Asatoma sadgamaya…Tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…

(DVSI stands for Data Valuation Standard of India… Refer www.dvsi.in for more information)

Companies often face a dilemma over paying ransom when their data is captured and held hostage by a ransomware attacker. The attacker fixes a certain price for the release of the decryption key and often places the data for sale on the dark web. Acer had a demand of $50 million, CNA Financial reportedly paid $40 million and Colonial Pipeline paid $4.4 million. In India itself we had a demand on Cognizant for $5 million and different smaller amounts in different companies.

It is clear that in these cases the hackers had a perception of the value of the data they had captured and the companies paid the ransom because they felt that there was an opportunity cost in refusing to pay.  Insurance companies have their own practices on dealing with such instances and some may cover the ransom as part of their policy.

Further, the dark web often quotes a price list for many kinds of data. One such laundry list is here.

When thieves set a value for the data they may target and steal, it is necessary for the organizations which have these assets to also know that they have assets which are vulnerable to be stolen.

Managements often express surprise when a ransom demand is made and wonder “Do we have that kind of data with us?” The reason is that so far the CFOs and CEOs were never told that Data is an asset, though it does not show up on the balance sheet.

Corporate Managements need to ask themselves whether they are failing to represent the true value of their assets in the financial statements which they certify with “This is a fair and true representation of the company’s financial position”.

If the CEO/CFO knows that the company has a data asset of Rs 5000 crore, they would not crib to appoint a DPO or CISO at the kind of remuneration they deserve, or to invest in security products or employee training, or at least to harden their operating systems, which they keep postponing.

Let’s therefore look to the future with confidence by valuing our data assets and bringing them into our balance sheets. …

Let our shareholders know what we are worth.

Let our competitors know what it would cost to take over our company.

Asatoma sadgamaya…tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…

(meaning From Ignorance, lead me to truth, from darkness, lead me to light..Oh Data Valuation Standard of India)

Naavi

(With apologies to the Rishis who gave us the Upanishad Vaakya)

Posted in Cyber Law | Leave a comment

Right To Forget ..in Madras High Court

After the Delhi High Court and Orissa High Court indicated that the Right to Forget can be extended to a right to remove reference to an accused in a Court Judgement, the Madras High Court has now rejected the “Right to Redact” the identity of an accused from the Judgement.

In a Judgement delivered on 3rd August 2021 by Justice N. Anand Venkatesh in WP (MD) no 12015 of 2021, the Court rejected a request from a petitioner, Mr Karthick Theodre, who had been charged earlier for an offence and acquitted, that his name be redacted from the judgement records.

Similar consideration had come for discussion in two other cases one in Odisha High Court and another in Delhi High Court where the interim decisions were in favour of the accused and acquitted person to get his name removed from access through internet searches.

Naavi.org had observed that the decision was faulty since it interfered with a “Fact” and enabled suppression of the right to information.

The earlier Supreme Court decision conceding such a right to the victim of rape or sexual abuse, or in cases of juveniles, does not apply to the case of an accused who may be acquitted for reasons other than being innocent.

This current judgement of the Madras High Court is well reasoned and refuses such a request.

We appreciate the decision of the Court which was assisted by the Amicus Curiae Mr Arun Anbumani. It is also notable that the hearing was conducted virtually and concluded in quick time.

Naavi


Pegasus is a malware and can be anywhere

The current controversy on Pegasus in India arises from the petitions filed by various persons who all have one thing in common: they are known to be opponents of the current Government.

Just because all the petitioners are Anti Government, we cannot presume that Government of India used Pegasus to target all its opponents.

End of the day, Pegasus is a spyware and was commercially produced and sold by a company like many other encryption, decryption software or other security software. It was designed for use by security agencies to infect mobiles and conduct surveillance of various kinds.

