PRIVACY & THE INTERNET
ILI/Lecture - Cyberlaws - 27 Jan06
By Karnika Seth, Partner
Seth Associates
For queries you may write in at
[email protected]
What are "online communications?"

"Online communications" are communications over telephone,
cable networks, or wireless systems using computers. Examples of
online communications include connecting to the Internet through
an Internet Service Provider (ISP) such as America Online or
Earthlink, or accessing the Internet from a public library or
community computer center. Mobile access to the Internet is
increasing via hand-held PDAs, pagers, and other devices.

The Internet raises some unique privacy concerns. Information
sent over this vast global network may pass through dozens of
different computer systems on the way to its destination. Each of
these systems is operated by its own administrator and may be
capable of capturing and storing online communications.
Furthermore, your online activities can potentially be monitored
by your Internet Service Provider (ISP) and by web sites that you
visit.
Issues of privacy concern…

Personal privacy rights of individuals/entities
Informational/database protection
Government regulation & surveillance
Workplace privacy
Children's online privacy
Freedom of speech & expression
Anonymity online
Phishing
Privacy encryption methods, spyware, filtering tools, spam…

There are virtually no online activities or services that
guarantee absolute privacy.



Public Activities
Many online activities are open to public inspection.
Engaging in these types of activities does not normally
create an expectation of privacy. In fact, according to
federal law, it is not illegal for anyone to view or disclose an
electronic communication if the communication is "readily
accessible" to the public (Electronic Communications
Privacy Act, 18 USC § 2511(2)(g)(I)).
Newsgroups. For example, a message you post to a public
newsgroup or forum is available for anyone to view, copy,
and store. In addition, your name, electronic mail (e-mail)
address, and information about your service provider are
usually available for inspection as part of the message
itself.

Listserves. Other public activities may allow your message to be sent to
multiple recipients. Online newsletters and "listserves" are sent to a
mailing list of subscribers. If you wish to privately reply to an individual
who has posted a message in an online newsletter or listserve, be sure
you address it specifically to that person's address, not to the newsletter
address.

Subscriber directories. You should not assume that your service account
information will be kept private. Most ISPs provide online member
directories that publicly list all subscribers to the service. Some of these
directories may list additional personal information. Most service providers
will allow users to remove their information from these directories upon
request. Be aware that some service providers may sell their membership
lists to direct marketers.

Domain registration. Many individuals obtain their own website name,
called domain names, for example, www.XYZfamily.org. Domain
registrations are public information. Anyone can look up the owner of a
domain name online by using a service such as www.checkdomain.com or
www.internic.net/whois.html.
"Semi-Private" Activities


The presence of security or access safeguards on forums or
services can lead you to believe that communications made
within these services are private. Some forums are
restricted to users who have a password. While
communications made in these forums may initially be read
only by the members with access, there is nothing
preventing those members from recording the
communications and later transmitting them elsewhere.
One example of this kind of activity is the real-time "chat"
conference, in which participants type live messages
directly to the computer screens of other participants. Often
these activities are described as "private" by the service
provider. However, chat room users may capture, store, and
transmit these communications to others outside the chat
service.
"Private" Services



Virtually all online services offer some sort of "private" activity that allows subscribers to send
personal e-mail messages to others. The federal Electronic Communications Privacy Act (ECPA)
makes it unlawful under certain circumstances for someone to read or disclose the contents of an
electronic communication (18 USC § 2511). This law applies to e-mail messages.
But, ECPA is a complicated law and contains many exceptions. It makes a distinction between
messages in transit and those stored on computers. Stored messages are generally given less
protection than those intercepted during transmission. Here are some exceptions to the ECPA:
The online service may view private e-mail if it suspects the sender is attempting to damage the
system or harm another user. However, random monitoring of e-mail is generally prohibited.

The service may legally view and disclose private e-mail if either the sender or the recipient of the
message consents to the inspection or disclosure. Many ISPs require a consent agreement from
new members when signing up for the service.

If the e-mail system is owned by an employer, the employer may inspect the contents of employee
e-mail on the system. Therefore, any e-mail sent from a business location is probably not private.
Several court cases have determined that employers have a right to monitor e-mail messages of
their employees.
Services may be required to disclose private information in response to a court order or subpoena.


The USA PATRIOT Act, passed by Congress after the terrorist attacks of September 11, 2001,
reduces the checks and balances of ECPA regarding law enforcement access to records about online
activity. And it expands the types of records that can be sought without a court order.
Can online services track and record my
activity?



Yes. Many people expect that their online activities are
anonymous. They are not. It is possible to record virtually all
online activities, including which newsgroups or files a subscriber
accesses and which web sites are visited. This information can be
collected by a subscriber's own ISP and by web site operators.
Cookies. When you "surf" the web, many web sites deposit data
about your visit, called "cookies," on your hard drive. When you
return to that site, the cookie data will reveal that you've been
there before. The web site might offer you products or ads
tailored to your interests, based on the contents of the cookie
data.
Most cookies are used only by the web site that placed them on your
computer. But some, called third-party cookies, communicate data
about you to an advertising clearinghouse which in turn shares
that data with other online marketers. Your web browser and
some software products enable you to detect and delete cookies,
including third-party cookies.



Web Bugs. A web bug is a graphic in a web site or an "enhanced"
e-mail message that enables a third party to monitor who is
reading the page or message. The graphic may be a standard size
image that is easily seen, or it may be a nearly invisible one-pixel
graphic. E-mail messages that include graphic displays like web
sites are known as enhanced messages, also called stylized or
HTML e-mail. The web bug can confirm when the message or web
page is viewed and record the IP address of the viewer.
You can defeat web-bugs by reading your email while offline, an
option on most email programs. You can also install a software
program that detects web bugs.
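The detection idea in the web-bug paragraph above, as an added example that is not part of the original lecture: a Python script that lists the remote images in an HTML e-mail and marks the one-pixel or hidden ones as likely web bugs. The sample message, its hosts and all function names are constructed for illustration, and the "same site" test is a labelled simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: every host, address and id is a placeholder.
SAMPLE_EMAIL = """\
From: Shop News <news@shop.example>
To: reader@mail.example
Subject: Weekly offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="https://shop.example/banner.png" width="600" height="120">
<img src="http://track.adnet.example/open.gif?uid=12345" width="1" height="1">
<img src="http://stats.adnet.example/p.gif?m=abc" style="display:none">
<img src="cid:logo123" width="1" height="1">
</body></html>
"""

# width/height attribute of 0 or 1 pixel
_TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)
# inline CSS that hides the image or shrinks it to 0/1 pixel
_HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*[01]px",
    re.I,
)


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _site(host):
    # Assumption: the last two DNS labels approximate the registrable domain.
    # A production tool would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])


def _html_bodies(msg):
    """Yield the decoded text of every text/html part of the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def scan_email(raw_message):
    """Return one finding per remotely fetched image in the message."""
    msg = message_from_string(raw_message)
    sender_site = _site(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    findings = []
    for html in _html_bodies(msg):
        collector = _ImgCollector()
        collector.feed(html)
        for attrs in collector.images:
            src = attrs.get("src", "")
            url = urlsplit(src)
            # cid: and data: images travel inside the message, so displaying
            # them contacts no server; only network fetches can report a view.
            remote = url.scheme in ("http", "https") or (
                not url.scheme and url.netloc
            )
            if not remote:
                continue
            host = url.hostname or ""
            tiny = bool(
                _TINY.match(attrs.get("width", ""))
                or _TINY.match(attrs.get("height", ""))
            )
            hidden = bool(_HIDDEN.search(attrs.get("style", "")))
            findings.append({
                "url": src,
                "host": host,
                "third_party": _site(host) != sender_site,
                "likely_web_bug": tiny or hidden,
            })
    return findings


if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        label = "LIKELY WEB BUG" if f["likely_web_bug"] else "remote image"
        party = "third-party" if f["third_party"] else "sender's site"
        print(f"{label:15} {party:14} {f['url']}")
```

Every remote image, flagged or not, discloses the reader's IP address and the time of viewing when it is fetched, which is why reading mail offline or with remote images disabled defeats the technique.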
Marketing uses and "spam." Records of browsing patterns are
a potentially valuable source of revenue for online services and
commercial web site operators. Direct marketers can use such
data to develop targeted lists of online users with similar likes and
behaviors. Such data can also lead to unsolicited e-mail, known as
"spam."
Browsers


It's important to be aware of the information transmitted to
remote computers by the software you use to browse web
sites. The major browsers are Netscape Navigator and
Microsoft Internet Explorer. Internet Explorer has P3P
(Platform for Privacy Preferences).
Most web browsers invisibly provide web site operators with
information about your ISP as well as information about
other web sites you have visited. Some web browsers,
particularly if they have not been updated with security
fixes, may be tricked into reporting the user's default e-mail
address, phone number, and other information in the
"address book" if the browser also handles your e-mail.



Privacy policies and web seals. The Federal Trade Commission
urges commercial web site operators to spell out their information
collection practices in privacy policies posted on their web sites.
Most commercial web sites now post policies about their
information-collection practices. Look for a privacy "seal of
approval," such as TRUSTe (www.truste.org), on the first page of
the web site. TRUSTe participants agree to post their privacy
policies and submit to audits of their privacy practices in order to
display the logo.
Other seals of approval are offered by the Council of Better
Business Bureaus (BBB), www.bbbonline.org, the American
Institute of Certified Public Accountants, WebTrust,
www.cpawebtrust.org, and the Entertainment Software Rating
Board, www.esrb.org/privacy.
Workplace monitoring. Individuals who access the Internet
from work should know that employers are increasingly
monitoring the Internet sites that an employee visits. Be sure to
inquire about your employer's online privacy policy.

Law enforcement access. In order for law
enforcement officials to gain access to subscriber
transactional records, they usually must obtain a
court order demonstrating that the records are
relevant to an ongoing criminal investigation
(Communications Assistance for Law Enforcement
Act, 18 USC § 2703(d)). This provision prevents
"fishing expeditions" by government officials,
hoping to find evidence of crimes by accident.
But, as described in Section One above, the USA
PATRIOT Act, passed into law in November 2001
in the aftermath of the September 11 terrorist
attacks, has weakened these provisions.
Can an online service access information
stored in my computer without my
knowledge?


Yes. Many of the commercial online services such as AOL
automatically download graphics and program upgrades to
the user's home computer. The subscriber is notified of
these activities. But other intrusions are not so evident.
News reports have documented that some services have
admitted to both accidental and intentional prying into the
memory of personal computers. Companies typically
explain that they collect information such as users'
hardware, software and usage patterns to provide better
customer service.
It is difficult to detect these types of intrusions. You should
be aware of this potential privacy abuse and investigate
new services thoroughly before signing on. Always read the
privacy policy and the service agreement of any online
service you intend to use.
Can hackers get into my computer?

An increasing number of users are accessing the
Internet via high-speed cable modems and
telephone-based DSL connections. When you are
using a broadband "always-on" service, you are
particularly vulnerable to attacks by hackers. You
should install a firewall device that monitors your
network activity and allows only the activities you
have authorized. You should also check with your
provider's website for instructions on securing
your computer by removing unnecessary services
and installing security updates to protect your
computer. A free firewall software product is
provided by Zonelabs, www.zonelabs.com.
What is spyware and how can I know
if it's on my computer?



Spyware is any software or hardware device that
reports your activity. "Adware" spyware is
installed by software companies as an additional
source of income. "Monitoring" spyware was
originally intended for parents and employers to
monitor computer activity, including file access
and keystroke logging, to protect against
improper usage by children and employees.
"Diagnostic" spyware is used by software
companies to log errors and usage habits to
improve the next generation of software.
The user is usually not aware that spyware has
been installed, hence its name.
What about cybercafes, airports, and other publicly-available
Internet terminals?


You should avoid using public terminals to access
your bank account, check your credit card
statement, pay bills, or access any other
personally or financially sensitive information.
Publicly-available Internet terminals are not likely
to be closely supervised to ensure online privacy
and security. They are used by many individuals
every day. Ask the company that operates the
public terminal how often they check their
computers for spyware.
Find out if they have installed a program that
clears Internet caches, deletes cookies, erases
surfing history, and removes temporary files.
What can I do to protect my privacy
in cyberspace?




password change
Look for the privacy policy of the online services you use. Most
Internet Service Providers (ISP) have adopted privacy policies that
they post on their web sites and other user documentation. When
you surf the web, look for the privacy policies posted on the web
sites you visit. Also look for a privacy "seal" such as TRUSTe or
BBBOnline.
Check your browser's cookie settings. You may accept or reject
all cookies, or you may allow only those cookies generated by the
website you are visiting. You may want to set a security level for
trusted websites while blocking cookie activity for all others.
Shop around. Investigate new services before using them. Post a
question about a new service in a dependable forum or
newsgroup. Use a search engine such as
http://groups.google.com to find archived discussions and
newsgroup postings about the service that you are considering.
Notes of Caution…



Assume that your online communications are not private unless
you use encryption software. But most encryption programs are
not user-friendly and can be inconvenient to use. If you do not
use encryption, at least take the following precautions: Do not
provide sensitive personal information (phone number, password,
address, credit card number, Social Security number, your health
information, date of birth, vacation dates, etc.) in chat rooms,
forum postings, e-mail messages, or in your online biography.
Be cautious of "start-up" software that registers you as a
product user and makes an initial connection to the service for
you. Typically, these programs require you to provide financial
account data or other personal information, and then upload this
information automatically to the service. These programs may be
able to access records in your computer without your knowledge.
Contact the service for alternative subscription methods.
Use a pseudonym and a nondescriptive e-mail address when you
participate in public forums. Consider obtaining an e-mail address
from one of the free web-based e-mail services such as
www.hotmail.com or www.yahoo.com.




The "delete" command does not make your e-mail messages disappear. They can
still be retrieved from back-up systems. Software utility programs can retrieve
deleted messages from your hard drive. If you are concerned about permanently
deleting messages and other files on your program, you should use a file erasing
program such as the freeware program at http://cleanup.stevengould.org or the
cleanup features of general utility software such as Norton's CleanSweep
(http://www.symantec.com/sabu/ncs/).
Your online biography, if you create one, may be searched system-wide or
remotely "fingered" by anyone. If for any reason you need to safeguard your identity,
don't create an online "bio." Ask the system operator of your ISP to remove you from
its online directory.
If you publish information on a personal web page, note that marketers and others
may collect your address, phone number, e-mail address and other information that
you provide. If you are concerned about your personal privacy, be discreet in your
personal web site.
Be aware that online activities leave electronic footprints for others to see. Your
own ISP can determine what search engine terms you use, what web sites you visit,
and the dates, times, and durations of your online sessions. Web site operators can
often track the activities you engage in by placing "cookies" on your computer. They
can learn additional information if they ask you to register on their site. Your web
browser also can transmit information to web sites.
"anonymizing" services





Take advantage of privacy protection tools, often called privacy-enhancing
technologies (PET). Discussed here are encryption, anonymous
remailers, anonymous surfing services, and storage protection
software.
Encryption programs such as PGP (Pretty Good Privacy) are available
online.
Anonymous remailers. It is relatively easy to determine the name and
e-mail address of anyone who sends e-mail or who posts messages on
public forums. Anonymous remailers are intermediaries that receive
e-mail, strip off all identifying information, then forward the mail to the
appropriate address.
Anonymous surfing services. By combining the functions of remailers,
disposable email addresses, and proxy servers, these ISP services mask
your identity by acting as an agent to transfer data between an Internet
website and your browser.
Storage security and protection software. Software security programs
help prevent unauthorized access to files on your personal computer. For
example, one program encrypts every directory with a different password
so only the person who knows the password can open it. These programs
may include an "audit trail" that records all activity on the computer's
drives. Steganos Security Suite is an example, at
www.steganos.com/en/sss/features.htm
Additional information





Several public interest groups have sponsored the online Computer
Privacy Guide at www.consumerprivacyguide.org. This site offers
extensive tips, a glossary of terms, and video tutorials with step-by-step
instructions on how to take advantage of privacy settings for the programs
you use online.
Cookies. To learn more about cookie blockers and other types of online
filters, visit www.junkbusters.com, www.consumerprivacyguide.org,
www.cookiecentral.com, and www.spamblocked.com/proxomitron.
Demonstration. To see a demonstration of the kind of information that
can be captured about your computer via your browser when you surf the
web, visit www.privacy.net/analyze.
Privacy-enhancing technologies. The EPIC web site provides a section
on software products that you can use to add extra layers of protection
when you surf the web, www.epic.org/privacy/tools.html. Also, visit the
Privacy Links page of the Privacy Rights Clearinghouse for more software
tools and products, www.privacyrights.org/links.htm.
Spam. Find tips on how to reduce unsolicited e-mail messages at
www.spamcop.net or www.stop-spam.org. To learn about state spam
laws, go to www.spamlaws.com.
Privacy in the workplace


Federal law, which regulates phone calls with persons outside the
state, does allow unannounced monitoring for business-related
calls. (See Electronic Communications Privacy Act, 18 USC 2510,
et seq., www.law.cornell.edu/uscode.) An important exception is
made for personal calls. Under federal case law, when an
employer realizes the call is personal, he or she must immediately
stop monitoring the call. (Watkins v. L.M. Berry & Co., 704
F.2d 577, 583 (11th Cir. 1983)) However, when employees are
told not to make personal calls from specified business phones,
the employee then takes the risk that calls on those phones may
be monitored.
In Smyth v. Pillsbury, the employee's termination was upheld by
the court, even though the company had a policy of allowing
e-mail use for personal communications. In this case, the employee
had sent messages to co-workers that were deemed highly
inappropriate for workplace communications. (Smyth v. Pillsbury,
C.A. NO. 95-5712, U.S. District Court for the Eastern District of
Pennsylvania, Jan. 18, 1996, Decided, Jan. 23, 1996, Filed.
www.Loundy.com/CASES/Smyth_v_Pillsbury.html)
Children's privacy on the Internet

Studies by the Federal Trade Commission and public interest
groups in the mid-1990s revealed that commercial web sites
aimed at children were collecting a significant amount of personal
information and targeting them with advertising. In 1998
Congress passed the Children's Online Privacy Protection Act
(COPPA), which took effect in April of 2000. (15 U.S.C. 6501, or
16 C.F.R §312, www.ftc.gov/ogc/coppa1.htm)

COPPA covers web sites that are developed expressly for children.
But it also covers any online service which has knowledge that it
collects information from children. This includes sites that allow
children to use interactive communication tools. So, even if the
site is not collecting information about children, if a child's
personal information can be made public on the site (such as
through IM instant messaging or a message board), and the site
has knowledge of this, it may be held liable under COPPA.
COPPA: salient features












COPPA requires that web sites and online services directed to children under age 13
must:
Post a clearly written privacy policy with links to the notice provided on the home page and at each
area where the site or online service collects personal information from children.
Describe the kinds of information collected from children, for example, name, address, e-mail
address, hobbies, and age (note, this requirement applies to all information, not just "personal
information").
Explain how the information is collected - whether directly from the child and/or behind the scenes
through cookies (explained below).
Explain how the web site operator uses the personal information (marketing to the child? notifying
contest members?), and whether it is disclosed to third parties.
Provide parents with contact information - address, phone number, and e-mail address - for all
operators collecting or maintaining children's personal information.
Obtain parental consent before collecting, using, or disclosing personal information about a child.
Provide parents with the ability to review, correct, and delete information about their children
collected by such services.
Maintain reasonable procedures "to protect the confidentiality, security, and integrity of personal
information collected from children."
Further, web sites cannot require a child to provide personal information as a condition of
participating in online games, contests, or other activities when it is not necessary to do so.
The Federal Trade Commission oversees the implementation of this law. Its web site provides
extensive information on COPPA:
FTC's FAQ on COPPA, www.ftc.gov/privacy/coppafaqs.htm



Several software programs can also be used to block the outgoing
transmission of children's personally identifying information, such as
names, addresses, and telephone numbers. These programs can also
block the use of online chat systems and instant messaging (IM). Parental
control software packages include CyberPatrol, CyberSitter, and NetNanny.
The CAN-SPAM Act (Controlling the Assault of Non-Solicited
Pornography and Marketing Act of 2003), effective January 2004,
contains provisions which may help parents concerned by the amount of
inappropriate e-mail their children receive. The law is primarily aimed at
eliminating deceptive unsolicited commercial e-mail, but also addresses
the problem of sexually oriented unsolicited e-mail.
The Act requires that any e-mail messages which contain sexually explicit
material must be labeled in the subject line with an abbreviation or
marking. On May 19, 2004, the Federal Trade Commission (FTC) began
requiring all commercial e-mail containing sexually-oriented content to
have the label "SEXUALLY-EXPLICIT" in the e-mail's subject line. E-mails
found to be in violation of this rule face civil lawsuits with civil and criminal
penalties including imprisonment and penalties up to $500,000 (see
http://www.ftc.gov/opa/2004/05/sexexplicit.htm). In turn, concerned
parents can use filtering techniques to block e-mail that contains the
required text.
What is the debate about filtering software?




The filtering debate revolves around the First Amendment. Those who
support mandated filtering in schools and libraries want to prevent
children from encountering harmful material online. Critics of filtering are
concerned about censorship of political, social and business viewpoints by
the software developers. In addition, some critics believe young people
should have rights to privacy, especially those in their mid- to late-teens.
Congress has weighed in on this issue. It passed the Children's Internet
Protection Act (CIPA) in 2000,
In May 2002 a federal court struck down the rules on First Amendment
grounds, stating that the programs blocked too much as well as too little.
The U.S. District Court for the Eastern District of Pennsylvania noted that
web filters had erroneously labeled as adult material the web sites of
orphanages, political candidates, and churches. The American Library
Association, the American Civil Liberties Union, and the conservative Free
Congress Foundation were among the organizations bringing the suit.
But on June 23, 2003, the Supreme Court reviewed the federal court's
decision and reversed it, reinstating the requirements of CIPA.



Another law, the Child Online Protection Act (COPA), was also challenged
by the ACLU, the American Library Association, EPIC, and other free
speech advocates. COPA was struck down for the second time by the Third
Circuit Court of Appeals in March 2003. The Court found that the law, by
requiring commercial web sites to obtain proof of age before delivering
material which might be harmful to minors, imposed too much of a burden
on adults who were trying to access material protected by the First
Amendment. Passed in 1998, COPA has never been enforced due to
injunctions and lower court rulings won by the ACLU on behalf of 17
plaintiffs.
On June 29, 2004, the Supreme Court upheld the earlier court decision
blocking enforcement of COPA by the U.S. Department of Justice. The
Court found that the government has not shown that there are no "less
restrictive alternatives" to COPA, for example, filters, and that "there is a
potential for extraordinary harm and a serious chill upon protected
speech" if the law goes into effect. The ruling enables the trial to go
forward in federal district court in Philadelphia.
The Electronic Privacy Information Center maintains a resource on COPA
(including the text of the act), at www.epic.org/free_speech/copa.
What should be included in the
privacy policy?




When creating a privacy policy, you should be as accurate as possible.
Privacy policies should state what type of information is collected as well
as who will have access to the information.
There are several different types of information that your web site can
collect from its visitors, including the Internet Protocol (IP) addresses of
web users, their browser information, and information obtained via
cookies. Your organization should carefully consider whether it wishes to
employ capabilities such as cookies. Such information does not necessarily
identify visitors by name. Nonetheless, you should explain how you use
such data, if at all.
If you plan to use cookies or other information-gathering techniques, you
should explain this in your privacy policy. Be sure to list what types of
information your organization collects and exactly what it is used for.
Explain if information is collected automatically from all visitors or only
from specific users.
For example, a site may collect information about viewers who reach the
site through a specific link, but not through other channels. If your
organization does not use cookies and collects no personal information
from web visitors, explain this in your privacy policy too.




If you obtain personally identifiable information through online application forms,
online surveys, interest lists, inquiry forms, and e-mail subscription forms, your
policy must also describe what you use that information for, how long it is retained,
how it can be updated or removed, and how it is protected from illegitimate access.
Your policy should explain who will have access to any information that is collected
such as your web site administrator, organization staff, and board members. The
policy should explain if information is shared with third parties or other members and
for what purpose or under what circumstances. Providing those who give personal
information the opportunity to opt in to the sharing of their information with third
parties is a "best practice" that allows them to better control how their information is
distributed.
Your policy should note whom visitors can contact with privacy concerns and how
long it usually takes your organization to comply with a request for information
removal. And don't forget to explain how individuals can access the information that
you keep about them.
These are the basic elements of a good privacy policy, one that is specific to your
web site. As we explained above, we advise that you adopt an overall privacy policy
for the entire organization and all of its information-gathering functions, not just your
web site. The larger policy will include information about how you handle paper and
printed files in your office and whether you rent or sell your mailing list to other
organizations.
Are there any privacy laws about handling
personal information online?

California computer security breach law.
California has a law that affects any company,
organization, or government agency that believes
its electronic data files with personal information
about Californians may have been compromised.
In such cases, the organization must send those
who are affected a notice about the security
breach (California Civil Code Sections 1798.29
and 1798.82-1798.84). The California Office of
Privacy Protection (OPP) offers information and
recommendations about this law at
www.privacy.ca.gov/recommendations/secbreach.pdf.





California Online Privacy Protection Act. The more
commercial your site, the more likely it will be subject to laws
aimed at commercial sites. For example, California's Online
Privacy Protection Act covers anyone who collects information via
its web site from residents of California, including businesses that
do not physically reside in California. This Act goes into effect on
July 1, 2004, and requires commercial web sites that collect
personally identifiable information about individuals residing in
California to conspicuously post their privacy policy on their web sites.
(California Business and Professions Code, Section 22575) (Part
10, Resources). The law requires commercial web sites to include
four things in their privacy policy:
The type of information that is collected and with whom the
information may be shared.
Whether or not subjects may review and update and/or change
the information after it has been collected.
A description of the way in which the operator will notify persons
when it makes any change to its privacy policy.
The date the policy is in effect.

Federal Trade Commission Act. The Federal
Trade Commission Act covers all businesses' unfair
trade practices but generally does not cover
actions of non-profit organizations. However, a
recent Supreme Court decision found that where
there is substantial economic benefit to its
members, the site may be deemed commercial
and governed by the Federal Trade Commission
Act (15 USC 45). (FTC v. California Dental
Association, 526 U.S. 756 (1999))

Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail

San Diego, CA, April 6, 2004 (Updated April 19) -- The World
Privacy Forum and 30 other privacy and civil liberties
organizations have written a letter calling upon Google to suspend
its Gmail service until the privacy issues are adequately
addressed. The letter also calls upon Google to clarify its written
information policies regarding data retention and data sharing
among its business units.
The 31 organizations are voicing their concerns about Google’s
plan to scan the text of all incoming messages for the purposes of
ad placement, noting that the scanning of confidential email for
inserting third party ad content violates the implicit trust of an
email service provider. The scanning creates lower expectations of
privacy in the email medium and may establish dangerous
precedents.
Other concerns include the unlimited period for data retention that
Google’s current policies allow, and the potential for unintended
secondary uses of the information Gmail will collect and store.

Phishing and privacy

For a demonstration of how a real phishing
scheme works, visit
www.identitytheftsecrets.com. The Privacy Rights
Clearinghouse (PRC) is warning consumers about
another form of fraud that can happen when
online users reply to phishing emails.
The personal information they provide might be
used to register web site domains that bilk
unwitting online users out of funds they believe
are being used for legitimate transactions.

DATA PROFILING

Description of issue. As we make our way through everyday life, data is
collected from each of us, frequently without our consent and often without our
realization.
We pay our bills with credit cards and leave a data trail consisting of purchase
amount, purchase type, date, and time.
Data is collected when we pay by check.
Our use of supermarket discount cards creates a comprehensive database of
everything we buy.
When our car, equipped with a radio transponder, passes through an electronic toll
booth, our account is debited and a record is created of the location, date, time,
and account identification.
We leave a significant data trail when we surf the Internet and visit websites.
When we subscribe to a magazine, sign up for a book or music club, join a
professional association, fill out a warranty card, give money to charities, donate
to a political candidate, tithe to our church or synagogue, invest in mutual funds,
when we make a telephone call, when we interact with a government agency,
with all of these transactions we leave a data trail that is stored in a computer.

Legal instruments/Guidelines on data protection:
OECD: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
Council of Europe: Convention for the Protection of Individuals with Regard
to Automatic Processing of Personal Data (1981)
European Union: Data Protection Directive (1995)

Right to privacy: legal instruments

Constitution of India: Articles 19(1)(a) and 21
IT Act, 2000
Chapter V Secure Electronic records and secure digital signatures
14 Secure electronic record
15 Secure digital signature
16 Security procedure
Section 72. Breach of confidentiality and privacy.- Save as otherwise
provided in this Act or any other law for the time being in force, if any
person who, in pursuance of any of the powers conferred under this Act,
rules or regulations made thereunder, has secured access to any electronic
record, book, register, correspondence, information, document or other
material without the consent of the person concerned discloses such
electronic record, book, register, correspondence, information, document
or other material to any other person shall be punished with imprisonment
for a term which may extend to two years, or with fine which may extend
to one lakh rupees, or with both.

Section 43, IT Act, 2000

43. Penalty for damage to computer, computer system, etc.- If any person without
permission of the owner or any other person who is in charge of a computer, computer system or
computer network,
- accesses or secures access to such computer, computer system or computer network;
- downloads, copies or extracts any data, computer data base or information from such computer,
computer system or computer network including information or data held or stored in any
removable storage medium;
- introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
- damages or causes to be damaged any computer, computer system or computer network, data,
computer database or any other programmes residing in such computer, computer system or
computer network;
- disrupts or causes disruption of any computer, computer system or computer network;
- denies or causes the denial of access to any person authorised to access any computer, computer
system or computer network by any means;
- provides any assistance to any person to facilitate access to a computer, computer system or
computer network in contravention of the provisions of this Act, rules or regulations made
thereunder;
- charges the services availed of by a person to the account of another person by tampering with or
manipulating any computer, computer system or computer network,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the
person so affected.

Explanation to Section 43, IT Act, 2000

Explanation.- For the purposes of this section,-
(i) "computer contaminant" means any set of computer instructions that
are designed - (a) to modify, destroy, record, transmit data or programme
residing within a computer, computer system or computer network; or (b)
by any means to usurp the normal operation of the computer, computer
system, or computer network;
(ii) "computer database" means a representation of information,
knowledge, facts, concepts or instructions in text, image, audio, video that
are being prepared or have been prepared in a formalised manner or have
been produced by a computer, computer system or computer network and
are intended for use in a computer, computer system or computer
network;
(iii) "computer virus" means any computer instruction, information, data
or programme that destroys, damages, degrades or adversely affects the
performance of a computer resource or attaches itself to
another computer resource and operates when a programme, data or
instruction is executed or some other event takes place in that computer
resource;
(iv) "damage" means to destroy, alter, delete, add, modify or re-arrange
any computer resource by any means.

Section 65, IT Act, 2000

65. Tampering with computer source documents. Whoever knowingly or intentionally conceals, destroys, or
alters any computer source code used for a computer,
computer programme, computer system or computer
network, when the computer source code is required to be
kept or maintained by law for the time being in force, shall
be punishable with imprisonment up to three years, or with
fine which may extend up to two lakh rupees, or with both.
Explanation - For the purposes of this section, "computer
source code" means the listing of programmes, computer
commands, design and layout and programme analysis of
computer resource in any form.

Section 66, IT Act, 2000

66. Hacking with Computer System. - (1)
Whoever with the intent to cause or knowing that
he is likely to cause wrongful loss or damage to the
public or any person destroys or deletes or alters
any information residing in a computer resource
or diminishes its value or utility or affects it
injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished
with imprisonment up to three years, or with fine
which may extend up to two lakh rupees, or with
both.

Proposed changes in IT Act, 2000

Proposal at Sec. 43(2) related to handling of
sensitive personal data or information with
reasonable security practices and procedures
thereto
Gradation of severity of computer related
offences under Section 66, committed
dishonestly or fraudulently and punishment
thereof
Proposed additional Section 72 (2) for breach
of confidentiality with intent to cause injury
to a subscriber.
Section 67 related to Obscenity in electronic form has been
revised to bring in line with IPC and other laws but fine has
been increased because of ease of such operation in electronic
form; link-up with Section 79 w.r.t. liability of intermediary in
certain cases has been provided.
A new Section 67(2) has been added to address
child pornography with higher punishment, a globally recognized
offence.
A new phenomenon of video voyeurism has emerged in recent
times where images of the private area of an individual are
captured without his knowledge and then transmitted widely
without his consent, thus violating privacy rights. This has
been specifically addressed in a new proposed sub-section
72(3).
A new Section 68(A) has been proposed for providing modes
and methods for encryption for secure use of the electronic
medium, as recommended by earlier Inter Ministerial Working
Group on Cyber Laws & Cyber Forensics (IMWG).
A new section 78 A (Examiners of
Electronic Evidence) has been added to
notify the examiners of electronic
evidence by the Central Government. This
will help the Judiciary/Adjudicating officers
in handling technical issues.
 Section 69 related to power to issue
directions for interception or monitoring or
decryption of any information through any
computer resource has been amended
