Air India Personal Data Breach.. The value for disinvestment might have increased !

Air India has made an announcement that its Passenger Service System was attacked and personal data of about 45 lakh data subjects has been compromised. The leaked data elements include Name, Date of Birth, Contact Information, Passport information, ticket information, frequent flyer data and also some credit card data (without CVV).

There is no doubt that the leaked data contains sensitive personal information (Section 43A of ITA 2000) and could cause significant harm to the individuals.

It is not clear what has happened to the leaked data. There is no information on any ransom demand. We may however presume that it is available on the dark web.

The data breach might have occurred in the systems of the “Data Processor” which is SITA PSS and Air India is the Data Fiduciary for the data.

More details

Indian Express  :: NDTV

Is it an attack to Scuttle Disinvestment?

There is an observation by some professionals that this could be a sabotage connected with scuttling the disinvestment plan. The fact that hackers did not resort to extortion but simply leaked the information gives credence to this conspiracy theory.

Going by the recent developments related to “Tool kit politics” of the political parties, it is possible that such political forces may be behind the attack. The motive here is to bring disrepute to anything the Government proposes to do irrespective of whether it is beneficial to the country or not.

China, which is suspected to be behind a Bio-Warfare causing the Covid crisis in India, is also a suspect since China is an eternal enemy state for India.

Additionally, all those parties who had a stake in scuttling the disinvestment plan should be considered as potential suspects.

The Air India breach should therefore be investigated by CBI to check if there is any involvement of the Toolkit gang or others.

Has it been a blessing in disguise?

It may be the expectation of the attackers that the reputation loss caused by this data breach may significantly reduce the value of the enterprise.

But it is obvious that during the valuation of the organization for the purpose of disinvestment, normally the accountants take the value of land, building, aircraft and other equipment as the main assets. Probably they could take the net present value of future estimated profits, less accumulated losses etc.

However, it is highly unlikely that the valuers considered the availability of the personal data asset, including the 45 lakh data sets now revealed. Probably Air India must be having more than 45 lakh data sets in its custody. This had been valued at Zero value so far.

But now suddenly it is a discovery that the company has 45 lakh data sets and there is a huge value attached to it.

What is the value of Data that has been breached?

It is interesting to observe that the PDPSI (Personal Data Protection Standard of India) adopted by FDPPI for PDP-CMS audits includes an implementation specification (IS 6) which states as follows.

6. Data Valuation and Accounting

The organization shall adopt a policy of assigning a financial value to the inventory of data and provide visibility to the data asset in the books of account.

The value of data may be brought into the books based on a scientific valuation method or on a provisional basis and reported as a special reserve or as a Contra entry (both an asset and liability separately).

The Visibility of the valuation of data as an asset shall be extended to both personal and non-personal data.

At present no organization provides for such valuation but it is time professionals start thinking in this direction.

The Institute of Chartered Accountants needs to develop an appropriate valuation methodology for the purpose, though the PDPSI requirement would be satisfied by a contra entry and is not dependent on a specific valuation methodology.

The advantage of bringing the value of personal data to the books of account is to provide the visibility. Had Air India adopted this process, then the management would have realized that they are sitting on a “Data Gold Mine” which could have increased the valuation of the organization.

Even now, there is time for Air India to assign a value to the data which is in its possession which can be updated, and though it no longer remains confidential, it is worth at least its shared value.

The valuation may have to take into account

a) Number of data sets

b) Sensitivity of the data

c) Net Present Value of the data adjusted for time based erosion

d) Real or Opportunity cost of acquisition

Since each of the 45 lakh data sets which have been leaked (and discovered) contains some credit card data also, the value of each data set in the dark web may be estimated to be around $1000 each. (Refer Forbes Article)

This means that the value of the 45 lakh data sets is around Rs 31500 crores.

This valuation is a rough indication based on the following article in Forbes. We may debate how much of this data value is diluted since it is available to the hackers either in full or in part. But still the disinvestment value of Air India appears to have increased with this revelation.

But thanks to the discovery, Air India can now modify its valuation upwards.

Simultaneously, it may evaluate the cost of mitigation of the data breach risk and deduct it from its current profit.

Mitigation of the Data Breach Risk

In the meantime professionals can look at other aspects of how a “Data Breach Report” should be prepared by Air India, whether the individuals should be notified etc.

One point of suggestion towards mitigation is that Air India should take a “Group Cyber Insurance Policy” covering liabilities that may arise from “any loss that may occur to the affected data principals attributable to this leak for a period of say one year”. The cost of such a policy has to be separately negotiated and Air India can call for a tender from the Cyber Insurance agencies. These agencies may make their own assessment of the risk of claims arising in the next one year attributable to this particular data breach and underwrite the risk.