It is feasible that many Governments across the globe could have bought this software for legitimate intelligence use. “Intelligence” is a necessary activity of a Government and cannot be wished away. Whether it is ISI or RAW, FBI or CBI, MI6 or KGB, snooping on crime suspects is a reality. Considering the proliferation of terrorism in the world, such intelligence activity is the duty of a Government.

Whenever a terrorist activity is reported, the first thing every opposition party asks is why there is an “Intelligence Failure”. But when it comes to Pegasus, the same opposition asks “Why there is Intelligence?”

The petition in the Supreme Court is built on a weak premise that

a) there is a possibility that the Indian Government could have officially bought Pegasus,

b) there are a few mobiles in India which have Pegasus infection and

c) a few of those persons whose phones are affected are political opponents of the Government and

therefore the Indian Government is guilty of illegal surveillance… Q. E. D.

On the other hand, it is observed that

a) Petition is filed by known political opponents

b) Petitioners have a motive to run a smear campaign on the Government

c) There are many previous occasions when the same petitioners have filed irrelevant and false petitions for political gains

d) There is no evidence backing the allegation

e) Demand for investigation is based on journals which are known to be anti-India campaigners

f) The petition has come 2 years after they first surfaced and just a day before the Parliament session and was used primarily to disrupt the Parliament session.

Hence it is a fact that the petitioners have knocked at the doors of Supreme Court with unclean hands and the demand is that a fishing enquiry be ordered at the expense of the exchequer to satisfy the political opponents.

Pegasus Infection

I would like to draw the attention of the honourable Supreme Court that Pegasus is a malware. While the company which is selling the software claims that it sells it only to authorized Government agencies, there is no guarantee that any of these Government agencies may not use it to spy on foreigners.

In other words, a foreign Government can snoop on Indian Journalists. We are aware that there are foreign news agencies like New York Times which are reported to be scouting to recruit journalists who can run smear campaigns against the Government of India. There is a possibility that such anti-India business interests may also want to spy on Indians, both journalists and activists.

Further, any State Government including the West Bengal Government or Kerala Government could have used the spyware for its own use. Political pundits like Mr Prashant Kishor could have advised parties like Congress, which have earlier used Cambridge Analytica, to use Pegasus.

A few years back there was a malware called Stuxnet produced again by an Israeli agency to target Iranian nuclear facilities. This malware was supposed to spread only through a USB drive since the targeted Iranian facility was an air-gapped system and not connected to the Internet. However, Stuxnet was found to have infected many systems world over and reported to have even affected Rare Earth Minerals near Mysore.

Malware is often developed for a certain purpose but gets out of control and spreads like the Corona virus which could have escaped from the laboratory where it was developed as a research product. The world is struggling to hold the Chinese Government or the agencies funding the Wuhan Laboratory responsible for the Corona Virus, if not for malicious intentions, at least for negligence. But the Indian politicians are more concerned about Pegasus, indicating that their intentions are not clean.

It is said that Pegasus is a “No Click infection” and in case a person receives an incoming WhatsApp call which he does not pick up, the instrument may get infected.

The Supreme Court should ask the citizens of India how many of them have in the past few years received WhatsApp calls which either they have not picked up or, when they pick up, do not receive any response from the other end. All these phones might have been infected with Pegasus. Does it mean that all these phones were targeted by the Indian Government and are being surveilled? If so then my phone should also come into this category.

Anti Virus companies are unable to confirm if they have a detection tool to find out whether a given phone is infected or not. Hence the Supreme Court should consider any person who has ever received a silent WhatsApp call from an unknown person as a potential target of the Indian Government using Pegasus.

Hence Pegasus infection may be found anywhere and if all the mobiles in India are checked (If there was a method of detection), then perhaps we would know that crores of mobiles may carry the infection.

If it is not the 20 odd persons who have filed the petition, not the 1400 persons in India who might have been affected as per some reports but hundreds of thousands of persons in India many of whom are pro-Government, then where is the presumption that the Government of India targeted only political opponents?

