DataBreaches.Net


Security researchers — and journalists — need legislative protection in India for disclosing vulnerabilities

Posted on January 19, 2020 by Dissent

If there is anything positive at all about the legal bullshit 1to1Help.net has perpetrated to cover up their data leak and to deflect blame, it is the support I have received from the Internet Freedom Foundation in India. But before diving into that more, a quick update on 1to1Help’s shameful litigation:

After reading the court filings, my U.S. counsel wrote to 1to1Help’s counsel. My counsel’s letter said that they were not representing me in India (they can’t do that), but they wanted 1to1Help to understand that there was no extortion attempt at all, and that perhaps 1to1Help just misunderstood some email. So they told 1to1Help about my long history of blogging and privacy advocacy, that I am a healthcare professional in my own right and the author of books and medical articles, and that my work is respected by my colleagues. And they characterized the email chain properly.

Now you might think that once 1to1Help was handed a cluestick telling them that they had made a huge mistake accusing me of anything like extortion, 1to1Help would then — at the very least — withdraw their civil suit and apologize for any defamatory claims about extortion.

They did neither. I will leave you to draw your own conclusions from that.

India Needs Laws That Support Responsible Disclosure and Transparency

It’s time for India to start protecting those who are trying to improve data protection and STOP protecting entities who try to cover up their security failures. Every day I receive requests from researchers to make notifications about their findings while shielding their identity from the firms being notified.

When companies can use their resources to legally harass researchers and journalists — as 1to1Help has done with me — why should researchers ever try to warn entities at all? Maybe researchers should all just keep their mouths shut and if criminals find the data and misuse it, the victims can also blame 1to1Help and every company who discourages responsible disclosure by threatening or falsely accusing those who are trying to help protect data.

There has been no disclosure notice on 1to1Help.net’s website, and I am guessing that none of the almost 300,000 people who had personal information exposed were individually notified — especially not those who had their sensitive counseling records exposed.

Note that I am not accusing 1to1Help of illegal conduct for failing to notify anyone of the data leak, because there is no law requiring notification. And that is part of the problem. Indian law needs to require notification.

Taking a Stand in India

One strong and unwavering source of support for digital civil liberties and privacy protection in India is the Internet Freedom Foundation. 

They issued statements this past week with feedback on current legislative proposals in India, and then a second statement on the need to provide more protection for researchers and journalists. They used my case as a case in point.

From their statement:

In India, security researchers are constantly at risk of legal action because Section 43 of the Information Technology Act, 2000 penalizes anyone who gains unauthorized access to a computer resource without permission of the owner, and it fails to draw a distinction between malicious hackers and ethical security researchers. Instances like Dissent Doe’s exemplify the urgent need for law reform in India. To promote good faith vulnerability disclosure, the Parliament must not only amend the Information Technology Act, 2000 but also look towards making suitable policy and regulatory frameworks within the field of data protection.

The present draft of the Personal Data Protection Bill, 2019 falls short on this aspect because it only obligates data controllers to report data breaches to the Data Protection Authority and there is no requirement to notify the data subject whose personal data has been compromised. In contrast, the Personal Data and Information Privacy Code Bill, 2019 introduced by Dr. Ravi Kumar as a private member’s bill obligates the data controller to notify the data subject in addition to the relevant authorities.

Till these legislative changes are made by the Parliament, we urge companies like 1to1Help to recognize the importance of vulnerability disclosure as a responsible business practice and work with security researchers instead of threatening them with legal action.

Well said, although I do not really hold out hope that 1to1Help will publicly disclose, apologize, and mend their ways. Which is why I will continue to ignore the court’s injunction and name them and discuss their data leak. We should not allow companies to benefit from their lack of transparency about data security incidents and vulnerabilities. And I do not recognize any authority a civil court in India might think it has to tell me what I can publish in the U.S. I hope U.S. organizations who care about press freedom and the First Amendment will speak up on this case because of the threat that if India gets away with censoring my site or trying to censor it, what other American news sites or media outlets will they try to control or censor next? Should India get to dictate our reporting here? How about France? Germany?

DataBreaches.net is just a small site. But I shouldn’t be the only one standing up to 1to1Help.net and a civil court in India for press freedom.

You can read InternetFreedom.in’s full statement here.

