DGPSI Compliant Software and Incentivisation

DGPSI as a framework targets compliance with DPDPA. It can be used by Data Auditors to audit the compliance of an organization and certify it for adequate compliance. DGPSI can also be used to assess compliance maturity through the Data Trust Score or DTS, which can be used for monitoring compliance and building assurance for the Data Principals.

At the same time, DGPSI has another use for those who build Privacy Compliance technical tools such as those for “Data Discovery”, “Data Classification”, “Consent Management” etc. This is for creating “DPDPA Compliance Software Tools”.

Since DGPSI is a reflection of DPDPA, DPDPA Compliance in a technology context is better addressed through DGPSI Compliance.

Hence Privacy Enhancement Tool (PET) developers can target DGPSI Compliance to be built into their tools and thereby achieve DPDPA Compliance. Such tools can also be audited by DGPSI auditors and certified as “DGPSI Compliant”. They can even be assigned DTS scores to indicate the level of assurance.

Naavi invites technologists to come forward and tweak their current tools to achieve DPDPA compliance by becoming DGPSI Compliant, with the help of appropriate DGPSI Consultants, and to obtain a DTS Score for their tools.

The Data Auditors of FDPPI are being trained to make such assessments and provide assurance certificates for tools with a DTS score which fairly represents the ability of the tool user to meet DPDPA compliance while processing personal data using the tool.

This is a unique process and will take time to develop. The Data Auditors need to be specially trained for this purpose. But a beginning has been made and this should usher in a new era in PET development in India.

Need for Incentivisation

During the early days of HITECH Act implementation in the USA, there was an incentive scheme by the US Government to promote the use of HIPAA Compliant technology by the Health Care industry. This included a system for certification of “HIPAA Compliant Software”, the use of which would make a covered entity eligible for subsidy. A total of $17.2 billion was distributed under this scheme over 5 years from 2009 to 2014 and is believed to have contributed significantly to the adoption of technology by health care professionals. This was more relevant for individual doctors and small pharmacies, where the lack of funds could have delayed the adoption of compliance technology.

It is time for India to consider a similar system to promote the use of DPDPA Compliant technology and introduce some incentives for Data Fiduciaries, particularly in the MSME sector, to promote the use of “DPDPA Compliant Software systems” for processing personal data.

It is our desire that, before the Government introduces a scheme for this purpose, we have a system for evaluating software to be certified for DPDPA Compliance. Once such a scheme is introduced, there will be many players who would introduce their own DPDPA Compliance systems and promote them with aggressive marketing efforts. Naavi and FDPPI would however endeavour to make “DGPSI Compliance” the hallmark that has its own unique value.

In the upcoming training for Data Auditors in Mumbai scheduled for January 24, 25 and 26, this aspect will be discussed in greater detail. Before that training, this may also be discussed at IDPS 2024 on November 30 and December 1 at Bangalore. Watch out for details of both programs on the FDPPI website (www.fdppi.in).

Naavi


Fake Bomb Threats are an act of Terrorism

The recent spate of fake bomb threats to different airline companies, and an open advisory from a Khalistani terrorist not to travel on Air India, are acts of terrorism that fit well within the definition of Cyber Terrorism under Section 66F of ITA 2000.

It is surprising that the Ministry of Aviation seems to be searching for ways to strengthen the aviation laws to make such threats punishable. I request the Civil Aviation Minister Ram Mohan Naidu Kinjarapu to take note that there is already a law in India under Section 66F of ITA 2000 which states inter alia as follows.

“Whoever “with an intention to strike terror in any section of the people”, accesses a computer resource exceeding authorised access and by means of such conduct is likely to cause disruption of services essential to the life of the community, shall be punishable with life imprisonment”

Hence there is no need for a separate law or tweaking of the Airlines Rules to file a case of terrorism against those who send fake bomb-threat emails to airlines, schools, etc. Once such cases are filed, they are recognized across the globe and can be taken to Interpol for investigation if required.