The very presence of a large number of pro-Government or neutral persons who could have been infected by Pegasus against a relatively fewer anti Government persons who have approached the Government, makes this petition a purely speculative judicial exercise even to issue a notice.

It is incumbent on the petitioners to find some evidence that a given infection in one of the phones was actually done at the instance of the Government and the snooped data was being received and analyzed by a Government agency.

We are aware that in Delhi several operators were selling “Off the air” mobile signal catchers which were also used by private detective agencies. The petitioners need to prove that Pegasus has not been accessed by such private operators either in India or elsewhere. If Off the air mobile signal catchers costing Rs 1 crore plus were in the market in India a few years back, a more powerful Pegasus could be acquired by private detective agencies for several crores more since it could be marketed to the opposition political parties themselves to spy on Government supporters.

The Supreme Court therefore has to look at the pros and cons of extending this investigation. Even assuming that some evidence is presented by the petitioners and an accusing finger may be pointed at the Government, it is impossible to find clinching evidence. Even if any clinching evidence is found, it is not possible for the Court to issue an order “Prohibiting surveillance”. At best the Court may question the process of authorization of such surveillance.

Hence this entire exercise is futile, unproductive and is a waste of time for the Court. It is just to satisfy ourselves that we value Privacy of citizens and go to any extent to fight for the right. All of us know this is not true and our politicians and businessmen are not interested in passing the Privacy law because we do not consider it a priority.

I hope the Supreme Court will also not fall prey to this political game and dismiss the petitions without wasting too much of its energies.

Naavi

Also refer: NDTV.COM

Data Protection Journal of India ..Latest issue is now available

 

Data has a value as everybody understands. But we need to go further in our discussion on what is the value of data, how it can be computed and how it can be brought into the balance sheet etc.

The latest issue of Data Protection Journal of India discusses these concepts along with the handling of the personal data of the deceased persons.

The journal is available free at www.dpji.in

This insane GDPR Fine on Amazon is self defeating

 

Luxembourg Data Protection Authority (CNPD) has done a great disservice to the Privacy Community by administering a fine of $887 million (Rs 6582 crores) on Amazon for using customer data for advertising purposes. The fine has been revealed by Amazon in its SEC filing and requires public confirmation from CNPD. It is possible that CNPD may revise its decision since it is blatantly unrealistic and will create a huge backlash from business against the sanctity of the administrative fine system.

Details available here

The ruling appears to have been a result of a complaint filed in 2018 by a French privacy rights group La Quadrature du Net representing the interests of 10065 persons. The complaint states that “Amazon is carrying out certain personal data concerning the persons on whose behalf this complaint is lodged (2.2) without, however, establishing these treatments on one of the legal bases required by law (2.1), making therefore, they are unlawful (2.3).”

Amazon has rightly pointed out that there is no “Data Breach” and the fine is disproportionate to the alleged violation.

It is important to observe that while CNPD can take pride in claiming that this is a “Record” fine based on the “4% Global Turnover window” provided in the GDPR, the level of fine is unlikely to be accepted by any sane Court.

The prayer in the complaint was

“request that the following measures be imposed on the from Amazon:
• the prohibition of behavioral analysis and targeting treatments advertising described above, pursuant to Article 58,§2(f) GDPR;
• an administrative fine which, because of the massive, lasting nature and manifestly deliberate of the breach found, must be the highest possible, pursuant to Article 83(2) and (5) of the GDPR.”

It is interesting to note that Luxembourg is one of the smallest sovereign states in Europe with a population of 6,26,108 and an area of 2585 square kilometers. It is a rich country but too insignificant because it is an entity smaller than the State of Goa with the population of some small town in India. The fine will enrich the country by about Rs 1 lakh per citizen.

It is possible that the CNPD thinks that it is upholding the privacy rights of the entire EU population and it is the torchbearer of privacy protection for the entire democratic world.

