Defining a Data Asset.. A Debate

[Discussions here are part of the Naavi’s Theory of Data]

Data Governance in an organization requires identification of what is data, how data can be created or collected, what its value is, who is the custodian, who is the owner, who will have access, what the permitted uses are, what the permitted ways of modification are that create new data assets, how the data can be shared and how it can be destroyed.

A detailed discussion of these is part of Naavi’s discourse on the Theory of Data, for an academic discussion at some other time.

We have already discussed the concept of “Nuclear theory of Data” in the context of personal data in the following articles.

  1. Fission and Fusion of data elements
  2. Atomic structure of Data

In the recently released Draft India Data Accessibility and Use policy, the Government has set an objective to draw up an inventory of data assets in each of the Ministries and Departments, and in this context I would like to place a discussion on how we classify “Non Personal Data” in a similar atomic model.

The “Atomic Model” of data envisages that

    1. There is a core element of identity of the data
    2. There are peripheral associate elements that give depth and width to data

In the Personal data context, the Name is like the proton but does not constitute a stable atom on its own. It becomes stable only when it is associated with another stabilization element such as the Aadhaar number, PAN card or Social Security number which gives a “Unique Identity” at least within a large enough universe (e.g. Aadhaar is a unique identity in India but may not be considered so in another country). This combination of the Name and one or more unique identity factors forms the nucleus. But the Nucleus alone does not give the property of the atom. We need a set of electrons that revolve around it, namely the other information such as the email address or mobile number, which together give shape to the data set as a stable atom. When two such atoms combine together there can be a molecule, and when more molecules get bonded we may get a compound or a complex organic molecule.

In non personal data (NPD), defining a data set requires identification of a core identity element for the data set and then the associated information. NPD does not have the name of an individual to whom the data relates. But it could have an “event” or an “Object” to which the data relates. For example, data about a company, about a market research study or about a cricket match are “NPDs related to a core activity or object”. This core object is the defining sub-atomic particle of the NPD element.

The depth and width of the element is determined by how many neutron-like core elemental particles and how many electron-type peripheral particles are associated with it.

An NPD data set can be a PDF document or a video or an entire database. A document about a cricket match and a video about the same cricket match can be considered as two distinct data sets. They can be combined with information on several cricket matches in a database, in which case the database is an NPD set.

When an inventory is being created, we need to identify and define the data set and give it an identity tag so that it can be accessed by users. In such an inventory, the data set has to exist in some stable form, such as a video clip of at least a few seconds, for the data to have any meaning. The PDF document and the Video clip can be considered as stable data sets. They can be included in a database and access may be defined either to specific stable elements or to a larger document depending on the requirement.

When a search facility needs to be created, the search term has to be for a stable data element. For example, while we can do a text search for “sta” and index it, the more useful search term would be “stable”. Similarly the “Searchable component” of a data set should be a term that is useful to the person trying to locate the document.
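The atomic model, the inventory tagging and the stable-search idea above can be exercised in code. The following is an added illustration, not code from Naavi or from the Draft policy: a small inventory in which a PD record is accepted only when its nucleus (name plus at least one unique identifier) is complete, an NPD set needs a core object or event, identity tags are derived from the nucleus alone so peripheral “electrons” can be fused in later, and only whole stable terms (never fragments like “sta”) are indexed. All field names, identifiers and sample records are constructed for the example.

```python
"""Added example of the 'atomic model' data-asset inventory (constructed, not the article's code)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class DataAsset:
    kind: str                      # "PD" (personal data) or "NPD" (non personal data)
    core: str                      # proton: the Name (PD) or the core object/event (NPD)
    unique_ids: tuple = ()         # PD only: unique identity factors (constructed values)
    peripheral: dict = field(default_factory=dict)  # electrons: email, mobile, etc.
    form: str = "record"           # stable form: record, pdf, video, database

    def is_stable(self) -> bool:
        """PD needs a name bound to at least one unique id; NPD needs a core object."""
        if self.kind == "PD":
            return bool(self.core.strip()) and len(self.unique_ids) > 0
        return bool(self.core.strip())

    def identity_tag(self) -> str:
        """Deterministic tag from the nucleus only, so fused peripheral data keeps the tag."""
        nucleus = "|".join([self.kind, self.core.strip().lower(), *sorted(self.unique_ids)])
        return hashlib.sha256(nucleus.encode("utf-8")).hexdigest()[:16]

    def stable_terms(self, min_len: int = 4) -> set[str]:
        """Whole words from the core and peripheral values; short fragments are not indexed."""
        text = " ".join([self.core, *map(str, self.peripheral.values())])
        return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if len(w) >= min_len}


class Inventory:
    """Registry of stable data sets with an identity tag and a stable-term search index."""

    def __init__(self) -> None:
        self.assets: dict[str, DataAsset] = {}
        self.index: dict[str, set[str]] = {}
        self.rejected: list[DataAsset] = []   # unstable sets are not inventoried

    def register(self, asset: DataAsset):
        if not asset.is_stable():
            self.rejected.append(asset)
            return None
        tag = asset.identity_tag()
        if tag in self.assets:
            # Fusion: same nucleus seen again, so merge the new electrons into it.
            self.assets[tag].peripheral.update(asset.peripheral)
            asset = self.assets[tag]
        else:
            self.assets[tag] = asset
        for term in asset.stable_terms():
            self.index.setdefault(term, set()).add(tag)
        return tag

    def combine(self, name: str, member_tags: list[str]):
        """Bond several stable sets into a larger NPD set (a 'molecule' such as a database)."""
        if any(t not in self.assets for t in member_tags):
            return None
        db = DataAsset("NPD", name, form="database",
                       peripheral={"members": " ".join(sorted(member_tags))})
        return self.register(db)

    def search(self, term: str) -> list[str]:
        """Exact lookup of a stable term; fragments such as 'sta' find nothing."""
        return sorted(self.index.get(term.strip().lower(), set()))


if __name__ == "__main__":
    inv = Inventory()
    # Constructed sample records.
    tag = inv.register(DataAsset("PD", "Asha Rao", ("AADHAAR-CONSTRUCTED-0001",),
                                 {"email": "asha@example.com"}))
    inv.register(DataAsset("PD", "Asha Rao"))          # name alone: unstable, rejected
    match = inv.register(DataAsset("NPD", "Cricket match: India vs Australia 2022", form="pdf"))
    archive = inv.combine("Cricket match archive", [match])
    print(tag, match, archive, inv.search("cricket"), inv.search("cri"), len(inv.rejected))
```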

These concepts need to be debated and refined further to enable “Data Governance” around “Non Personal Data Sets” generated, created, collected, used, disclosed and destroyed by an organization whether it is a Government department or a Private Company.

Industry representatives may comment on whether this concept has any relation to the way they define a data set under their control for Data Protection requirements under GDPR or other similar laws.

Naavi

Reference Articles:

  1. Atomic model of Data
  2. Fission and Fusion of Data
  3. Theory of Dynamic personal data
  4. The new theory of data

Posted in Cyber Law

ITU-APT threatens India…. Government should Ignore and Tighten Data Localization

Hindu Business Line today carries an article stating that, according to “ITU-APT”, the data protection Bill as envisaged may impede the rights of foreign nationals.

The report also holds a threat that foreign jurisdictions may bar use of servers located in India.

This threat has come in the form of a letter written to the TRAI.

ITU-APT Foundation of India claims to be a non-profit, non-political, non-partisan industry foundation registered under the Societies Act in India. The parent organization is a Geneva based international organization having presence in other countries such as the USA. The representation appears to have been led by FaceBook/Meta.

While we do not have a copy of the representation, the Business Line report indicates the following views expressed by the Association in the letter.

  1. The DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.
  2. The draft law will hamper user rights and could prevent cloud service providers and other entities from locating their servers in India.
  3. “Critical Personal Data” (a term that is yet to be defined) cannot leave India except in very limited circumstances such as health and emergency services or where the Central Government allows such transfer.
  4. The association contends that the draft DPB 2021 currently does not expressly consider the case where personal data may be located in India due to localization requirements but could be subject to the laws of the country in which such data originated. It does not address the possibility of Government access to such data in a way that overrides the protection provided to personal data in other jurisdictions. This may, in turn, hinder the ability of cloud service providers and other entities to locate their servers in India, as foreign jurisdictions may bar them from doing so on account of data security concerns (for instance, due to the inability to get approval from foreign jurisdiction regulators to store data in India owing to concerns such regulators may have about protection of their citizens’ data).

We are not clear if this representation has been made by the parent body directly or by the local arm, of which Shri Tilak Raj Dua is the Chairman and Shri Bharat Bhatia the President.

We would however like to point out that the argument of the organisation is based on an incorrect interpretation of the Bill, and we would like to explain why we feel that India requires a stronger Data Localization law than what is proposed in DPB 2021, in the light of the risk that has been highlighted by the Russia-Ukraine conflict.

Russia Ukraine Conflict has exposed a new Risk

We do not want to go into who is correct or who is wrong in the Russia-Ukraine/NATO/US conflict. We do not want to argue whether USA’s destruction of Iraq suspecting nuclear arms was justified, or whether Russia’s invasion of Ukraine suspecting Bio Weapon factories run under US patronage (like the Wuhan lab which could have manufactured the Covid virus) is more justified.

We can however focus on the action of many US companies which stopped services not only in Russia but also to private companies in India which had business commitments to fulfil.

It is the prerogative of these companies to join a war for any cause, but when their interests threaten Indian interests, we need to recognize it as a risk. Today we have recognized that there is a “China Risk” in depending on Chinese telecom equipment. But a similar risk appears to have emerged in the services of US companies. VISA, for example, stopped its Card processing services in Russia. What prevents them from bringing similar pressure on India if they are unhappy with the RBI regulation on data localization?

If FaceBook exits from India, there is no problem. It would be a blessing in disguise for Indian society. But what if Microsoft or Adobe is arm-twisted by the US Government to stop their services in India through the backdoors they maintain in their software?

Microsoft and Apple also hold huge amounts of data collected through features such as “One Drive”, the use of which is more or less mandatory for users. Google is another US company which holds data about Indians beyond what is reasonable. If they ever stop access to such data, then Indian citizens and the Government will feel the real pinch of an Information war.

Is there a guarantee that these companies will not join a war in a fit of anger over India’s Kashmir policy, or if Pakistan disintegrates and Baluchistan requests India’s help on humanitarian grounds to be liberated like Bangladesh?

Like the US sending its aircraft carrier during the Indo-Pak war of 1971, what is the guarantee that all Windows computers in India will not stop working and all Adobe PDF documents will not vanish?

To counter such risks, however remote they may be, India needs to take action through its current law, namely ITA 2000, as well as the proposed Data Protection Law.

In this background let us see if ITU-APT’s objections hold any value.

  1. ITU-APT says that DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.

Though it is our sovereign right under which any asset anywhere in India can be accessed in the national security interest, we must draw the attention of ITU-APT to section 37 of the Bill which states:

Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

This section provides that the Government may grant exemption from the Indian law for personal data of foreigners stored in India, subject to a notification. Hence all the arguments built by ITU-APT on this point are false and qualify to be called deliberate misinformation.

It is not however necessary that India should become a safe haven where data processed in India which may pose a global humanitarian threat or a threat to Indian national security cannot be touched by the Indian law enforcement agencies.

For example, if the data pertains to a foreign agency running a Bio Weapon facility anywhere in the world, or is related to the planning of a terrorist activity anywhere in the world, it would be the bounden duty of the Indian Government to investigate, notwithstanding the data being that of a foreign national and being processed on a server belonging to a US entity.

When laws are made, there has to be empowerment for such eventualities along with appropriate checks and balances to guard against misuse. Presently we are only discussing the basic provisions of the Bill, where for the purpose of empowerment a provision for access under emergent situations must exist. The checks and balances will have to be discussed when the rules are framed by the DPA.

We already have Sections 69/69A/69B/70B of ITA 2000, which ITU-APT should study and raise any objections they may have. Probably they are not even aware of the law called ITA 2000, which is the current data protection law of India and will continue even after DPB 2021 becomes law.

Hence the objection of ITU-APT on this ground is unfounded.

  2. Regarding the hampering of the Cloud service providers, it is a business decision that these service providers may take whether they should have their services in India or not. There will be around 2 years’ time, and India will try to develop its own services for data storage if these cloud service providers want to deny their services.

Even if the cloud service providers are prevented by their respective Governments from storing the data originating in their country in India, it is their choice. If the cloud service providers are aware of technologies called “Encryption” and “Pseudonymization”, they can still use Indian servers and manage the local legal requirements. Perhaps ITU-APT thinks that the companies who need to store data in a cloud are not aware of such access control measures to address the concerns.

We strongly feel that there is no need for the Indian Government to create a safe haven for International data to satisfy the concerns of ITU-APT. We need to take care of our national interests first, and the protection of the legal obligations of the cloud service providers to a foreign country has to be subordinated to Indian interests.

  3. Critical personal data was an empowerment that the Government of India built into the law to protect against contingent concerns. Now the Russia-Ukraine war and the private sanctions of commercial MNCs on other commercial organizations in India, ignoring international law, have underscored the need for this provision to be clarified if required.

Government may therefore declare that:

“Critical Data” includes personal and non personal data, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.

For the purpose of implementing the cross border restrictions on Critical personal data, all organizations handling such data shall be considered as “Significant Data Fiduciaries” and shall assure the DPA, through a registration agreement, that they will protect Indian interests at all costs.

  4. ITU-APT has not considered the fact that DPB 2021 basically applies only to data that has its origin in India. It does not affect the personal data of a foreign citizen originating abroad and processed abroad.

If such data is brought to India for processing, then the Section 37 exemption as well as security tools such as Pseudonymization, Encryption and Anonymization can be used by the Data Exporter to protect the interests of the foreign citizens.

There is no need for India to dilute its laws for the sake of data exporters from other countries who do not want to invest in appropriate security technology.

It therefore appears that the representation of ITU-APT is devoid of merit and has to be rejected.

I request the TRAI not to initiate any action in this regard. Additionally, we urge the Government to tighten the Section 33/34 provisions of DPB 2021 and make it mandatory that a copy of all data transferred out of India henceforth be kept in India. Additionally, as recommended by the JPC outside the Bill, a copy of all data transferred out of India in the last 3 years needs to be brought back to India.

Naavi

Posted in Cyber Law

The Uber Autonomous Car Accident… Some additional thoughts

The fatal accident that occurred in March 2018, where the Uber self-driven Volvo crashed into and killed a person walking across the street, raised many issues of Technology and Law surrounding the development of driverless cars.

Now a detailed coverage of the aftermath of the accident in wired.com gives an analysis of the technology faults as well as the human issues behind the tragedy.

As per the report, it appears that Uber has been discharged from criminal charges of negligence and the human driver behind the wheel, Rafaela Vasquez, is blamed for not preventing the accident by timely intervention. The trial will continue and the final verdict may take some more time.

From the evidence discussed in the article, it appears that the Uber Software failed to recognize the obstacle and apply the brakes. It is also said that the Car (Volvo) had its own emergency braking mechanism which was overridden by the Uber system, and Volvo claims that its system would perhaps have either stopped the Car or at least prevented the fatality. This could mean that the Uber system was inefficient compared to the technical solution offered by Volvo. This should make Uber vicariously liable for the accident.

However, whether the headlight system of the Car was good enough for night driving could be a point of debate, since it did not light up the victim earlier. Whether this was a fault of the Volvo or of the driver in setting the beam is not clear. This does not seem to have been discussed in the legal proceedings.

The video from the dashcam indicates that the victim suddenly appeared in front of the speeding car, and perhaps it would have been impossible for any ordinary driver to spot the victim in the surrounding darkness. Hence the accident could perhaps have happened with a human driver under similar circumstances.

However it must be recognized that Uber was negligent for many reasons.

Firstly, though the testing was not complete, the safety measure of having two persons in the Car, one to monitor the driving and the other to assist the driver, was withdrawn. This left the driver alone and the “Automation Complacency” factor kicked in.

Secondly, real time monitoring of the driver was not resorted to, for fear of being considered “Spying”.

Thirdly, monitoring of the driver behaviour through log monitoring was not good enough.

It is interesting to note that the driver refers to herself as the “Operator”. The driver was not driving her own car, and hence she was on duty when she was “Operating” the automated machine. Hence there was no Privacy issue and no “Spying”. It was the duty of Uber to monitor the automated machine and its operator as a single unit of work, which Uber failed to do.

It is unfortunate that Uber, instead of taking the blame on itself, made the “Operator” a sacrificial goat. The fact that the Victim herself was grossly negligent, and that jaywalking across the road on a dark night was a contributory factor to the accident, should protect the “Operator” from the charge of negligence.

Hopefully the trial with the Jury will find the “Operator” not guilty and accept the death of the victim as an essential sacrifice for the development of technology. However, technology companies need to set the bar for declaring a software “Safe” at a much higher level than they may be doing now, and their liability should continue even after releasing the software. In this case the software was still under testing and hence the liability of Uber should have been recognized without much argument.

Though Uber has made a monetary settlement with the victim’s family, it is unfortunate that they have not protected the “Operator”, who became the second victim of the accident both legally and financially. She ought to have been provided with a lifetime financial settlement and legal support to clear herself of the charge of negligence, even with her own lawyers.

This case should establish that any software developer who produces an AI-led system should inherently be made vicariously liable both for the victims of malfunctioning and for the operators who had minimal control over the prevention of accidents.

The Cyber Insurance industry would perhaps come to the assistance of the companies to ensure that the cost of technology development ultimately gets distributed.

In the light of this development, the provisions of the Data Protection Act in India requiring “Algorithmic Transparency”, “Security Certification” and the filing of a “Privacy By Design Policy” when personal data processing is handled by automated systems are a welcome step. This will bring better accountability for the companies, at least in absorbing the liabilities and preventing unfair liabilities on the user-operators, including the employees assigned for testing.

Naavi

Posted in Cyber Law

Next Training Program on Data Protection from FDPPI-Cyber Law College

Cyber Law College is conducting the next program on Data Protection Laws in India for FDPPI Certification, starting from April 2nd. Details are as follows:

  1. The program leads to the Certification of FDPPI “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant). This program includes two other modules, namely a Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on the Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course an online multiple choice examination of 90 minutes would be available. Those who are successful will get the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal
    10. Data Audit

Registration can be done here.

  6. The fees for the course are Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.
  7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/-, and the fees payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program.)
  8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.
  9. For further clarifications, if any, contact Naavi.

Naavi

Posted in Cyber Law

Time to strengthen Data Localization as more foreign Companies become mercenaries


The war in Ukraine may be between Russia and the NATO interests, where Ukraine is a willing sacrificial goat. While we can appreciate the resolve of the Ukrainians to join the war directly, the Latvian Parliament approving its citizens in Ukraine joining the fight, and other foreigners travelling to Ukraine to join the war front, are worrying trends.

While companies like Twitter have long been recognized as their own masters, trying to engineer regime changes in countries through fake messages, a new trend that has emerged in the current war is that non-media companies in the US have also joined the information warfare by “Denial of Access” to certain services which they are bound by contract to provide. This is a contractual default under International law, though they may cite “Act of war” as a reason.

For example, companies like Dell and Apple have stopped their hardware supplies to Russia, and some of these are defaults on contracts with parties in other countries. For example, if an Indian aggregator had contracted with a Russian company for an IT service in which some Dell components were involved, he is now forced to default on the service because Dell is unwilling to fulfil its part of the contract.

A demand was made on ICANN to stop its services which was fortunately rejected.

Now we are told that VISA and Master have stopped their services to Russia. PayPal has also made similar moves.

These private sector companies through their actions have joined the war front in the information sector. They are acting as mercenaries just like the Afghan tribals.

The demand on ICANN is a red flag which makes the Internet system itself less reliable than before. In case companies like GoDaddy or other hosting companies respond to the call for blockage, then the Internet blockade of Russia may partially succeed. Russia itself may not be adversely affected since it has a robust internal network and can also connect to the dark web seamlessly.

I would not be surprised if in future Microsoft turns its backdoors over to the US Government or Google passes on all the access to Gmail content to NATO.

But there are lessons that we in India have to draw from these developments. The Indian Government and the population are very much dependent on US companies for many critical IT services, including the use of Microsoft products and Adobe products.

Without a proper assurance from these companies, it would be difficult for the country to rely on their services in future.

We therefore need to tighten our laws on the one hand to bind the “Critical service providers” to stand neutral at times of such conflict, and in the long run become more and more self dependent. This approach to “Atma Nirbhar Bharat” has to be accelerated to avoid India again succumbing to “Colonisation” in the digital global world.

I recently heard one professional suggesting that “Processing” includes storage and hence VISA can continue to store the information abroad without maintaining a copy in India and claim that the “Processing” is not complete. The Government needs to be aware of such innovative interpretations of law to defeat the data protection regulations in India.

In the light of these developments it is necessary for CERT IN to send an advisory that a new Cyber Security threat has arisen where private sector IT companies are joining hybrid warfare and pose a significant threat to Indian companies and Government dependent on their services.

It is therefore necessary for all Indian companies and Government entities to gradually develop alternate technological support bases to ensure that moves by VISA-kind organizations do not hurt us.

NASSCOM is in the forefront of supporting VISA and MASTER and demanding that no restrictions are placed on localization of their services. RBI has diluted its data transfer rules to allow “Processing” of financial data outside India, though the processed data must be kept in India.

I request NASSCOM to provide an assurance to the Indian community that the MNCs who are their members do not toe Biden’s policies to the detriment of Indian interests in future.

The Parliament at the same time must restore the Data Localization aspects in DPA 2021 back to the PDPB 2018 version and require that copies of all personal and non personal data transferred outside India must be kept in India and emergency access be made available to the law enforcement authorities under appropriate procedural controls.

The services related to Internet data storage and transmission provided by any company in India need to be declared as “Critical Essential Services”, with an empowerment for the Government to deal with them like other “Essential Public Services”.

By opting to take part directly in the information warfare, the US based companies have lost their case on opposing strict data localization in India. It has become a “Data Sovereignty” issue more than ever before.

We do not have any objection to any country joining the war transparently like Latvia. However, companies need to always stay non aligned if they want to work in the international space. Companies having activities in India have to support Indian policies and not the policies of a foreign country. This is the same situation that arose when Hyundai supported Pakistan on the Kashmir issue. If they do not see reason, the law should take care that they do not turn rogue. Today we are afraid of dependence on Chinese technology because it is a security risk. A similar risk perception has now arisen about companies like VISA, DELL and APPLE.

As an immediate step, I urge both NASSCOM and CERT IN to issue a joint notification that the activities of IT companies stopping any services to Indian companies on the pretext of the war in Ukraine would be considered an “Unfriendly Act” and flagged accordingly. Such companies must be blacklisted or subjected to higher standards of compliance in the case of any Government contracts in future. It is necessary for NASSCOM members to be “NON ALIGNED” in the current situation and toe the policy of the Indian Government.

Naavi

(P.S: The views expressed here are personal.)

Posted in Cyber Law

Conscription of MNCs into military operations. How should non aligned countries respond?

One of the issues that has arisen due to the Russia-Ukraine conflict is the collateral damage being caused to companies in India because some US companies have decided to join the war front by imposing various kinds of sanctions.

India has declared that it remains “Non Aligned” in this conflict and neither US nor Russia has the right to force India to join one of the fronts against its will.

While civilians in Ukraine, out of their patriotic fervour, are welcome to get themselves enlisted in the military, and some foreign Governments such as the Latvian Government have allowed their citizens in Ukraine to join the war front, citizens of other countries are not presently under any obligation to join the war front as front line soldiers.

Similarly, when we discuss “Information Warfare” as part of the hybrid war, we are considering a Government which is party to the kinetic war using information for propaganda or even conducting cyber attacks as part of its military operations. These are acceptable as part of International warfare strategies.

But when civilians or companies try to impose sanctions of their own in support of one of the warring countries, there could be some legal issues of whether they have the protection of the international law for their information war.

For example, if Google stops its map services or Dell and Apple stop contracted hardware supplies, they are actively joining the war and need to be formally conscripted into the military of one of the warring countries.

We now have situations where an Indian company which has a contract to execute involving components from US companies is stopped in its tracks by the sanctions imposed by the Commercial companies. It is difficult to say if this is supported by any contractual clauses, since the US itself today is not (legally) at war and hence the “Acts of War” clause for disruption of service cannot be invoked.

While it is difficult for Indian companies to raise this as a dispute because of their continuing relations with the component suppliers, it is time for the Indian Government to consider the concept of “Deemed Conscription” of a company into the military if it actively takes sides in such a war. If this is not ratified by their respective Governments, as the Latvian Government has done, then the actions of the individuals and the companies imposing sanctions of their own become illegal and qualify for penal action in the respective countries.

Such actions may also qualify as conducting “Warfare” in other neutral countries. Hence Dell stopping supply of computers under a contract and frustrating an Indian company from executing its contract is like bringing the war into foreign soil.

We can understand that the Corporate executives in these companies may not think deeply, but the call for ICANN to stop its domain servers for Russia (reported to have been rejected by ICANN) is an indication that “Critical IT Services” may become instruments of warfare without appropriate international legal justification.

Tomorrow if Microsoft jumps into war and stops all Windows servers or Gmail stops all its email services, or VISA stops all its card processing services, the activities of other nations can be crippled.

At a time when we are thinking of a new Data Protection Law in India, it is necessary for us to see if we have sufficient legal backing to defend against such actions, even if this is purely speculative at this point of time.

I therefore call upon the Government of India to undertake such measures as are necessary to ensure that Indian companies are not held to ransom for settlement of international disputes of which we are not a party.

This could be achieved by declaring “Essential IT Services” such as internet transmission, hosting etc. as “Critical Data”, and imposing “Data Localization” and other security measures to ensure that we are not at the mercy of these companies in future.

Naavi

Posted in Cyber Law