The reason why these threats are proliferating, and will continue to proliferate, is that it is child’s play to get an email account on Proton Mail or similar email services which provide an anonymous email account from which such threats can be sent. There are also proxy servers which provide services to hide the sender’s IP address. It is therefore near impossible for the investigating agencies to quickly decipher the identity of the sender.

While it costs almost nothing for the attacker to send an email, it costs airlines in the range of Rs 25 lakhs to divert a flight in mid-air for security reasons and conduct a security drill before it is released once again. In view of the ease and economy of such cyber attacks, these will continue, and a solution has to be found by the Government, as otherwise this asymmetric attack will cause huge damage to the country.

The solution to this lies in getting the cooperation of service providers like Proton Mail or the VPN service providers to obtain the identity of those who use their facilities for committing international terrorism. The contracts of such providers always indicate that the services shall not be used for terrorism.

For example, the terms of service of Proton Mail state as follows:

Any Account found to be committing the listed unauthorized activities will be immediately suspended.

2. Authorized use of the Services

You agree not to use your Account or the Services for any illegal or prohibited activities. Unauthorized activities include, but are not limited to:

  1. Disrupting the Company’s networks and Servers in your use of the Services;
  2. Accessing/sharing/downloading/uploading illegal content, including but not limited to Child Sexual Abuse Material (CSAM) or content related to CSAM;
  3. Infringing upon or violating the intellectual property rights of the Company or a third party;
  4. Harassing, abusing, insulting, harming, defaming, slandering, disparaging, intimidating or discriminating against someone based on gender, sexual orientation, religion, ethnicity, race, age, nationality or disability;
  5. Trading, selling or otherwise transferring the ownership of an Account to a third party (with the exception of Lifetime Accounts, which can be sold or traded exclusively through the Company);
  6. Promoting illegal activities or providing instructional information to other parties to commit illegal activities;
  7. Having multiple free Accounts (e.g. creating bulk signups, creating and/or operating a large number of free Accounts for a single organization or individual);
  8. Paying for your subscription with fraudulent payment means, such as a stolen credit card;
  9. Engaging in spam activities, which are defined as the practice of sending irrelevant or unsolicited messages or content over the internet, typically to a large number of recipients, notably for the purposes of advertising, phishing, or spreading malware or viruses;
  10. Sending junk mail, bulk emails, or mailing list emails that contain persons that have not specifically agreed to be included on that list. You agree not to use the Services to store or share content that violates the law or the rights of a third party;
  11. Abusive registrations of email aliases for third-party services;
  12. Attempting to access, probe, or connect to computing devices without proper authorization (i.e. any form of unauthorized “hacking”);
  13. Referring yourself or another one of your accounts to unduly benefit from our referral program’s benefits (see section 9 for discretionary benefits of the program).

Similar conditions will be found in the terms of all VPN services as well as all domain name services.

The first requirement for our law enforcement is therefore to quote these terms and demand that the service provider disclose the identity details of the account holder who is committing a terror activity. This can be supported with a Court order.

In case these service providers refuse to abide by the request, it can be escalated into a notice alleging an attempt to shield the perpetrator of the crime, making the service provider a co-accused for conspiracy. This will empower law enforcement to take direct action against the service provider in an Indian Court and later enforce it in the relevant country in which the service provider is registered. They will not be eligible for protection under Section 79 of ITA 2000 if they do not cooperate by providing the information sought through due process of law.

In the meantime, law enforcement can also take action to block domains such as “Protonmail.com” from India, along with the associated VPN services, ignoring the cries of the digital andolan jeevies.

I request the MHA and MeitY to immediately initiate action to cooperate with the Ministry of Civil Aviation in initiating action in the above direction.

Naavi


DGPSI will be the “Jurisprudence” for DPDPA 2023

In a recent meeting of the officials of MeitY with the ministry, it is reported that the officials suggested that the industry get cracking on the implementation of DPDPA 2023 without waiting for the publication of the rules.

This suggests that the MeitY is still not clear on some of the aspects of the law and how it has to be implemented.