It is however necessary for such regulators to remember that “Advertising” is an essential ingredient of marketing and cannot be completely eliminated. In the course of developing targeted advertising of a commercial product, Amazon is being accused of not having proper consent. The accusation may be partially true. But the punishment envisaged must be reformative and reasonable. The current level of fine will be considered unreasonable and will actually create sympathy for Amazon.

I hope the Indian regulatory authority when it comes into existence would be more reasonable.

It is possible that the report as it happens in most media reports is itself not completely true. It is possible that CNPD might have raised a show cause notice on Amazon on why it cannot be fined Euro 447 million and Amazon might have disclosed it as a “Risk” in its disclosure documents to SEC. In the process, Amazon could have also exaggerated the possible fine without appropriate basis.

Based on the response from Amazon, CNPD may revise the fine downwards to more reasonable levels or a Court may actually quash the order. Hence the criticism may be premature.

However the incident does raise a question on how Privacy has to look at targeted advertising as a commercial marketing tool and whether it needs to be banned completely or regulated to the extent that it is used only for positive uses for the society.

Imagine a situation where all advertising on internet is banned. Then the entire internet industry would become so expensive that people will stop using it and technological development will be seriously affected.

This was not the intention behind GDPR and we should not allow the individual regulatory authorities to redefine the objective of GDPR and convert it into a revenue generating tool for themselves at the cost of business.

Naavi


Investors in Zomato and Paytm IPOs will eventually blame Narendra Modi

The Zomato public issue of shares to raise Rs 9735 crores of public money to a company which has been consistently making losses and has declared that it will continue to make losses even in the future is a dangerous trend that is infecting the Indian investment scenario like a Virus.

Now PayTM is getting ready with even bigger losses to enter the IPO and other startups like Cred will soon follow suit.

In all these cases, one can see a Ponzi scheme of raising money from public to pay off the investors who had invested in the earlier private placement rounds.

The system of angel investors funding a new risky technology venture at the pilot stage and the Venture Capitalists at the stage when the concept is further developed until it is ready to go public is a great idea which needs to be encouraged for the benefit of genuine entrepreneurs. But in view of the risk involved, such projects cannot be funded out of debt from the Banking institutions but need to be funded by equity investors who can absorb the risk. Hence the private placements by angel investors and venture capitalists are acceptable. But before they want to take their money out by bringing in the public, the company should start earning profits.

Currently, this scheme of funding new ventures is being fraudulently abused by some venture capitalists and their beneficiaries. The game is for a company to first raise some funds at a premium, use the money to advertise and acquire customers by offering deep discounts on products and services, and thereafter raise further money from other venture capitalists, do more advertising, and acquire more customers for the service to create a growth narrative.

Most of the customer acquisitions are successful because the products and services are sold below cost and consumers are in a way bribed to become a member. The companies firstly pick up valuable personal data of the subscribers to trade and then show the growth rate as a success story to raise further private equity.

The entire private equity so gained will add to the “Reserves” account in the balance sheet as “Share Premium” and add to the networth for the company. But the funds would be burned out through expenses which will be greater than the earnings. Most such companies make “Marginal loss on every unit sold”.

The following is a list of loss making companies compiled from some available public sources  of which Zomato has now tasted the investor’s blood by its public issue.

Other companies in the list will soon hit the stock markets and try to siphon off public investments.

We must remember that some of these investments may come from Mutual Funds and the public funds in the Banking industry will also be used to fund these IPOs through the mutual fund route. 

This is the Harshad Mehta scam back in the game, this time with the assistance of SEBI.

SEBI was an institution whose basic objective was to protect the interest of the investors. The institution and its predecessor, the Controller of Capital Issues (CCI) always exercised strict control on the pricing of public issues. Until recently it was a pre condition that only profit making companies could go public and raise public money on the basis of the prospectus document which was an honest declaration of the organization about the past financial position of the company, proposed new initiatives for which the money would be raised, the profitability for the next 5 years etc.

