
Introduction:

In today’s era of peaking digitalization, our day-to-day activities such as searching for or doing jobs, acquiring education and skill-training, carrying out transactions, shopping for commodities, interacting with peers, etc. are all carried out using online platforms. The internet has made life simple, manageable, and hassle-free. Convenience is at its best. This dependence on cyber technology has increased multifold now because of the pandemic. The new normal involves working from home, e-learning, e-courts, e-commerce, etc. all of which is done using various websites and web applications.

While being able to access any piece of information and doing otherwise time-consuming tasks in just a click seems like a great deal, it poses a huge threat to our data privacy. When we step into the web world, we knowingly or unknowingly leave behind traces of information about ourselves as a result of our online activities. These bits of data are called Digital Footprints. This data consists of the websites we visit, the information we submit to online services, emails and text messages that we send, our posts on social media, and so on. This information can be easily tapped into and collected by interested parties and used for several reasons. One of the biggest reasons for collecting people’s digital footprints is Cyber Espionage. 

Cyber espionage has become a growing concern in the present netizen’s world, wherein obtaining, mining and deep learning of data has gained utmost importance in each and every field. Cyber espionage is a form of cyber-attack that involves spying on and stealing classified or sensitive data, without the permission of the holder of that data, in order to gain an advantage over a competitive company or a government entity. This practice is clandestine and unwelcome, and may or may not be lawful depending on a few factors which will be explained as we move forward.

In this article, the focal point would be to discuss the recent lawsuit faced by a professional platform called LinkedIn for spying on user data through device apps, to understand why and by whom cyber espionage is done, and to elaborate on the laws concerning cyber espionage in India.

Case Summary: Bauer v. LinkedIn Corp.

Microsoft Corp’s LinkedIn was sued by New York-based user Adam Bauer for allegedly snooping and reading users’ sensitive information from Apple Inc’s Universal Clipboard feature, available on the latest iOS 14, without their consent or knowledge. According to Apple’s website, this Universal Clipboard allows users to copy texts, images, photos, and videos on one Apple device and paste the content onto another Apple device. And, Apple’s latest privacy feature alerts users whenever the Clipboard is accessed with a banner saying “pasted from Messages”. Bauer’s lawsuit alleged that these “reads” (done by LinkedIn) are interpreted as a “paste” command by the Universal Clipboard.[1]

As per the class-action lawsuit, LinkedIn programmed its iPhone and iPad applications to divert users’ sensitive content, such as emails, texts, photos, and medical records, without notifying them. These privacy violations were first exposed by Apple and some independent program developers. These developers and testers found out that LinkedIn’s application on Apple devices was secretly reading users’ clipboard information “a lot. Constantly, even”. [2]

The complaint further goes on to state that, “LinkedIn has not only been spying on its users, but it has even been spying on their nearby computers and other devices and has been circumventing the Clipboard’s timeout which removes the information after 120 seconds”. [3]

LinkedIn spokesman Greg Snapper has announced that the lawsuit is under review by the company. Erran Berger, head of engineering at LinkedIn, posted a tweet on 2nd July 2020 which states that “the company had traced the problem to a code path that performs an “equality check” between the content on the Clipboard and the content that is currently being typed in the text box and that they do not store or transmit the Clipboard content”. A LinkedIn executive had also reached out on Twitter and said that the company has released a new version of its app to put a stop to this practice. [4]

This lawsuit, filed in the San Francisco federal court, seeks to represent a class of users whose privacy has been violated as per the Federal and California privacy laws, and against whom there has been a breach of contract claim. [5]

In this complaint, Bauer has even stated that he was completely unaware of the fact that his Clipboard information was so easily accessible to mobile apps “without his affirmative consent by means of a mere paste command” and adds that “had he known about this, he would not have used the LinkedIn app”. Therefore, this is not only a case of breach of privacy but also a case of violation of social norms. [6]

This case has brought into the spotlight the already growing concern regarding mass surveillance of social media accounts and how this results in the blatant breach of common citizens’ Right to Privacy by large companies for gaining profits and other advantages. In the internet realm, transparency has always been an issue, because new and advanced methods to exploit, spy, and steal data are mushrooming day by day, while the laws centred on cybersecurity and cybercrimes remain poorly formed, implemented, and executed, especially in India.

