DATA PRIVACY IN SOCIAL MEDIA PLATFORM:

ISSUES AND CHALLENGES

SAKSHI REWARIA

ABSTRACT

“Even though society as a whole is increasing the amount of personal information available
to the public, there is still an expectation of privacy. People believe, sometimes falsely, that
they can control the personal information they hold out to the public by determining who can
access the information and how the information will be used. It is extremely challenging to
define a fluid concept like privacy because it touches almost every aspect of a person and
society to one degree or another.” - Daniel J. Solove

With over 1 billion users connected through online social media, user confidentiality is
becoming even more important and is widely argued in the media and researched in academia.
Social networking sites are a powerful and fun way to communicate with the world. The
Internet is a safe place only for those people who are aware of the risks and of security, and
can take steps to protect themselves, so the best solution is to learn. Social media is a good
service because it lets you share what you actually want to share, but it can also be used for
negative purposes, and in both cases you are responsible for your security. Protection and
preventative techniques are not very difficult, but you need to be careful while you are on the
Internet. In this paper we provide a brief overview of some threats to users’ privacy. We
classify these threats as: users’ block, design pitfall and limitations, implicit flows of
information, and clash of stimulus. We also describe the privacy and security issues
associated with social network systems.

INTRODUCTION

Electronic copy available at: https://ssrn.com/abstract=3793386


Social media are a source of communication between the data owner (data generator) and
viewers (end users) for online communications that create virtual communities using online
social networks (OSN). A social network is a social graph that represents a relationship
among users, organizations, and their social activities. These users, organizations, groups,
etc., are the nodes, and the relationships between the users, organizations, groups are the
edges of the graph. An OSN is an online platform used by end users to create social networks
or relationships with other people that have similar views, interests, activities, and/or real-life
connections. A large number of different types of social-networking services are available in
the current online space.

The level of human connectivity has reached extraordinary levels with over 1 billion people
using one or more online social networks including Facebook, Twitter, YouTube, and
Google+. The enormous amount of data provided and shared on these social networks may
include the following information about a user: personal details, current address, hometown,
email addresses, instant messenger usernames, activities, interests, favourite sports, favourite
teams, favourite athletes, favourite music, television shows, games, languages, religious
views, political views, inspirations, favourite quotations, service users history, education
history, relationship status, family members, and software applications. The user also
provides updates in the form of status information or Tweets, which could include: a thought,
an act, a link they want to contribute, or a video. All this information reveals a lot about the
user, which will be of interest to various groups.

Social networks, due to many such unfavourable incidents, have been blamed for breaching
the privacy of their users. Both in academia and in the media, the importance of a user’s
confidentiality has been rarely discussed. In addition to some proposed technical solutions,
there have been a huge number of initiatives to educate users so that they do not provide an
excessive amount of personal information.

Furthermore, social network information is now being correlated with users’ physical
locations, allowing information about users’ preferences and social relationships to interact in
real-time with their physical environment. This fusion of online social networks with real-
world mobile computing has created a fast growing set of applications that have unique
requirements and unique implications that are not yet fully understood.

The following are some of the common features in social-networking sites1:

a) Connectedness: This attribute showcases the media’s ability to connect and reconnect
like-minded people or people interested in same topics and domains. Through this
media, 24*7 connectedness is possible through a variety of media and access devices
including PCs, Laptops, mobile phones etc. Individuals re-tweeting & following other
people’s comments and status and updating their own account at all hours are
examples of this attribute.

b) Collaboration: The connections achieved on this media enable people to collaborate
and create knowledge. Such collaborations can be either open or closed. Wikipedia is
an example of open collaboration, which enabled creation of an open web based
encyclopedia through contribution from hundreds of thousands of people. GovLoop is
an example of closed collaboration wherein expert groups contribute on specific
policy matters.

c) Community: Connectedness and collaboration help create and sustain communities.
These communities can create awareness about various issues and can be used for
seeking inputs into policy making, building goodwill or even seeking feedback into
delivery of public services.

TYPES OF SOCIAL NETWORK SITES

Let's have a brief introduction to the types of social networking sites2.

a) Social Networking Sites: Facebook, Twitter, LinkedIn, Google+, MySpace.
Micro-blogging is similar to blogs: it is a micro journal of what is happening right now,
where people share what is going on in their individual life or information the individual
wants to share. In general terms these sites allow users to add friends, send messages and
share content.

1 Abdullah Al Hasib. Threats of online social networks. IJCSNS International Journal of Computer Science and
Network Security
2 Kaplan, A.M.; Haenlein, M. Users of the world, unite! The challenges and opportunities of Social Media. Bus.
Horiz. 2010

b) Social Media Sharing Sites: Instagram, Flickr, Photobucket and Picasa for photo sharing,
and YouTube, Vimeo, SoundCloud, MySpace, etc. These social networking sites allow
users to easily share video and photography content online. Photo sharing sites allow
people to upload photos to share either privately with only selected other users or
publicly. Creative Commons licensing rights can grant permissions for others to use
the photos by simply embedding the codes in their blogs.

c) Location Based Networks: Foursquare, Gowalla, Loopt. Typically accessed via
smartphones, these are applications rather than social networking sites and feature
check-in capabilities so that users can, if they choose, share their location with their
social connections.

In the present era of information technology and globalization of trade and commerce, no one
can stay away from the impact of information and technologies. The use and application of
new technology also has certain transitional and legal implications in terms of the controls
and regulations being framed for it.

The privacy laws in India are comparatively weak because of the absence of comprehensive
legislation, but the reality is somewhat different. It is to be argued that this unquestioned
assumption has been based on a paradigm which does not take into consideration that the
conception of privacy in India is a bit different from the Western conception of the same
right.

Firstly, ‘privacy’ refers to privacy in terms of personal space, and subjects are included in
the Indian perspective.

Secondly, what is believed to be protected, what is protected, and what is not protected in
terms of privacy is still not clear even in Western ideology. In the course of this paper, it
is further argued that one’s private sphere is subjective and depends on one’s culture,
environment, and economic condition. The view that, while privacy is an important interest,
it must also be balanced against other competing interests is common among the theorists and
the advocates of privacy. Hence, instead of looking at privacy as a right, refer to privacy as
an interest that can be invaded for ‘social good.’

PRIVACY AND SECURITY ISSUES

The main goal of Online Social Networks (OSNs) is to share contents with maximum users.
Users utilize OSNs, such as Facebook, Twitter, and LinkedIn, to publish their routine
activities. Sometimes, OSN users share information about themselves and their lives with
friends and colleagues. However, in these published data, some of the revealed contents
through the OSN are private and therefore should not be published at all. Typically, users
share some parts of their daily life routine through status updates or the sharing of
photographs and videos. Currently, various OSN users utilize smart phones to take pictures
and make videos for sharing through OSNs. These data can have location information and
some metadata embedded in them.

OSN service providers collect a range of data about their users to offer personalized services,
but it could be used for commercial purposes. In addition, users’ data may also be provided to
third parties, which leads to privacy leakages. This information can allow malicious users to
leverage and invade the privacy of an individual. Information retrieval and data privacy are
two growing areas in computer-science disciplines that have different goals. Information
retrieval provides methods for data extraction. It also offers a set of techniques to an
organization for data analysis and making decisions based on this retrieved information.

Data privacy protects information from unauthorized and malicious access that discloses,
modifies, attacks, or destroys the data stored or shared online. For example, researchers
related to information retrieval sometimes do not consider privacy issues while designing
solutions for information retrieval and management. On the other hand, researchers who work
on data privacy usually restrict information-retrieval techniques to protect sensitive data from
adversaries who seek personal information.

With the emergence of social media and the growing popularity of online communication
using OSNs, more sensitive information about individuals is available online. Though much
of the data that are shared through OSNs are not sensitive, some users publish their personal
information. Thus, the availability of publicly accessible sensitive data can lead to the
disclosure of user privacy. The privacy of users is at more risk when publicly available data
can be traced, and their activities can be connected with these data for mining and extracting
sensitive information from it.

IMPACT ON SOCIAL NETWORK

The growth of social networks has exploded over the last year. In particular, usage of
Facebook has spread internationally and to users of a wide age range. ‘Uber’ knows our
whereabouts and the places we frequent. ‘Facebook’, at the least, knows who we are friends
with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.
Social network providers, search engines, e-mail service providers and messaging applications
are all further examples of non-state actors that have extensive knowledge of our movements,
financial transactions, conversations both personal and professional, health, mental state,
interests, travel locations, fares and shopping habits. It becomes a serious matter of privacy
on a global basis.

In India, this matter had huge repercussions when a 3-Judge Bench of the apex Court of India
was dealing with the Aadhaar card scheme. Under the said scheme, the Government of India
collects and compiles both demographic and biometric data of the residents of this country to
be used for various purposes. One of the grounds of attack on the said scheme is that the very
collection of such data is violative of the “Right to Privacy”. The issue of the right to
privacy in the emerging digital era becomes a serious matter not only for the individual but
also for national security in all its dimensions, such as the economy, defence, finance,
health, etc.

The increasing sophistication of information technology with its capacity to collect, analyse
and disseminate information is posing significant threats to social network users’ privacy. It
is now common wisdom that the power, capacity and speed of information technology are
accelerating rapidly.

Privacy invasion, or certainly the potential to invade privacy, increases correspondingly. Many
social networks can be broken up into many categories and most networks fall into more than
one category. Every minute of the day:

1. 100,000 tweets are sent
2. 684,478 pieces of content are shared on Facebook
3. 2 million search queries are made on Google
4. 48 hours of video are uploaded to YouTube
5. 47,000 apps are downloaded from the App Store
6. 3,600 photos are shared on Instagram
7. 571 websites are created.3

3 “Facebook statistics,” http://www.facebook.com/press/info.php?statistics.

PRIVACY

On the Internet, privacy, a major concern of users, can be divided into these concerns:

a) What personal information can be shared with whom
b) Whether messages can be exchanged without anyone else seeing them
c) Whether and how one can send messages anonymously

Most Web users want to understand that personal information they share will not be shared
with anyone else without their permission. Information privacy, or data privacy (or data
protection), is the relationship between collection and dissemination of data, technology, the
public expectation of privacy, and the legal and political issues surrounding them. Privacy
concerns exist wherever personally identifiable information or other sensitive information is
collected and stored – in digital form or otherwise. Improper or non-existent disclosure
control can be the root cause for privacy issues.

Definitions of Privacy

There is no one recognized definition of confidentiality in academia or in government circles.
Over the course of time several definitions have been put forward. In this section we look into
some of those definitions. One of the first definitions of confidentiality, by Aristotle4, makes
a distinction between political activity as public and family as private. Implied here is a
barrier that might be suggested by the walls of a family house, an assumption which is made
explicit, though also modified, in a far more recent definition, that of Associate Justice John
Paul Stevens of the US Supreme Court. Here, the home is not the exclusive locus of privacy,
but is, rather, the informing image or design in light of which privacy in other contexts may
be interpreted. This is an interesting definition. The Internet has managed to blur the
boundaries that would have been suggested by the walls of a house.

However, privacy on the Internet is a more complex affair than physical metaphors of
intrusion and exposure can capture alone. Defence against publication of private information
can protect against the exposure of that information, but what if it is used instead to produce
targeted advertisements, with no publication?

William Parent provides a definition of privacy which does not rest on an implicit physical
dimension, as follows: Privacy is the condition of not having undocumented personal
knowledge about one possessed by others. A person’s privacy is diminished exactly to the
degree that others possess this kind of knowledge about him.

This definition rests on the notion of “informed consent” as defined by Aristotle. Any
information about another person needs documentary evidence. An idea of privacy breach
understood in these terms thus remains very valid in the era of cloud computing.

4 Privacy: Stanford Encyclopedia of Philosophy, 2002

Privacy concerns regarding Social Media Sharing Services

Social media sharing services are services which allow their users to generate and share
different types of content. YouTube and Vimeo are examples of sharing services for video
and audio, Instagram and Flickr are the ones for sharing photos, and there are many more.
However, the aim of this paper is not to go in depth into what kinds of different sharing
service providers, platforms, apps, etc. there are on the market but to discuss the privacy
issues that arise with sharing different kinds of content on these networks. Posting content
such as pictures and video raises new privacy concerns because their context reveals details
about the physical and social context of the subject.

The growing amount of online personal content exposes users to a new set of privacy
concerns. Digital cameras, and lately, a new class of camera phone applications that can
upload photos or video content directly to the web, make publishing of personal content
increasingly easy. Privacy concerns are especially acute in the case of multimedia
collections, as they could reveal much of the user’s personal and social environment.

Commonly, users do not think about or are not even aware of the risks when they share
something online. The reality, however, is that once the statement is typed, it can be copied,
saved and forwarded. In addition, the user no longer owns all the information posted to social
networks. “So if you’re using Gmail or Yahoo mail or Flickr or YouTube or belong to Facebook
you’ve given up complete control of your personal information.” Video and photo sharing
services can pose a great threat especially for teenagers and youngsters, due to their
vulnerability. Although. However it is important to mention that there have been a number of
cases when youngsters have been harassed by paedophiles online and these cases have also
led to suicide.

Location based social networks and privacy

Location based social networks are part of what is called Location based services
(LBS). They are made possible by linking the Global Positioning System (GPS), which tracks
the user’s location, to the capabilities of the World Wide Web, along with other vital features
such as instant messaging.

Location-Based Social Networks (LBSN) derive from LBSs and are often referred to as
Geosocial Networking. As reported in Microsoft Research “a LBSN does not only mean
adding a location to an existing social network so that people in the social structure can share
location-embedded information, but also consists of the new social structure made up of
individuals connected by the interdependency derived from their locations in the physical
world as well as their location-tagged media content, such as photos, video, and texts”

Further, the connection between users goes beyond sharing physical locations and also
involves sharing knowledge like common interests, behaviour, and activities.5 Such pervasive
tools represent a challenge to privacy. LBSN users face the situation that the information
they publish on such platforms could be used to track them, leading to unwanted situations
like being the victim of stalking. Privacy advocates fear that Foursquare, along with other
geolocation apps Gowalla and Google Latitude, is vulnerable to "data scraping", namely, the
sophisticated trawling and monitoring of user activity in an effort to build a rich database of
personal information. Specifically, the rise of applications designed to function as
venue information aggregators can potentially represent a major threat to privacy and
LBSN. Another related issue is known as ‘opt-in’ vs ‘opt-out’ default settings. An opt-in
scenario refers to having default settings where a platform requires the user to join or sign
up to a specific given service in order to receive the benefits of it. The provider is then
granted permission to access the user's data and to offer the service.

SECURITY

In addition to privacy concerns, social networking sites can be used by cyber criminals to
attack you or your devices.

5 Lindamood, J., Heatherly, R., Kantarcioglu, M., Thuraisingham, B.M.: Inferring private information using social
network data

Productivity

One reason organizations are wary of social networking in the workplace is the fact that
workers spend a great deal of time updating their profiles and sites throughout the day. If
each worker in a 50-strong workforce spent half an hour on a social networking website
daily, that would work out to a loss of 6,500 hours of productivity in one year!

Though this may be a generalization, organizations look very carefully at productivity
problems, and 25 hours of non-productive work per day does not go down well with
management. Once you factor in the average wage per hour you get a much better (and
decisive) picture. There is also an impact on company morale. Workers do not
appreciate colleagues spending hours on social networking sites (and others) while they are
working to cover the workload. The impact is more pronounced if no action is taken
against the abusers.

Resources

Although updates from sites like Facebook or LinkedIn might not take up immense amounts
of bandwidth, the availability of (bandwidth-hungry) video links posted on these
sites creates problems for IT administrators. There is a cost to web browsing, particularly
when high levels of bandwidth are needed.

Viruses and Malware

This threat is often overlooked by organizations. Hackers are drawn to social
networking sites because they see the potential to commit fraud and launch spam and
malware attacks. There are more than 50,000 applications available for Facebook
(according to the company) and while Facebook may make every effort to provide
protection against malware, these third-party applications might not all be safe. Some have
the potential to be used to infect computers with malicious code, which in turn may
be used to collect data from that user’s site. Messaging on social
networking sites is also a concern, and the Koobface worm is just one
example of how messages are used to spread malicious code and worms.

Social Engineering

Social engineering is becoming an art, and more and more individuals are
falling victim to online scams that appear genuine. This can lead to data theft or fraud.
Users may also be convinced to give personal details like social insurance numbers,
employment details and so on. By collecting such information, data theft becomes a
significant risk. On the other hand, people have a habit of posting details in their
social networking profiles. While they would never disclose certain information when meeting
somebody for the first time, they see nothing wrong with posting it online for all to
see on their profile, personal blog or other social networking site account.
This data can often be mined by cyber criminals.

Reputation and Legal Liability

At the time of writing, there have been no major corporate lawsuits involving evidence from
social networking sites. As an example, one young worker wrote on her profile that her job was
boring and shortly received her marching orders from her boss. What if a dissatisfied worker
decided to complain about a product or the company’s inefficiencies in his or her profile?
There are serious legal consequences if workers use these sites and click on links to view
objectionable, illicit or offensive content. An employer might be held liable for failing
to protect workers from viewing such material. The legal costs, fines and damage to the
organization’s reputation might be substantial.

Fake Accounts and Cloning Attacks

Thus, it is very easy for an attacker to register accounts in the name of
somebody else, though it is prohibited by the privacy policies of most service providers. The
act of creating bogus accounts is also referred to as a sybil attack. An attacker can
use personal data, e.g. photos and videos of the victim, on the fake profile to win the trust of
his friends and get them to allow the bogus account into their circle of trust. This way
the attacker can have access to the data of the friends of his victim, which his friends have
agreed to share with the victim and not necessarily the attacker. The process of creating bogus
accounts is called a “cloning attack” when the attacker clones (creates almost exact
copies of) real social network accounts and then adds the same and/or other contacts as
their victim.

Classic Threats

Classic threats have been an issue ever since the development of the Internet. These threats
are spam, malware, phishing, or cross-site scripting (XSS)6 attacks. Although researchers and
industries have addressed these threats in the past, with the invention of OSNs they can
spread in a new way and more quickly than ever before. Classic threats are used to extract the
personal information of users, which is shared through an OSN, not only to attack the target
users but also their peers by adjusting the threat to correlate to users’ private attributes.

a) Malware

Malware stands for malicious software. It is a generic term that refers to intrusive software.
It is developed with the intention of getting into someone’s computer and accessing their
private contents. A malware attack on social networks is easier as compared to other online
services because of the structure of an OSN and the interactions among users. The worst
malware case is to access users’ credentials and impersonate them to send messages to their
peers. For example, the Koobface malware was spread through OSNs such as MySpace, Facebook,
and Twitter. It was used to collect login credentials and make the infected target computer a
part of a botnet. An OSN has a vital role for various purposes, for example, marketing and
entertainment. However, it has opened up its users to harmful activities7. Committing fraud
and propagating malware are criminal actions wherein users are induced to access a URL and
run malicious code on the computer of an OSN user.

b) Phishing Attacks

Phishing is another type of fraudulent attack in which the intruder acquires the user’s
personal information by masquerading as a trustworthy third party through either a fake or
stolen identity. For example, during an attack that was attributed to intelligence by the
Chinese government, senior U.K. and U.S. military officials were tricked into becoming
Facebook ‘friends’ with someone impersonating the U.S. Navy Admiral James Stavridis.
Similarly, social media were used in many places by phishers posing as other persons.8

c) Spam Attacks

6 Nithya, V.; Pandian, S.L.; Malarvizhi, C. A survey on detection and prevention of cross-site scripting attack. Int.
J. Secur. Appl. 2015
7 https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-real-face-of-koobface.pdf
8 Vishwanath, A. Getting phished on social media

Spam messages are unwanted messages. In OSNs, spam comes as a wall post or a spam
instant message. Spam in OSNs is more dangerous as compared to traditional email spam
because users spend more time on OSNs. Spam messages normally contain advertisements or
malicious links that can lead to phishing or malware sites. Generally, spam comes from fake
profiles or spam applications. In case of a fake profile, it is normally spread from a profile
created in the name of a popular person.9 Spam messages normally come from compromised
accounts and spamming bots. However, the majority of spam spreads from compromised
accounts. Spam-filtering approaches are used to detect a malicious message or URL in a
message and filter it before delivering it to the target system.

d) Web Bugs

These are also known as web beacons: file objects that are placed on a web page or in
an e-mail message to monitor user behaviour, as a kind of spyware. Rather than the term “web
bugs”, the internet advertising community prefers the more sanitized terms “clear GIFs”,
“invisible GIFs” and “beacon GIFs”.
A web bug is typically invisible to the user because it is transparent, matches the colour of
the background, and takes up only a tiny amount of space. It can usually be detected if the
user looks at the source version of the page to find an IMG tag that loads from a different web
server than the rest of the page.10

When an e-mail user opens his inbox and reads a message, the web bug in it can “call home”
and report back the time and date the message was opened. The sender thereby gets to know
this information. Although proponents of internet privacy object to the use of web bugs in
general, they can also be put to positive use, such as tracking copyright violations on the
World Wide Web.
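The manual check described above (reading the source for an IMG tag served from a different server) can be automated. The following is an added example, not part of the original paper: it flags images that are both off-site and either 1x1 or hidden. The sample markup, host names and the two-label "same site" rule are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)            # width/height of 0 or 1
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def site_of(host):
    """Naive 'site' of a host: its last two labels.
    Assumption for this example; a real tool would use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


class _ImgScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        # page_host is None for an e-mail body: every remote image is off-site.
        self.page_site = site_of(page_host) if page_host else None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if not url.hostname:
            return  # relative URL: served by the page's own server
        off_site = self.page_site is None or site_of(url.hostname) != self.page_site
        tiny = bool(_TINY.fullmatch(a.get("width", ""))
                    and _TINY.fullmatch(a.get("height", "")))
        hidden = bool(_HIDDEN.search(a.get("style", "")))
        # A large visible third-party image is ordinary content; an invisible
        # one from another server has no purpose except to record the request.
        if off_site and (tiny or hidden):
            self.findings.append({
                "host": url.hostname,
                "src": src,
                "why": "1x1 image" if tiny else "hidden by style",
                "carries_query": bool(url.query),  # query string may identify the reader
            })


def find_web_bugs(html, page_host=None):
    """Return likely web bugs in an HTML page (give page_host) or e-mail body."""
    scanner = _ImgScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample inputs (hosts under .example are placeholders).
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="https://static.news.example/banner.jpg" width="728" height="90">
<img src="https://metrics.tracker.example/p.gif?uid=42" width="1" height="1">
<img src="https://ads.tracker.example/b.gif" style="display:none">
<img src="https://cdn.other.example/photo.jpg" width="400" height="300">
</body></html>
"""
SAMPLE_EMAIL = ('<p>Hello</p><img src="http://mail.sender.example/open?msg=abc123" '
                'height="1" width="1" alt="">')

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_PAGE, "www.news.example"):
        print("page :", finding)
    for finding in find_web_bugs(SAMPLE_EMAIL):
        print("email:", finding)
```

Mail clients that block remote images by default defeat the "call home" step, because the image request is never made.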

If law enforcement needs to search a premise, they have to go through the legal process and
require search warrants. But via web bugs a computer can be subjected to search without
following any legal procedure whatsoever. This is a gross violation of privacy, especially at
a time when a computer has become the storehouse of a person’s most valuable information
and personal data or personal information.11

9 Egele, M.; Stringhini, G.; Kruegel, C.; Vigna, G. Towards detecting compromised accounts on social networks
10 http://searchwebservices.techtarget.com/Definition

Modern Threats

These threats are typically related to OSNs. Normally, the focus of modern threats is to
obtain the private information of users and their friends. For example, an attacker may wish
to know about a user’s current employer. If users have the privacy setting on their
Facebook account as public, this information can be easily viewed. However, if they have a
customized privacy setting, then it is viewable to their friends only. In this situation, the
attacker can create a Facebook profile and send a friend request to targeted users. Upon
acceptance of the friendship request, details are disclosed to the attacker. Similarly, the
intruder can employ an inference attack to collect users’ personal information from their
peers’ publicly available contents.

a) Click jacking

Click jacking is also known as a user-interface redress attack, wherein a malicious technique
is used to make online users click on something different from what they intend to
click. In click jacking attacks, an attacker can manipulate OSN users into unknowingly posting
spam on their timeline and ‘liking’ links.12 With a click jacking attack,
attackers can even use the hardware of user computers, for example, a microphone and
camera, to record their activities.

11 The term "personal information" has been explained to mean any information that relates to a natural
person, which, either directly or indirectly, in combination with other information available or likely to be
available with a body corporate, is capable of identifying such person.
12 https://www.blackhat.com/html/bh-ad-11/bh-ad-11-archives.html#Lundeen

b) De-anonymization Attacks

De-anonymization is a strategy based on data-mining techniques, wherein
unidentified information is cross-referenced with public and known data sources to reidentify
an individual in the anonymous dataset. OSNs provide strong means of data sharing, content
searching, and contacts. Since the data shared through OSNs are public by default, they are
an easy target for de-anonymization attacks. In existing online services, pseudonyms are used
for data anonymity to make the data publicly available.13 However, there are several
deanonymization techniques to reidentify an individual from such data
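
Why pseudonyms alone do not prevent re-identification can be measured before a dataset is released. The following added example (not from the original paper) computes the k-anonymity of a constructed pseudonymized release and shows how generalizing the quasi-identifiers raises it; the field names, records and coarsening rules are assumptions.

```python
from collections import Counter

# Constructed sample of a pseudonymized release: names are replaced by pseudonyms
# ("pid"), but the quasi-identifiers (postcode, birth year, gender) are published
# unchanged next to the sensitive attribute (employer).
RELEASE = [
    {"pid": "u01", "postcode": "110001", "birth_year": 1990, "gender": "F", "employer": "A"},
    {"pid": "u02", "postcode": "110002", "birth_year": 1991, "gender": "F", "employer": "B"},
    {"pid": "u03", "postcode": "110003", "birth_year": 1994, "gender": "F", "employer": "A"},
    {"pid": "u04", "postcode": "110001", "birth_year": 1985, "gender": "M", "employer": "C"},
    {"pid": "u05", "postcode": "110009", "birth_year": 1988, "gender": "M", "employer": "B"},
    {"pid": "u06", "postcode": "400001", "birth_year": 1972, "gender": "F", "employer": "D"},
    {"pid": "u07", "postcode": "400012", "birth_year": 1975, "gender": "F", "employer": "D"},
    {"pid": "u08", "postcode": "110001", "birth_year": 1990, "gender": "F", "employer": "C"},
]
QUASI = ("postcode", "birth_year", "gender")


def _key(record, quasi, transform):
    """Quasi-identifier tuple of a record after the optional generalization."""
    rec = transform(record) if transform else record
    return tuple(rec[q] for q in quasi)


def class_sizes(records, quasi, transform=None):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi, transform) for r in records)


def k_anonymity(records, quasi, transform=None):
    """k is the size of the smallest equivalence class; k = 1 means someone is unique."""
    return min(class_sizes(records, quasi, transform).values())


def unique_pids(records, quasi, transform=None):
    """Pseudonyms whose quasi-identifier combination occurs exactly once.

    These are the records that a public source holding the same attributes
    could link back to one named person.
    """
    sizes = class_sizes(records, quasi, transform)
    return [r["pid"] for r in records if sizes[_key(r, quasi, transform)] == 1]


def coarsen(record):
    """Mitigation: generalize quasi-identifiers before release."""
    out = dict(record)
    out["postcode"] = record["postcode"][:3] + "***"      # keep the region only
    out["birth_year"] = record["birth_year"] // 10 * 10   # bucket into decades
    return out


if __name__ == "__main__":
    print("raw release:       k =", k_anonymity(RELEASE, QUASI),
          "unique:", unique_pids(RELEASE, QUASI))
    print("coarsened release: k =", k_anonymity(RELEASE, QUASI, coarsen),
          "unique:", unique_pids(RELEASE, QUASI, coarsen))
```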

c) Fake Profiles

A typical attack in most social networks is the fake-profile attack. In this kind of attack,
an attacker creates an account with fake credentials on a social network and sends messages
to legitimate users. After receiving friendship responses from users, the attacker sends spam to
them. Usually, fake profiles are automated or semiautomatic and mimic a human. The goal of the
fake profile is to collect the private information of users from the OSN, which is accessible
only to friends, and spread it as spam. The fake-profile attack is also a problem for OSN
service providers because it misuses their bandwidth.14 Moreover, fake profiles can be used for
various purposes, for example, advertisements. Generating fake followers and retweets is a large
IT business made possible by fake profiles, but it gives misleading information to
viewers.

d) Identity Clone Attacks

Profile cloning can be performed by an attacker using stolen credentials from an already
existing profile, creating a new fake profile with the stolen private information. These
attacks are known as identity clone attacks (ICAs). The stolen credentials can be used within
the same network or across different networks. The attacker can use the trust of the cloned
user to collect content from their peers or perform different types of online fraud.15

e) Inference Attacks

Inference attacks on social networks are applied to predict the sensitive and personal
information of a user that they may not want to disclose, for example, age, gender, and
religious and political affiliations. The attributes or information that are revealed inside the
network are supposed to be private, but it is possible to use data-mining techniques on the
released OSN data to predict a user’s private information. Machine-learning algorithms can be
applied for inference attacks by combining publicly available social-network data, for example,
network topology and contents from users’ peers. A mutual-friend-based attack can be used to
find the common neighbour of any two users. An inference attack was presented in Reference to
predict the attributes of a user based on their other public attributes that were available online.
The technique was tested on Facebook to infer different users’ attributes, such as educational
background, preferences, and location information.

13 Gulyás, G.G.; Simon, B.; Imre, S. An Efficient and Robust Social Network De-anonymization Attack. In
Proceedings of the Workshop on Privacy in the Electronic Society
14 Ahmad, N. A sneak into the Devil’s Colony-Fake Profiles in Online Social Networks
15 Khayyambashi, M.R. A New Approach for Finding Cloned Profiles in Online Social Networks

f) Information Leakage

Social media are all about openly sharing and exchanging information with friends. Some
users willingly share their personal information such as health-related data. Unfortunately, a
few of them share a bit too much personal information about products, projects, organizations,
or any other kind of private data. The sharing of such sensitive and private content may have
negative implications for OSN users. For instance, an insurance company may mine OSN
data to classify users as risky clients.

g) User Profiling

User profiling is one of the common activities in almost all online services, where OSN
servers analyze routine user activities in their space through various machine-learning
techniques. User profiling has some advantages, such as recommending relevant objects to users.
However, it may lead to privacy leakage because user profiles contain personal information.
Therefore, user profiling is a privacy issue, and protection is needed in an OSN
environment. Online service providers perform user profiling for commercial purposes;
however, it can open the way for privacy leakage.

h) Surveillance

Social-media surveillance is a new type of monitoring that is different from the sociability
and social roles of a person in politics, the economy, and civil society. It becomes a process
for monitoring the various activities of their users in different social roles by using their
profiles and relationships with others. Social-media surveillance is a technology-based
surveillance in which human activities are monitored on social media.



SOCIAL MEDIA CHALLENGES AND ITS GOVERNANCE

Free speech has always been a subject of immense debate. Different legal regimes in different
parts of the world have sought to regulate free speech on various grounds. In India, the
Constitution guarantees the fundamental right to freedom of speech and expression. However,
this right under Article 19(1) of the Constitution is not an absolute right. The state can impose
various ‘reasonable’ restrictions under Article 19(2). These can be imposed in the interest of
the sovereignty and integrity of India, the security of the state, friendly relations with foreign
states, public order, decency or morality, or in relation to contempt of court, defamation or
incitement to an offence. The Supreme Court has also upheld the reasonableness of such
restrictions. Article 19(1)(a) of the Constitution of India states that all citizens shall have the
right to freedom of speech and expression. The philosophy behind this text lies within the
Preamble of the Constitution, where a solemn resolve is made to secure to all its
citizens liberty of thought and expression. The exercise of this right is, however, subject to
reasonable restrictions for certain purposes imposed under Article 19(2) of the
Constitution.

Freedom of speech and expression can be explained by the fact that each
person has the right to speak and express their point of view in this country.
Freedom of speech is a complex right. This is because freedom of expression is not
absolute and carries with it special duties and responsibilities; therefore it should be subject to
certain restrictions. This right is covered under Article 19(1)(a) of the Constitution, which
confers on the citizens of India the right to freedom of speech and expression.
The liberty of speech and expression means the right to express one's convictions and
opinions freely by word of mouth, writing, printing, pictures or any other mode. It also
includes the right to propagate or publish the views of other people.

Through creative interpretation, the courts can carve the right to privacy out of Article
19(1)(a) and Article 21 of the Constitution read together. A close analysis of the development
of privacy laws in India establishes that these laws evolved basically from torts and the
Constitution.



The two bodies of law take different approaches to protecting privacy. Damages for violating
one’s private space are found in common law, and reasonable restriction on the intrusion of
the same comes under Article 21.

No doubt the right to privacy has been recognized and accepted the world over as an
essential human right, and it is trite modern law that privacy is an important component of
human personality. Human rights have been codified by means of international and regional
conventions. Privacy has a prominent place in each of these regimes.

India being a signatory to international covenants, the growth of Indian law has been
guided by them. These principles have an important place in the evolution of
rights in India. Looking back at history, it is evident that immense effort has
been put into advancing laws on privacy, and still there is no comprehensive law to deal
with the legal and techno-legal issues of protecting privacy and data privacy in e-commerce.

In the case of Innovation (Mail Order) Ltd. v. Data Protection Registrar,16 the Data
Protection Tribunal stated that fair obtaining of data means that at the time when information is
collected, the data user needs to inform the data subject of certain matters that will enable the
individual to decide whether to provide the information or not. In particular, this includes
information about the intended uses for the data, unless such use could be considered
obvious.

THE INFORMATION TECHNOLOGY RULES (THE IT RULES)


The government routinely notifies sets of Information Technology Rules to broaden
its scope under the provisions of the IT Act. A few specific areas of collection,
transfer and processing of data are focused on and regulated under the IT Act. The
following rules were most recently notified on 11 April, 2011 under section
43A of the Act:

a) the Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, which require entities holding users'
sensitive personal information to maintain certain specified security standards;

b) the Information Technology (Intermediaries Guidelines) Rules, which prohibit
content of a specific nature on the internet, and an intermediary, such as a website
host, is required to block such content;

c) the IT (Guidelines for Cyber Cafe) Rules, which require cybercafés to register with a
registration agency and maintain a log of users' identities and their internet usage; and

d) the Information Technology (Electronic Service Delivery) Rules, which allow the
government to specify that certain services, such as applications, certificates and
licenses, be delivered electronically.17

16 29 Sept, 1993; Case DA/92 31/49/1

The main purpose of passing the bill was to keep a watch on all the activities happening
on the net. The Act provides a legal framework for electronic governance by giving
recognition to electronic records and digital signatures. It also defines cyber crimes and
prescribes penalties for them. The Act directed the formation of a Controller of Certifying
Authorities to control the issuance of digital signatures. It also established a Cyber Appellate
Tribunal to resolve disputes arising from this new law.

The Act also amended various sections of the Indian Penal Code, 1860, the Indian Evidence
Act, 1872, the Banker's Book Evidence Act, 1891, and the Reserve Bank of India Act, 1934
to make them compliant with new technologies.

This Act provides legal recognition for transactions carried out by
electronic exchange of data or other electronic means of communication. The General
Assembly of the United Nations suggested that all countries should consider
the model law before changing their own laws. India became the 12th country to
create cyber laws after passing the amendment of the Information Technology Act.

ADDITIONAL LEGISLATION

Property rights based on the Copyright Act (1957) may at times be used for the enforcement of
data protection. Further, other legislation such as the Code of Criminal Procedure (1973),
the Indian Telegraph Act 1885, the Companies Act (1956), the Competition Act (2002)
and the Consumer Protection Act (1986) would also be relevant in case of unfair trade
practices.

17 https://www.prsindia.org/billtrack/the-information-technology-rules-2011-1908

A Data (Privacy and Protection) Bill 2017 (the Data Privacy Bill 2017) was introduced in
Parliament on 11 December 2019 by the Minister of Electronics and Information Technology.
To regulate and adjudicate privacy-related disputes in India, to make the right to
privacy a statutory right, and to streamline data protection, a Data Privacy and Protection
Authority has to be established.

Through the landmark judgement of Justice K.S Puttaswami & another v. Union of India,18
the Honorable Supreme Court of India changed the landscape and outlook of people towards
data privacy. The judgment pronounced the right to privacy a fundamental right under the ambit
of Article 21 of the Indian Constitution.5 This judgement, in particular, raised awareness and
made the general public realise that their data is truly intrinsic, important and therefore
worthy of protection in the first place.


In SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra,19 a case on cyber defamation
wherein a disgruntled employee sent derogatory, defamatory, vulgar and abusive emails to
the company's fellow employers and to its subsidiaries all over the world with an intent to
defame the company along with its managing director, the High Court of Delhi granted an
ex parte ad interim injunction restraining the defendant from defaming the plaintiff in both
physical space and cyberspace.

In the case of Kalandi Charan Lenka v. State of Odisha,20 the petitioner was stalked online
and a fake account was created in her name. Additionally, obscene messages were sent to her
friends by the culprit with an intention to defame the petitioner. The High Court of Orissa
held that the said act of the accused falls under the offence of cyber defamation and the
accused is liable for his offences of defamation through the means of fake obscene images
and texts.

In another case, M/S Spentex Industries Ltd. & Anr. vs. Pulak Chowdhary,21 the petitioner
had filed for a compulsory and prohibitory injunction along with the recovery of Rs.
50,00,000/ as damages for loss of reputation and business due to defamatory emails sent by
the defendant to the International Finance Corporation, World Bank, President of Republic of
Uzbekistan and UZEREPORT (a news website portal and publisher of monthly news reports).

18 Justice K.S Puttaswami & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012
19 https://indiankanoon.org/doc/31110930/
20 https://indiankanoon.org/doc/73866393/

The last five years have been fascinating for Indian social media. For marketers, advertisers
and brands, this presents huge opportunities to experiment with social media as a key
means of marketing communication. This can be illustrated by the example of #Chowkidar,
which was used for the Lok Sabha Election 2019.

Since its 2014 election campaign, the BJP has been using social media as a strong
communication tool. They clearly made Mr. Modi their brand’s logo, and Mr. Modi turned
out to be one of India’s most political brands ever. The Modi brand also successfully
leveraged social media to its benefit for the 2019 election campaign. The ‘Chowkidar’
campaign is one major campaign that gained a lot of attention on social media.
The word ‘Chowkidar’ means ‘watchman’. The campaign was launched in response to the slogan
‘Chowkidar Chor hai’ (The watchman is a thief). BJP supporters followed by prefixing
‘Chowkidar’ to their Twitter handles and using the hashtag #MainBhiChowkidar.

The party also made use of the ‘Conversations card’ feature on Twitter to send personalized
messages from the PM’s official Twitter handle to those who supported the campaign.
#Chowkidar was a strong move in the history of social media promotions
for a political campaign and had an impact on the BJP’s success in the 2019 election.
In numbers, #MainBhiChowkidar received around 1.5 million mentions on Twitter,
followed by #ChowkidarPhirSe, which was used about 3,00,000 times. The Congress’s
#ChowkidarChorHai campaign, which was started in response to the #MainBhiChowkidar
campaign, received hardly 1,63,000 mentions, which is almost just 10 percent of the
mentions #MainBhiChowkidar got.22

21 https://indiankanoon.org/doc/80844707/

Laws related to social media and privacy in India are clearly insufficient. The Indian
judiciary and legislature have proved to be far behind expectations when it comes to the
framing of laws in this arena. Some rules and legislation have been issued, but those too are
primarily related to defamation.

In the Kharak Singh v State of UP23, often called the PUCL case, it was held that tapping of
phones amounts to a breach of privacy. Extending this reasoning, it can be reasonably held
that sharing of information by WhatsApp with Facebook, post its update, is an obvious
breach of privacy of its users.

Under the Information Technology Act, 2000, the concept of privacy is
comprehended in a very liberal and traditional sense. Knowingly sending pictures
of a person’s private parts without his permission violates Section 66E of this Act.
Social media finds only a mention in Section 79 of this Act. This section clarifies that if any
person posts or uploads anything derogatory to some other, then the medium on which it is
posted, that is Twitter, Facebook etc., is not to be held liable for the acts of such person.
Beyond this, nothing is mentioned in the whole Act with regard to social media.

This concept has, however, evolved with time. In the case of Shreya Singhal, it was held that it
is Facebook’s duty to remove any material posted by them which is objectionable. This has to
be done by Facebook, applying its discretion, after complaints regarding the same are
received.

One concept to be noted here is the growing popularity of meme culture. Memes of famous
personalities carrying derogatory comments and comparisons can be safely termed an
invasion of the privacy of such individuals. Checking such incidents is urgently required.

22 https://timesofindia.indiatimes.com/india/pm-modi-urges-people-to-be-a-proud-chowkidar-of-nation/articleshow/68435831.cms
23 https://indiankanoon.org/doc/619152/



Next, consider the recent WhatsApp-Facebook privacy case, Karmanya Singh v.
Union of India. Constitutional rights were meant to deal primarily with the relationship
between the state and individuals. However, this concept has seen a marked change due to the
boom of privatisation in India. Private companies have taken up many functions which are
traditionally associated with the state. Our Constitution makers, however, had framed laws
according to the situation of the country which was prevailing at that time.

Due to these changed conditions, these private actors, when performing state-like actions, are
subjected to the same Constitutional scrutiny. In the case at hand, the contract between two
social networking sites, WhatsApp and Facebook, both private parties, was challenged by
invoking the above-mentioned ideology.

The facts of this case are as follows: WhatsApp contends that Facebook is now its parent
company, and hence data of its users can be sent to the latter. Examples of the data in question
are names, phone numbers, credentials, location, status etc. This vulnerable data may be used
for a number of purposes of which the users would not even be made aware, the most harmful
one being the risk of uncalled-for surveillance. It was also noted that this update of WhatsApp
would affect a wide variety of users, most of whom would not even be aware of the damage
that can be caused to them.

This case is presently pending before the Supreme Court of India. The question of privacy as
a fundamental right was then referred to a larger constitutional bench. This bench ruled that
privacy has a tripartite structure, namely intimate, public and private zones of privacy. The
intimate zone includes physical and sexual privacy; the private zone encompasses ATM
number, PAN number etc. These two zones, the Supreme Court of India held, are beyond
the facts of the case at hand. The zone of public privacy, it was held, has to be dealt with on a
case-to-case basis. The present case falls under this zone and is pending before the Supreme
Court.24 A question that now surfaces is whether these terms and conditions are in
violation of the fundamental right to privacy of the user.

24 Shruti Dhapola, 'Explained: What is new in WhatsApp's privacy policy' The Indian Express
(https://indianexpress.com/article/explained/explained-what-you-need-to-know-about-whatsapps-new-privacy-policy-7135730/)



The answer is clearly a 'yes.' After agreeing to the said terms and conditions, the user
databases of Facebook, Instagram and WhatsApp will be combined as per the parent company's
wishes. Although what a user talked about will be end-to-end encrypted, whom the user
talked to, when they talked and where they talked is not end-to-end encrypted.
This data would be shared with third parties such as businesses to further the parent company's
objectives of exploiting the user data to mint money.25

The said terms and conditions are in unequivocal violation of the fundamental right of
privacy of the user and expose the user to potential data leakage. Thus, these terms are
unconscionable and unfair in nature, extent and scope; arising from the inherent inequality of
bargaining powers between the parties in the said circumstances.

25 Dr. Mohan Dewan, 'Personal Data Protection Laws in India' (R K Dewan, 13 May 2020)
(https://www.rkdewan.com/articledetails.php?artid=183)



CONCLUSION

With the expansion of the internet in the last decade, social networking websites became
a predictable part of our everyday life. The concerns about breaches of individuals’ privacy and
data security became more active. Even though people claim to be very concerned about what
information is posted publicly, in general this is not true on social networking sites.
So, in order to protect the privacy of users and reduce the risk of unlawful processing of
users’ data by third parties, the default settings of social networking websites should be
privacy-friendly. From the user’s point of view, it is important to distinguish whether social
networking sites should be regarded as a private space where the user has reasonable
expectations of privacy or a public space.

A plausible question that arises is why the personal data of a person requires protection
when it is not even in the public domain without the owner's consent. This question is
twofold: first, what is the rationale behind protecting personal data when it is not even
accessible to the public; and second, what does the word consent imply and when can it be
said to be truly given by the user.

Honorable Chief Justice of India, S. A. Bobde observed that "Consent is essential for
distribution of inherently personal data."26

After being sanctioned by Courts all around the world, Social Media Platforms do realise that
they require the consent of the user for pulling off a gimmick of this sort. In pursuance of
this, they create a mirage of such kind that the user can neither escape nor get hold of the
same. These exploitative terms and conditions are so surreptitiously camouflaged with the
general terms that a layman agrees to all these conditions without even reading them once,
attributable to the naivety coupled with lack of care and time with the user. Further, even if
they do read the terms and conditions of a particular platform as a conscious citizen, it bears
them no fruit because they cannot proceed or access the platform without agreeing to these
conditions.

26 Justice K.S Puttaswami & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012.



These kinds of contracts qualify as 'Standard Form Contracts'.27 A standard
form contract (also referred to as a contract of adhesion, a leonine contract, or a boilerplate
contract) is a contract between two parties, where the terms of the contract are set by one of
the parties, and the other party has practically zero ability to negotiate more favourable terms
and is consequently placed in a 'take it or leave it' position.28 While these sorts of contracts
are not illegal per se, there exists a potential for unconscionability, unfair terms and
inequality of bargaining powers29 between the parties.

In Life Insurance Corporation of India v. Consumer Education and Research Centre and
others30, the Hon'ble Supreme Court has observed that

"If a contract or a clause in a contract is found unreasonable or unfair or irrational one must
look to the relative bargaining power of the contracting parties. In dotted line contracts there
would be no occasion for a weaker party to bargain or to assume to have equal bargaining
power. He has either to accept or leave the services or goods in terms of the dotted line
contract. His option would be either to accept the unreasonable or unfair terms or forego the
service forever. With a view to have the services of the goods, the party enters into a contract
with unreasonable or unfair terms contained therein and he would be left with no option but
to sign the contract."31

Furthermore, even if the user, for once, allows a particular app to access some of the user's
files or data, it is inherent in this contract that the consent to access this information pertains
only to the particular action in question and is not a general green signal given to the platform
for limitless exploitation of data. For instance, users often allow these platforms to access a
device's current location, but the said permission pertains only to that particular task and does
not allow these platforms to save it on their servers for their own use in future. Nevertheless,
these overpowering platforms use that permission to collect user data to fulfil their organisational
agendas and use this automatically 'saved' information on their servers for other purposes
outside the scope of this limited contract that the user had entered into with them.32

27 M Siddalingappa v. T Nataraj [1970] AIR 154 (Kant)
28 D.C.M. Ltd. v. Assistant Engineer (HMT Sub-Division), Rajasthan State Electricity Board, Kota [1988]
AIR 64 (Raj).
29 Superintendence Company of India (P) Ltd v. Sh. Krishan Murgai [1980] 3 SCR 1278.
30 Insurance Corporation of India v. Consumer Education and Research Centre and ors [1995] 5 SCC 482.
31 Central Inland Transport Corporation Limited v. Brojo Nath [1986] AIR 1571 (SC).

At the time of the initial signing up at the platform, the user does not sign up for exploitation
in this sense, and such power of the application to unilaterally alter the privacy policies
renders the initial contract of the user with the application meaningless and the entire scheme
unconscionable. Thus social media platforms are exploiting personal data in the garb of
consent of the users.

Social networking sites have become a potential target for attackers due to the availability of
sensitive information, as well as their large user base. Therefore, privacy and security issues in
online social networks are increasing. This survey paper addressed different privacy and
security issues, as well as the techniques that attackers use to overcome social network
security mechanisms, or to take advantage of some flaws in social networking sites. The privacy
issue is one of the main concerns, since many social network users are not careful about what
they expose on their social network space. The second issue is identity theft; attackers make
use of social network accounts to steal victims’ identities. The third is the spam issue.
Attackers make use of social networks to increase the spam click-through rate, which is more
effective than traditional email spam. The fourth is the malware issue. Attackers use social
networks as a channel to spread malware, since it can spread very fast through connectivity
among users. Social networking sites are always facing new kinds of malware.

Therefore, a focus on privacy protection law in India is the need
of the hour, to protect users from exploitation. The dangerous potential of these
platforms to unlimitedly aggregate information from their users without their real consent or
knowledge, coupled with the unawareness and callous attitude of the users in this regard, is
what privacy activists are most concerned about. Thus, the status quo demands and makes it
inevitable that the personal data of individuals be protected by the courts, if not the
government.

32 Helen Anderson, 'A Privacy Wake-Up Call for Social Networking Sites?' (2009) 20(7) Entertainment Law
Review 245.
