[Readmelater]

‘Data Breach Affects Women More, Has Chilling Effect On Their Online Participation’

Data breaches not only violate digital boundaries, but also have real-world consequences that disproportionately affect women and marginalised groups, says Radhika Roy of the Internet Freedom Foundation

There have been multiple instances of significant data breach in recent times. Consider these:

  • There have been over 6,000 attempts at hacking the servers of the Indian Council for Medical Research since 2022.
  • The massive data breach in October this year – the personal information of approximately 815 million Indians is reportedly available on the Dark Web for sale – is suspected to be the biggest data leak in the country’s history. It is expected to be investigated by the Central Bureau of Investigation.
  • In September, cybersecurity researchers found that the official website of Jharkhand’s Ministry of AYUSH in Jharkhand had been breached, exposing over 320,000 patient records on the dark web.

To deal with this and other data issues, rules on collecting and processing digital personal details have been laid down in the Digital Personal Data Protection Act, 2023. The act establishes strict guidelines to ensure data fiduciaries’ responsibility while handling sensitive information and imposes high monetary penalties for noncompliance.

Data breach impacts people in several ways but it affects women and marginalised groups disproportionately, in more challenging ways, as per the study Why Gender Matters in International Cyber Security. It also points out that societal norms, gender-specific vulnerabilities, and cultural expectations spill into the digital space.

What are the gendered impacts of data breach? And will the new act make a difference? For answers to these questions we speak to Radhika Roy, associate legal counsel at Internet Freedom Foundation (IFF). She points out that the breaches have not only exposed universal vulnerabilities – financial instability, psychological distress, and privacy concerns – but also highlighted and exacerbated existing societal and gender inequalities. The DPDA, 2023, she adds, only has the illusion of accountability because it exempts various functions and instrumentalities of the government.

Here are the excerpts from the Behanbox interview:

In the case of data breaches that affect government websites such as the UIDAI, who is to be held responsible? Can the government be held accountable?

As per Section 43A of the IT Act, 2000, it is only a “body corporate” that can be held liable when a data breach occurs. Government-controlled websites like that of UIDAI do not fall under the definition of “body corporate” and hence, cannot be held accountable. This provision is, however, done away with in the newly promulgated Digital Personal Data Protection Act, 2023, which has sufficient provisions dealing with the aspect of data breach. So, while there is an illusion of accountability under the Act, the fact that its Section 17 exempts various functions and instrumentalities of the government from the application of the Act, implies that the government is likely to not be held accountable.

The Digital Personal Data Protection Act, 2023 has provisions for data fiduciary, the organisation that determines data processing, compliance and grievance redressal. Will this help deter data breaches? 

To some extent, yes. The Act extensively deals with the aspect of data breaches and the mechanism that must be adopted if they occur. Not only is it imperative to inform the affected user immediately, but the data fiduciary is also obligated to take immediate concrete steps to ensure that the risks associated with the breach are mitigated.

However, the provisions under the act are not as strict as they appear. In case a data fiduciary is found guilty of a data breach, they may escape the consequences by providing a voluntary undertaking, stating the actions they intend to take to rectify their mistake and a timeframe for the same. This voluntary undertaking undermines the sanctity of the compliance and grievance redressal mechanism, and dilutes its effectiveness in ensuring that data breaches do not take place.

Where are the failures of our current regulatory mechanisms? What additional safeguards should be put in place in regulations and laws?

The failure of our current regulatory mechanisms resides in the poor enforcement of the laws in place. In the name of ensuring that the ease of doing business remains intact, policy makers sideline the very real consequences of laxity in the functioning of these entities. Securing data costs a lot of money, and policy makers undermine how profit drives data fiduciaries whose sole focus is on cutting corners on protecting the data that they have collected. Add to this the lack of enforcement or just a slap on the wrist punishment when compliance is not adhered to. This allows errant data fiduciaries to escape responsibility. Rather than safeguards, there needs to be a clear understanding that the protection of the data of the person to whom it belongs (data principal) is of utmost priority.

How has the recent data breach exposing the private information of millions of Indians affected women and other marginalised groups?

Given the precarious nature of the positioning of women and other marginalised groups in society and how vulnerable they are to physical and verbal abuse, data breaches can pose specific challenges and risks to them. For instance, if the data collected by a dating app which caters to queer persons is leaked and revealed, such loss of privacy and public exposure can have real life repercussions to the extent that it can reveal their identity to persons with whom they do not wish to share the same. It can lead to societal ostracisation, job loss, and even family rejection, thereby causing mental trauma. Similarly, such data leaks can also place marginalised groups in the way of harm by revealing to perpetrators the location/identity, etc. of the persons involved. Women’s sensitive personal data may be made available to ex-partners or other untoward persons, and even lead to physical harm.

Studies indicate that women are at higher risks of gender-based violence and harassment due to data breaches. What are these risks?

Technology-facilitated gender-based violence is on the rise. Technology and its deployment and usage replicates the physical world, and the violence that is perpetrated against marginalised communities is replicated in the online world. Moreover, as technology develops, the ways to harass these communities also develop. As you can see, with deep fakes coming into play, many videos targeting women and other marginalised communities have increased exponentially. Similarly, as I had explained before, being at a higher risk of online harms (which inevitably flows from discrimination and exclusion in the physical world), marginalised communities disproportionately face the consequences of such breaches. It can lead to cyber harassment and stalking; it can lead to revenge porn, sexual exploitation; it can lead to doxxing and online hate speech. Such consequences lead to the reduced participation of marginalised communities in the online community, thereby affecting their financial independence, job opportunities, freedom of speech and expression, etc.