(The trial for the case Bauer v. LinkedIn Corp is still underway).

Understanding ‘Cyber Espionage’ (Cyber Spying) & Why it is Done

Cyber espionage, also known as cyber spying, is the act of obtaining confidential information without the due consent and knowledge of the holder of that information. It typically involves the use of access to such secret and classified information in order to gain a strategic advantage. More recently, cyber-crime has started to involve the analysis of public activity on social networking sites such as Facebook, Twitter, etc. and even professional networks such as LinkedIn. [7] Here, we will be focusing on cyber spying done by corporate firms and cyber spying done by governments using these social and professional networking platforms.

Two major reasons that can be attributed to cyber spying done by two of the main parties in concern, corporate giants and governments, are as follows:

(1) In today’s world, where there is cut-throat competition in every sphere of life, simply maintaining a user database with just basic user credentials such as name, age, sex, etc. is not enough for a company. In order to gain a competitive advantage, companies use online platforms to go a step further by delving deep into getting to know their users in order to provide them with the best, individual-customized experience ever, making them more user-friendly. They use digital footprints (such as posts on social networking platforms like Instagram, Facebook, and Twitter, and professional networks such as LinkedIn, Glassdoor, etc.) to tap into every little detail that they can learn about an individual, including their demographic traits, sexual orientation, race, religious views, political views, personality, etc., and the user gets absolutely no hint of this ongoing operation. They then use this information to provide users with a personalized experience based on their apparent likes and preferences. The user, when using the services of the respective company, is provided with whatever he/she likes on a platter (for example, customized combo services, personalized coupons/vouchers/discounts on items of interest, recommendations on similar items that the user may like, or, on professional networks, suggestions of more relevant jobs/internships) and therefore need not put any effort into searching for their desired preferences. The company, in turn, gains the customers’ goodwill, and an increased probability of turning that customer into a regular one.

(2) The various government entities and intelligence agencies do this to derive intelligence from otherwise unobjectionable data. According to an article by Forbes, many of the automated tools leverage AI and pattern analytics to map relationships between people “through link analysis”, use natural language processing to “assign meaning or attitude to social media posts”, and are used to mine data about the “past, present, or future locations”. Intelligence agencies and governments thus use it to fuel investigations into serious crimes. Governments also use it to regulate mass-scale population monitoring and population control and suppression, for example, when the U.S. turned to social media as a means of evaluation and investigation for immigration threats. [8]

Now, there is an important fact which must be kept in mind when dealing with the imperatives of understanding and critically analyzing the practice of cyber espionage. In order to judge whether, in a particular case, cyber espionage, with respect to parties mentioned above, is done lawfully or not, these three things must strike a balance in order of level of importance: 1) In the case of governments and law enforcement agencies, their duty to tackle serious crimes like terrorism, people and drug trafficking, child abuse, white-collar crimes, etc.; 2) In the case of large companies, their need to earn profits in order to maintain the cost of production of goods, services, and operations, while being able to expand and grow; 3) And finally, the Right to Privacy of billions of citizens which must be respected and protected and whether the capabilities given to these agencies infringe upon the legal restrictions pertaining to this Right or not. [9]

Laws Pertaining to Data Privacy in India

As of today, India does not have any specific laws pertaining to cybersecurity or data protection, or even cyber espionage. For now, India’s regulatory mechanism for the protection of data privacy includes the Information Technology Act, 2000 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI/IT Rules). There exist some remedies and penalties for violation of data privacy in these “laws”. Apart from this, the Right to Privacy has now been declared as a Fundamental Right and an integral part of Article 21 (Right to Life) of the Indian Constitution in the case of Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors.

The relevant sections of the IT Act which are applicable to this discussion are:

(i) Section 43A – It states that “Where a corporate body, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls and operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body shall be liable to pay damages by way of compensation to the person so affected”. [10]

(ii) Section 72 A – It states that “Any person including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to 3 years, or with fine which may extend to 5 lakh rupees, or with both”. [11] (This is the only penalty laid out for data breach in this Act).