Speaking of the data leak itself, it is possible that the data was unencrypted in storage or there was insider assistance in the hack. If it is encrypted and the decryption key was not available to the hackers, the loss is not significant.

The data is supposed to have been collected over a period of around 10 years and many of the credit cards would have expired.

This would affect both the valuation of data, the valuation of the risk and the Cyber Insurance Premium.

I invite PDPSI professionals to come up with their views on this breach, the valuation of data and the impact on the disinvestment.

Naavi

Posted in Cyber Law | Leave a comment

Judiciary questioned on Protection of our Constitution

Indian Constitution was framed with a purpose of guiding the legislature on how to Govern this country under certain principles. During the years of Congress rule, especially under Mrs Indira Gandhi, the constitution was toyed around with amendments, many of them changing the basic structure of the constitution.

Today Indian Constitution does not place “Equality” as the cardinal principle. There is the concept of “Privileges” for one reason or the other, sometimes in the guise of correcting the long time discrimination, real or imaginary. Many of these privileges outlived their necessity and became the tools of “Voter appeasement”. Even the basic of the basic structure was changed with the introduction of the “Secular” concept which was not in the Constitution earlier.

The reservations and religious appeasements were born out of this disrespect to the cardinal principles of our constitution.

After the famous Kesavananda Bharati case, a principle was introduced that the Parliament can make any amendment but not change the basic structure of the constitution. But the interpretation of whether something affects the basic structure or not remained with the Supreme Court. In other words, the wisdom of the constitutional bench of the Supreme Court was more powerful than the Constitution.

For some time people thought that Indian democracy had legislature as one part and Judiciary as another part. The Executive and Press were considered other pillars of democracy.

However, at present, Supreme Court has become the ultimate interpreter of the constitution and even if 75% of the elected parliamentarians decide on a change, the Supreme Court can shoot it down. The elected representatives themselves can get into the legislature because they would have a consolidated voter base of one religion or caste.

The Press has long abdicated its role as a pillar of democracy. Executive is more comfortable with a corrupt political system since they can wield reflected power and enrich themselves.

Indian Democracy today runs on just one pillar and that is Supreme Court. The cabinet, the Ministries or the Loksabha or the Rajyasabha are only subordinate institutions who can propose but it is only the Supreme Court which disposes. This is not a healthy situation for any democracy as it upsets the delicate balance that needs to be maintained.

Quite often we feel that Supreme Court itself is overreaching itself with the executive decisions and has been swayed by political and financial corruption.

A time has therefore come to review the way Supreme Court interacts with the Executive and the Legislature.

Advocate Mathew Nedumpara has been the only person in the country who has the courage and the conviction as well as the expertise to question the Judiciary and make them think in the right direction.

Though the Judiciary has treated him with disdain, he has gone about his duty to the nation with undiminished commitment.

Presently the National Lawyer’s Campaign for Judicial transparency and Reforms, which is led by him, has filed a petition at the High Court of Bombay questioning several practices that the Courts have adopted in the yesteryears, particularly with respect to the selection of Judges.

(Copy of the draft petition is available here)

Today there is a petition with the Supreme Court questioning the constitution of the Election Commission. There are State Governments where Chief Ministers do a Dharna in front of the Governor’s office or CBI. The law and order has been broken by people holding the office of the Chief Minister despite having been defeated in the elections. But all this seems to be within the constitution of India.

“We the People” cannot understand how a State CM who is challenging the Union Government’s law enforcement authority or the main opposition which is instigating international conspiracy to defame India, cannot be booked for anti national activities.

The Constitution that does not prevent an irrational anti national activity of a political party is not a robust constitution. The PILs that question every executive action and the alacrity with which the Supreme Court jumps in to admit any petition against the Government weaken the constitution further.

It may be observed that during the Privacy Judgement, Justice Chelameswar made a statement to the following effect as part of his judgement.

“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled canons of constitutional interpretation.”

What this meant was that the Supreme Court had the powers not only to interpret what is written in the constitution but also imply what is not found in the text of the constitution.

With this view he justified the right of the Supreme Court to re-write the constitution and interpret it in any manner it prefers.

I wish that the current petition of Mr Nedumpara’s team would make the Supreme Court impose some restrictions on itself. Otherwise there will be no difference between a dictator politician and a dictator Supreme Court.

Supreme Court has the powers of Contempt but even this is exercised with an interpretation full of hypocrisy. An advocate who tears off an evidentiary document in the Court or shouts “Shame” when a judgement is pronounced is not booked for contempt, but a person who files a PIL which the Judge does not like gets fined. There is no consistency in the judicial pronouncements and the public are aware of such inefficiencies in the system.

