cyberspace, they will
become more reliant on organizations' effective implementation of cyber security and
sensitivity to privacy. The following are some of the key areas in which an increased
emphasis on privacy protection could help support, advance and augment cyber security
activities.
a) Building privacy values into cyber security policy directions
b) Legislative approaches that incentivize cyber security preparedness
c) Facilitating broader dialogue on cyber security that acknowledges its importance for
privacy, trust, and responsible data stewardship