Unfortunately SEBI has now abdicated its responsibility for investor protection and started looking at Prospectus as a junk statement which can say (as in the case of Zomato)

“We will continue to make losses….. The project have not been appraised by any financial institution… ” 

Despite such risk disclosures, the Companies want to raise public money with a premium and SEBI is willing to allow.

In the case of Zomato, each share of face value of Rs 1 was sold at Rs 76. It is another fact that the shares were listed at the price of around Rs 116 and are now at around Rs 140. The market capitalization has crossed Rs 1 lakh crores. Some are advocating that these shares be brought even into the Nifty basket. It is ironic that ZOMATO kind of companies are having market capitalization higher than other successful manufacturing companies which have created value for the economy.

There has been a lot of trading turnover in Zomato shares in the initial days. However, how much of the turnover reflects genuine investor purchases is a moot point. It is well known that the trades are fixed so that the broker of a fund A will buy from the broker of fund B and the broker of A will again buy back, with each such transaction executed at a higher price. In the process the market price of the share goes up and the brokers make their commission. It is these broker manipulations that some investment counsellors call “Listing Gains”.

In traditional public issues of shares, the issue price was genuinely lower than the intrinsic worth since SEBI or the Controller of Capital Issues was very conservative. Hence public issues were heavily oversubscribed, the shares were listed at higher than the issue price and there were real listing gains. What is now happening is pure speculation which will erode the faith of the investors in the market.

It is certain that there would be a stock market recession induced by such issues, probably in the next 2 years.

SEBI is expected to control such malpractices but it has become part of this corrupt system of manipulation. The Government is completely under the control of the corrupt system and also has the income from STT to show as its gains.

Thus “Innovative Technology Companies”, “Venture Capitalists”, “SEBI” and the “Government of India” are all involved in this big game of cheating the public.

Our advice to investors is to completely refrain from the IPOs of such issues like Zomato and Paytm etc. Value investors like Mr Rakesh Jhunjhunwala state

Even the most optimistic valuation assuming growth of Indian GDP to the level of China GDP, and assuming that the company will be able to make profits in the next 10 years, maintaining a market share of 40%, experts value the shares at not more than Rs 41

Investors should ignore the manipulations of the brokers and the fraudulent investment advisors and the media which try to sell the idea that “Share price is a derivative of the sentiments of the investors” and there is no relation to profitability. Investment advisors have stopped looking at P/E ratios and are now looking at “Price to turnover” and other parameters to justify why a “Junk Share” should be bought at a high price.

The famous Harshad Mehta, whose scam induced a long recession in the Indian market in 1992, had a theory that if you create the right sentiment any share can be sold at a higher price. While such speculation is fine with own funds, institutions with public money and organizations like SEBI cannot take a stand to ignore the principle that an “Equity Value” is related to the “Underlying income potential”. If we break this link between “Market Price” and “Income Potential”, we will make all Equity investments another form of “Crypto shares”.

In the end, when a couple of these companies start failing, people will inevitably blame Mr Narendra Modi who has supported “Start Up” industries and companies like “Paytm” as promoters of Digital India.

Mr Modi will be called the “Mastermind of the scam” and Amnesty International, Wire and Mr Rahul Gandhi will all join hands and disrupt the Parliament while Mamata Banerjee may institute a “Judicial Commission” to probe.

If Mr Modi is wise, he should understand the risk and take effective counter action to ensure that SEBI does not become an instrument for cheating the public through such fraudulent IPOs. Otherwise, like the failing Cooperative banks being merged with healthy Banks, these “Crypto Companies” which are nothing but hollow accounting creations will have to be taken over by other healthy companies to save the market.

I therefore suggest that the Government has to immediately direct SEBI that

“No Premium issues should be permitted unless a Company is profitable on PAT basis for at least two consecutive years or in three out of 5 years before the issue”

Naavi
