Privacy issues in Instant Messaging services

By

Jasper Vikas George*

An attempt in this paper is made to analyse the problem of privacy violations in Instant Message Services, and to discuss in detail  the Penal provisions to curb privacy violations.

Introduction

Phishers on March 25, 2005 [1], had targeted the Yahoo's free instant-messaging service. They are attempting to steal usernames, passwords and other personal information through the much easy and popularly use mode i.e., Instant messaging services. According to the Yahoo, attackers are using messaging services as a means to steal the personal information of the person via instant messaging services.

Modus Operandi

  The modus operandi of the Phishers (cyber thieves) is simple. They  send messages to the members of any of the message services providers, which is carrying a link to a fake Web site. The fake site looks like an official site of the Instant service providers as Yahoo site, and it asks the user to log in by entering a Yahoo ID and password. The phishers attempt  succeeded because it was very convincing message from the one added in the messaging list of the members itself. Now how can any member be not convinced when the message is from the person added in the messenger lists? The issues involved in such criminal activities are multifarious.

-The theft of the private information of the victim.

-Theft of the personal details of the persons included in the friends lists.

-The application of the penal provisions.

-The extension of the right to private defense.

"In this case, the hacker was able to trick the user into providing personal information by disguising their identity to make it appear that the message was coming from a trusted source.[2]". The day by day increase in cyber criminal activities already had shown the loopholes in the contemporary cyber crime related laws. However, it also questions the very safety of personal identity over the much presumed safer digital environment.   “Serious security vulnerabilities such as buffer overflows, denial-of-service attacks and encryption weaknesses continue to be found and exploited in all popular instant-messaging clients[3]"

Indian Constitutional Perspectives

   Right to privacy though is not a fundamental right  is a part and parcel of the Article 21 of the constitution of India. Supreme Court had construed the “Right to Privacy” time and again as a part of the right to “protection of the life and personal liberty. In Kharak Singh v. State of U.P.[4] Supreme Court held that “the concept of liberty in Article 21 was comprehensive enough to include privacy and that a person’s house, where he lives with his family is his ‘castle’ and that nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy”.

   Similarly, Justice Mathew [5] stated the law in following words, “privacy-dignity claims deserve to be examined with care and to be denied only when an important countervailing interest is shown to be superior. If the court does find that a claimed right is entitled to protection as a fundamental privacy right, a law infringing it must satisfy the compelling State interest test…Privacy primarily concerns the individual. It therefore relates to and overlaps with the concept of liberty. The most serious advocate o privacy must confess that there are serious problems of defining the essence and scope of the right. Privacy interest in autonomy must also be placed in the context of other rights and values.”

In R.Rajagopal v. State of Tamil Nadu [6], Justice B. P. Sanjeevan Reddy observed that “The right to privacy as implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. it is a ‘right to be let alone”. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters. None can publish anything concerning the above matters with out his consent – whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages.” The foresaid rule is subject to an exception, that “any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others.”

New dimension to the concept of right to privacy is added in Mr X v Hospital Z[7] the Supreme Court held that “the right to privacy has been culled out of the provisions of Article 21 and other provisions of the Constitution relating to the Fundamental Rights read with the Directive Principles of State Policy. Right to privacy may, apart from contract, also arise out of a particular specific relationship, which may be commercial, matrimonial, or even political. Doctor-patient relationship, though basically commercial, is professionally, a matter of confidence and, therefore, doctors are morally and ethically bound to maintain confidentiality.” In such a situation, it is intrusion on the one’s right to be let alone.

Extent of Private Defense

   In the digital environment where the thief is not physically present, the extent of private defense is almost impossible to judge. The virtual world is totally different from the physical world. The chapter on private defense which is available under the Indian Penal Code, 1860 is inapplicable on the cyber world. There the laws are meant primarily under section 96 and 97 of the code. Section 96 of IPC declares that nothing is an offence, which is done in the exercise of the right of private defense. It means nothing is an offence if committed in reasonable exercise of private defense. Section 97 of the IPC said that every person has a right to private defense subject to section 99 of the IPC. And Section 99, provides that there is no right of private defence in cases in which there is time to have recourse to the protection of the public authorities. Further, it provides that the right to private defense in no case extends to the inflicting of more harm than it is necessary to inflict for the purpose of private defense.

   Now if we applied this to the cyber world or virtual world, the victim always have time to recourse to approach the pubic authority such as adjudicating officers appointed by the central government. Hence, the right of private defense provided under IPC is not applied here.

Information Technology Act, 2000

   To imagine technology with privacy rights is a very tough proposition. The advent of viruses and the intrusion of Trojan horses now are the old techniques of privacy violation on the web. The maturity of the digital environment is sufficiently developed now. The advent of surveillance technologies such as spywares, anti-viruses, pop-killers, E-mail filtering techniques, etc. forced the cyber phishers to look out for the new techniques. They found the intrusion through Instant Messaging Services. Section 72 of the Information Technology Act, 2000 provides for the penalty for breach of confidentiality and privacy. If any person who, in pursuance of any of the secured access to any electronic rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

   But this section is confined to the punishments for the contravention to those persons only who have secured access to any electronic record, book, register, correspondence, information, document or other material. Hence, the phishers (Cyber thefts) are penalised under the section

   We have healthy provisions for curbing the menace of hacking under sections 43 and 66 of the Act. But, to punish the violation of privacy is only subject to section 72 of the act. Criminal mischief in cyber world required much wider parameter to cover. To curb the menace of Phishers, who are violating the privacy rights through criminal trespass in instant messaging services we have to immediately search for the constructive solution.