Delhi High Court admits petition against Intermediary Guidelines and Ethical code for Digital Media

As expected, the Delhi High Court has been dragged into adjudicating on the February 25th guidelines on the Digital Media ethical code and Intermediary guidelines.

See here for more information

In India, Courts keep piling up cases and complain of a shortage of judges, but if Courts have to keep adjudicating on every administrative notice issued by the Government, then it is obvious that Courts cannot do what they are expected to do, which is to render justice to ordinary citizens.

No doubt there are lofty ideals quoted behind the petition. For example, the petition states that ITA 2000 is not the Act under which these regulations should have been issued and that there should have been a different legislation for the purpose. Well, this is only a technical ploy to proliferate laws in the country. If a lawful objective can be served by an existing law, then there is no reason why it should not be accommodated within the provisions of the current law instead of drafting one more law.

It is therefore an overreach by those who do not want the Government to do anything positive to try and scuttle this notification. It is true that the ITA 2000 was meant to be an E Commerce promotion Act. But the amendments of 2008 extended its scope to the security of the Cyber society. The time to challenge was in 2008, and the amendments of 2008 have converted ITA 2000 into a Cyber Security act. Now it is a matter of common knowledge that Digital Media does not follow any self regulation or ethics and is a tool for spreading disharmony in the society. Hence the need to regulate the digital media is part of the Cyber Security objective and is well within the scope of the revised version of ITA 2000 as per the ITA amendment act of 2008.

The Delhi High Court has presently issued a notice to the Government on admission of the petition, and if a proper response is given by the Government, the petition can be dismissed at the initial stage itself.

In most civil litigations, courts try to suggest mediation to the parties, and in the present case also the aggrieved party may be advised to have a dialogue with the Government and try to find out the objectives of Governance which require such measures before the Court has to spend its time.

Let’s wait and see how the Court responds at the next stage.

Naavi

Posted in Cyber Law | Leave a comment

Bitcoin companies have no respect for Nirmala Sitharaman?

While there is a hot debate going on in India on how we can officially allow a parallel economy to be set up with the use of Bitcoins as the currency and kill the sovereign status of the Indian currency, there are reports that “Coinbase”, a crypto currency exchange, has just announced that it is opening a new office in India.

There is a barrage of PR articles in major media vehicles claiming that there is widespread support from investors for Bitcoin investment. There is a conspiracy to slip in a “Taxability” concept to ensure that Bitcoin is not banned. Like putting a biscuit before a barking dog, RBI is given the task of introducing an Indian regulated crypto currency, which is a cannibalization of the virtual currency system we already have in India.

The Bitcoin community is conspiring to ensure that after the Crypto Rupee comes into existence, it will be made convertible to Bitcoin and the black money holders will be free to keep their digital black wealth in private crypto currency and make “Havala” operations smooth. This will be a big boost to the drug trade, cyber criminal operations, terrorist funding and bribing of Government officials and also the Judges who will give a favourable judgement whenever the time comes.

Without a tacit understanding from the Finance Ministry, and perhaps the confidence based on the earlier Supreme Court judgement which was a concocted misinterpretation of law, it is unlikely that Coinbase would have decided to open a new business in India. It is possible that the Telangana Government, with the strong support of AIMIM, may provide further assurance in case the Central Government acts tough.

Naavi.org has drawn the attention of Mrs Nirmala Sitharaman, besides Mr Amit Shah and Mr Narendra Modi, to the need to ban crypto currencies. We still believe that they are not interested in supporting Black Money in digital form, nor in supporting cyber criminals or terrorists or drug dealers etc. Support for crypto currencies, and not banning them outright, however only means support for all these nefarious activities.

No amount of sugar coating with “Block Chain” technology being an innovation etc. will be sufficient to hide the bitter poison that Bitcoin and its family of private crypto currencies represent.

Obviously the Bitcoin lobby does not care for Mrs Nirmala Sitharaman. The bureaucracy is more in support of the lobby and can consider reducing the interest rates on small savings but cannot recognize the damage that Cryptocurrencies can do to the economy.

If the Finance Minister has to preserve her self respect, she should therefore issue the “Banning Crypto Currency Ordinance” immediately. Mr Modi and Mr Amit Shah should also show their resolve in banning digital black money, as we the honest citizens of India have started losing faith even in their commitment to rooting out black money.

I hope BJP does not have a Bitcoin fund to support its political activities and request Mr Nadda, the President of BJP, to clarify. I also request the RSS to clarify its stand in the matter of banning Bitcoins, and informed ideologues like Mr Gurumurthy should respond with their views.

Coinbase should however be appreciated for its courage in taking on the Narendra Modi Government and compromising one of the major principles with which Mr Modi came to power.

If Mr Modi and Nirmala Sitharaman do not wake up from their slumber, it would only mean that “Even BJP is in support of Black Money”. No other explanation justifies the stand of postponing the ban legislation.

Naavi


MobiKwik Data Breach

MobiKwik is said to be the No 2 player in the mobile wallet space in India and amongst the top 3 players in the payment gateway industry. It has a network of over 3 million direct merchants and 140+ billers, and 107 million plus users recording over 1 million transactions per day.

Unfortunately, the Company seems to have been hit by a huge data leak, and a database containing sensitive personal data of over 3.5 million users seems to have been made available on the dark web.

