Sunday, October 12, 2014
Do Indian matrimonial sites guarantee the privacy of your most sensitive information?
I personally believe users of some of the Indian matrimonial sites face the risk of unconsented use of their sensitive personal information. When, I read the privacy polices of these sites, it felt quite apparent that there was a genuine lack of understanding as to what was needed to protect the privacy of the sites users. I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and to ensure the deletion of personal data when the matchmaking process is finished.Users of matrimonial sites fully disclose sensitive personal information to make a match. Initially in the matching process their profiles remain anonymous, but as the selection narrows down, the level of disclosure increases as the parties interact on the site. Personal information includes a person’s name, email address, sex, age, mailing address, credit card or debit card details medical records and history , photograph, sexual orientation, biometric information, interests, information tracked while navigation, horoscope and occupation. If other services linked to the sites such as chats are used, the contents of these chats may also be recorded. Interestingly, some sites also allow users to submit public and private information on behalf of others like child, relative, and friends without their explicit consent.
Information stored on these sites is used for advertising and shared with partners companies. None of these sites stated what data was shared (I presume all of it) and for what purpose. Sites have to be transparent and obtain explicit consent of users on the way in which personal data is used. Under data protection laws, blanket permissions are not allowed.Most of the sites were nonspecific about their process for deletion of personal information, in full or part, when requested by the user. One site stated that the deletion of information would take a long time because of residual copies on servers and could not guarantee their removal from backup systems.
What was left ambiguous was information on the sites mechanism to ensure anonymity of personal information at all times, except when the user consented to selectively disclose information to a selected match. While this is an implicit assumption, it was never explicitly confirmed. The two questions that came to mind was a) on how the employees of these matrimonial sites were authorized to access to the data and b) whether the data was secured using encryption. Reading through disclosure made by sites on their security mechanisms, my conclusion was that most of the sensitive data lies unencrypted (except for credit card information). Some sites openly disclaimed their inability to secure the data.In event of a data breach, matrimonial sites would be liable to pay compensation or penalty under section 43 A of the Indian IT Act. To avoid penalty they need to prove that their security systems were adequate enough to secure sensitive private data. Without encryption, the ability to fully delete information and restrictions on sharing copies of personal data with advertising partners, it would be difficult to convince a court that reasonable practices were in place.
To reemphasize;I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and ensure the deletion of personal data when the matchmaking process is finished.