In this context, DGPSI, which was developed as a “Framework for Implementation” of DPDPA 2023, assumes a much bigger role as the document that codifies the interpretation of DPDPA 2023 for implementation by the industry.

DGPSI is therefore the “Jurisprudence” for DPDPA 2023. It indicates how the DPDPA 2023 can be interpreted and implemented. The legal basis is implementation as “Due Diligence” under ITA 2000.

Watch out for more in a series of posts here.


Digital Jungle Raj in Digital India

Yesterday we had a very useful discussion on whether there is a need to regulate the Dark Web, whether it is desirable, and whether it is feasible.

As expected, one school of thought was of the firm view that the “Dark Web” cannot be regulated: if you try to bring down one Tor site, another will come up, and so on. There are no two opinions that hackers who function in the Dark Web are confident that law enforcement cannot catch them. There are law enforcement persons as well as security professionals who are simply happy observing the dark web. In fact, many security professionals make a living out of monitoring the dark web.

The fact that the dark web is thriving because of the presence and availability of crypto currencies like Bitcoin and Monero is well known.

One common view of the professionals was that even politicians have a cut in cyber crime proceeds, in crypto form, and hence are not interested in taking any action against them. It was however noted that regulation of crypto currencies in India has been effective, and Indians are using Dubai as the center for exchanging their black wealth into crypto currencies and back. Hawala operations are also in place between India and Dubai so that ransom payments demanded in crypto currencies can be carried out.

At the end of the discussions, it was clear that regulation of the Dark Web and Crypto Currency is very much needed, unless we want a “Digital Jungle Raj” in Digital India.

However, there is no consensus on whether any regulation of the Dark Web is feasible in India. Many are obviously against such regulation since their livelihood could be affected. They belong to the school of thought that says: let there be crimes, let there be victims of cyber crimes; we shall make our money through legitimate business surrounding the dark web.

At Naavi.org we believe that “Impossibility of regulating Dark Web” is only an excuse not to try.

In fact, we have not prevented road accidents, but we have laws for traffic management. We similarly have laws on drug abuse, gun sales and terrorism, but we are not able to eliminate them. What we as a society need to do is to take a position and declare that we will not support the Dark Web and the Dark Currency, come what may.

It does not matter if we shrink our Web space by creating an “Iron Curtain”, restrict use of the Internet, ban domains such as Proton Mail and continue to ban any substitutes that may come up.

If we cannot ban the Tor browser because it is required for some reason, then make its possession subject to registration of the person as a “Registered Ethical Hacker” and bring accountability to the use of the Tor browser.

Section 67B of ITA 2000 covers any person who creates text or digital images, or collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in an obscene, indecent or sexually explicit manner.

A similar law should be considered for restricting the use of Dark Web.

Under Section 84C of ITA 2000, whoever attempts to commit an offence punishable under this Act, or causes such an offence to be committed, is also punishable.

The Dark Web, which is an instrument of crime, along with the Tor browser, Proton Mail (and other similar services) and Bitcoin-type Private Crypto Currencies, are all therefore classified as instruments which “cause such offences … defined under ITA 2000”. Hence there is already a law that can be used against the use of criminal instruments.

Any person in possession of dangerous weapons in the physical world is looked upon as a potential threat to society, and the Police maintain a register of such persons as “Rowdy Sheeters”. At the same time, we allow police, security agencies and celebrities, including people like actor Govinda, to possess revolvers for their own safety or for other purposes.

Similarly, we can mandate that any person who wants to use any of the dark web tools should be registered with the national security agency as a “Registered Ethical Hacker” and report his activities periodically in the form of an audit report. This will bring accountability to the use of the dark web by security persons and segregate them from “unregistered ethical hackers”, who can be classified as “black hat hackers”.

We advocate that the MHA bring in an explanation to the existing laws at appropriate places to state: “Possession of dark web tools … as per a list to be published … will require mandatory registration, failing which the possession itself will be punishable.”