The demand for open broadcast of the court proceedings has been resisted for too long a time because parts of the Judiciary were not confident of making themselves available for public scrutiny despite the powers of the Contempt being available to them.

If the current CJI breaks this self protective measure of the Court, it will bring a revolutionary change to the quality of our Judicial systems.

If at the same time, Mumbai High Court and thereafter the Supreme Court also ensure that Executive and Legislature can function with reasonable freedom, then democracy in India will be on the right tracks.

Naavi

Bitcoin lobby wants to change the regulator and push India into financial chaos

Today’s Economic Times carries an article “Crypto Exchanges want Sebi or a New Entity as regulator, not RBI”.

It appears that the Bitcoin lobby has not been able to corrupt RBI which is standing up to its principle that Private Crypto currencies such as Bitcoin, Ethereum, Dogecoin etc are all meant to kill the legacy currency system of sovereign nations.

Though the Indian Crypto Exchange owners have been able to compromise several bureaucratic agencies, RBI has understood that allowing Bitcoins to be easily exchangeable into legit currency is declaring that “Black Money” is legal.

If RBI agrees to this demand, the central bank will lose all control on the monetary system in India and there will be financial chaos in the country.

After the recent attack on the Gas pipeline in USA and also the Washington Police by Bitcoin ecosystem which includes the Cyber Crime, Drug Trade, Illegal arms trade and all crimes that the DarkWeb represents, the US Government turned its screws on Bitcoins.

US Government appears to have realized that if we want to kill the Darkweb, we have to first kill the currency of the Dark web which is the crypto currency.

Now the Indian Crypto industry has realized that RBI is not amenable to bribes and the Ministry can at best be kept silent for some time because it is ultimately led by Mr Narendra Modi.

Seeing that RBI is likely to be unyielding and soon the Tax authorities will start investigating the source of declared crypto currency holdings, the Crypto Criminals of India want to get rid of RBI and appoint SEBI to be their regulator.

We have pointed out in our earlier article “Black Money gets a Boost from SEBI. Mr Thaygi should be removed as SEBI Chairman” how SEBI in the past has shown its support to Bitcoin.

We had also pointed out that MCX, which works under SEBI, had officially supported the Bitcoin regulation and sheepishly withdrew when Naavi.org exposed their designs.

Now Mr Monark Modi, founder of crypto currency exchange Bitex wants SEBI to regulate the Crypto currencies and not RBI. Knowing the earlier views of SEBI and MCX, Mr Monark knows which regulator is on his side.

The argument that Bitcoin is not a currency but a commodity is technically correct. However, the Crypto industry has declared that their objective is to make Bitcoin a “Substitute currency to the legit currency”. There is a well developed market like Foreign Exchange market where trading of Bitcoins and other cryptos takes place 24X7. The perception is therefore more relevant than the technical issue.

The declared objective of Bitcoin right from its inception is summed up below.

Bitcoin has been created as a “Currency”, used as “Currency” and promoted as “Currency”. Any other representation is just an attempt to mislead the law makers.

Bitcoin industry was able to get the Supreme Court to accept devious arguments and provide a favourable judgment that enabled the industry to thrive. The industry feels that if the Bill to ban Crypto currencies is passed, they can again go to Supreme Court and they will find some friends who will get another “Bollywood judgement”, that can be scripted as per the direction of their lawyer.

This judgement would be considered as historic as the judgements like Kesavananda Bharati judgement or the Puttaswamy Judgement.

While Kesavananda Bharati judgement propounded the primacy of the basic structure of the constitution and curtailed the powers of the Parliament, Puttaswamy judgement went a step ahead (See J Chelameswar judgment) that the judges have the freedom to interpret and even add to what is not written in the constitution.

On the other hand, this Bollywood judgement showed how a clever scripted judgement can come out of our highest Court with a ridiculous argument that “X, the litigant is right but Y the other litigant will be declared as winner of this case”.

Given this unpredictable status of law in India, Bitcoin criminals can get any law passed as they like and get the endorsement of the Supreme Court also. India today has a system of Governance where Supreme Court takes even administrative decisions on how Oxygen should be distributed across the States. It can therefore be expected that the Supreme Court can also draw up a law on its own making Bitcoin and other Crypto Currencies acceptable as legit currency.

Next time, the Bitcoin lobby may be able to convince the Supreme Court to come up with a judgement stating that Court fee can be paid out of Bitcoins or salaries of Judges may be paid out of Bitcoins. This will clear all doubts in the minds of honest citizens like us that India will in future be led by Black money and not the legit RBI money. Since the Government has recently received a billion dollar donation in the form of Bitcoins for Covid relief, the Government can use the funds for meeting salaries of Judges since they are now required to act as the Alternative Cabinet of the country and take day to day administrative decisions.

