As on first week of September, 2021, India has
reportedly vaccinated more than 67, 09, 59,968 people and several of them have
also got fully vaccinated. Noticeably Covid vaccination drive is being conducted
by the government and it necessarily includes sharing of certain sensitive
personal data that have been included in the Aadhar data of every individual.
Expectantly vaccination data is connected with the personal information
including health information of the beneficiary as well.
Let me now explain how we the beneficiaries of Covid
vaccination drive have knowingly shared our personal data and have invited
risks of privacy infringement.
In 2020 when I was affected by Covid and wanted to be
reassured that I am carrying the virus, I had sought for Covid testing like
millions of us who have survived Covid. The government testing agencies were
over flowing and this had happened in all cities across India. Medical shops
got many of us connected with private labs who would be testing us ‘at the
earliest’ to help us recover faster. Several people reported that even though
they did not have symptoms, they were tested positive. Everyone suspected foul
play, but we had to accept that the pandemic has touched all of us very dearly.
Whether it was government labs or private labs, the individuals who would be
taking the swab test were directed to mandatorily collect Aadhar data of the
persons who were taking the tests. There were series of data sharing from private
agencies to government agencies and in majority of the cases the data owners
were never asked for their explicit permission for sharing their data. Added
with this, we the general users of social media companies have shared about our
levels of infections and recovery on social media platforms without giving it a
thought that we are generating data that have potential to put us on risk for
numerous kinds of cybercrimes including ransom attacks, bullying, stalking and
doxing to name a few. During the very first phase of Covid-19 we have seen
social exclusion with the Covid 19 victims and their families. There had been
several cases of shaming on the social media for victims of Covid-19. Somehow
such ‘harassments’ of victims of Covid and their families may be attributed to
the data generated by people who had been infected and survived Covid.
Most of us would never understand how such data
sharing would have affected us. Resultant, most people have shared about their
vaccination details, which should have been considered as part of sensitive
personal health data. Let me explain how we have unknowingly shared such data
and have invited risks:
Many people who had vaccine may have taken selfies or
may have allowed their family members to take photographs of being vaccinated.
These images may have been immediately shared on social media profiles with
date of vaccination and the name of the vaccine. Further, several vaccination
centers had also offered galleries for taking photographs. Some may argue that
vaccine beneficiaries may not have shared the personal data including secret
numbers or registration details that may be availed from the government
platforms. But not to forget, this is an age of social engineering. Hackers and ransom attackers are smart to
connect facial images, geo-locations, Aadhar details with date and time stamp
to access sensitive personal data stored on platforms which may not provide
much security to the privacy of the data owners.
Such apprehensions are not
baseless. In December, 2020, Pfitzer had
reportedly shared the bad news of being targeted by cyber criminals.[1]
Again, in June, 2021 news about possible hacking of CoWin platform made the
government to consider for investigation of the entire issue.[2]
Why we need to be considered
for this issue and what does the law say? The answer basically centers on the
liability of the websites/social media companies to protect our data. Two issues
must be understood here: the liability of the companies/body corporates (especially
the vaccine production companies and the vaccine administering stakeholders) in
whose data base our sensitive health data including the vaccine data is being
stored, and the liability of the social
media companies on whose platform we are sharing our own data in the form of
selfies, pictures etc. S.43A of the Information Technology Act, 2000(amended in
2008) makes the body corporates liable for protection of the data of the
clients/customers/beneficiaries. If the integrity and confidentiality of the
data is infringed, the body corporates need to compensate the damages. There may
be huge legal battles for this and body corporates may always prima facie deny
their negligence. Not to forget, they may outsource the entire work of data
generation, data storing and maintaining the confidentiality of the data to the
third parties and resultant, they may need to face layers of liability charges.
This does not happen in case of social media companies. The later have explicit
policies and agreement clauses that majority of the users of the platforms
ignore. These clauses and policies clearly demonstrate the company’s due
diligence clauses. In other words, the companies very clearly state that they
will remove some posts if the same are offensive and fall within their own
category of offensive posts. They would also bear the liability of securing confidentiality
of the profiles. But they would not take
any liability if the users themselves “knowingly” post something which is self-damaging.
For understanding this, we have take close look on S.79 of the Information
Technology Act, 2000(amended in 2008) which elaborates website liabilities and
immunity clauses for the websites from third party liabilities. In short,
websites will not be liable for any ransom attack, hacking or any other forms
of online harassment if the users “knowingly” upload some contents which may
attract perpetrators. “Knowingly” here corresponds with the meaning of “awareness”.
The websites expect their users to be aware of the risks of posting certain
contents which would be self-damaging.
We should rejoice the winning
over the pandemic but not at the cost of our privacy and security. Be aware,
stay safe and spread positive awareness.
Please note: Please note: Please do not violate the copyright of this writeup.
Please site it as Halder Debarati (2021) Hurray … I am
vaccinated: know the risks for updating vaccine-posts @https://debaraticyberspace.blogspot.com/2021/09/hurray-i-am-vaccinated-know-risks-for.html
[1] See in
Stubbs.J(2021) Hackers steal Pfizer/BioNTech COVID-19 vaccine data in Europe,
companies say . published in https://www.reuters.com/article/uk-ema-cyber/hackers-steal-pfizer-biontech-covid-19-vaccine-data-in-europe-companies-say-idUKKBN28J1VF
on December 10,2020.
[2] See for
more in Jaswal M(June 2021) Claims of Cowin system, hacking, data breach
baseless: Health ministry . Available @ https://www.livemint.com/news/india/claims-of-cowin-system-hacking-data-breach-baseless-health-ministry-11623489372000.html
published on June 12,2021