What is Privacy?

The term privacy, in the cyber security domain, can be defined as the right of the person to have
control over how their personally identifiable information will be collected and used. Here,
Personally identifiable information (PII) means any information related to a person which can be
used alone (such as their name, social security number, biometrics record etc.) or when combined
with other personal information which can be linked to a specific individual (such their date of
birth, place of birth, mothers maiden name etc.) to distinguish or trace that individuals identity.

Legal framework for Privacy

Various laws and regulations have been enacted all over the world to protect the privacy of an
individual. These laws aim at regulating the collection, storage and use of personal information
about individuals by the government and other public and private organisations.

United States (U.S.)

The US legislative framework doesnt have a dedicated act for protection of PII but instead it is
regulated primarily by the industry, on a sector-to-sector basis. There are many sources of privacy
laws in the US and some of them are:

Health Insurance Portability and Accountability Act (HIPAA): The privacy rule in
Health Insurance Portability and Accountability Act (HIPAA) aims to protect an individuals
medical record history along with personal information related to health. Any kind of health
information which can be linked to an individual should be protected from being leaked out
in public and be protected against the risk of mala fide use by any third party. The rule
applies to all the health care providers conducting their transactions in electronic form. It
protects the privacy of the data and limits the disclosure of any kind of personal information
without taking permission from the patient. The rule also grants a right to the patient to
obtain the copy of health record, examine or to request any correction, if required. The
individuals should be notified of the use of their Protected Health Information by the
covered entities. A proper track of disclosure of any such information shall also be
maintained along with documentation of all privacy related policies and procedures.
 The Childrens Online Privacy Protection Act: It aims to protect the confidentiality,
security and integrity of the information provided online by children under the age of 13
years. The operators are required to notify the parents of such information, obtain and verify
their consent, provide access to their childrens information and give them a choice to
disclose the information to the third party or not.

The Privacy Act, 1974: It institutes the fair information practices governing the collection,
use, maintenance and distribution of an individuals personal information maintained by
federals in their systems. The Act also requires agencies to notify in the Federal Register all
records of their system.

The Fair Credit Reporting Act: regulates consumer reporting agencies, users of consumer
reports and furnishers of consumer information. It aims to protect and promote the privacy
of consumer information that is stored in the systems of consumer reporting agencies. It
protects consumers from negligent or wilful inclusion of wrong information in the credit
reports.

The Drivers Privacy Protection Act, 1994: It is a federal statute of US which governs the
privacy of personal information that has been collected by State Department of Motor
Vehicles. It prohibits the disclosure of personal information without the authorization of the
individual. The Act has imposed the department to maintain records of all the data disclosed
after the consent along with the details of the recipient.

India

The Constitution of India has provided the law relating to privacy under Article 21 but its
interpretation is insufficient to provide protection to privacy. Therefore, in the year 2000, the Indian
Parliament has made efforts to address the issues of privacy under the purview of Information
Technology Act, 2000. This Act was amended in 2008 and a few more sections were introduced to
increase the coverage of the Act. Some of the sections that relate to privacy are:
 Section 43: provides protection against unauthorized downloading, extraction and copying
of data through an unauthorized access to a computer system by imposing a heavy penalty
of up to one crore.
Section 66C: provides protection against identity theft caused by fraudulent or dishonest use
of electronic signature, passwords and other unique identification information of a person.
Section 66E: provides protection against violation of privacy done by publishing or
transmitting image of private part of a person without their consent by imposing a fine of up
to two lacs and imprisonment up to three years.
Section 67 and 67A: provides protection against cyber pornography which includes
transmitting and publishing any obscene material especially showing children engaged in
sexual activities with adults or using the internet to sexually exploit the women and children.

The Privacy (Protection) Bill, 2013 aims to provide protection of sensitive personal data of people
and describes the punishment for offences related to personal data. This Bill will have an overriding
effect on all the existing provisions related to privacy. The bill has expanded the scope of personal
data and exceptions to the rule of privacy. The Bill is proposed by the centre to the Parliament and
is pending approval of both the houses.

