Security researchers need legislative protection for responsible disclosure

Tl;dr

On Monday, we published inputs to the National Cyber Security Policy that focus on protections for security researchers. Today, we demonstrate how the absence of such protection results in tangible damage. To do so, we have studied the case of Dissent Doe, a US-based journalist who reports on data breaches. In August 2019, Dissent Doe reported that counselling-related data of 300,000 employees of 1to1Help’s corporate clients had been leaked due to a misconfigured Amazon Web Services bucket. Today, Dissent Doe is being sued by 1to1Help before the Bangalore City Civil Court. To us, this demonstrates a tangible need not only to change the National Cyber Security Policy but also to build legislative protections within the framework of the Personal Data Protection law.

Shooting the Messenger

As the community of cyber security professionals in India grows, there are often questions about what processes they should follow for vulnerability and data breach disclosures. Even when acting in good faith, such persons tread a dangerous path and face the risk of legal prosecution. Today, we illustrate a routine case which demonstrates how the absence of clear positive protections in the law prevents security researchers from doing their work to keep users of technology safe in India.

We have taken the instance of Dissent Doe, who runs a journalistic and reporting portal at databreaches.net. On 1 August 2019, Dissent Doe publicly disclosed that counselling-related data of 300,000 employees of 1to1Help’s corporate clients had been leaked due to a misconfigured Amazon Web Services bucket. 1to1Help is an Indian company that provides counselling services to employees of prominent business corporations. As per Dissent Doe's statement, the exposed data was over five years old, and it is unclear why 1to1Help continued retaining such old sensitive personal data in an unencrypted and insecure form (read more here).

Further, as per Dissent Doe, prior to making this public disclosure, they had reached out to 1to1Help multiple times and given them an opportunity to secure the data and notify the individuals whose personal data was compromised. Since 1to1Help did not respond to Dissent Doe’s initial emails, they reached out to some of 1to1Help’s corporate clients and informed them about the data breach without disclosing any personally identifiable details of the employees whose data was included in the misconfigured bucket. According to Dissent Doe, on 6 August 2019, the Bangalore City Civil Court granted an ex parte interim injunction in favour of 1to1Help (read more here).

Such litigation often arises when security researchers, vulnerability testers and journalists make responsible disclosures. Today, there is a lack of proper legal protections, defined processes and a duty on entities that hold personal data to make proactive disclosure. Out of concern, we are issuing a short statement and also calling for wider support for the legal fixes that are urgently needed to safeguard the privacy and security of users' personal data and to hold those who possess it accountable.

Bug Bounties, not Vexatious Lawsuits

We are concerned by legal action against security researchers and journalists who make responsible disclosures of data breaches. To us, such prosecutions, of which there are several public instances including that of Dissent Doe, undermine the security of Indian internet users. Security researchers and journalists who report data breaches perform a vital function by exposing vulnerabilities that need fixing. Good faith vulnerability research and disclosure is necessary to limit the damage caused by a data breach and to take corrective steps. This is why leading technology companies around the world provide recognition and rewards to security researchers who report vulnerabilities through bug bounty programmes.

Unfortunately, as this article notes, despite rapidly digitizing its infrastructure, India still has a long way to go in recognizing the value of good faith vulnerability disclosure. Despite their sizeable numbers, Indian security researchers are wary of reporting vulnerabilities because they fear being sued. Instead, security researchers based abroad tend to break these stories because they are safely outside the jurisdiction of Indian courts. This excessive reliance on foreign security researchers, who have little accountability before the domestic legal system, can have national security implications, and it is in our own interest to cultivate an indigenous security research community.

In India, security researchers are constantly at risk of legal action because Section 43 of the Information Technology Act, 2000 penalizes anyone who accesses a computer resource without the permission of its owner, and it draws no distinction between malicious hackers and ethical security researchers. Instances like Dissent Doe's exemplify the urgent need for law reform in India. To promote good faith vulnerability disclosure, Parliament must not only amend the Information Technology Act, 2000 but also look towards making suitable policy and regulatory frameworks within the field of data protection.

The present draft of the Personal Data Protection Bill, 2019 falls short on this aspect because it only obligates data controllers to report data breaches to the Data Protection Authority; there is no requirement to notify the data subject whose personal data has been compromised. In contrast, the Personal Data and Information Privacy Code Bill, 2019, introduced by Dr. Ravi Kumar as a private member’s bill, obligates the data controller to notify the data subject in addition to the relevant authorities.

Until these legislative changes are made by Parliament, we urge companies like 1to1Help to recognize the importance of vulnerability disclosure as a responsible business practice and to work with security researchers instead of threatening them with legal action.

Important Documents:

  1. Personal Data and Information Privacy Code Bill, 2019 introduced by Dr. Ravi Kumar (link)
  2. Personal Data Protection Bill, 2019 introduced by the Govt. (link)