As the Ashley Madison controversy spirals out of control in an industry where data is money, security a nightmare, and privacy rare, would you rather take control of your online safety or let the big corporates do it for you? The guide scans the risks involved with data sharing and how you can safeguard against them. Also, gauge why India needs a robust law to protect the freedom and privacy of its citizens.
A few weeks ago, details of more than 33 million accounts were stolen from AshleyMadison.com, a popular website which offers users a chance to have an affair. The group of hackers, who call themselves The Impact Team, allegedly said they did so to highlight how AshleyMadison.com was retaining its customers' data after charging them $19 to delete it.
But it's not the only company. There are millions of them operating as free or paid services, building profiles on their users. Whether it's via a browser (Google Chrome, Mozilla or Microsoft Edge), search engines like Google.com, Bing.com and Ask.com, or simply shopping apps such as Flipkart, Amazon or Snapdeal that come pre-installed on your phone, a majority of online services are building a profile on you. So, how do users safeguard their privacy? While it's not possible to keep these services out completely, users can at least restrict the collection of such data. Here's a checklist:
5 mistakes we make each time we sign up
1. Not checking the settings and opting out of constant surveillance options that are turned on by default.
2. Giving up personal data like location, address, phone number, whereabouts and photographs wrongly assuming that the information will be limited to a small group of their friends and families.
3. Mixing up work data with personal data.
4. Confusing 'tech savvy' with being able to depend on as many apps and devices
5. Not encrypting emails and other communications.
— Mishi Choudhary, Legal Director, Software Freedom Law Center
Safeguard your Google/Facebook sign-ups
Most services require you to sign up using social platforms like Google and Facebook. But are you aware of the information that you might be sharing? In a special video by popular anti-virus software maker AVG, on its official blog, Now.avg.com, its security advisor, Michael McKinnon, advises users to regularly review the security and app settings within each of these platforms. These settings show the permissions that you have granted to third-party websites and apps. Here's how you can do that:
For Google account: Log into your Google account and visit security.google.com/settings/security/permissions. Here, you can remove the permissions for apps you no longer use. You can also enable two-step verification on Google, similar to what you see in banks. With this method, you will be required to enter a code (sent to your phone) before signing in.
For Facebook account: On Facebook, visit Facebook.com/settings?tab=applications to review your permission settings. To prevent unauthorised log-ins on Facebook, go to settings in your account, and within the 'Security' tab click on Log In Notifications to enable notifications/text messages. You will be notified via text message when your account is accessed from a mobile device that you haven't used before. Similar settings are available for other social networking platforms as well, including Twitter and LinkedIn. Look up their settings pages for more details, or ask their experts on Twitter.
1. Never use the always-signed-in option in your browser, most notably in Google Chrome. Though it's convenient, it helps trackers and websites identify you.
2. Most browsers, by default, have options turned on that allow them to collect data about your behaviour. But you can always turn them off by visiting the settings page. In Firefox, go to Options>Advanced>Data Choices to disable data collection. Also go to Privacy, and select the box which says, 'Tell sites that I do not want to be tracked'. In Google Chrome, go to Settings, click on the Advanced Settings option, and then de-select all options apart from the 'Send a Do Not Track' option and 'Enable Malware and Phishing Protection'. Also, make sure you have turned off location sharing in your browser.
3. If you're looking for a browser that lets you browse anonymously, suitable options are the Epic Privacy Browser or The Onion Router (Tor) browser, available for free from Torproject.org. Tor is a great tool for journalists and those working in NGOs to keep government agencies from snooping into their online behaviour.
Ask the app makers/service providers
Almost every website should provide guidelines about what data it stores and its data sharing and usage policy, and should offer its users a way to opt out of its services. If not, we recommend asking the service on its official Twitter page for details on how to opt out and delete all personal data. We asked several of these services for details; most refused to answer. Here are some who either answered our queries or had answers on their websites:
BharatMatrimony.com, under its privacy-policy page, states that it doesn't sell/rent any identifiable information at the individual level to any third party. Members can choose to un-subscribe from the website via the un-subscribe page; however, no link is given there on how to go about it. The steps are mentioned under Creation/Modification, with the subhead Activation/Deactivation, on the FAQs page.
Truecaller users can unlist themselves from Truecaller services by first deactivating their account in the app under the About section, and then visiting Truecaller.com/unlist. However, there's no clarity on whether this will delete their personal data from its servers as well.
Sachin Bhatia, co-founder and CEO of TrulyMadly says, “All information about a user is self-updated and the existing user can anytime update or remove any or all information as per their personal preferences. If they deactivate their account, all their information gets wiped off too. We do not retain any information other than the email id and phone number.”
Expert speak: Mishi Choudhary, Legal Director, Software Freedom Law Center, New York and executive director, Software Freedom Law Centre, India
Q. What are the various laws that govern data privacy and protection in India?
Currently, we don’t have a comprehensive data protection law or data privacy legislation in India. Recently, Dr Jitendra Singh, Minister of State for Personnel, Public Grievances and Pensions, informed Rajya Sabha that the Centre is in the process of drafting a legislation that will guarantee protection to individuals against breach of their privacy through unlawful means. There are some provisions, for example, Section 43A of Information Technology Act, 2000 that cover some aspects of it.
Q. In the wake of the Ashleymadison.com hack, what legal courses can Indian users take if a similar scenario emerges in India with an Indian service provider?
In that case, the website charged a $19 fee to allegedly have the users' data deleted, which it did not. The full delete option claimed to remove user profiles, all messages sent and received, site usage history, personally identifiable information, and photos from the site. The hack disclosed that this ‘permanent deletion’ feature did not delete anything, and all data was recoverable. Users in India, if such an entity exists, can claim compensation from such an entity for failure to protect data under Section 43A of the IT Act. Section 72A also provides imprisonment up to 3 years and fine up to Rs 5 lakh for disclosure of personal information in breach of a lawful contract.
Log on to www.mid-day.com for the full interview.