On comparing the Indian law with the law of other developed countries, one can see the need for a
dedicated law for privacy and this Bill is a right step in that direction.
Privacy: A Shared Responsibility
The exponentially growing digital footprint has increased the internet benefits and has embarked a
place in our personal lifestyle. The benefits have come with some cost one of which is loss of
privacy and have become more vulnerable to data breaches and identity fraud. Therefore it becomes
now a social responsibility for the user to take preventive measures to minimize risk of fraudulent
attacks. We are becoming more digitalized leading to more dependence on the internet, as the
reliability grows opportunities for attacker to prey on our privacy increases.

Today, most of the Internet users exchange e-mails, view web pages and consume services from the
World Wide Web, and use it for many common things. Doing these activities can pose a number of
threats to an individual's online privacy and security. Without a strong technical understanding,
some risks may be increased for these users. The technically skilled people who have designed and
built the softwares used for these activities like e-mail server-clients, Web browsers, etc. have
provided the software with various tools that can be used to be informed of the risks they are facing
and to manage several aspects of their privacy and security as they use the Internet. Research
suggests that users are unaware of many risks, or misunderstand them, and that they are not
equipped to use available tools to manage those risks. A study carried out on the assumptions of the
design for some privacy and security tools available in present Web browser. Their objective was to
temporarily test common basic assumptions that are based primarily on unreliable evidence.
Participants in their study responded to a questionnaire designed to draw light to the extent of their
awareness, knowledge, and range of viewpoints regarding the technology. The questionnaire
focused on four relevant areas relating to the use of Web browsers: secure Web sites; browser
cookies; Web site privacy policies; and trust marks. In each category, it was to evoke responses that
would show what users understand about the risks they face when using a Web browser to access
the Internet in a variety of situations; how well informed they are of the tools at their use for
managing security and privacy threats in those situations; and how willing they are to use those
tools and even their ability in using those tools. The survey was qualitative and not made to produce
data for statistical (other than descriptive) analysis. The questionnaire had been designed to get
answers for certain questions like Whether the Internet Users really aware of the Privacy risks they
could be facing and if they do understand, Could they understand the threats in detail so that they
can handle them with the tools available for mitigating those risks?
Based upon the research and the answers given by participants to the questionnaire, they came
across a set of findings listed below.

Users have tried to understand stuff regarding their security and privacy with online help but
they have found mixed results.
It seems that many Users have found limited information because the subject has technical
aspects involved in it.
The research by users have provided with some technical stuff that can be pursued if only Users
are really willing to do so.
The term secure Web site is used in technical terms for reference use of SSL/TLS to secure
the HTTP communication between a client and server.
Some users use the above term to understand the Site in Secure as the name suggests without
understanding the meaning underlying it.
Users who know about closed lock icon and other indicators of secure sites may use security
attributes as provided by the user.
Some users tend to believe that the presumed security as offered by browsers makes those sites
more trustworthy for the purpose of conducting business.
Few participants went along with the statement that secure sites provide assurance that the site
with which they are communicating is authentic and not an impostor or fraud.

The user has to be aware about the attacks and way to protect oneself, earlier we started protecting
our computers through antivirus. However now the battle has come up to cloud and now we have to
start walling off the digital communication much of which are mobile. The responsibility lays with
the government and law enforcement officials, whereas the act of taking personal responsibility
would stem down the network breach and cyber attack. Some below steps would increase security
and decrease vulnerability to cyber attack.

1) If the email is not legitimate, never click on the link posed in the email whether it is from the
third party service provider.
2) Set up a secure password for the account and avoiding sharing with others.
3) Keep the system up to date, use system firewall security with antivirus and antispyware
software which would scan the system and uninstall malware elements.
4) One should verify the payment gateway by ensuring that the URL starts with HTTPS before
submitting banking details online.
5) Change the password and pin of credit card in regular interval of time.

The above some precaution measure a user must take, it is the social responsibility to protect the
internet community for tomorrow users.
Google Street view Contravening and violating privacy
Wednesday, 13th March 2013, San Francisco.

On this day Google acknowledged and accredited before US state officials that they had despoiled
peoples privacy. Subsequently the Google Glass is battling major privacy lawsuits.

The Google Street View vehicles, as of now, have covered over 5 Million miles of unique routes.
Google vehicles have already acquired 21,000 Terabyte (21 Million GB) of imageries and pictures
till 2012. Nonetheless, since its ban on 38 countries, it has been spotted in various cities. Aug 1,
2016 - A Google Street View vehicle camera caught a man who had lied about leaving smoking.

