By the late evening of 28th September, 2018 almost all Facebook users would have received messages on their electronic devices that their “session expired”. It indicated that the subscriber needed to log in again to continue their Facebook activities. Many of the users felt it was a hoax, many felt it was a hacker's act, and some could understand it was an alert, as they were always ‘online’ and never logged off even when their phones were ‘sleeping’ or switched off. By late night or early morning on 29th September, 2018 Facebook subscribers got official information from the Facebook help center stating that the company had discovered an attack on its system and that the attackers had illegally accessed Facebook access tokens, which would give way to the subscribers’ data. As an emergency precautionary step, Facebook logged off all users so that they could log on again with a secure code provided by Facebook. It was confirmed that Facebook was trying to exercise due diligence to protect the data of its users, and in the course of this the users were directed to log off.
Due diligence has been addressed by S.512(c) of the Digital Millennium Copyright Act, 1998, which indicates that the intermediary may be saved from third party liabilities (especially for copyright infringements) if the intermediary practiced due diligence, i.e., it did not have the requisite level of information about the said infringement, it must not have financially benefited from such infringement, and it must have taken expeditious measures to take down the content concerned or block access to the material concerned upon receiving information of the infringement. The same has also been addressed by S.79(3) of the Information Technology Act, 2000 (amended in 2008) and has been further explained in the Information Technology (Intermediary Guidelines) Rules, 2011, whereby the term cyber security incident has been defined as follows:
Rule 2(d): "Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;
The rules further go on to explain what due diligence practices should be adopted by the intermediary under Rule 3(3), which states that the intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2).
Interestingly, Rule 4 of the Intermediary Guidelines Rules further provides clear direction to the intermediaries as to what is to be done, and within how much time, when the intermediary has come to know about any information which harms the interest of users or threatens the security of the nation etc. (as mentioned in Rule 3), by stating that the intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or being brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and, where applicable, work with the user or owner of such information to disable such information that is in contravention of sub-rule (2). Further, the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.
This Rule 4 (read with Rule 3) mentions that the intermediary should either remove the offensive content or block access to the content. Facebook, in its action in practicing due diligence and exercising reasonable security practices (in India, the guiding principle in this regard is mentioned in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011), had alerted the users, logged them off and logged them in with a fresh code, and also expressed that it was not aware whether any individual had been affected by such unauthorised access to the Facebook system as a whole.
By doing this, Facebook actually tried to escape its liability as a ‘negligent body corporate’, or a company which may be brought to the courts under S.43A of the Information Technology Act, 2000 (amended in 2008). Compare the incident of the Facebook-Cambridge Analytica data breach and how the EU parliament addressed the issue by accusing Facebook of having extremely poor cyber security measures compared to Europe. Facebook users were also advised by an Illinois court to go for a class suit against the company (Facebook) for unethically scanning and storing personal photos and information of the users.[1]
Recent news also suggests that in the US Facebook users have started going for class actions against Facebook for the data breach, which apparently occurred because of the company’s negligence in securing the data.[2]
Under the Indian Information Technology Act, 2000 (amended in 2008), S.43A empowers the victims of a privacy (including data) breach to claim compensation from the faulting body corporate up to a maximum limit of Rs. 5 Crores, which however is subject to modification depending upon the damage suffered by the victims, reputational harm etc. and the discretion of the adjudicator. Not many users have applied this law to bring big companies under the Indian scanner. There are, however, some cases of banks’ liability or hospital managements’ liability which are now coming up because of the awareness among the users/data owners and their lawyers.
However, web companies like Google, Facebook etc. may have another option to shed the liability: they may always shift the major burden to the data owners or data managers, i.e. the private individuals who upload data almost every minute on average and thereby expose their private information.[3] It is for this reason that we need to be vigilant about our own practices of data sharing.
Stay safe, play safe.
Please Note: Do not violate the copyright of this blog. If you would like to use information provided in this blog for your own assignment/writeup/project/blog/article, please cite it as: Halder D. (2018), "The great Facebook hack: Liability of Facebook as service provider", 30th September, 2019, published in http://debaraticyberspace.blogspot.com
[1] See Halder Debarati (2018), FB, Its content regulation policies & photo matching tech: boon or bane for Indian women from privacy law aspect. Published in LiveLaw on April, 20018 @ https://www.livelaw.in/fb-its-content-regulation-policies-photo-matching-tech-boon-or-bane-for-indian-women-from-privacy-law-aspects/
[2] See for instance Knoop Joseph (2018), Facebook sued over data breach that involved 50 million accounts. Available @ https://www.dailydot.com/layer8/facebook-breach-lawsuit/
[3] For a better understanding of this see Halder & Jaishankar (November 2016). Cyber Crime against Women in India. New Delhi: SAGE. ISBN: 978-93-859857-7-5.