Security researchers — and journalists — need legislative protection in India for disclosing vulnerabilities
If there is anything positive at all about the legal bullshit 1to1Help.net has perpetrated to cover up their data leak and to deflect blame, it is the support I have received from the Internet Freedom Foundation in India. But before diving into that more, a quick update on 1to1Help’s shameful litigation:
After reading the court filings, my U.S. counsel wrote to 1to1Help’s counsel. My counsel’s letter said that they were not representing me in India (they can’t do that), but they wanted 1to1Help to understand that there was no extortion attempt at all, and that perhaps 1to1Help just misunderstood some email. So they told 1to1Help about my long history of blogging and privacy advocacy, that I am a healthcare professional in my own right and the author of books and medical articles, and that my work is respected by my colleagues. And they characterized the email chain properly.
Now you might think that once 1to1Help was handed a cluestick telling them they had made a huge mistake accusing me of anything like extortion, they would then — at the very least — withdraw their civil suit and apologize for any defamatory claims about extortion.
They did neither. I will leave you to draw your own conclusions from that.
India Needs Laws That Support Responsible Disclosure and Transparency
It’s time for India to start protecting those who are trying to improve data protection and STOP protecting entities who try to cover up their security failures. Every day I receive requests from researchers to make notifications about their findings while shielding their identity from the firms being notified.
When companies can use their resources to legally harass researchers and journalists — as 1to1Help has done with me — why should researchers ever try to warn entities at all? Maybe researchers should all just keep their mouths shut and if criminals find the data and misuse it, the victims can also blame 1to1Help and every company who discourages responsible disclosure by threatening or falsely accusing those who are trying to help protect data.
There has been no disclosure notice on 1to1Help.net’s website, and I am guessing that none of the almost 300,000 people who had personal information exposed were individually notified — especially not those who had their sensitive counseling records exposed.
Note that I am not accusing 1to1Help of illegal conduct for failing to notify anyone of the data leak, because there is no law requiring notification. And that is part of the problem. Indian law needs to require notification.
Taking a Stand in India
One strong and unwavering source of support for digital civil liberties and privacy protection in India is the Internet Freedom Foundation.
They issued a statement this past week with feedback on current legislative proposals in India, and then a second statement on the need to provide more protection for researchers and journalists. They used my case as a case in point.
From their statement:
In India, security researchers are constantly at risk of legal action because Section 43 of the Information Technology Act, 2000 penalizes anyone who gains unauthorized access to a computer resource without permission of the owner, and it fails to draw a distinction between malicious hackers and ethical security researchers. Instances like Dissent Doe’s exemplify the urgent need for law reform in India. To promote good faith vulnerability disclosure, the Parliament must not only amend the Information Technology Act, 2000 but also look towards making suitable policy and regulatory frameworks within the field of data protection.
The present draft of the Personal Data Protection Bill, 2019 falls short on this aspect because it only obligates data controllers to report data breaches to the Data Protection Authority and there is no requirement to notify the data subject whose personal data has been compromised. In contrast, the Personal Data and Information Privacy Code Bill, 2019 introduced by Dr. Ravi Kumar as a private member’s bill obligates the data controller to notify the data subject in addition to the relevant authorities.
Till these legislative changes are made by the Parliament, we urge companies like 1to1Help to recognize the importance of vulnerability disclosure as a responsible business practice and work with security researchers instead of threatening them with legal action.
Well said, although I do not really hold out hope that 1to1Help will publicly disclose, apologize, and mend their ways. Which is why I will continue to ignore the court’s injunction and name them and discuss their data leak. We should not allow companies to benefit from their lack of transparency about data security incidents and vulnerabilities. And I do not recognize any authority a civil court in India might think it has to tell me what I can publish in the U.S. I hope U.S. organizations who care about press freedom and the First Amendment will speak up on this case, because if India gets away with censoring my site, or trying to, which other American news sites or media outlets will it try to control or censor next? Should India get to dictate our reporting here? How about France? Germany?
DataBreaches.net is just a small site. But I shouldn’t be the only one standing up to 1to1Help.net and a civil court in India for press freedom.
You can read InternetFreedom.in’s full statement here.