Given this scenario, I am not surprised that the Bitcoin lobby wants to change the regulator. Tomorrow the same lobby will want a change of the PM also. The recent defeats of BJP in West Bengal and Kerala indicate that anti nationals can come to power by religious vote consolidation and these same groups can also defeat BJP at the national level one day…if not in 2024, may be in 2029. Once the Government changes, Bitcoin criminals will get the regulator of their choice and can sell India for Bitcoins.

People like us are hoping that in our lifetime, Mr Narendra Damodardas Modi will not let the country’s economic system go to dogs. We also hope that the new crop of Supreme Court judges will also realize their responsibilities and will not let their views be manipulated by clever lawyers.

The more delay there is to pass the Crypto Bill, the more pressure would be brought on the Government to get Crypto currencies brought into the main stream. It is unfortunate that our Finance Ministry is unable to muster courage and get the Bill passed. There will always be media and journalists to write that Bitcoin is a great boon and try to persuade public to invest more and more in Bitcoins and other crypto currencies. Many such investors have lost their money and they are unlikely to get any legal support to get protection from frauds involving bitcoin purchase or usage.

I request that those who understand technology and also have the country’s interest at heart like Mr Ratan Tata clarify to Madam Nirmala Sitharaman that banning crypto currencies has nothing to do with technology innovation. Block chain as a technology can continue to be used without Bitcoins or other Crypto currencies. This excuse to gain support for Bitcoin should be brushed aside with the contempt it deserves.

I also want Mr Amit Shah and Mr Ravi Shankar Prasad to appreciate that banning the use of Crypto currency is the first step to reducing cyber crimes, terrorism and even the farmer’s unrest. They should support the Crypto ban with all the power at their command.

Let wisdom dawn on our decision makers in Delhi.

Naavi

Opening a new Vista of Opportunity for the professionals

Cyber Law College, a division of Ujvala Consultants Private Limited is the pioneer in India in Cyber Law Education.

Started in 2000, Cyber Law College started offering online programs on Cyber Laws to spread the awareness of Cyber Laws in India. It also conducted innumerable offline training and educational programs and contributed to the development of Cyber Law aware industry professionals.

Now Cyber Law College is also in the fore front of education related to Privacy and Data Protection.

Starting June 19th, a 36 hour online program for Privacy and Data Protection is being launched to develop a comprehensive Privacy and Data Protection professional. The program is being executed for FDPPI, under the set of FDPPI-DNV programs.

Fee for the program includes the basic membership of FDPPI.

For more information visit www.fdppi.in

Naavi


Madam Nirmala Sitharaman, Don’t be reluctant to stop Bitcoin Terrorism

The option to enrich oneself with Bitcoin wealth has created an incentive for Cyber Criminals to continue their nefarious activities.

The news that Colonial Pipelines, a company in US, first stopped its operations, plunging the US East Coast into a severe Petrol shortage situation, and later made a payment (not admitted by the Company publicly) of US $5 million to the ransomware attackers in the form of Bitcoins highlights this risk manifestation.

In recent times, Ransomware attackers have become bold enough even to attack the Washington Police showing that they are above law. The possibility of enrichment is the main reason why criminal activities continue.

So far we are thinking that it is “Cyber Criminals” who are using “Bitcoins” as currency. When Naavi.org talks of Crypto Currencies being “Currency of Criminals” or “Currency of Terrorists”, the perception is that Crypto currency is another “Currency” which is misused by criminals, drug traffickers or arms dealers etc.

But now slowly it is time to realize that it is not “Crimes” that are driving the Bitcoins but it is the “Bitcoins” that is driving the Crimes.

In fact Bitcoin has elevated itself from being a “Currency of Terrorists” to “Being A terror by itself”.

What we are seeing now is that the Bitcoin holders are enriching themselves by resorting to financial terrorism.

India by showing reluctance to ban Bitcoins and other Crypto Currencies is in fact assisting the “Bitcoin Terrorists” to indulge in Cyber attacks.

I therefore call that Mrs Nirmala Sitharaman, the honourable Finance Minister needs to realize that any further delay in not banning Bitcoins is actually showing forbearance to the Financial terrorism of Bitcoins.

The time to wait for the next Parliamentary session is over. We need an immediate ordinance to make the provisions of the Bill effective immediately.

Will the Finance Ministry listen to our words at least now?

Naavi


Open up Opportunities in Privacy and Data Protection