Google automatically detects faces and number plates of vehicles and blurs them, however houses
and addresses are also concealed on any user who makes a request. There are instances when people
are seen leaving strip clubs, clinics of abortion, naked sun bathing on beaches and activities which
they do not want general public to watch. Yet another concern was the height of the camera (10
feet), it was taller than an average fence or a hedge of a house. In Switzerland and Japan it created
ruckus and the height was then lowered as per the local state legislation. Google Street View also
allows viewers to flag inapt and in appropriate images which Google review and removes.

In 2010 May, it was exposed that Google, through street view program, gathered payload data from
open unencrypted Wi-Fi connections. This concern has been raised by the general public and the
case is being administered and investigated by Australian police.

In a similar incident, In Austria, Google was found to be collecting Wi-Fi data. It was banned for
some time and there were rules formulated for GSV to operate lawfully in Austria. Since then
Google decided not to work under the new laws and is yet to resume its service in Austria as of
2016. Germany has banned Google to take images in the country since 2011.
Google have violated privacy knowingly and unknowingly both, they ignorantly commit this
forgery until they are being confronted by lawsuits and legal proceedings. Nonetheless, the spree of
mining as much Big-Data as they can is never ending and in the not so distant future Google might
be able to run decisions and results for a huge chunk of local population if more stringent laws are
not being made to cherish public privacy.

SCENARIO OF PRIVACY PROTECTION IN INDIA

The government had passed a privacy protection bill in 2013. The term privacy wasnt clearly
defined in the bill but it focussed mainly on protecting the personal and confidential data of an
individual. Personal data is described as any data by which we can identify a particular person
specifically. Sensitive data can be as follows:

1. Biometric data
2. Deoxyribonucleic acid data
3. Medical history and health
4. Financial and credit information
5. Political affiliation

There are provisions that relates to collection, storing, transfer, security and processing of data. But,
the consent of the individuals is needed for doing all of the above with their data. There are some
exceptions to this rule of collecting data with consent. Data can be collected without consent if:

1. A case of medical emergency.

2. Is becomes necessary to prevent a threat to the national security.
3. Required to establish an identity.

Personal data can be processed for a process other than for which it was collected if:
 1. Its possible to prevent a threat to the national security and defence or public sector.
2. Its necessary to prevent or prosecute offence.
3. Its necessary to perform the contractual duty to the data subject.

If the data of an individual is to be disclosed, he needs to be informed about it prior to the disclosure
and should be given the following details:

1. When will the data be disclosed?

2. Whats the reason for the disclosure of data?
3. The procedure of recourse in case of any grievance,
4. The security practice and the privacy policy that will protect it.

References
 Krishna, P. (2010, 31st August). Cybercrime and Privacy. [Weblog]. Retrieved 29 January
2017, from http://cis-india.org/internet-governance/blog/privacy/privacy-ita2008
Jay, R. (2013, September). Data Protection & Privacy. [Weblog]. Retrieved 29 January
2017, from https://www.hunton.com/files/Publication/1f767bed-fe08-42bf-94e0-
0bd03bf8b74b/Presentation/PublicationAttachment/b167028d-1065-4899-87a9-
125700da0133/United_States_GTDT_Data_Protection_and_Privacy_2014.pdf
wwwhgorg. (2016, no-date). Privacy Laws. [Weblog]. Retrieved 29 January 2017, from
https://www.hg.org/privacy.html
Kumar, P. (2013, February). Data Protection Law In India. [Weblog]. Retrieved 29 January
2017, from http://www.legalserviceindia.com/article/l37-Data-Protection-Law-in-India.html
Legal counsellors, P.S.A. (2013, 8th November). India: The Privacy (Protection) Bill,
2013. [Weblog]. Retrieved29 January 2017, from
http://www.mondaq.com/india/x/273736/Data Protection Privacy/Secret Agreement Fragile
Evidence
Gsagov. (2015). Gsagov. Retrieved 29 January, 2017, from
https://www.gsa.gov/portal/content/104256
Flinn, S., & Lumsden, J. (n.d.). User Perceptions of Privacy and Security on the Web.
Cyber Attack Prevention for the Home User: How to Prevent a Cyber Attack. (n.d.).
Retrieved January 29, 2017, from http://www.inquiriesjournal.com/articles/47/cyber-attack-
prevention-for-the-home-user-how-to-prevent-a-cyber-attack