But there are certain limitations to these provisions, which are as follows:

  • The scope of the provisions of the IT Act on data privacy is very narrow and limited.
  • The prime concern of the Act itself is not to provide data privacy.
  • No specifications regarding the responsibilities of government agencies for data privacy and protection have been made.
  • The IT Rules are applicable only in the case of electronically generated and transmitted information.
  • The IT Rules are applicable only to body corporates and not to any government/state. Also, they come into effect only if a contractual agreement has not already been made. Hence, they can be easily evaded by entering into a contract. [12]

To tackle some of these existing challenges, the Government of India tabled the Personal Data Protection Bill in 2019. This legislation covers the mechanisms for data protection and also suggests the setting up of a Data Protection Authority (DPA).

This Bill provides for the protection of data privacy, and regulates the collection, processing, and storing of personal data. It protects the fundamental rights of individuals whose personal data is being processed. This Bill governs the processing of sensitive data by the government, all companies incorporated within India, and even all foreign companies that deal with the processing of sensitive data of the citizens of India. [13]

It provides that personal data of an individual cannot be accessed or processed without the due consent of that individual. It lays down norms for the protection of data posted on social media and data subject to cross-border transfer, lays down accountability for entities involved in the processing of personal data, and also provides for remedies in case of unauthorized or wrongful processing.

But this Bill is also subject to criticism on the grounds that:

  • It allows the central government to exempt any of its agencies from the provisions of this Bill in the interest of state security, public order, sovereignty and integrity of India, and maintaining good relations with other countries.
  • Processing of personal data is exempted from provisions of this Bill even for other purposes such as prevention or investigation of serious crimes by intelligence agencies or the military, monitoring suspicious activity, research, etc.
  • Also, personal data of an individual can be processed without their consent if the government is required to provide any sort of benefits to that individual, in legal proceedings, in medical emergencies, etc. [14]

Conclusion

It is now a popular opinion that “Data is the new oil”. Just like mineral oil was the most remunerative commodity in the world, and every country was competing to establish control over this resource, similarly data has become the most valuable commodity in the 21st century. The 5 most profitable and successful companies in the world, that is to say, Google, Amazon, Apple, Microsoft, and Facebook are all a part of the data sector. Raw data can be processed and analyzed to extract all kinds of information such as financial information, employment information, personal information, geolocation information, etc.

This increasing importance of collecting and owning data has led to large-scale exploitation and extraction of data, resulting in a threat to data privacy. It seems that we have all unintentionally opted into being a part of a huge database trap which can easily be accessed, and the information contained in it exposed. While all social and professional networking platforms claim to encrypt our data to protect it from being monitored, the reality is that most of this data is easily available and can be accessed by simply using mass scraping tools and some knowledge about software programming.

As mentioned before, there should be a balance when it comes to talking about data monitoring and surveillance. All these agencies must first evaluate where public consent starts and where a line must be drawn with respect to the citizens’ Right to Privacy. Even other particulars such as how much and what kind of information is too much, who is eligible to access this information, when exactly can it be classified as an infringement upon data privacy, etc. must be determined.

The laws pertaining to data privacy need to undergo critical analysis and changes. To ensure that cyber technology grows in a healthy manner, new and relevant cyber laws need to be enacted because the existing laws in India, even when interpreted most liberally, do not address all aspects of different activities in cyber-space. The laws need to be made more stringent, and this highly debatable issue must be taken up and scrutinized more seriously because violation of a person’s Right to Privacy exposes that person to unprecedented repression of his/her basic Fundamental Rights and Freedoms as a citizen.


References:

[1] https://www.bloombergquint.com/business/linkedin-sued-for-spying-on-users-with-apps-for-apple-devices

[2] Supra note 1.

[3] Supra note 1.

[4] Supra note 1.

[5] Supra note 1.

[6] https://www.forbes.com/sites/daveywinder/2020/07/11/iphone-user-sues-linkedin-for-reading-clipboard-data-after-ios-14-alert-revelations-apple-ipad-class-action-privacy-lawsuit/#18b032304c54

[7] https://en.wikipedia.org/wiki/Cyber_spying

[8] https://www.forbes.com/sites/zakdoffman/2019/11/06/new-government-spy-report-your-social-media-is-probably-being-watched-right-now/#3869fc2d4f99

[9] Supra note 8.

[10] https://indiankanoon.org/doc/76191164/

[11] https://indiankanoon.org/doc/69360334/

[12] https://www.lexology.com/library/detail.aspx?g=08197ebe-aeb4-41d6-a855-ce57a313ea6d

[13] https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know

[14] Supra note 13.