There have been health data breaches, like the one in the case of ICMR or the cyberattack on AIIMS database, which exposed health records of millions of Indian citizens. Could you discuss how such breaches could impact women’s reproductive health choices and their trust in healthcare systems?

For this, we need to go to the very beginning of the story — which is that women are statistically less financially independent than their male counterparts which leads to disproportionate access to opportunities and facilities, which includes access to the internet. Further, when it comes to discussing and making reproductive health choices, women are sceptical due to the nature of judgement and treatment that may be meted out by healthcare service providers.

However, online healthcare services, with their promises of anonymity, quick access to healthcare services as well as reduced interaction between the patient and the doctor, have allowed slight bridging of the gap. This may be undone in the event that a data breach occurs which has the potential of leading to physical violence. If a woman has trusted an online healthcare service and her data has been leaked, it could lead to ostracisation, reputational damage and even violence. And scepticism and non-usage of these services may lead to women being unaware of consequences of health ailments as well as their rights, which can again be harmful for women.

Considering the compromised sensitive information, including Aadhaar and passport details, how might this breach undermine the safety, autonomy, and freedom of women?

The leaking of sensitive information like those in Aadhar and passport details as also voter IDs on the dark web allows nefarious characters to easily be able to track and locate their targets. As I had mentioned before, the dangers of the real-world are replicated in the online space. Technology is making it easier for stalkers to track and target women. With the increase in AI-based image recognition allowing any person to be able to find out your details coupled with the frequent data-leaks make it easy for any random stranger to be able to find out your place of work and home address even if the same has not voluntarily been shared online. Women, like mentioned before, have always been and will continue to be more vulnerable to instances of stalking. Data breaches further endanger women’s security and safety.

Do frequent data breaches affect women’s participation in the online world? 

Data breaches in the online world would inevitably have real-world impacts. They can expose personal information, making individuals more vulnerable to identity theft, cyberstalking, or harassment. Women are already at a substantially higher risk of online stalking and harassment. Frequent data leaks lead to an erosion of trust for all online users but it is bound to have a worse effect on women being specifically vulnerable to these activities.

Women, in particular, may be targeted, leading to a chilling effect on their online participation. Fear of harassment may discourage women from engaging in online discussions, social media, or other internet activities. It can stifle their voices and disable them from expressing their opinions and seeking community support.

Furthermore, data breaches can have significant economic impact which would inevitably be felt more by small businesses. The economic downturn during Covid saw a lot of home-makers set up online businesses in order to support their families. Data leaks affecting nascent businesses are bound to discourage these new entrants from taking further risks to further build up their businesses. The lack of social backing and support centres for women who are only recently entering into businesses will discourage them from seeking avenues for financial independence.
The consequences of data breaches can also exacerbate existing gender inequalities. For example, if women are disproportionately affected by online harassment or if their businesses are more severely impacted, it can contribute to a widening gender gap in the digital space.

In what ways do societal expectations, cultural norms, and gender-specific vulnerabilities create distinct challenges for women and marginalised genders in responding to and recovering from data breaches?

Societal expectations and cultural norms may lead to victim-blaming, especially in cases of privacy violations. Women and other marginalised genders may face additional scrutiny, judgement or stigma, making it more difficult for them to approach law enforcement agencies, or even seek familial or institutional support. Breaches that lead to intimate information being revealed may also deter such individuals from disclosing incidents to family in order to prevent reputational damage. It also needs to be borne in mind that given the skewed access to resources such as education/money/internet access, etc., women and marginalised genders may face difficulties in accessing legal support and it may hinder their ability to navigate the aftermath of a data breach effectively.

What policy measures are necessary to address the gendered implications of data breaches?

It is critical to ensure a secure online environment, regardless of gender, and to promote respectful  interactions. Organisations, social media, and law enforcement all play important roles in combating online gender-based violence as well as providing support to those affected. This requires a comprehensive strategy that takes into account cultures, raises awareness, and provides inclusive assistance.

It’s crucial to create a safer digital environment for everyone, irrespective of their gender, and to promote respectful and inclusive online interactions. Organisations, social media platforms, and law enforcement agencies play significant roles in combating online gender-based violence and providing support to those affected. Addressing these challenges requires a comprehensive approach that considers cultural contexts, promotes awareness, and provides inclusive support mechanisms. Efforts should focus on destigmatising the experience of data breaches, providing education on cybersecurity, and creating safe spaces for reporting and seeking assistance. Additionally, legal frameworks and support services should be designed to be sensitive to the diverse needs of women and marginalised genders.

What about community initiatives?

Widespread education and awareness campaigns are the need of the hour as they can help in raising awareness about the specific risks and challenges faced by marginalised communities in the context of data breaches. Such campaigns can also talk about online safety, best cybersecurity practices as well as the steps one must take in the event that their information surfaces in a data breach. Digital literacy programmes may also be conducted that can educate marginalised communities on how they must develop skills to navigate online spaces securely as well as how they can recognise and effectively respond to potential threats to their privacy.
Given the stigmatisation that may arise after data breaches, community forums and support groups can be formed where individuals can share their experiences, seek advice, and receive emotional support in a safe and understanding environment.

  • Divya Tiwari is a multimedia journalist with Behanbox. She is a documentary filmmaker with a keen interest in partition literature.

Malini Nair (Editor)

Malini Nair is a consulting editor with Behanbox. She is a culture writer with a keen interest in gender.

Support BehanBox

We believe everyone deserves equal access to accurate news. Support from our readers enables us to keep our journalism open and free for everyone, all over the world.

Donate Now