
Internet Privacy Issue Relating to Email and Judicial Approach |2022

JAIPUR NATIONAL UNIVERSITY

Session 2021-2022

Course Name: LLM (Corporate & Commercial Law) Semester -2

Course Nomenclature: CYBER LAW

Course Code: LLMCCL203

Project Report: Internet Privacy Issue Relating to Email and Judicial Approach

Submitted To: Prof. Poojyashree Kumawat

Submitted By: Gitika Garg
ERP: R30400
Enrol No. JNU-jpr-2021/00632


CONTENTS

1. Introduction

2. Concept of Internet Privacy

3. Defining the Term Email Security

3.1 Types of Email Spam

4. How Far Email Is Secured

5. Why Is Email Security Important

6. Email Security Best Practices

7. Judicial Approach Towards Internet Privacy

7.1 Current Laws Prevailing in India

7.2 Difference Between the Draft Bill and the SPDI Rules

8. Conclusion


Internet Privacy Issue Relating to Email and Judicial Approach

Abstract

Many people have moved to seek online alternatives for many of their offline activities
during the pandemic, driven by lockdown regulations and a fear of catching COVID-19,
resulting in a rise in online traffic—and greater surveillance by commercial and public
websites. Many websites nowadays enable or even require users to use their e-mail addresses
as a form of identification or for other purposes. Although username-based identity concerns
caused by user behaviour have been a study topic for a long time, the major challenges of
utilising an e-mail address as an identity and the accompanying online behaviours of users
have not been well addressed. In response to such concerns, legislative efforts such as
‘Information Technology Act, 2000’ and ‘Sensitive and Personal Data or Information Rules
2011’ and recent bill ‘Personal Data and Protection Bill 2019’ have sought to curb data
collection and sharing with third parties. It's critical to understand significant email privacy
concerns, how to recognise them, and how to avoid them in the face of current dangers and
conditions. In this paper we will explore the concept of internet privacy and analyse the term
email-security and privacy concerns resulting from using an e-mail address as identity. Our
findings show that utilising an e-mail address as an identity carries significant security and
privacy implications. This is primarily due to several e-mail accounts being used and users'
poor network habits. Furthermore, we explore the shortcomings of existing solutions for
e-mail address as identification and related password issues, as well as proposed solutions for
future online identity management system security.

Keywords: Internet, Privacy, Security, E-mail, Information Technology.


1. INTRODUCTION

With the changing nature of information and the way the internet allows data to be produced,
gathered, merged, shared, stored, and analysed, personal data and the types of safeguards
that personal data deserves and can be afforded are continually changing and being redefined. For
instance, relatively harmless data such as IP addresses, search words, and websites visited can
now be aggregated and analysed to identify individuals and discover personal information
about them. Information about an individual is generated with each usage of the internet,
from information given on social media sites to cookies collecting user browsing history to
individuals transacting online to mobile phones registering location data.

In some cases, the individual is aware that they are generating data and that it is being
collected; however, in many cases, the individual is unaware of the information trail they are
leaving online, does not know who is accessing the data, and has no control over how their
data is handled or for what purposes it is being used. Law enforcement, for example, often
combs social networking sites for material that could be relevant in an investigation. Whether
it's 2010 or 2020, online privacy has always been important. The main difference is that
internet dangers and data breaches have increased tenfold in the last decade. That's not a good
number, and it's not a good moment to be going online without precautions[1].

People of all ages are increasingly concerned about their online privacy.
Companies track your online activity across websites to serve you highly relevant
adverts, which makes an encrypted online connection necessary; pure VPN[2] offers superior
AES[3] 256-bit encryption. Governments track your every move in order to better predict your
behaviour and control you. And cybercriminals will go to any length to obtain your
information for their malicious intentions![4]

In today's business world, email is one of the most widely used kinds of corporate
communication, with the number of email users globally estimated to reach 4.3 billion by the
end of 2023[5]. Its broad use, which is both convenient and dangerous, makes it a prime target
for malicious attacks. Despite the fact that its prominence in the business world is
nothing new, the risk of an email privacy breach in 2021 is higher than it has ever been.

[1] Article on ‘what is internet privacy and why it matters most in 2022?’ by Haris Shahid, posted on 11 January 2022.
[2] VPN stands for Virtual Private Network.
[3] AES stands for Advanced Encryption Standard.
[4] Ibid.
[5] Data collected by Radicati Group published on 19 Fascinating Email Facts (lifewire.com). Last accessed on 2 April 2022.

2. CONCEPT OF INTERNET PRIVACY

Privacy is a highly personal concept that varies greatly from one individual to the next. It
derives from the Latin word "privatus," which literally means "to be cut off from the rest of
the world." Steven Lukes shows how the concept of privacy evolves and develops through
the sense of "Individualism" in his article "The Meanings of 'Individualism'"[6]. Individualism
is a moral attitude, political philosophy, ideology, or sociological outlook that emphasises the
"moral value" of an individual. Individualism is the concept that a person is self-sufficient
since the creator has given him or her life, allowing them to enjoy all of life's freedoms,
including privacy.

Perhaps privacy now implies more than just sitting alone in a room; it also includes the
protection of personal information, creative work, commercial secrets, personal relationships
and lives, and so on. It is a violation of a person's rights if his or her letters to others are
published without his or her authorization. The risks of technology being misused are
increasing as the technology evolves. Cybercrime is on the rise in India because there
is no clear or strict data protection legislation. The purpose of data protection is to protect
an individual's personal information.

The right to privacy on the internet, also known as online privacy, is a subset of data privacy
and a fundamental human right. It basically relates to your right to personal privacy when you
show, store, or provide information about yourself on the Internet.

It refers to the level of internet security for personal and financial information, conversations,
and preferences. Anti-virus software, strong passwords, shutting off tracking, checking site
security, and opting for stricter privacy settings are all common ways for internet users to
increase their online privacy. Phishing schemes and viruses are among the threats to online
privacy, while website security issues can lead to identity theft.

[6] Steven Lukes, “The Meanings of Individualism” 32 (1) JHI, 45-66 (1971), available at: http://www.jstor.org/stable/2708324. (Last visited on April 1, 2022)


3. DEFINING THE TERM EMAIL SECURITY

Email security is the process of ensuring the availability, integrity and authenticity of email
communications by protecting against the risk of email threats[7]. It can also be defined as the
use of various techniques to secure sensitive information in email communication and
accounts against unauthorized access, loss, or compromise. In simpler terms, email security
allows an individual or organization to protect the overall access to one or more email
addresses or accounts. This article explains what email security is, its importance, and
benefits for enterprises[8].

Email allows billions of people and organisations to communicate and send messages to one
another. Email is at the heart of how people use the internet, and it has long been a target for
hackers.

3.1 Types of Email-Spam

Email has been abused and misused in many ways since its inception, and there has never
been a shortage of email threats. The following are examples of email abuse:

1. Phishing Attempts
The most common type of spam is phishing. It's usually delivered by email, chat, a
web ad, or a website made to look like a real person or business. Phishing
communications utilise a sense of urgency or anxiety to induce users to hand over
their personal information. A phishing message could originate from someone posing
as a bank, the government, or a large organisation.

2. Spoofing

The act of sending emails using a false sender address is known as email spoofing. It
deceives the receiver into believing that the email was sent by someone they know or
trust. It's usually a tool used in a phishing effort to get access to your internet
accounts, deliver malware, or steal money. Spoof email messages are simple to create
and detect. More malicious and targeted types, on the other hand, can create serious
issues and offer a considerable security risk.

[7] Article on ‘Email Security’ by Sean Michael Kerner, https://www.techtarget.com/searchsecurity/definition/email-security. Last visited on 5th April 2022.
[8] Article on ‘What is email security’ by Vijay Kanade, https://www.toolbox.com/it-security/network-security/articles/what-is-email-security/. Last visited on 5th April 2022.


3. Spam Phishing

Spam emails are unsolicited and unrelated commercial emails sent to a large group of
people via the internet. Spam mails are frequently from businesses attempting to sell
you something. While these emails may be inconvenient, they are not malicious.
Examples of Spam: Advertising (retailers, dating sites, online pharmacies, gambling),
Get rich quick schemes (You've Won!), Hoax virus warnings, Chain emails.

4. Malware Delivery

A virus is computer software that, like a biological virus, can replicate itself and
cause damage to the machine it infects. An email virus is software or a document that,
when accessed, spreads by forwarding itself to any number of recipients and groups in
the recipient's email address book. If you do not open or execute these attachments,
they pose no risk to your computer. If an attachment is not sent from a reputable
source, do not open it.

5. Porn Spam

Spam like this is fairly common. Spammers frequently send pornography over email
because the pornography industry is profitable, and it piques people's attention.
Spammers are well aware of this and utilise it to send harmful emails including
pornographic images and videos.

6. Business Email Compromise (BEC)

This is a sort of email cybercrime scam in which an attacker targets a corporation in
order to defraud it. Compromise of business email is a huge and rising problem that
affects businesses of all sizes and industries all over the world. Organizations have
been exposed to billions of dollars in potential losses as a result of BEC schemes.

7. Denial of Service (DoS) attacks

A cyberattack against devices, information systems, or other network resources that
prevents legitimate users from accessing expected services and resources is known as
a denial of service (DoS) attack. This is commonly done by inundating the targeted
host or network with traffic until it becomes unresponsive or crashes. DoS attacks
can last anywhere from a few hours to several months, costing businesses time and
money while their resources and services are down.

4. HOW FAR EMAIL IS SECURED?

For a variety of reasons, email is not secure by default.

It's critical to understand significant email privacy concerns, how to recognise them, and how
to avoid them in the face of modern dangers and conditions. The most common email privacy
problems for MSPs[9], as well as a recommendation for one of the best email encryption and
email monitoring products on the market to help improve your customers' mail security
strategy. To help you better understand how to stress the necessity of email security to
consumers, we'll start by going over the types of damage that inadequate email security may
create.

Any organisation can be severely harmed by email breaches, which can result in reputational
damage and financial loss. Some figures and instances of the potential
consequences of email security breaches: 96% of social engineering attacks (such as phishing
and pretexting) infiltrate through email[10], and 73% of cloud breaches in 2019[11] involved email or
web application servers. The FBI has seen a sharp increase in “business email crime,” a
simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected
globally and a 270% increase in the number of identified victims and exposed loss since
January 2015, including in India[12].

5. WHY IS EMAIL SECURITY IMPORTANT?

Email is widely used for business communications and is an important part of a company's IT
operations and ability to communicate both internally and internationally.

[9] MSP stands for Managed Service Provider.
[10] Source: 2021 Data Breach Investigations Report | Verizon.
[11] Ibid.
[12] Article by Rica Bhattacharyya & Sachin Dave, ET Bureau, “CEO email fraud becoming rampant with hackers targeting high officials”, posted on Economic Times. Last updated: Apr 21, 2016, 06:02 AM IST.


A threat to email, such as a DoS attack that prevents access, could impede a company's
ability to conduct business. Spam is another important email issue that can harm a firm by
clogging inboxes with useless items and potentially resulting in phishing attacks.

Email messages frequently contain sensitive material intended only for the receiver of the
message. If email protection is not in place, sensitive information could be leaked to an
unauthorised organisation.

The legitimacy of corporate email emphasises the importance of email security. If an
unauthorised person is able to send email that looks to come from a corporate email account,
a BEC attack could result in fraud.

Benefits of email security for businesses

As most organisations still rely on email for day-to-day operations, email security solutions
and best practices offer a number of important advantages to businesses of all sizes, including
the following:

• Availability
Email security, at its most basic level, can aid in the continuing availability of email
services, allowing a company to connect with its staff and customers.

• Authenticity
Having email authentication procedures in place can help an organisation and its
users trust that emails sent from its domain are genuine.

• Fraud prevention
The capacity to recognise potential email security issues, such as spoofing, might
aid a company in reducing fraud risk.

• Malware prevention
A proper set of security capabilities on an email platform can help to reduce the
danger of malware being communicated over email.

• Phishing protection
Phishing attacks can persuade employees of a company to click on links or download
files that are potentially hazardous, resulting in data leakage and credential theft.


6. EMAIL SECURITY BEST PRACTICES

While email is not safe by default, there are proactive best practices that individuals and
organisations may use to improve email security dramatically, including the following:

• Make sure all connections are encrypted
All connections to and from an email platform should be made using an SSL/TLS
connection, which encrypts data as it travels over the internet.

• Encrypt your emails
While it may not be the best option for every user at every company, encrypting email
communications adds an extra degree of security that can help prevent illegal data
disclosure.

• Make sure your passwords are secure
It is critical for users to create complicated passwords that are difficult to guess. Users
are frequently advised to choose passwords that include a mix of letters, numbers, and
symbols.

• Use two-factor authentication (2FA) or multi-factor authentication (MFA)
While strong passwords are beneficial, they are frequently insufficient. Implementing
two-factor authentication (2FA) or multi-factor authentication (MFA) can help to
improve email security by adding an extra layer of access control.

• Get anti-phishing training
Email phishing is a widespread threat. It's critical to teach users how to avoid
risky habits and recognise phishing attacks that reach their mailbox.

• Log in using your domain
Domain authentication protocols and approaches, such as Domain-based Message
Authentication, Reporting, and Conformance (DMARC), can help to mitigate domain spoofing
risks.

• Email security software
Best practices alone are rarely sufficient to ensure email security and lower the risk of
being hacked. Organizations can benefit from email security tools and services to
manage and improve their security posture.


a. Platforms for integrated online email service providers
Microsoft Exchange Online is part of the Microsoft 365 Business Standard
suite and offers users a comprehensive range of email security features.
Similarly, Google Workspace offers a version of Gmail for businesses that
includes email security as part of the service. Both Microsoft and Google
services include built-in antimalware and antispam protection, as well as
secured data transmission options.

b. Email security gateways
An email security gateway can provide an inspection point for malware, spam,
and phishing attempts for organisations with on-premises email systems and
cloud-hosted email. Barracuda, Cisco, Forcepoint, Fortinet, Mimecast,
Proofpoint, and Sophos are among the companies that offer email security
gateways.
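
The domain authentication practice listed above, as an added example that is not part of the original report: a receiving-side check that compares the visible From domain with the domains that passed SPF or DKIM, which is the alignment test DMARC uses to catch spoofed senders. The sample messages, all `.example` domains and the trusted server name are constructed, and organizational-domain matching is simplified to the last two labels.

```python
"""DMARC-style alignment check over constructed sample messages."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name our own receiving mail server writes into the
# Authentication-Results header. Results stamped by anyone else are ignored,
# because a sender can insert forged copies of this header.
TRUSTED_AUTHSERV = "mx.recipient.example"


def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Production DMARC uses the Public Suffix List (needed for e.g. .co.in).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def authenticated_domains(msg, trusted=TRUSTED_AUTHSERV):
    """Return the domains that passed SPF or DKIM per our own server."""
    passed = set()
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != trusted:
            continue  # not stamped by our server: do not trust it
        for clause in parts[1:]:
            m = re.match(r"(spf|dkim)=(\w+)", clause)
            if not m or m.group(2).lower() != "pass":
                continue
            # SPF authenticates the envelope sender, DKIM the signing domain.
            key = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
            d = re.search(re.escape(key) + r"=(\S+)", clause)
            if d:
                passed.add(d.group(1).split("@")[-1].lower())
    return passed


def dmarc_aligned(raw_message):
    """True if a domain that passed SPF/DKIM matches the From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    return any(org_domain(d) == org_domain(from_domain)
               for d in authenticated_domains(msg))


def _sample(auth_results, from_header):
    # Builds a constructed test message; not real mail.
    return "\n".join([
        "Authentication-Results: " + auth_results,
        "From: " + from_header,
        "Subject: Updated payment instructions",
        "",
        "Constructed body.",
    ])


# Genuine mail: SPF and DKIM pass for the same organization as From.
LEGIT = _sample(
    "mx.recipient.example; spf=pass smtp.mailfrom=bounce.bank.example; "
    "dkim=pass header.d=bank.example",
    '"Bank Alerts" <alerts@bank.example>')

# Spoofed From: SPF passes, but only for the sender's own unrelated domain.
SPOOFED = _sample(
    "mx.recipient.example; spf=pass smtp.mailfrom=mailer.bulk-sender.example; "
    "dkim=none",
    '"Bank Alerts" <alerts@bank.example>')

# Forged header: a "pass" claimed by a server we do not operate.
FORGED = _sample(
    "mail.unknown-relay.example; dkim=pass header.d=bank.example",
    '"Bank Alerts" <alerts@bank.example>')

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED)):
        print(name, "aligned" if dmarc_aligned(raw) else "NOT aligned")
```

The spoofed sample shows why an SPF pass alone is not enough: the check only counts a pass when it is for the same organization the reader sees in the From line.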

7. JUDICIAL APPROACH TOWARDS INTERNET PRIVACY

The Ministry of Electronics and Information Technology (MEITY) blocked 118 mobile apps on
2nd September, 2020, invoking its power under section 69A of the Information Technology
Act[13]. MEITY had received complaints from various sources, including several reports about
some mobile apps stealing and surreptitiously transmitting users' data in an unauthorized
manner to servers outside India. The compilation of this data, its mining and profiling by
elements hostile to national security and defence of India, ultimately impinges upon the
sovereignty and integrity of India. This decision by MEITY has yet again opened up the
discussion on the urgent need to have strong Data Protection Laws in India[14].

As per a report, presently there are nearly 700 million internet users in India. This figure is
projected to grow to over 974 million users by 2025. In fact, India was ranked as the second
largest online market worldwide in 2019, coming second only to China[15].

Right to privacy is a fundamental right under Article 21 of the Constitution of India, which
lays down our fundamental rights. This was affirmed by a nine-judge bench of the Supreme
Court in Justice K.S. Puttaswamy vs Union of India[16]. A 10-member committee was formed by
retired Supreme Court judge B.N. Srikrishna to make recommendations for a draft Bill on
personal data protection, and the Personal Data Protection Bill 2019 was introduced in Parliament.

[13] Read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009.
[14] Article by Priya Rao, “Personal Data Protection Law in India”, posted on October 2, 2020.
[15] Published by Statista.

7.1 Current Laws Prevailing in India

In India there is no specific law for the protection of data; the privacy and protection of
data are governed by the IT Act and the "Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011". As per the IT Act,
data is defined as “representation of information, knowledge, facts, concepts or instruction
which are being prepared or have been prepared in a formularized manner or is intended to be
processed or have been processed in a computer system or computer network and may be any
form or stored internally in the memory of the computer”[17].

As per the definition given by the IT[18] Rules 2011, personal information is "any information
that relates to a natural person, which either directly or indirectly, in combination with other
information available or likely to be available with a body corporate, is capable of identifying
such person"[19].

The Rules also recognise the concept of sensitive personal data or information. Rule 3 specifies
that the following types of data or information shall be considered as personal and sensitive,
such as passwords, bank account details, credit/debit card details, present and past health
records, sexual orientation and biometric data[20].

When the IT Act, 2000 came into force on October 17, 2000, all the laws and procedures in
reference to the given Act lacked the protection and provisions required to protect one’s
sensitive personal information provided electronically. This eventually led to the introduction
of the Information Technology Bill, 2006 in the Indian Parliament, which then led to the
Information Technology (Amendment) Act, 2008, whose provisions came into force on
October 27, 2009. It inserted Section 43A in the Information Technology Act, according to
which, if:

[16] The most prominent case in Indian History relating to Data Privacy, (2017) 10 SCC 1.
[17] IT Act, 2000, S. 2(o).
[18] Information Technology Rules 2011.
[19] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 2 (1) (i).
[20] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 3.

A corporate body possesses or deals with any sensitive personal data or information, and is
negligent in maintaining reasonable security to protect such data or information, which
thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall
be liable to pay damages to the person(s) so affected.

Also, Section 72A provides the punishment for disclosure of information in breach of lawful
contract: any person may be punished with imprisonment for a term not exceeding three years,
or with a fine not exceeding five lakh rupees, or with both, in case disclosure of the
information is made in breach of lawful contract.

Penalty for the same is mentioned in Section 72 of the IT Act. The Section provides
that: any person who, in pursuance of any of the powers conferred under the IT Act Rules or
Regulations made thereunder, has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the person
concerned, discloses such electronic record, book, register, correspondence, information,
document or other material to any other person, shall be punishable with imprisonment for a
term which may extend to two years, or with fine which may extend to Rs 1,00,000 (approx.
US$ 3,000), or with both.

Section 75 mandates that provisions of this Act shall also apply to an offence/contravention
committed outside India by any person if the conduct constituting an offence involves a
computer/computer network located in India.

However, the scope and coverage of the IT Act and Rules are limited. The majority of the
provisions only apply to ‘sensitive personal data and information’ collected through a
‘computer resource’. The provisions are restricted to corporate entities undertaking the
automated processing of data, and consumers are only able to take enforcement action in
relation to a small subset of the provisions. There is no provision on data localisation, which
was the major concern and reason for the ban of the Chinese apps in India. In order to address
these limitations, India needed a comprehensive data privacy law[21].

[21] Article by Priya Rao, “PERSONAL DATA PROTECTION LAW IN INDIA”, posted on October 2, 2020.


7.2 Difference between the Draft bill[22] and the SPDI Rules

• The SPDI Rules apply to the body corporate and the individual located in India, whereas
the bill applies to the government and to private entities incorporated in India and
incorporated outside India.

• Under the Rules, SPDI can be processed only after the consent of the information provider,
whereas under the bill the grounds for processing are, along with consent, functions of the
state, compliance under law or order of court, prescribed emergencies or any other purpose
as specified by the Authority.

• According to the Rules, the data provider has the right to withdraw consent and can
abstain from giving consent. As per the bill, the onus for the personal data will be on
the data collector and not the data provider, and the data provider has the right to
access the data and the right to be forgotten.

• In the Rules there are no provisions as to where the data is to be kept or whether it must
be stored within the territory of India, whereas as per the bill the data needs to be stored
within the territory of India.

• According to the Rules, the data can be transferred to a third party provided the
third party has the same level of data protection. The bill allows the cross-border
transfer of Personal Data and Sensitive Personal Data where (i) transfer of data
is according to standard contractual clauses or intra-group schemes that have been
approved by the Authority; or (ii) the Central Government in consultation with the
Authority has prescribed a country or section within a country or a particular
international organization where such transfers are permissible based on the adequacy
of the data protection framework in such country; or (iii) a particular transfer is
approved by the Authority on grounds of necessity. Along with (i) and (ii) mentioned
above, the data provider's consent will be required to transfer the Personal Data and
Sensitive Personal Data.

• As per the bill there will be a separate authority for taking applications for data
protection.

[22] It refers to the PDP Bill 2019.


8. CONCLUSION

Though India is attempting to establish and create regulations for data protection and privacy,
there are still some gaps that must be addressed. As a result, our Indian legislature must
combine the benefits of data protection and privacy laws from around the world and take a
step forward in the adoption and development of this new branch of law, given its critical
importance in today's world.

Data privacy is a fundamental right that must be governed by strict legislation. It is
critical to have a data protection law in place so that there is proper data processing and
control, protection of individual rights, and enforcement of rules against unauthorised access
and penalties if someone violates the policies. To do their jobs properly, the several agencies
performing cybersecurity operations in India, such as the National Technical Research
Organization, the National Intelligence Grid, and the National Information Board, require
strong policy, legislative, and infrastructural support from the Ministry of Electronics and
Information Technology, as well as from the courts.

The Personal Data Protection Bill 2019[23], as introduced in Parliament, is a
comprehensive framework for data protection in India. Despite concerns that the Bill does not
perfectly balance citizens' privacy with the need for occasional government intervention, once
passed into law, the Bill is likely to function as a much more effective means of data
protection (and the protection of allied interests such as free speech) than existing legislation.

[23] The underlying principles of the Bill are broadly similar to those in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) of Europe.