We agree that a section of society will ignore the law. It does not matter. Let us at least give an opportunity to the “Friends of the digital society” to declare their honesty in good faith by registering themselves as persons who possess the ability to wade into criminal space but use it responsibly.

Naavi


Today is 17th October… Birthday of the Digital Society in India

October 17, 2000 was the day when the Information Technology Act 2000 (ITA 2000) became effective. The essence of ITA 2000 was the legal recognition of binary documents and of authentication using PKI-based digital signatures. Together, these made legally valid digital contracts feasible, and E-Commerce and E-Governance got a foothold. This should be considered the birth of the “Digital Society of India”. This digital society has now developed and become “Digital India”.

Let us therefore remember this day as the “Digital Society Day”.

In order to celebrate the day, we at Naavi.org and FDPPI are holding a discussion on “Taming of the Dark Web”. It is a short virtual Round Table discussion on Zoom, and all are invited.

In order to preserve the benefits of technology to society, we need to curb the activities of cyber criminals. The presence of the “Dark Web” and the “Dark Currency” in the form of private crypto currencies enables criminals to continue their criminal activities. Criminals reside in the Dark Web, come out from time to time to attack the Netizens on the surface, and vanish back into the Dark Web.

The entry door for moving in and out of the dark web is the Tor browser, and the currency for living in the dark web is the PCC (Private Crypto Currency). The communication tool for Dark Netizens to communicate with surface Netizens is mail services like “Proton Mail”, which are used for sending not only bomb threats but also ransomware demands.

Despite knowing the adverse impact of cyber crimes on society, we have allowed free conversion of PCCs like Bitcoin into legacy currency, so that all earnings in the dark web can be used in civil society. We also encourage the use of Tor browsers among young technology users as a part of security training. Many of the VPN services like Proton Mail are used by security professionals to have an anonymous existence.

It is however necessary to recognize that the Dark Web ecosystem is killing society for the benefit of the criminal. We need to recognize this and put a stop to it.

The regulators are currently unable to reduce cyber crimes, and society is moving into an era where cyber crime is becoming an acceptable way of life.

Our own Government is hesitant to curb Bitcoin and is shamelessly happy to make money through taxation of Bitcoin transactions. Our security experts are unconcerned about the adverse impact of technology crimes on society. Given an opportunity, we would try to take the benefit of cyber crimes by creating products for handling the adverse impact rather than preventing it.

It is time that we realize that we as a society need to go for a direct attack on the crime syndicates by attacking the dark web entry tools and dark web benefit exploitation tools. We therefore need to introduce strict regulations on the use of the Tor Browser, VPN mail services like Proton Mail and Private Crypto Currencies like Bitcoin.

Let us by law make it difficult for the Tor Browser and Proton Mail to be used by criminals with the following steps.

1. Let us ban Proton Mail and all other mail services that do not cooperate with law enforcement agencies in identifying the senders of email.

2. Let us make all Tor browser installations “licensable”.

3. Let us mandate that all Tor users need to be registered as “Ethical Hackers”.

4. Let us mandate that the use of Bitcoin (PCCs) is an offence and is considered an attempt at money laundering.

I suppose we can discuss all these in today’s discussion on “Taming the Dark Web”.

Naavi


National Policy on Robotics

In October 2023, when Mr Rajeev Chandrashekar was the Minister of IT, a draft National Strategy on Robotics was released for public consultation. In July 2024, the Government announced that 5576 responses had been received and the consultation was closed. Since then there has been no further news about the adoption or implementation of the draft policy.

A copy of the draft rules is available here.

A National Strategy for Artificial Intelligence was published by NITI Aayog way back in 2018. Now an AI & Emerging Technologies Group has been set up by MeitY to promote the adoption of new technologies. Several reports have been issued by this committee from time to time. The Government has also launched an India AI mission to propel innovation.

There is a need to follow up on these initiatives and their integration with the developing regulations. FDPPI would like to pursue this during IDPS 2024.

Naavi
