Digital India Act-4: Online gaming

A discussion has ensued on the regulatory structure for online gaming in India. Today’s newspaper reports suggest that a confidential report has been submitted by a Government panel on the regulation of online games such as Dream11, Rummy circle etc.

The focus appears to be on games which have become casinos, with a large element of speculation and chance built into the winning. At the other end of the spectrum, “Skill games”, including say the online chess playing arenas, will continue to represent online games where “Skill” is more prominent than “Chance”.

The driving force for the regulation seems to be the “Taxing” of the income of the game operators under GST.

The regulation will therefore try to ensure that “Chance” based games do not turn into “Online betting centers and casinos”.

Mixed with these games for money are games like the “Blue Whale” which create social issues in the community and also have to be regulated.

To make the issue more complicated, we also have the emerging “Metaverse” where “Gaming” evolves into a more immersive interaction.

The “Crypto Currency” system, where a hashing challenge determines the winner of a Bitcoin/Crypto currency, is also a “Game of Chance” since no skill is involved in the winning.

If the idea is to charge GST, it will be essential to “Value” the winnings in the form of “Loyalty coupons”, “Coins”, “Cryptos” etc., and the regulation will be incomplete without such data valuation.

Most games also appear as “Mobile Apps” and may involve malicious apps that steal data or commit frauds of other kinds.

Some games are harmful by being addictive, while some are educative (crossword puzzles, hangman) or brain stimulating (sudoku, memory games).

In some instances game rewards are issued as loyalty points that can be used as currency within the game. If they cannot be converted into legacy currency or tradeable crypto currency, the rewards live within the gaming system. But if they can be encashed into legacy currency, then there are other issues such as taxation, gambling etc. Many games have a monetization plan where external legacy currency can be used for buying game currency. This mixes up legacy currency with game currency, and the problems arising therefrom need to be recognized.

In view of the above, “Gaming Regulation” does not end with just the appointment of a “regulator” but has serious implications for every aspect of Cyber Crime law and Data Protection Law.

In order to ensure that the regulation addresses only those concerns of society that need to be regulated, there is a need to clearly define and segregate the different types of gaming so that appropriate regulation may be imposed.

The definition of “Online Gaming” used in the Online Gaming (Regulation) Bill 2022, which was introduced in April 2022 and on which the panel must have deliberated before issuing its confidential report on 31st August 2022, states as under:

“Online Gaming” means games played on any electronics device including Personal Computers, Mobile Phones, Tablets and other devices;

This is a generic definition and does not address how an online Chess game is to be distinguished from a Blue Whale game, a Dream11 or Rummy circle game, or a Crypto Currency mining game.

The bill tries to create a regulator (Online Gaming Commission) and issue licenses to gaming servers so that others who do not have a license can be declared illegal (Section 5 of the Bill).

It exempts hosting and other backend services provided from India to those who operate gaming outside India, and protects the interests of such service providers.

The offences may be recognized as cognizable and may also be invoked through the intervention of the regulator.

The challenging part of the legislation is section 19, which overrides other legislations by stating:

“The provisions of this Act, shall be in addition to and not in derogation of the provisions of any other law for the time being in force and, in case of any inconsistency, the provisions of this Act shall have effect to the extent of such inconsistency.”

This requires an interplay of this legislation with ITA 2000 and also the IPC.

Details of regulation are left to the rules.

The most important parts of this legislation would be

  1. Segregating different types of gaming such as Educative, Fun, Monetary, Harmfully addictive, etc.
  2. Ensuring that “Crypto Currency mining” comes within the definition of “Chance based gaming” requiring a license.
  3. Ensuring that game-only rewards do not get converted into legacy currencies.

A detailed debate is therefore required before this regulation comes into existence.

(Let us discuss this further. I invite comments)

Naavi

Reference:

The Online Gaming (regulation) Bill 2022

Singapore introduces online gaming regulation

Shortcomings of online gaming bill

Government panel calls for regulatory body, new law for online gaming

Posted in Cyber Law

Is this the future of Secure E Mail system?… Creating own E Mail ecosystem in an enterprise

Functionality and Security are two dimensions of any software that need to be balanced through regulation. The Internet and E Mail were created with the purpose of effective communication, and hence functionality was the prime concern in the design of protocols such as TCP/IP or SMTP.

With the growing use of the Internet and E Mail for business, the need for Security in these protocols has become critical. Hence the current systems need augmentation for security considerations.

One of the problems confronting the internet society is “Phishing”, where unauthorized and impersonated e-mails are used for the commission of frauds. This must be addressed if we want to improve trust in Internet communication.

Preventing misuse of E Mails requires two aspects, namely authentication of the origin of the E Mail and prevention of modification of the E Mail content in transit.

These two security controls are addressed through “Digital Signature” and “Encryption”.

India has adopted a PKI based system built around a central regulatory authority, namely the CCA (Controller of Certifying Authorities), which grants licenses to Certifying Authorities who in turn control the Digital Certificate issue system. The Digital Certificate issue/Signature system consists of the use of accredited hashing algorithms and public-private key encryption, along with the creation of the key pairs, embedding them in tokens etc.

These Certifying authorities also provide the “revocation” and “Verification of Non-revocation” of digital certificates to ensure that the community can use the system with assurance.

The popular e-mail systems like Gmail, however, are not designed for the use of the digital signature system, and users need client side applications to use digital signatures for authentication or encryption.

When a single public-private key pair is used both for authentication and for encryption of content, a problem is likely to arise when crime investigators require access to encrypted content through the exercise of powers under Section 69 of ITA 2000. Sharing the private key under this circumstance will necessitate the issue of a new digital certificate for the further use of the subscriber.

Presently the solution to this problem is to issue two key pairs, one set being used for authentication and another set used for encryption, so that when required, or as part of the certificate issue protocol, the private key for encryption can be escrowed with the regulatory authority.

While the digital certificate issuers have enabled such a “Dual Key” system, the end user applications are still not fully equipped to use it.
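To make the “Dual Key” arrangement concrete, here is an added illustration in Go (constructed for this post, not the code of any Certifying Authority or of the e-mail product discussed below): each subscriber holds a signing pair and a separate encryption pair, mail is signed with the first and encrypted to the recipient’s second, and an escrow holder given only the encryption private key can read the content but cannot sign in the subscriber’s name. RSA with PKCS#1 v1.5 signatures and OAEP encryption is an assumption here, not the accredited algorithm set of the CCA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// DualKeyUser holds two separate RSA pairs: SignKey for authentication, EncKey for content.
type DualKeyUser struct {
	SignKey, EncKey *rsa.PrivateKey
}

// NewDualKeyUser issues both pairs to one subscriber (constructed example, not a CA's code).
func NewDualKeyUser() (*DualKeyUser, error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DualKeyUser{SignKey: sk, EncKey: ek}, nil
}

// Seal signs the SHA-256 digest of body with the sender's SignKey and encrypts body to the
// recipient's EncKey public half, so the content stays encrypted in transit and in storage.
func Seal(sender *DualKeyUser, toEnc *rsa.PublicKey, body []byte) (ct, sig []byte, err error) {
	d := sha256.Sum256(body)
	if sig, err = rsa.SignPKCS1v15(rand.Reader, sender.SignKey, crypto.SHA256, d[:]); err != nil {
		return nil, nil, err
	}
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, toEnc, body, nil); err != nil {
		return nil, nil, err
	}
	return ct, sig, nil
}

// Open is all the recipient, or an escrow holder given only the recipient's EncKey, can do:
// decrypt the body and check the sender's signature. EncKey alone never lets anyone sign.
func Open(myEnc *rsa.PrivateKey, fromSign *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), nil, myEnc, ct, nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(fromSign, crypto.SHA256, d[:], sig); err != nil {
		return nil, err // sender not authenticated, or body altered in transit
	}
	return body, nil
}
```

Because only EncKey is escrowed, a lawful decryption under Section 69 does not force the subscriber to obtain a fresh signing certificate, which is exactly the problem the single-pair arrangement creates.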

In the meantime, to overcome the shortfalls in current e-mail communication, where the content can be intercepted and altered in transit through some form of man-in-the-middle attack, an attempt is being made to create new Secure E Mail systems.

The undersigned came across one such system recently which is worth sharing here.

A Dubai based company with a development center in Bangalore has created an E Mail system which is considered a “Blockchain” based application and which can be used by enterprises for secure E-Mails within an enterprise eco-system.

The essence of the system is that the E Mail is encrypted with the public key of the recipient and hence remains encrypted in transit and in storage. This requires the users to be onboarded on to the system and issued digital certificates along with the key pair of public and private keys.

If security in transit is the only concern, the digital certificates can be issued by a system even if it does not belong to the “Licensed Certifying Authorities”. If “Authentication” is also a requirement, it may be necessary for the enterprise to integrate this e-mail system with a local certification server operating as a sub agency of a licensed certifying authority.

One interesting feature of this system is that, apart from bringing all employees of an organization into the system so that e-mails between them can be encrypted, the organization can also onboard outsiders to the extent of their interaction with the enterprise, just like the ‘Boxbe’ kind of systems which try to maintain an approved guest list of persons whose emails will be received.

While it is difficult to impose “Registration of Guest” before an email is allowed entry to the recipient’s inbox in personal communication, it may be possible in enterprise communication, particularly between Banks and their customers or E Commerce companies and their customers.

If all Banks start using such systems, then Bank frauds using “Phishing” can be eliminated, since all Bank to customer e-mails will then be handled only through the dedicated e-mail system with encryption. This could mean that the Bank may have to create e-mail space for all its customers, but the volume of data transmitted will be restricted to Bank-Customer communication only.

Presently Banks do provide for in-app communication, either through the mobile app or after logging into internet banking. But the use of a designated e-mail could be a more convenient option.

If “One Designated email for one customer ID” can be extended by every bank, then even the UPI IDs can perhaps be integrated with this special e-mail ID, and there could be better security in the overall process.

The system can perhaps be used even by the Government so that communication between Government servants can be encrypted.

At present the system is good for enterprise e-mail systems, and maybe some integrator can create a “Regulated Anonymised E Mail System” where privacy is ensured subject to law enforcement rights. Such a system could be a replacement for “Proton Mail”, which could be non compliant with the recent CERT-In guidelines and can only function as a “Not Legal” service.

“Regulated Anonymity” was a system suggested more than a decade back by Naavi when the concept of BlockChain, or even Privacy as we know it today, did not exist. Perhaps the system can be tweaked to meet the current requirements through this new system created by the Bangalore company.

I urge companies to explore this solution (request for contact if required) of “Secure Enterprise E Mail” that could be one of the use cases for Block Chain technology.

(Comments welcome)

Naavi


Posted in Cyber Law

If you are a Privacy Expert…

FDPPI is conducting IDPS 2022, which is the flagship event of FDPPI and an apex national event. During the three day virtual event, taking place this year between November 11-13, about 30-40 speakers will be taking part.

We are aware that there are many more experts in the domain, not all of whom can be identified by us and invited for the program. In fact FDPPI has over 200 members, each of whom is a decorated professional who could contribute to society with their knowledge. But we cannot accommodate all of them as speakers in this prestigious event.

However, we now have an alternative. We would like to collect both text and video messages from experts around the world and publish them as pre-recorded videos or messages during IDPS 2022.

We therefore invite experts to contribute text or video messages by email if they have a view on Privacy and Data Protection or related areas.

Such views can be on IDPS 2022, FDPPI, some issue on Privacy, any of the data protection laws such as GDPR, CCPA, ITA 2000, PDPB 2019 or the proposed law, or any other matter of relevance to the professionals working in the domain of Privacy and Data Protection.

In case the views are not to be published and are meant only for FDPPI as a confidential viewpoint, we will respect such a request and not publish them.

In case you are sending any videos, kindly keep them short, not exceeding 5 minutes. If you want to contribute pre-recorded content as a “Speaker” at IDPS 2022, you can send a request and contribute videos of longer duration, not exceeding 20 minutes.

Naavi

Posted in Cyber Law

Be a proud sponsor in IDPS 2022

IDPS 2022 is the flagship program of FDPPI and will focus on Privacy and Data Protection in India. This is the third year of the program, and it will be conducted as a virtual conference on November 11, 12 and 13, 2022.

Details of the program will be available exclusively on www.idps2022.in

There are many sponsorship opportunities available during the conference for interested persons.

Those who are interested, may look through this flyer.

For more information contact naavi.

Posted in Cyber Law

Mark your career with FDPPI Privacy and Data Protection Awards


One of the features of this year’s IDPS would be the awards to be presented to different categories of persons, recognizing their contribution to the Privacy and Data Protection eco system in India.

(Download the flyer with all information on the awards)

Naavi

Posted in Cyber Law

Shape of Things to Come… 18: Cross Border Restrictions on Transfer

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.


Restrictions on cross border transfer of data are one of the most controversial aspects of data protection laws. Though PDPB 2019 was criticized for its “Data Localization” aspects, it must be stated that PDPB 2019 was a gross dilution of the provisions of PDPB 2018 in respect of Data localization and even ignored the sectoral law of RBI. The media reports were motivated and were part of the conspiracy to dilute the restrictions.

For the record, under PDPB 2019 non sensitive personal data could be freely transferred; sensitive personal data could be transferred subject to a copy being held in India and explicit consent; and Critical data alone was in the restricted category.

On the other hand, GDPR imposes impossible conditions for the transfer of personal data outside the EU and is a draconian legislation in this respect, forcing international data importers to contractually oppose the sovereign rights of their respective Governments. GDPR data transfer requirements to a non adequate country cannot be complied with except with an effective pseudonymization/de-identification plan.

However, the vested interests have painted a picture as if PDPB 2019 was restrictive, and this cannot be accepted.

As long as Data is considered an “Asset” and its value recognized, the Government has a duty to protect it from plundering like what happened in the infamous CIBIL-TRANSUNION case.

Hence it is suggested that the New Data Protection Act of India revert to the PDPB 2018 version and impose the conditions that

a) No Personal or Non Personal Data is transferred out of India except with the consent of the data principal or data owner, and

b) A copy is held in data servers within the geographical boundaries of India, and

c) Processing of Critical Data shall be undertaken and retained only within India.

This does not adversely affect any ongoing data processing activity, except that there could be additional storage cost.

Though this is an unpopular decision which would be opposed by Tech Companies and the US Government, was one reason for the withdrawal of the legislation, and continues to be the Achilles heel for MeitY as regards Data Protection legislation, it is our sincere belief that India needs to put its foot down as a sovereign country and protect its interests.



P.S: These discussions are presently for a debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

  1. Introduction
  2. Preamble
  3. Regulators
  4. Chapterization
  5. Privacy Definition
  6. Clarifications-Binary
  7. Clarifications-Privacy
  8. Definitions-Data
  9. Definitions-Roles
  10. Exemptions-Privacy
  11. Advertising
  12. Dropping of Central Regulatory authority
  13. Regulation of Monetization of Data
  14. Automated means ..
  15. Prevention of Data Laundering-Policybazaar data breach
  16. Neuro Rights
  17. Type of Consents

Posted in Cyber Law