Express Computer

Dispelling the clouds over data security


The past few years have seen a tremendous growth in the number of mobile applications. Another industry that has grown alongside the mobile application sector is data collection and processing.

By Sajai Singh

Often, mobile apps are designed to collect information available on the mobile device such as name, age, location, internet browsing history, etc. This information is then stored on a central server, and is processed and utilised. Certain other mobile apps also provide the user with an option to store data in a remote manner (cloud computing).

The key challenge while developing and marketing such applications is that of data security. Consumers need to be made conscious of the fact that the data on their mobile device is being collected and processed. Typically, permission is sought at the time of downloading the application from the relevant app store.

However, the permissions requested are seldom explained in detail, thus leaving the user unaware of the nature of information being collected, or the process or purpose for the same.

In the recent past, we have encountered several instances of data being stolen and being used for unlawful purposes. Internet trolling, whereby illegally extracted information is posted on social media networks and the source individual is subjected to public ridicule and insult, is also a trend which is on the rise.

The necessity to protect one’s data from being accessed by these ‘internet trolls’ cannot be emphasised enough, in light of the increased usage of cloud computing. The latest hacking of the iCloud has only established what was being said by privacy advocates around the world—data can never truly be secure and private when stored in a remote manner.

This and other similar experiences have app developers scrambling to ensure that their apps, as well as the data collected from these apps, are sufficiently protected.

The Indian legislations which govern offences relating to unlawful exfiltration of data contained on a mobile device/cloud include the Information Technology Act, 2000 (IT Act), the Indian Penal Code, 1860, the right to life and personal liberty under Article 21 of the Constitution of India, tort law and possibly the Indecent Representation of Women (Prohibition) Act, 1986. Claims may be raised based on a breach of confidence, violation of privacy, trust and confidence. There are also several criminal offences under the IT Act, such as unlawful access to computer resources, disclosure of computer records and altering computer data without permission, which may apply in such situations.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules) provides protection to personal information. Rule 3 of the Rules provides an aggregated definition of sensitive personal data including within its ambit information such as a person’s financial information, medical records, biometric information, etc.

The IT Act, in Sections 43 and 66, deals with hacking a computer system, which is punishable with imprisonment up to 3 years, or with a fine which may extend up to Rs 5 lakh, or with both. Section 67 of the IT Act penalises publication or transmission of lascivious material. Such an act is punishable with imprisonment up to 5 years and with fine.

Indian law does not define what privacy is, but only the situations in which privacy will be afforded legal protection. Here, ‘privacy’ would be understood as the claim of ‘aggrieved’ parties, who have determined for themselves when, how and to what extent their personal information is to be communicated to others. An argument that may be used by the ‘victims’ is that the information has been acquired by some form of hacking (or unlawful access to a computer resource); therefore, any viewer of such information may be assumed to have known that the information was confidential.

It is also pertinent to note that the IT Act applies to offences committed outside India by any person so long as the offence involves a computer, computer system or computer network located in India. While the IT Act does have extra-territoriality, it may not be possible to easily identify the jurisdiction (and consequently the laws) for raising a claim in such a situation. The hacker, the cloud provider, the data and the victim may all be in different countries (and subject to different laws).

The question is whether a data controller can be held responsible for data exfiltration in India. A data controller would need to establish that it followed the provisions under the Rules with regard to reasonable security practices and procedures in order to have a defence against any claim against it. Then there is the question of what the terms and conditions of use of the services provided were.

Typically, terms of such services specifically provide that the service provider does not represent or guarantee that the service will be free from loss, corruption, viruses, hacking, or other security intrusion, and that it disclaims any liability relating thereto. It is unlikely that an action would lie under the Indian Consumer Protection Act, claiming that such terms were unreasonable.

Some simple safeguards that may be adopted to mitigate the risk of data exfiltration include multi-factor authentication and frequent change of passwords. One could also consider encryption of data/files prior to placing the same on the cloud. This will ensure that no one other than the holder of the encryption key (you) will easily manage to gain access to your files.
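The "encrypt before you upload" safeguard above, as an added example that is not part of the original article: a small Go program (standard library only) that generates a key which stays on the user's device, encrypts a document with AES-256-GCM, and decrypts it again locally. The cloud provider only ever receives the sealed blob. The sample document and the tampering step are constructed for illustration; the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a fresh 256-bit key. The key never leaves the user's
// device; only the output of Seal is handed to the cloud provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key. The returned blob is
// nonce || ciphertext || tag, so everything needed to decrypt (except the
// key) travels with the file. A fresh random nonce is drawn per call; a
// nonce must never be reused under the same key.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM's authentication tag means any modification of
// the stored blob (or use of the wrong key) is rejected with an error
// rather than silently yielding garbage.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file content standing in for a document the user
	// wants to keep private on a remote store.
	doc := []byte("medical record: patient 0042, blood group O+")

	blob, err := Seal(key, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on cloud: %d bytes of ciphertext (plaintext %d bytes)\n", len(blob), len(doc))

	back, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted locally: %q\n", back)

	// Simulate one byte of the stored copy being altered in transit or at rest.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

The design choice worth noting is the use of an authenticated mode (GCM) rather than bare encryption: confidentiality alone would stop a provider or intruder from reading the file, but the tag is what lets the user detect that a stored copy has been modified. Key storage is out of scope here; losing the key means losing the data, so it must be backed up independently of the cloud copy.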

As can be seen, the law in relation to data security in India is in a nascent stage of development. There is yet scope to strengthen the laws in relation to service providers, as well as provide effective remedies for persons who are victims of data theft or exfiltration. The enactment of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules), which provide for mandatory reporting of specified cyber incidents as well as operation of a 24 hour incident response help desk, seems to be a step forward in this regard.

The author is Partner, J Sagar Associates. Views are personal
