
Confidentiality in Cyberspace

This document discusses confidentiality in cyberspace and how to secure data confidentiality. It defines confidentiality and provides examples of data that require high confidentiality such as social security numbers and passwords. It discusses confidentiality as an ethical duty to protect private information. Risks to confidentiality like firewalls, cookies, posting information publicly, and data interception are covered. The document concludes with guidelines for securing data confidentiality such as encrypting sensitive files, managing data access, and properly disposing of or deleting data.

Uploaded by Zakiyya Rasheed
Copyright: © All Rights Reserved

CONFIDENTIALITY IN CYBERSPACE

INFORMATION TECHNOLOGY LAW ASSIGNMENT

ZAKIYYA RASHEED
S9, BBA LLB
R.NO 31

WHAT IS CONFIDENTIALITY?

The Black’s Law Dictionary defines confidentiality as secrecy or the state of having the
dissemination of certain information restricted. Confidentiality ensures that secret
information is protected from unauthorized disclosure. Data confidentiality is about
protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft.

Confidentiality has to do with the privacy of information, including authorizations to view,
share, and use it. Information with low confidentiality concerns may be considered "public"
or otherwise not threatening if exposed beyond its intended audience. Information with high
confidentiality concerns is considered secret and must be kept confidential to prevent identity
theft, compromise of accounts and systems, legal or reputational damage, and other severe
consequences.

Examples of data with high confidentiality concerns include:

• Social Security numbers, which must remain confidential to prevent identity theft.
• Passwords, which must remain confidential to protect systems and accounts.

In managing data confidentiality, the following factors are to be considered:

i. To whom the data can be disclosed
ii. Whether laws, regulations, or contracts require data to remain confidential
iii. Whether data may only be used or released under certain conditions
iv. Whether data is sensitive by nature and would have a negative impact if disclosed
v. Whether data would be valuable to those who aren't permitted to have it (e.g.,
hackers)

THE ETHICAL DUTY OF PROTECTING CONFIDENTIALITY

Confidentiality is a primary ethical duty provided in ethical frameworks such as the codes of
ethics of a specific profession or association. In the context of the internet, privacy involves
an individual right to decide what information can be collected and how such information can
be used, to access personal information and to enjoy anonymity. Confidentiality, in the
context of the internet, is about implementing security arrangements for protecting personal
information and ensuring the safety of computer systems and equipment. When websites fail
to uphold the ethical duty of confidentiality, personal information and data are disclosed and
internet information privacy can be violated.

Technology solutions or methods can help to achieve or enhance confidentiality.

• Internet service providers can use firewalls to recognise where queries or
messages come from, and only permit those IP addresses that are considered good
and trusted.
• The use of firewalls, anonymizers, and encryption can help mitigate the risks.
• Cookies are a type of technology that can be utilised to capture personal
information such as browsing preferences, shopping habits or internet usage
preferences. JavaScript is typically used to write cookies. Although internet users
may use different browsers, they can delete cookie files to protect personal
information or data.
• A technique called message encryption can be used to protect data in transit. If
two users want to exchange information and data, both of them can use algorithms
in the form of a passphrase. Information exchanged between the two users will be
encrypted, and both users need to use public and private keys to decrypt and
encrypt information. Digital signatures can also be used to protect the flow of
information.

Confidentiality in cyberspace is more about an ethical duty.

• Ensuring internet information privacy is more about carrying out the ethical duty of
confidentiality rather than only applying high technology solutions into practice.
Internet service providers, internet businesses, websites and many others who deal
with personal information have an ethical duty to keep the information of users or
customers confidential.
• Many businesses claim that they might collect personal data or information for
improving their services or for targeted advertising. However, it is found that many of these
businesses make huge profits by selling personal information. For example, email
addresses of users can be traded. The worst scenario is that personal financial or
medical information is revealed and sold.
• Internet businesses that have access to personal data or information are required to
make sure that they do not compromise their code of ethics by disclosing personally
identifiable information. They need to justify the objectives and purposes for using
personal information or data. Also, the person who uses personal information should
understand his responsibilities and use the minimum information.

CONFIDENTIALITY IN CYBERSPACE: RISKS & SOLUTIONS

Major considerations to keep in mind regarding confidentiality in cyberspace are
discussed below:

❖ Firewall as a solution to the threat of Silent communications.

There are thousands of rogue actors and infected computers probing machines across the
Internet at any given second. These bad apples are almost certainly trying to get control of
your machine through any security fault or unpatched module they can find. Fortunately,
their communications are straightforward to trap, since by definition they are unsolicited; it
is easy to tell the difference between a packet from a website you just accessed and a probe
from some site you never heard of before. The technological solution to this threat is called a
“firewall”, a program that monitors all communications and traps all illicit packets. Most
operating systems now come with a firewall preinstalled. However, some, such as the
Windows firewall, only block suspect incoming communications, leaving completely open
access to the Internet from your machine. This is a barn-door sized hole that is eagerly used
by almost every program you have on your computer to contact the home company for all
sorts of reasons ranging from automatic checking for updates to transmission of usage metric
data for their own proprietary purposes. The solution to this is a third-party firewall that
protects both incoming and outgoing communications.
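
The difference between a solicited reply and an unsolicited probe, and what an inbound-only firewall lets through, can be shown with a small connection-tracking filter. This is an added example, not part of the original assignment; the class, the addresses (documentation ranges) and the egress allow-list are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFilter:
    local_ip: str
    egress_allow: frozenset = frozenset()    # (ip, port) pairs this host may contact
    filter_egress: bool = True               # False models an inbound-only firewall
    flows: set = field(default_factory=set)  # connections this host opened

    def check(self, p: Packet) -> str:
        if p.src == self.local_ip:  # outbound packet
            if self.filter_egress and (p.dst, p.dport) not in self.egress_allow:
                return "DROP egress"
            # Remember the flow so its reply can be recognised as solicited.
            self.flows.add((p.dst, p.dport, p.sport))
            return "ALLOW out"
        # Inbound: solicited only if it answers a flow this host opened.
        if p.dst == self.local_ip and (p.src, p.sport, p.dport) in self.flows:
            return "ALLOW reply"
        return "DROP unsolicited"

HOST = "192.0.2.10"
# Constructed traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet(HOST, 50000, "198.51.100.7", 443),  # browser opens a site
    Packet("198.51.100.7", 443, HOST, 50000),  # the site's reply
    Packet("203.0.113.99", 40000, HOST, 22),   # probe from an unknown host
    Packet(HOST, 50001, "203.0.113.50", 443),  # application phoning home
    Packet("203.0.113.50", 443, HOST, 50001),  # reply to that call
]

def verdicts(filter_egress: bool) -> list:
    fw = StatefulFilter(HOST, frozenset({("198.51.100.7", 443)}), filter_egress)
    return [fw.check(p) for p in TRAFFIC]

if __name__ == "__main__":
    for mode in (False, True):
        print("egress filtering:", mode, verdicts(mode))
```

With egress filtering off, the probe is still dropped but the phone-home connection and its reply pass; with it on, both are blocked while normal browsing is unaffected.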

❖ Surfing leaves tracks, Cookies must be deleted.

There is little privacy or confidentiality on the Internet. Websites can track your surfing on
their site by IP address and related system information, including system names and Internet
network addresses that often uniquely identify your computer. Search engines generally
record your queries together with your computer identification, building up a profile of your
interests over time. To minimize these threats, you can turn your default browser settings to
exclude cookies, since they can be used to build up detailed profiles of your surfing patterns
over time (advertising sites with presence on many sites can even use cookies to track your
surfing patterns across different sites). You can also use networked or single-point
anonymizers to obscure all your computer’s local identifying information and obtain the
maximum available Internet privacy.
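
How one advertising host present on many sites links visits through a single cookie, and what withholding cookies from third-party hosts changes, shown over a constructed request log. This is an added example, not part of the original assignment; `site_of` is a simplified stand-in for the Public Suffix List, and all hosts and cookie values are made up.

```python
from collections import defaultdict

def site_of(host: str) -> str:
    # Simplification: last two labels. Real browsers use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

# Constructed log: (page being visited, host the request went to, cookie sent)
LOG = [
    ("news.example", "news.example", "sess=a1"),
    ("news.example", "ads.tracker.test", "uid=77"),
    ("shop.example", "shop.example", "cart=9"),
    ("shop.example", "ads.tracker.test", "uid=77"),
    ("shop.example", "cdn.shop.example", "cart=9"),
    ("blog.example", "ads.tracker.test", "uid=77"),
    ("blog.example", "fonts.static.test", None),
]

def cross_site_profiles(log, block_third_party=False):
    """Return {tracker site: {cookie: [sites visited]}} for cookies seen on 2+ sites."""
    seen = defaultdict(lambda: defaultdict(set))
    for page, host, cookie in log:
        third_party = site_of(host) != site_of(page)
        if not third_party or cookie is None:
            continue  # first-party cookies stay within one site
        if block_third_party:
            continue  # browser withholds the cookie, so nothing links the visits
        seen[site_of(host)][cookie].add(site_of(page))
    return {
        tracker: {c: sorted(sites) for c, sites in cookies.items() if len(sites) >= 2}
        for tracker, cookies in seen.items()
        if any(len(sites) >= 2 for sites in cookies.values())
    }

if __name__ == "__main__":
    print(cross_site_profiles(LOG))
    print(cross_site_profiles(LOG, block_third_party=True))
```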

❖ Posting is public.

When you post anything to a public Internet newsgroup, mailing list, or chat room, you
generally give up the rights to the content and any expectation of privacy or confidentiality.
In most countries, anything you post to a public space can be saved, archived, duplicated,
distributed, and published, even years later, by anyone in the same way as a photograph taken
in a public space like a city park. If you have ever posted anything to the newsgroups, you
might find it interesting to search them now for the email address you used at the time, which
is one reason you should disguise your email address when posting to the Usenet
newsgroups.

❖ Personal data is cross-referenced; Be aware of the privacy policy.

If you give a site personal data like an email address, home address, phone number, birth
date, or credit card number, be aware that the information can be easily cross referenced by a
range of large service companies to assemble a detailed database of your buying habits,
surfing patterns, and interests. And it usually is. If you do give a site personal information, it
is a good idea to first read their Internet privacy policy to see how confidential they promise
to keep it.

❖ Tapping; Encrypt to be Safe.

Without speculating on who or why, Internet communications interception is technically easy
to do at any of the perhaps five to twenty-five routers through which your packets are
switched on the way to their destination. Software taps are easy to add. Direct physical
interception through tapping into copper network cable near a house or in a switching station
is straightforward with inexpensive equipment and enables an eavesdropper to copy all of the
traffic that passes over the line. Radio frequency interception of the traffic on copper lines is
possible. Tapping into fiber optic line is more difficult, usually requiring a high angle bend to
get a bit of light leakage but is also technically possible. Encryption is the only sure solution.

HOW TO SECURE DATA CONFIDENTIALITY

When managing data confidentiality, follow these guidelines:

1. Encrypt sensitive files.

Encryption is a process that renders data unreadable to anyone except those who have
the appropriate password or key. By encrypting sensitive files (by using file
passwords, for example), you can protect them from being read or used by those who
are not entitled to do either.

2. Manage data access.

Controlling confidentiality is, in large part, about controlling who has access to data.
Ensuring that access is only authorized and granted to those who have a "need to
know" goes a long way in limiting unnecessary exposure. Users should also
authenticate their access with strong passwords and, where practical, two-factor
authentication. Periodically review access lists and promptly revoke access when it is
no longer necessary.

3. Physically secure devices and paper documents.

Controlling access to data includes controlling access of all kinds, both digital and
physical. Protect devices and paper documents from misuse or theft by storing them in
locked areas. Never leave devices or sensitive documents unattended in public
locations.

4. Securely dispose of data, devices, and paper records.

When data is no longer necessary for University-related purposes, it must be disposed
of appropriately.

• Sensitive data, such as Social Security numbers, must be securely erased to
ensure that it cannot be recovered and misused.
• Devices that were used for University-related purposes or that were
otherwise used to store sensitive information should be destroyed or
securely erased to ensure that their previous contents cannot be recovered
and misused.
• Paper documents containing sensitive information should be shredded
rather than dumped into trash or recycling bins.

5. Manage data acquisition.

When collecting sensitive data, be conscious of how much data is actually needed and
carefully consider privacy and confidentiality in the acquisition process. Avoid
acquiring sensitive data unless absolutely necessary; one of the best ways to reduce
confidentiality risk is to reduce the amount of sensitive data being collected in the first
place.

6. Manage data utilization.

Confidentiality risk can be further reduced by using sensitive data only as approved
and as necessary. Misusing sensitive data violates the privacy and confidentiality of
that data and of the individuals or groups the data represents.

7. Manage devices.

Computer management is a broad topic that includes many essential security
practices. By protecting devices, you can also protect the data they contain. Follow
basic cybersecurity hygiene by using anti-virus software, routinely patching software,
whitelisting applications, using device passcodes, suspending inactive sessions,
enabling firewalls, and using whole-disk encryption.

CONFIDENTIALITY: LEGAL PROVISIONS

Various provisions of the Information Technology Act provide for protection of
confidentiality of personal data and information. They are:

❖ Section 43A of the IT Act creates a liability on a body corporate (including a firm,
sole proprietorship or other association of individuals engaged in commercial or
professional activities) which possesses, deals or handles any sensitive personal data
or information in a computer resource that it owns, controls or operates to pay
damages by way of compensation, to the person affected if there is any wrongful loss
or wrongful gain to any person caused because of the negligence in implementing and
maintaining reasonable security practices and procedures to protect the information of
the person affected.

❖ Section 72A of the IT Act mentions that any person (including an intermediary) who,
while providing services under the terms of a lawful contract, has secured access to
any material containing personal information about another person, with the intent of
causing or knowing that he is likely to cause wrongful loss or wrongful gain discloses,
without the consent of the person concerned, or in breach of a lawful contract, such
material to any other person, shall be punished with imprisonment for a term which
may extend to three years, or with fine which may extend to five lakh rupees, or with
both.

❖ The IT Rules grant rights to individuals with regard to their sensitive personal
information and make it mandatory for any corporate body to publish an online
privacy policy. They also provide individuals with the right to access and correct their
information, make it mandatory for a corporate body to obtain consent before
disclosing sensitive personal information except in the case of law enforcement,
and provide individuals the ability to withdraw consent.
