PRIVACY & THE INTERNET
ILI/Lecture - Cyberlaws - 27 Jan 06
By Karnika Seth, Partner, Seth Associates
For queries you may write in at [email protected]

What are "online communications?"

"Online communications" are communications over telephone, cable networks, or wireless systems using computers. Examples of online communications include connecting to the Internet through an Internet Service Provider (ISP) such as America Online or Earthlink, or accessing the Internet from a public library or community computer center. Mobile access to the Internet is increasing via hand-held PDAs, pagers, and other devices.

The Internet raises some unique privacy concerns. Information sent over this vast global network may pass through dozens of different computer systems on the way to its destination. Each of these systems is operated by its own administrator and may be capable of capturing and storing online communications. Furthermore, your online activities can potentially be monitored by your Internet Service Provider (ISP) and by web sites that you visit.

Issue of Privacy concerns…

* Personal privacy
* Rights of individuals/entities
* Informational/database protection
* Government Regulation & surveillance
* Workplace Privacy
* Children’s online privacy
* Freedom of Speech & Expression
* Anonymity online
* Phishing
* Privacy
* Encryption methods, spyware, filtering tools, spam….

There are virtually no online activities or services that guarantee absolute privacy.

Public Activities

Many online activities are open to public inspection. Engaging in these types of activities does not normally create an expectation of privacy. In fact, according to federal law, it is not illegal for anyone to view or disclose an electronic communication if the communication is "readily accessible" to the public (Electronic Communications Privacy Act, 18 USC § 2511(2)(g)(I)).

Newsgroups. For example, a message you post to a public newsgroup or forum is available for anyone to view, copy, and store. In addition, your name, electronic mail (e-mail) address, and information about your service provider are usually available for inspection as part of the message itself.

Listserves. Other public activities may allow your message to be sent to multiple recipients. Online newsletters and "listserves" are sent to a mailing list of subscribers. If you wish to privately reply to an individual who has posted a message in an online newsletter or listserve, be sure you address it specifically to that person's address, not to the newsletter address.

Subscriber directories. You should not assume that your service account information will be kept private. Most ISPs provide online member directories that publicly list all subscribers to the service. Some of these directories may list additional personal information. Most service providers will allow users to remove their information from these directories upon request. Be aware that some service providers may sell their membership lists to direct marketers.

Domain registration. Many individuals obtain their own website names, called domain names, for example, www.XYZfamily.org. Domain registrations are public information. Anyone can look up the owner of a domain name online by using a service such as www.checkdomain.com or www.internic.net/whois.html.

"Semi-Private" Activities

The presence of security or access safeguards on forums or services can lead you to believe that communications made within these services are private. Some forums are restricted to users who have a password. While communications made in these forums may initially be read only by the members with access, there is nothing preventing those members from recording the communications and later transmitting them elsewhere. One example of this kind of activity is the real-time "chat" conference, in which participants type live messages directly to the computer screens of other participants. Often these activities are described as "private" by the service provider. However, chat room users may capture, store, and transmit these communications to others outside the chat service.

"Private" Services

Virtually all online services offer some sort of "private" activity that allows subscribers to send personal e-mail messages to others. The federal Electronic Communications Privacy Act (ECPA) makes it unlawful under certain circumstances for someone to read or disclose the contents of an electronic communication (18 USC § 2511). This law applies to e-mail messages. But ECPA is a complicated law and contains many exceptions. It makes a distinction between messages in transit and those stored on computers. Stored messages are generally given less protection than those intercepted during transmission.

Here are some exceptions to the ECPA:

* The online service may view private e-mail if it suspects the sender is attempting to damage the system or harm another user. However, random monitoring of e-mail is generally prohibited.
* The service may legally view and disclose private e-mail if either the sender or the recipient of the message consents to the inspection or disclosure. Many ISPs require a consent agreement from new members when signing up for the service.
* If the e-mail system is owned by an employer, the employer may inspect the contents of employee e-mail on the system. Therefore, any e-mail sent from a business location is probably not private. Several court cases have determined that employers have a right to monitor e-mail messages of their employees.
* Services may be required to disclose private information in response to a court order or subpoena.

The USA PATRIOT Act, passed by Congress after the terrorist attacks of September 11, 2001, reduces the checks and balances of ECPA regarding law enforcement access to records about online activity. And it expands the types of records that can be sought without a court order.

Can online services track and record my activity?

Yes. Many people expect that their online activities are anonymous. They are not. It is possible to record virtually all online activities, including which newsgroups or files a subscriber accesses and which web sites are visited. This information can be collected by a subscriber's own ISP and by web site operators.

Cookies. When you "surf" the web, many web sites deposit data about your visit, called "cookies," on your hard drive. When you return to that site, the cookie data will reveal that you've been there before. The web site might offer you products or ads tailored to your interests, based on the contents of the cookie data. Most cookies are used only by the web site that placed them on your computer. But some, called third-party cookies, communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers. Your web browser and some software products enable you to detect and delete cookies, including third-party cookies.

Web Bugs. A web bug is a graphic in a web site or an "enhanced" e-mail message that enables a third party to monitor who is reading the page or message. The graphic may be a standard size image that is easily seen, or it may be a nearly invisible one-pixel graphic. E-mail messages that include graphic displays like web sites are known as enhanced messages, also called stylized or HTML e-mail. The web bug can confirm when the message or web page is viewed and record the IP address of the viewer. You can defeat web bugs by reading your e-mail while offline, an option on most e-mail programs. You can also install a software program that detects web bugs.

Marketing uses and "spam." Records of browsing patterns are a potentially valuable source of revenue for online services and commercial web site operators. Direct marketers can use such data to develop targeted lists of online users with similar likes and behaviors. Such data can also lead to unsolicited e-mail, known as "spam."

Browsers. It's important to be aware of the information transmitted to remote computers by the software you use to browse web sites. The major browsers are Netscape Navigator and Microsoft Internet Explorer. Internet Explorer has P3P (Platform for Privacy Preferences). Most web browsers invisibly provide web site operators with information about your ISP as well as information about other web sites you have visited. Some web browsers, particularly if they have not been updated with security fixes, may be tricked into reporting the user's default e-mail address, phone number, and other information in the "address book" if the browser also handles your e-mail.

Privacy policies and web seals. The Federal Trade Commission urges commercial web site operators to spell out their information collection practices in privacy policies posted on their web sites. Most commercial web sites now post policies about their information-collection practices. Look for a privacy "seal of approval," such as TRUSTe (www.truste.org), on the first page of the web site. TRUSTe participants agree to post their privacy policies and submit to audits of their privacy practices in order to display the logo. Other seals of approval are offered by the Council of Better Business Bureaus (BBB), www.bbbonline.org, the American Institute of Certified Public Accountants, WebTrust, www.cpawebtrust.org, and the Entertainment Software Rating Board, www.esrb.org/privacy.

Workplace monitoring. Individuals who access the Internet from work should know that employers are increasingly monitoring the Internet sites that an employee visits. Be sure to inquire about your employer's online privacy policy.
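The web-bug description above says such graphics can be detected by software. The following is an added example, not part of the original lecture: it inspects an HTML e-mail without fetching anything and lists every remote image, marking the one-pixel or hidden ones as likely web bugs. The sample message, all host names, and the suffix-match test for "third party" are assumptions made for illustration.

```python
"""Flag likely web bugs in an HTML e-mail before any remote image is fetched."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every host name below is a placeholder.
SAMPLE_EML = """\
From: Newsletter <news@shop.example>
To: reader@mail.example
Subject: Weekly offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Weekly offers are inside.</p>
<img src="https://shop.example/img/banner.png" width="600" height="120" alt="Offers">
<img src="http://track.adnet.example/open.gif?uid=12345" width="1" height="1">
<img src="https://stats.adnet.example/p.gif?id=abc" style="display:none">
<img src="cid:logo@shop.example" width="1" height="1">
</body></html>
"""

# Inline styles that make an image invisible to the reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)


def pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or not a pixel count."""
    match = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(match.group(1)) if match else None


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag; nothing is downloaded."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def html_bodies(msg):
    """Yield the decoded text of each text/html part of the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def find_web_bugs(raw_eml):
    """Return one finding per remote image; 'likely_bug' marks tiny or hidden ones."""
    msg = message_from_string(raw_eml)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for body in html_bodies(msg):
        collector = ImgCollector()
        collector.feed(body)
        for img in collector.images:
            url = urlsplit(img.get("src", ""))
            if url.scheme not in ("http", "https") or not url.hostname:
                continue  # cid:/data: images travel inside the message itself
            host = url.hostname
            width, height = pixels(img.get("width")), pixels(img.get("height"))
            tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
            hidden = bool(HIDDEN_STYLE.search(img.get("style", "")))
            # Assumption: "same site" is a plain suffix match on the sender's domain.
            third_party = not (host == sender_domain or host.endswith("." + sender_domain))
            reasons = [label for flag, label in (
                (tiny, "one-pixel size"),
                (hidden, "hidden by style"),
                (third_party, "third-party host"),
                (bool(url.query), "identifier-like query string"),
            ) if flag]
            findings.append({
                "host": host,
                "third_party": third_party,
                "likely_bug": tiny or hidden,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_EML):
        verdict = "LIKELY WEB BUG" if f["likely_bug"] else "remote image"
        print(f"{verdict:15} {f['host']:22} {', '.join(f['reasons']) or '-'}")
```

Every remote image, including the visible banner, reveals the reader's IP address when it is loaded, which is why the findings list all of them and not only the hidden ones.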
Law enforcement access. In order for law enforcement officials to gain access to subscriber transactional records, they usually must obtain a court order demonstrating that the records are relevant to an ongoing criminal investigation (Communications Assistance for Law Enforcement Act, 18 USC § 2703(d)). This provision prevents "fishing expeditions" by government officials, hoping to find evidence of crimes by accident. But, as described in Section One above, the USA PATRIOT Act, passed into law in November 2001 in the aftermath of the September 11 terrorist attacks, has weakened these provisions.

Can an online service access information stored in my computer without my knowledge?

Yes. Many of the commercial online services such as AOL automatically download graphics and program upgrades to the user's home computer. The subscriber is notified of these activities. But other intrusions are not so evident. News reports have documented that some services have admitted to both accidental and intentional prying into the memory of personal computers. Companies typically explain that they collect information such as users' hardware, software and usage patterns to provide better customer service. It is difficult to detect these types of intrusions. You should be aware of this potential privacy abuse and investigate new services thoroughly before signing on. Always read the privacy policy and the service agreement of any online service you intend to use.

Can hackers get into my computer?

An increasing number of users are accessing the Internet via high-speed cable modems and telephone-based DSL connections. When you are using a broadband "always-on" service, you are particularly vulnerable to attacks by hackers. You should install a firewall device that monitors your network activity and allows only the activities you have authorized. You should also check with your provider's website for instructions on securing your computer by removing unnecessary services and installing security updates to protect your computer. A free firewall software product is provided by Zonelabs, www.zonelabs.com.

What is spyware and how can I know if it's on my computer?

Spyware is any software or hardware device that reports your activity. "Adware" spyware is installed by software companies as an additional source of income. "Monitoring" spyware was originally intended for parents and employers to monitor computer activity, including file access and keystroke logging, to protect against improper usage by children and employees. "Diagnostic" spyware is used by software companies to log errors and usage habits to improve the next generation of software. The user is usually not aware that spyware has been installed - hence, its name.

What about cybercafes, airports, and other publicly-available Internet terminals?

You should avoid using public terminals to access your bank account, check your credit card statement, pay bills, or access any other personally or financially sensitive information. Publicly-available Internet terminals are not likely to be closely supervised to ensure online privacy and security. They are used by many individuals every day. Ask the company that operates the public terminal how often they check their computers for spyware. Find out if they have installed a program that clears Internet caches, deletes cookies, erases surfing history, and removes temporary files.

What can I do to protect my privacy in cyberspace?

Password change.

Look for the privacy policy of the online services you use. Most Internet Service Providers (ISP) have adopted privacy policies that they post on their web sites and other user documentation. When you surf the web, look for the privacy policies posted on the web sites you visit. Also look for a privacy "seal" such as TRUSTe or BBBOnline.

Check your browser's cookie settings. You may accept or reject all cookies, or you may allow only those cookies generated by the website you are visiting. You may want to set a security level for trusted websites while blocking cookie activity for all others.

Shop around. Investigate new services before using them. Post a question about a new service in a dependable forum or newsgroup. Use a search engine such as http://groups.google.com to find archived discussions and newsgroup postings about the service that you are considering.

Notes of Caution…

Assume that your online communications are not private unless you use encryption software. But most encryption programs are not user-friendly and can be inconvenient to use. If you do not use encryption, at least take the following precautions:

Do not provide sensitive personal information (phone number, password, address, credit card number, Social Security number, your health information, date of birth, vacation dates, etc.) in chat rooms, forum postings, e-mail messages, or in your online biography.

Be cautious of "start-up" software that registers you as a product user and makes an initial connection to the service for you. Typically, these programs require you to provide financial account data or other personal information, and then upload this information automatically to the service. These programs may be able to access records in your computer without your knowledge. Contact the service for alternative subscription methods.

Use a pseudonym and a nondescriptive e-mail address when you participate in public forums. Consider obtaining an e-mail address from one of the free web-based e-mail services such as www.hotmail.com or www.yahoo.com.

The "delete" command does not make your e-mail messages disappear. They can still be retrieved from back-up systems. Software utility programs can retrieve deleted messages from your hard drive. If you are concerned about permanently deleting messages and other files on your program, you should use a file erasing program such as the freeware program at http://cleanup.stevengould.org or the cleanup features of general utility software such as Norton's (http://www.symantec.com/sabu/ncs/) CleanSweep.

Your online biography, if you create one, may be searched system-wide or remotely "fingered" by anyone. If for any reason you need to safeguard your identity, don't create an online "bio." Ask the system operator of your ISP to remove you from its online directory.

If you publish information on a personal web page, note that marketers and others may collect your address, phone number, e-mail address and other information that you provide. If you are concerned about your personal privacy, be discreet in your personal web site.

Be aware that online activities leave electronic footprints for others to see. Your own ISP can determine what search engine terms you use, what web sites you visit, and the dates, times, and durations of your online sessions. Web site operators can often track the activities you engage in by placing "cookies" on your computer. They can learn additional information if they ask you to register on their site. Your web browser also can transmit information to web sites.

"Anonymizing" services

Take advantage of privacy protection tools, often called privacy-enhancing technologies (PET). Discussed here are encryption, anonymous remailers, anonymous surfing services, and storage protection software.

Encryption programs such as PGP (Pretty Good Privacy) are available online.

Anonymous remailers. It is relatively easy to determine the name and e-mail address of anyone who sends e-mail or who posts messages on public forums. Anonymous remailers are intermediaries that receive e-mail, strip off all identifying information, then forward the mail to the appropriate address.

Anonymous surfing services. By combining the functions of remailers, disposable e-mail addresses, and proxy servers, these ISP services mask your identity by acting as an agent to transfer data between an Internet website and your browser.

Storage security and protection software. Software security programs help prevent unauthorized access to files on your personal computer. For example, one program encrypts every directory with a different password so only the person who knows the password can open it. These programs may include an "audit trail" that records all activity on the computer's drives. Steganos Security Suite is an example, at www.steganos.com/en/sss/features.htm

Additional information

Several public interest groups have sponsored the online Computer Privacy Guide at www.consumerprivacyguide.org. This site offers extensive tips, a glossary of terms, and video tutorials with step-by-step instructions on how to take advantage of privacy settings for the programs you use online.

Cookies. To learn more about cookie blockers and other types of online filters, visit www.junkbusters.com, www.consumerprivacyguide.org, www.cookiecentral.com, and www.spamblocked.com/proxomitron.

Demonstration. To see a demonstration of the kind of information that can be captured about your computer via your browser when you surf the web, visit www.privacy.net/analyze.

Privacy-enhancing technologies. The EPIC web site provides a section on software products that you can use to add extra layers of protection when you surf the web, www.epic.org/privacy/tools.html. Also, visit the Privacy Links page of the Privacy Rights Clearinghouse for more software tools and products, www.privacyrights.org/links.htm.

Spam. Find tips on how to reduce unsolicited e-mail messages at www.spamcop.net or www.stop-spam.org. To learn about state spam laws, go to www.spamlaws.com.
Privacy in the workplace

Federal law, which regulates phone calls with persons outside the state, does allow unannounced monitoring for business-related calls. (See Electronic Communications Privacy Act, 18 USC 2510, et. seq., www.law.cornell.edu/uscode.) An important exception is made for personal calls. Under federal case law, when an employer realizes the call is personal, he or she must immediately stop monitoring the call. (Watkins v. L.M. Berry & Co., 704 F.2d 577, 583 (11th Cir. 1983)) However, when employees are told not to make personal calls from specified business phones, the employee then takes the risk that calls on those phones may be monitored.

In Smyth v. Pillsbury, the employee's termination was upheld by the court, even though the company had a policy of allowing e-mail use for personal communications. In this case, the employee had sent messages to co-workers that were deemed highly inappropriate for workplace communications. (Smyth v. Pillsbury, C.A. NO. 95-5712, U.S. District Court for the Eastern District of Pennsylvania, Jan. 18, 1996, Decided, Jan. 23, 1996, Filed. www.Loundy.com/CASES/Smyth_v_Pillsbury.html)

Children's privacy on the Internet

Studies by the Federal Trade Commission and public interest groups in the mid-1990s revealed that commercial web sites aimed at children were collecting a significant amount of personal information and targeting them with advertising. In 1998 Congress passed the Children's Online Privacy Protection Act (COPPA), which took effect in April of 2000. (15 U.S.C. 6501, or 16 C.F.R §312, www.ftc.gov/ogc/coppa1.htm)

COPPA covers web sites that are developed expressly for children. But it also covers any online service which has knowledge that it collects information from children. This includes sites that allow children to use interactive communication tools. So, even if the site is not collecting information about children, if a child's personal information can be made public on the site (such as through IM instant messaging or a message board), and the site has knowledge of this, it may be held liable under COPPA.

COPPA - salient features

COPPA requires that web sites and online services directed to children under age 13 must:

* Post a clearly written privacy policy with links to the notice provided on the home page and at each area where the site or online service collects personal information from children.
* Describe the kinds of information collected from children, for example, name, address, e-mail address, hobbies, and age (note, this requirement applies to all information, not just "personal information").
* Explain how the information is collected - whether directly from the child and/or behind the scenes through cookies (explained below).
* Explain how the web site operator uses the personal information (marketing to the child? notifying contest members?), and whether it is disclosed to third parties.
* Provide parents with contact information - address, phone number, and e-mail address - for all operators collecting or maintaining children's personal information.
* Obtain parental consent before collecting, using, or disclosing personal information about a child.
* Provide parents with the ability to review, correct, and delete information about their children collected by such services.
* Maintain reasonable procedures "to protect the confidentiality, security, and integrity of personal information collected from children."

Further, web sites cannot require a child to provide personal information as a condition of participating in online games, contests, or other activities when it is not necessary to do so.

The Federal Trade Commission oversees the implementation of this law. Its web site provides extensive information on COPPA: FTC's FAQ on COPPA, www.ftc.gov/privacy/coppafaqs.htm

Several software programs can also be used to block the outgoing transmission of children's personally identifying information, such as names, addresses, and telephone numbers. These programs can also block the use of online chat systems and instant messaging (IM). Parental control software packages include CyberPatrol, CyberSitter, and NetNanny.

The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), effective January 2004, contains provisions which may help parents concerned by the amount of inappropriate e-mail their children receive. The law is primarily aimed at eliminating deceptive unsolicited commercial e-mail, but also addresses the problem of sexually oriented unsolicited e-mail. The Act requires that any e-mail messages which contain sexually explicit material must be labeled in the subject line with an abbreviation or marking. On May 19, 2004, the Federal Trade Commission (FTC) began requiring all commercial e-mail containing sexually-oriented content to have the label "SEXUALLY-EXPLICIT" in the e-mail's subject line. E-mails found to be in violation of this rule face civil lawsuits with civil and criminal penalties including imprisonment and penalties up to $500,000 (see http://www.ftc.gov/opa/2004/05/sexexplicit.htm). In turn, concerned parents can use filtering techniques to block e-mail that contains the required text.

What is the debate about filtering software?

The filtering debate revolves around the First Amendment. Those who support mandated filtering in schools and libraries want to prevent children from encountering harmful material online. Critics of filtering are concerned about censorship of political, social and business viewpoints by the software developers. In addition, some critics believe young people should have rights to privacy, especially those in their mid- to late-teens.

Congress has weighed in on this issue. It passed the Children's Internet Protection Act (CIPA) in 2000. In May 2002 a federal court struck down the rules on First Amendment grounds, stating that the programs blocked too much as well as too little. The U.S. District Court for the Eastern District of Pennsylvania noted that web filters had erroneously labeled as adult material the web sites of orphanages, political candidates, and churches. The American Library Association, the American Civil Liberties Union, and the conservative Free Congress Foundation were among the organizations bringing the suit. But on June 23, 2003, the Supreme Court reviewed the federal court's decision and reversed it, reinstating the requirements of CIPA.

Another law, the Child Online Protection Act (COPA), was also challenged by the ACLU, the American Library Association, EPIC, and other free speech advocates. COPA was struck down for the second time by the Third Circuit Court of Appeals in March 2003. The Court found that the law, by requiring commercial web sites to obtain proof of age before delivering material which might be harmful to minors, imposed too much of a burden on adults who were trying to access material protected by the First Amendment. Passed in 1998, COPA has never been enforced due to injunctions and lower court rulings won by the ACLU on behalf of 17 plaintiffs.

On June 29, 2004, the Supreme Court upheld the earlier court decision blocking enforcement of COPA by the U.S. Department of Justice. The Court found that the government has not shown that there are no "less restrictive alternatives" to COPA, for example, filters, and that "there is a potential for extraordinary harm and a serious chill upon protected speech" if the law goes into effect. The ruling enables the trial to go forward in federal district court in Philadelphia. The Electronic Privacy Information Center maintains a resource on COPA (including the text of the act), at www.epic.org/free_speech/copa.
What should be included in the privacy policy? When creating a privacy policy, you should be as accurate as possible. Privacy policies should state what type of information is collected as well as who will have access to the information. There are several different types of information that your web site can collect from its visitors, including the Internet Protocol (IP) addresses of web users, their browser information, and information obtained via cookies. Your organization should carefully consider whether it wishes to employ capabilities such as cookies. Such information does not necessarily identify visitors by name. Nonetheless, you should explain how you use such data, if at all. If you plan to use cookies or other information-gathering techniques, you should explain this in your privacy policy. Be sure to list what types of information your organization collects and exactly what it is used for. Explain if information is collected automatically from all visitors or only from specific users. For example, a site may collect information about viewers who reach the site through a specific link, but not through other channels. If your organization does not use cookies and collects no personal information from web visitors, explain this in your privacy policy too. If you obtain personally identifiable information through online application forms, online surveys, interest lists, inquiry forms, and e-mail subscription forms, your policy must also describe what you use that information for, how long it is retained, how it can be updated or removed, and how it is protected from illegitimate access. Your policy should explain who will have access to any information that is collected such as your web site administrator, organization staff, and board members. The policy should explain if information is shared with third parties or other members and for what purpose or under what circumstances. 
Providing those who give personal information the opportunity to opt in to the sharing of their information with third parties is a "best practice" that allows them to better control how their information is distributed. Your policy should note whom visitors can contact with privacy concerns and how long it usually takes your organization to comply with a request for information removal. And don't forget to explain how individuals can access the information that you keep about them. These are the basic elements of a good privacy policy, one that is specific to your web site. As we explained above, we advise that you adopt an overall privacy policy for the entire organization and all of its information-gathering functions, not just your web site. The larger policy will include information about how you handle paper and printed files in your office and whether you rent or sell your mailing list to other organizations Are there any privacy laws about handling personal information online? California computer security breach law. California has a law that affects any company, organization, or government agency that believes its electronic data files with personal information about Californians may have been compromised. In such cases, the organization must send those who are affected a notice about the security breach (California Civil Code Sections 1798.29 and 1798.82-1798.84). The California Office of Privacy Protection (OPP) offers information and recommendations about this law at www.privacy.ca.gov/recommendations/secbreach .pdf. California Online Privacy Protection Act. The more commercial your site, the more likely it will be subject to laws aimed at commercial sites. For example, California's Online Privacy Protection Act covers anyone who collects information via its web site from residents of California, including businesses that do not physically reside in California. 
This Act goes into effect on July 1, 2004, and requires commercial web sites that collect personally identifiable information about individuals residing in California to conspicuously post its privacy policy on its web site. (California Business and Professions Code, Section 22575) (Part 10, Resources).The law requires commercial web sites to include four things in their privacy policy: The type of information that is collected and with whom the information may be shared. Whether or not subjects may review and update and/or change the information after it has been collected. A description of the way in which the operator will notify persons when it makes any change to its privacy policy. The date the policy is in effect. Federal Trade Commission Act. The Federal Trade Commission Act covers all business' unfair trade practices but generally does not cover actions of non-profit organizations, However, a recent Supreme Court decision found that where there is substantial economic benefit to its members, the site may be deemed commercial and governed by the Federal Trade Commission Act (15 USC 45). (FTC v. California Dental Association 526 U.S. 756 (1999)) Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail San Diego, CA, April 6, 2004 (Updated April 19) -- The World Privacy Forum and 30 other privacy and civil liberties organizations have written a letter calling upon Google to suspend its Gmail service until the privacy issues are adequately addressed. The letter also calls upon Google to clarify its written information policies regarding data retention and data sharing among its business units. The 31 organizations are voicing their concerns about Google’s plan to scan the text of all incoming messages for the purposes of ad placement, noting that the scanning of confidential email for inserting third party ad content violates the implicit trust of an email service provider. 
The scanning creates lower expectations of privacy in the email medium and may establish dangerous precedents. Other concerns include the unlimited period for data retention that Google’s current policies allow, and the potential for unintended secondary uses of the information Gmail will collect and store.

Phishing and privacy

For a demonstration of how a real phishing scheme works, visit www.identitytheftsecrets.com. The Privacy Rights Clearinghouse (PRC) is warning consumers about another form of fraud that can happen when online users reply to phishing emails. The personal information they provide might be used to register web site domains that bilk unwitting online users out of funds they believe are being used for legitimate transactions.

DATA PROFILING

Description of issue. As we make our way through everyday life, data is collected from each of us, frequently without our consent and often without our realization. We pay our bills with credit cards and leave a data trail consisting of purchase amount, purchase type, date, and time. Data is collected when we pay by check. Our use of supermarket discount cards creates a comprehensive database of everything we buy. When our car, equipped with a radio transponder, passes through an electronic toll booth, our account is debited and a record is created of the location, date, time, and account identification. We leave a significant data trail when we surf the Internet and visit websites. When we subscribe to a magazine, sign up for a book or music club, join a professional association, fill out a warranty card, give money to charities, donate to a political candidate, tithe to our church or synagogue, invest in mutual funds, when we make a telephone call, when we interact with a government agency ... with all of these transactions we leave a data trail that is stored in a computer.
Legal instruments/Guidelines on data protection
OECD Guidelines on Protection of Privacy and Transborder Flow of Personal Data (1980)
Council of Europe Convention for Protection of Individuals with Regard to Automatic Processing of Personal Data (1981)
European Union Data Protection Directive (1995)

Right to privacy: legal instruments
Constitution of India, Article 19(1)(a) and 21
IT Act, 2000
Chapter V, Secure electronic records and secure digital signatures
14 Secure electronic record
15 Secure digital signature
16 Security procedure

Section 72. Breach of confidentiality and privacy.- Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Section 43, IT Act, 2000
43. Penalty for damage to computer, computer system, etc.- If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, -
accesses or secures access to such computer, computer system or computer network;
downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Explanation to Section 43, IT Act, 2000
Explanation.- For the purposes of this section,
(i) "computer contaminant" means any set of computer instructions that are designed (a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;
(ii) "computer database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
(iii) "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;
(iv) "damage" means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means.

Section 65, IT Act, 2000
65. Tampering with computer source documents. Whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation - For the purposes of this section, "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 66, IT Act, 2000
66. Hacking with Computer System.
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Proposed changes in IT Act, 2000
Proposal at Sec. 43(2) related to handling of sensitive personal data or information with reasonable security practices and procedures thereto.
Gradation of severity of computer-related offences under Section 66, committed dishonestly or fraudulently, and punishment thereof.
Proposed additional Section 72(2) for breach of confidentiality with intent to cause injury to a subscriber.
Section 67, related to obscenity in electronic form, has been revised to bring it in line with the IPC and other laws, but the fine has been increased because of the ease of such operation in electronic form; a link-up with Section 79 w.r.t. liability of intermediary in certain cases has been provided.
A new Section 67(2) has been added to address child pornography, a globally accepted offense, with higher punishment.
A new phenomenon of video voyeurism has emerged in recent times, where images of the private area of an individual are captured without his knowledge and then transmitted widely without his consent, thus violating privacy rights. This has been specifically addressed in a new proposed sub-section 72(3).
A new Section 68(A) has been proposed for providing modes and methods for encryption for secure use of the electronic medium, as recommended by the earlier Inter Ministerial Working Group on Cyber Laws & Cyber Forensics (IMWG).
A new Section 78 A (Examiners of Electronic Evidence) has been added to notify the examiners of electronic evidence by the Central Government. This will help the Judiciary/Adjudicating officers in handling technical issues.
Section 69, related to power to issue directions for interception or monitoring or decryption of any information through any computer resource, has been amended