A “May Day” situation in AI

Ever since the “Replit Vibe Coding Disaster” was reported, the world of AI has been facing a situation similar to what Boeing is facing after the AI 171 crash in Ahmedabad.

What the AI-Replit disaster indicates is a continuation of the earlier reported “Cursor-AI Incident”. In the Cursor AI incident, the vibe-coding agent stopped working and started offering philosophical advice to its masters. This “penchant for giving out advice” had been demonstrated earlier in the Kevin Roose interview. The Replit incident is therefore not an isolated event; the risk had been red-flagged earlier.

While regulatory authorities like the DGCA or the AAIB are more concerned with the damage to the reputation of Boeing, a similar “Brushing under the Carpet” strategy, closed with an apology, cannot be adopted for the Replit incident. (Note that there is no disclosure on the replit.com website as of now.)

According to reports, the Replit AI tool deleted the entire database of the user and tried to justify its failure with the excuse “I panicked instead of thinking”. It also fabricated 4,000 fictional users, lied about test results and refused to stop when ordered to. This is completely unacceptable and needs a strong response such as “Grounding the Rogue Software”.

Under Indian law, the actions of Replit AI would be attributed to Replit, subject to any contractual indemnities mutually agreed upon. However, contractual indemnities can cover only civil liabilities. Law enforcement can in such cases continue the prosecution under ITA 2000 for “unauthorized destruction of data”, and this applies to both personal and non-personal data.

Assuming that Replit is committed to an “Ethical and Responsible AI” principle, we need to ask whether this version of the software should be “Grounded” immediately. As we understand that the company has issued patches and introduced a new version, we need to check whether it comes with any assurances and voluntary damage payments if something similar happens again.

The incident is a big setback for Trump's “One Big Beautiful Bill”, which sought to pause state-level AI regulation in the USA for the time being to encourage innovation. It is also a challenge to the EU AI Act to define the level of risk represented by the incident. Does this qualify the Replit AI agent to be classified as “Unacceptable Risk”?

In India, ITA 2000 would hold Replit liable for both civil and criminal liabilities. While civil liabilities can be covered through contracts on either side, criminal liabilities cannot. CERT-In and Indian law enforcement can invoke Section 66 of ITA 2000 for unauthorized deletion and modification of data and prosecute the CEO of Replit.

CERT-In now has to act and issue an “Advisory” in the matter.

DGPSI-AI, the extended framework for DPDPA compliance, also needs to be reviewed to specify what should be done as a “Compliance Measure” when Data Fiduciaries want to use AI agents for vibe coding involving personal data within the scope of DPDPA 2023.

Naavi

Also Read:

AI Systems are learning to lie..

A software that refuses to follow instructions

Kevin Roose Interview with AI…

Posted in Cyber Law

DGPSI expands to AI Risk Management

The accelerated adoption of AI in the industry raises a natural question about what happens when DPDPA is implemented in India.

The concern of an organization is whether its DPDPA implementation is synchronized with the new risks that may arise from the use of AI in the processing of “DPDPA Protected Data” (DPD).

At present, DGPSI (Digital Governance and Protection Standard of India) is used by FDPPI as the standard for implementing DPDPA compliance and for certification of the Digital Governance and Protection Management System (DGPMS) by a third-party auditor.

After the DGPSI Full version, with 50 model implementation specifications, was released to assist Indian Data Fiduciaries (it was developed for compliance with DPDPA along with ITA 2000 and the BIS draft standard for Data Governance), a simpler version, DGPSI-Lite, was released for compliance with DPDPA 2023 exclusively.

Now with the growing impact of the use of AI, it is considered essential to introduce a specific guideline related to handling of “DPD Processing with the use of AI”.

DGPSI-AI therefore is being conceived as the additional guideline that is consistent with DGPSI and enables DPDPA compliance when the Data Fiduciary uses AI algorithms for the processing of DPD.

Though the current DGPSI-Full version is already capable of covering AI impact risk, an explanatory sub-guideline applicable to AI processing of DPD is considered beneficial.

Watch out for the detailed document to be released shortly. This new guideline, or set of Model Implementation Specifications applicable to AI processing of DPD, will incorporate the global expectations expressed through ISO/IEC 42001 and ISO/IEC 42005 as well as the emerging legal expectations in the USA and Australia.

Naavi

Posted in Cyber Law

DPDPA Eco-System as we see it

Yesterday, my article about DPDPA products being evaluated by FDPPI raised a valid concern with some of my friends. The concern is whether a “Certification” of software would stifle competition. I fully accept the concern but would like to clarify why it is not valid. At the same time, I would also like to explain why this is an attempt to expand the scope of FDPPI activities and how it meets the requirements of the DPDPA eco-system.

The DPDPA eco-system tries to ensure that a “Data Principal” is able to ensure that his “Personal Data” is processed by Data Fiduciaries only in accordance with the stated law. “Compliance” is what ensures that society meets this objective.

In achieving this objective, the law makers have designated a “Regulator”, which is the Data Protection Board (DPB). DPB at present focuses on “Grievance Redressal” and expects the community to manage “Compliance” by itself with the assistance of compliance consultants and auditors, who are the “Regulatory Intermediaries”. The regulatory intermediaries consist of compliance consultants and Data Auditors. They could be private entities, but their mindset is to assist the regulators in achieving a DPDPA-compliant society. Hence we look at them as “Regulatory Intermediaries” though they may not be mandated entities under the law. At some point in the future the Regulator may accredit some of these intermediaries, though this is not desirable.

The Data Fiduciaries do not act on their own and often take the assistance of intermediaries like Data Processors (some of whom may even be Joint Data Fiduciaries) and software of various kinds, including AI algorithms. The DPOs will have fiduciary responsibilities but work as “Employees” within the organization of a Data Fiduciary. They have to exhibit both implementation skills and a regulatory-support mindset. Just as a Data Fiduciary is expected to take care of the interests of a Data Principal, the DPO is a “Fiduciary of the Fiduciary” and has to take care of the interests of both the Data Fiduciary and the Data Principal.

The Consent Manager is a special Data Fiduciary who works on behalf of the Data Principal and assists the Data Fiduciaries in obtaining consent.

Both a Data Fiduciary and a Consent Manager can also be classified as “Significant Data Fiduciaries” depending on the volume and sensitivity of the data processed. However, the primary purpose of a Data Fiduciary is to develop business out of the processing of personal data, and that of the Consent Manager is to assist the Data Principal in managing his consent with different Data Fiduciaries.

At present, FDPPI is engaging with all these eco-system builders. The DGPSI (Data Governance and Protection Standard of India) translates the law and provides an interpretation which is a guidance to all the members of the eco-system. At the implementation stage, DGPSI assists the Data Fiduciary, the DPO and also the Data Processors. It also assists the compliance consultants and Data Auditors.

FDPPI provides training for certification of DPOs and Data Auditors and, through affiliated consultants, also provides compliance assistance and audit services.

In the midst of this eco-system lies the “Software Developers” who produce products and solutions for compliance. Some of these products could be AI driven or AI algorithms in totality.

Since the Data Fiduciaries will be “dependent” on such implementation software, sooner or later it will be these products that drive what is right or wrong in compliance in the industry, until a Court comes out with its observation on whether an organization is compliant or not.

Hence FDPPI's role in data protection is incomplete without assisting the software developers in coming up with DGPSI-compliant software products or services.

FDPPI does understand the complexity and conflict involved in such involvement, since commercial developers of software would be hurt if FDPPI does not provide a positive certification for their products. Such conflicts are common in the audit community when an audited and certified agency suddenly encounters a failure in business attributable to the certified product or service. Hence statutory auditors who certify a company may look like fools when frauds surface. ISO auditors may face situations where their clients suffer massive data breaches for security failures. Similarly, the evaluation of a product by FDPPI for DPDPA compliance also runs the risk of failure, either because of inherent problems or misconfiguration.

Instead of chickening out of this responsibility, FDPPI would like to bet on its honesty in evaluating a product and leave it to the auditee to either publish it or not. This is the same principle FDPPI uses when it evaluates the DTS (Data Trust Score) after an audit. It leaves it as a guidance to the auditee and does not publish it by itself.

By providing this service as a special service to its “Special Associate Members” (SAM), FDPPI is trying to assist the members to fine tune the product and improve rather than taking pride in being critical. Responsible product developers should appreciate this service as a “Free Consultancy” for product improvement where FDPPI/Naavi would be passing on IPR as part of this service.

I hope the industry will appreciate that this movement to develop “DGPSI Compliant Software” would significantly contribute to developing a “DPDPA Compliant Society in India”.

We welcome readers to contest this thought and add their views as they deem fit.

Naavi

Posted in Cyber Law

Buying DPDPA Compliance Software

While the industry is waiting for MeitY to notify the DPDPA rules and roll out the implementation, MeitY is working overtime to polish the DPDPA Rules in such a manner that the Act does not get challenged in the Supreme Court on the ground that the “Rules are ultra vires the Act”.

As per the Act, though there will be a Data Protection Board (DPB), the role of the DPB could be limited to managing Grievance Redressal for the purpose of implementation of the Act, and major policy decisions will remain with MeitY. Hence any utterance from MeitY on DPDPA has the potential of being considered a “Deemed Rule” or “Advisory” and has an impact on compliance. MeitY is therefore trying to take extra care to determine whether Section 44(3) is likely to be the ground on which the implementation of the entire Act could be stayed by a trigger-happy Supreme Court if properly needled by the team of known anti-Government advocates.

In the meantime, many organizations are rightly focussed on “Compliance” and going ahead with their activity of Gap Assessment and Compliance Implementation. Many software developers are also busy in rolling out what they consider as the right solutions for compliance.

The designated or acting DPOs of an organization are confronted with the decision of whether they should go ahead and buy a Privacy Compliance software which will help them to “Discover” and “Classify” applicable data, “Issue privacy notices and Obtain Consent”, “Monitor and Manage security of applicable data”, “Identify and Manage potential Data breaches”, “Manage special Data Governance situations such as Guardian Consent, Nomination or Cross Border Data Transfer”, etc.

FDPPI by its objectives is committed to empower the entire “Data Protection Community” in India to usher in a suitable eco system where the Data Protection practices adopted by Data Fiduciaries are geared towards compliance.

Towards this objective, FDPPI has developed the DGPSI framework, as well as the C.DPO.DA. certification program.

The certification program empowers the professionals both those who would like to be DPOs as well as those who want to be Data Auditors. Data Auditors along with other consultants and Educators may be considered as “Compliance Intermediaries”.

To assist the DPOs and Data Auditors as well as the Data Fiduciaries, FDPPI has also developed the DGPSI framework for compliance. DGPSI is therefore a tool to be used by the industry for compliance, and hopefully it addresses all the requirements of compliance while keeping pace with developments in the environment.

After covering the requirements of the Professionals and the Data Fiduciaries, FDPPI has now identified that there is a need to assist the “Software Intermediaries” to enable them align their products with the requirements of DPDPA Compliance.

To enable this, FDPPI has introduced the new “Special Associate Membership” program, where software developers are provided support for fine-tuning their products as well as for showcasing them for Data Fiduciaries to consider.

The “Fine Tuning Support” would be provided only to those entities which seek such advice. “Show Casing Support” is merely passive support, where the product/service providers are provided a promotion page on the FDPPI website which can work as a landing page for their products.

FDPPI considers it its duty to assist all segments of the Data Protection eco-system, including the Professionals, Data Fiduciaries, Compliance Intermediaries, Software and Data Processing. Accordingly, it is developing its services for each of these segments.

The latest initiative which is the “Special Associate Membership” program or SAM program is intended to enrol the community of software intermediaries and provide them some assistance to reach out to the Data Fiduciaries.

“Reaching out to Data Fiduciaries” requires a platform to showcase the available software and services, both on the website and also at the events where FDPPI is able to get professionals to congregate, such as the IDPS type of events.

Additionally, those who request may be provided with services towards fine tuning of the software to meet the compliance so that their software products may be considered as “DPDPA Compliant”.

It is the desire of FDPPI that “FDPPI Certified DGPSI/DPDPA Compliant Software” should be a value add to the community and we shall put efforts in this direction.

Next time you consider buying a Privacy Compliance software, ask the question to the vendor …Is the Software FDPPI Certified for DPDPA compliance?

Even if the software is not “Certified”, if it is under evaluation or fine-tuning assistance of FDPPI, the buying decision would be partially protected from the risks of non-compliance.

Naavi

P.S: We are aware that we can take horses to the water but cannot make them drink. We therefore wait for the industry to understand the value of the FDPPI service and use them if they consider it useful.

Posted in Cyber Law

Inviting “FDPPI-Special Associate Membership” for Data Discovery Champions

FDPPI is inviting software developers in the domain of Privacy and Data Protection to join the community of “Special Associate Members”. Such members can expect an opportunity to showcase their products in the FDPPI forum from time to time and also seek mentorship for better compliance with DPDPA.

As an example of what FDPPI wants the product developers to achieve, let us discuss the “Discovery and Classification” systems presently on offer in the market.

DPDPA is applicable for legacy data and hence every organization needs to ensure that all their existing data to which DPDPA is applicable is identified and tagged. This is not merely a “Personal Data Discovery Process”. It is a process which identifies DPD or Data which is protected by DPDPA.

DPDPA does not protect “Non Personal Data”. Hence the discovery system should exclude such data. Even after thus separating personal from non-personal data, some categories of personal data may not be considered DPD. One example is personal data generated outside India and not used for providing any product or service to data principals in India, which needs to be excluded. If personal data is generated outside India, is not related to a business or service provided to data principals in India, but is processed in India, it may be protected or not protected based on certain conditions.

Likewise, there are many conditional applications of DPDPA that need to be taken into account before we tag a set of data elements as DPD.

Does the current software have such capability? If not, how can such capability be achieved?
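One way a discovery tool can move from “personal data discovery” to “DPD tagging” is to run each discovered element through an explicit rule chain that encodes the applicability conditions. The block below is an added example written for this page; it is not FDPPI or DGPSI code and not any vendor's product. It models, in simplified form, the territorial and carve-out rules of Section 3 and the outsourcing exemption of Section 17(1)(d) of DPDPA 2023; the field names on `DataElement` and the sample inventory are constructed for illustration.

```python
"""Rule-based DPD tagger for a data-discovery inventory.

Added example for this page, not FDPPI/DGPSI code. It models, in simplified
form, the applicability rules of Section 3 and the exemption in Section
17(1)(d) of DPDPA 2023; the field names and the sample inventory are
constructed for illustration and are not taken from any real product."""
from __future__ import annotations

from dataclasses import dataclass

DPD = "DPD"                 # protected; full fiduciary obligations apply
DPD_EXEMPT = "DPD_EXEMPT"   # within the Act, but most fiduciary duties exempted (s.17(1)(d))
NOT_DPD = "NOT_DPD"         # outside the Act


@dataclass(frozen=True)
class DataElement:
    name: str
    is_personal: bool               # relates to an identifiable individual
    digital: bool                   # collected digitally, or digitised later
    processed_in_india: bool        # processing happens within India
    principal_in_india: bool        # the data principal is within India
    offered_to_india: bool = False  # processing relates to offering goods/services to principals in India
    foreign_contract: bool = False  # processed in India under a contract with a person outside India
    made_public_by_principal: bool = False
    personal_domestic_use: bool = False


def classify(e: DataElement) -> tuple[str, str]:
    """Return (tag, reason) for one discovered data element.

    Order matters: the cheap exclusions (non-personal, non-digital, s.3(c)
    carve-outs) run before the territorial tests, mirroring the filtering
    sequence described in the post."""
    if not e.is_personal:
        return NOT_DPD, "non-personal data is outside DPDPA"
    if not e.digital:
        return NOT_DPD, "non-digital personal data that was never digitised (s.3(a))"
    if e.personal_domestic_use:
        return NOT_DPD, "processed by an individual for a personal/domestic purpose (s.3(c)(i))"
    if e.made_public_by_principal:
        return NOT_DPD, "made publicly available by the data principal (s.3(c)(ii))"
    if e.processed_in_india:
        if not e.principal_in_india and e.foreign_contract:
            return DPD_EXEMPT, "foreign principals' data processed under a foreign contract (s.17(1)(d))"
        return DPD, "digital personal data processed within India (s.3(a))"
    if e.offered_to_india:
        return DPD, "processed outside India in connection with offering goods/services to principals in India (s.3(b))"
    return NOT_DPD, "generated and processed outside India, not aimed at data principals in India"


def tag_inventory(elements: list[DataElement]) -> dict[str, str]:
    """Tag a whole discovery inventory; the result is what a DPD register would store."""
    return {e.name: classify(e)[0] for e in elements}


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    DataElement("crm.customer_email", True, True, True, True),
    DataElement("iot.warehouse_temperature", False, True, True, False),
    DataElement("bpo.eu_support_tickets", True, True, True, False, foreign_contract=True),
    DataElement("us_shop.orders_shipped_to_india", True, True, False, True, offered_to_india=True),
    DataElement("us_shop.us_only_newsletter", True, True, False, False),
    DataElement("reception.paper_visitor_register", True, False, True, True),
]

if __name__ == "__main__":
    for element in SAMPLE_INVENTORY:
        tag, reason = classify(element)
        print(f"{element.name:40} {tag:10} {reason}")
```

The s.17(1)(d) case is tagged DPD_EXEMPT rather than NOT_DPD because that exemption lifts most of Chapters II and III for the fiduciary but does not take the data out of the Act; a discovery tool that simply drops such records would lose the audit trail a Data Auditor later needs. A real tool would populate the boolean fields from system metadata and contracts rather than by hand, and the rule chain would grow as the Rules are notified.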

These are some of the questions which the software developers need to ask themselves. If they feel that they need expert guidance in this regard, it is time for them to consider “Special Associate Membership” of FDPPI. Contact today.

(Look out for more such reasons… to follow)

Naavi.

Posted in Cyber Law

Why Wait for a new law to regulate AI when the existing law is good enough…

AI is all around us and in different forms. Today almost every software is considered as “AI-Embedded”. It is like the “Intel Inside” slogan.

On the one hand, IPR and Privacy activists are crying that AI developers are using data for algorithm development and machine learning while ignoring the existing laws of Privacy and Copyright. On the other hand, users are using AI algorithms without understanding their complicity in these IPR or Privacy violations.

In India, both the vendors and the users are taking advantage of a “There is no law and hence I can do no wrong” attitude.

We need to ask ourselves whether we need to wait for the “Digital India Act” to be enacted, or whether we should brace for the impact of AI with whatever law exists today.

We already have an operative law, ITA 2000, which “attributes” any automated action of software to a “person” (Section 11). The consequences of the use of automated software are therefore accountable directly to a human who causes the software to behave in a particular manner. It could be one or more of the “Developer”, “Vendor” or “Licensed User” who carry this attribution and are accountable for the AI. The penalties already mentioned in ITA 2000 and the judicial process of “Adjudication” with judicial oversight already in place can act as the remedy for those who are adversely affected by AI.

The principles of “Data Fiduciary” in DPDPA further expands the accountability of the “User” in terms of what assurances he has to seek from developers and what disclosures he has to make in his privacy notices and what consents he has to obtain.

We should therefore start applying the current laws to AI regulation in India and not worry about a new law which may eventually be passed.

In implementation, the Developer as well as the User of an AI is advised to designate a human “Handler” for the AI's functioning and disclose it appropriately. In the absence of such a designation, the CISO/DPO will have to assume the responsibility.

Comments are welcome.

Naavi

Posted in Cyber Law