The massive breach reportedly included 36,099,759 files. Apart from this, the 8.2 TB of data comprises 99,224,559 user phone numbers, emails, hashed passwords, addresses, bank accounts and card details.

The entire database is available for sale at a price of 1.5 BTC (equivalent to around 84000 USD or nearly Rs 60 lakhs). The entire data package includes:

1) Total 350GB MySQL dumps: 500 databases.

2) 99 million data — mail, phone, passwords, addresses, etc.

3) 40 million — 10 digit card, month, year, card hash, etc.

4) Company data.

5) Over 7.5 TB of 3 million Merchant KYC data, including passports, Aadhar cards, pan cards etc.

To set the record straight, the Gurugram based company has denied the data leak, and the website of the company does not carry any disclosure of the same. Some are saying that the data leak may not be from the company.

The leak is said to be of KYC data, and questions are being raised about the Information Security status of the company. From the 1st of April, RBI is introducing new rules for card payments. The new rule will require an additional authentication for recurring transactions using credit cards, debit cards, UPI or prepaid payment instruments. The rule of additional authentication will apply to payments up to Rs 5000, and payments above this limit will require OTP. Further, half-yearly audits by CERT-In empanelled auditors may also be required to be conducted by them.

Many start-up companies are not happy with the RBI restrictions and would like greater freedom to collect and use personal data without any obligations of securing against Cyber Crimes or of data protection.

This data breach is a reminder to these Fintech companies that they need to substantially improve their security measures. Some Fintech companies ensure that they are PCI DSS compliant, and MobiKwik also may be holding the necessary certificate. But we must appreciate that PCI DSS is meant to safeguard only a small part (the cardholder data) of the information which needs to be secured. An ISMS with ISO 27001 certification would have provided better security, though it is not focussed on protecting personal information.

It is possible that MobiKwik might not have initiated specific measures for compliance with Section 43A of ITA 2000 and is answerable to CERT-In for the data leak. Had there been a Data Protection Authority under the PDPA of India, then the issue would have escalated into a huge fine, and questions would have been asked whether MobiKwik has adequate Cyber Insurance to keep itself financially stable. The company is said to be planning an IPO during this year, and this data leak would become a necessary disclosure in the prospectus unless the IPO is postponed for some time.

This is a typical instance of a Fintech Company being ignorant and negligent of Indian laws such as ITA 2000, and it is essential that the industry wakes up now, before the more stringent Data Protection law comes into existence.

When such personal data is lost, the kind of harm that can be caused to the data principals is a matter of interest to Privacy watchers. The harm could be loss of money or loss of opportunities etc. In a recent data breach at Royal Dutch Shell, which was hit by a ransomware gang, the extortionists leaked workers’ passport and visa scans online apart from corporate data such as invoices etc. What such data leaks would cost a company when the Data Protection Authority is assessing the damage for imposing a fine would be of interest.

The data protection professionals of FDPPI are undertaking an academic exercise to evaluate the financial damage that may occur to a company in such cases.

Naavi


The new symbol of Privacy and Data Protection

FDPPI is an organization which represents the effort of the Data Protection Community to create a “Privacy and Data Protection Culture in India”.

In this endeavor to create the Data Protection Culture in India, PDPSI works on three dimensions, namely:

    1. The Data Protection Regulations
    2. The Data Protection Professionals
    3. The Data Processing organizations.

FDPPI is closely following the Privacy and Data Protection regulatory regime in the country and engaging with the Policy makers to contribute towards framing a balanced legislation which achieves the objective of protecting the Privacy of Indian Citizens as a fundamental right under our constitution, without ignoring the requirements of the Government, which has the duty to protect the Citizens of the country, and the requirements of the Data Processing business, which cannot be killed in pursuit of Privacy.

FDPPI is also taking steps to empower the professionals who need to comply with the law in the Data Protection scenario and implement the vision of “Protecting Privacy through Personal Data Protection” and providing a “right of self determination to the Data Principals on how the personal data about them can be collected, used and disclosed.” Towards this end, FDPPI has created and executed “Certification Programs” and created an army of “Certified Data Protection Professionals” who have attended at least 12 hours of training on the current Indian Privacy Laws, including the proposed law represented by PDPB 2019, followed by an evaluation through an online examination. Many of the professionals have been further empowered with at least another 16 hours of training on Global Privacy laws and a further 12 plus hours on Data Audit skills, making them some of the best trained professionals globally. They are developing like the “Navy Seals” or “NSG Commandos” we have heard of in the security scenario.

Additionally, FDPPI has adopted the “Personal Data Protection Standard of India” or PDPSI as a “Unified” framework for compliance with multiple Personal Data Protection laws by an organization. The PDPSI consists of 12 standards and 50 implementation specifications that cover the entire gamut of PIMS as envisaged by other frameworks, and goes further to address the need to be simultaneously in compliance with multiple global laws, incorporating many futuristic thoughts on “Data Business”.

This PDPSI framework is not only a “Certifiable Audit Framework” like ISO 27701 but also an Assessment framework for the Data Trust Score (DTS) system, which is a representation of the Personal Data Protection maturity of an organization as assessed by an auditor using the 50 implementation specifications of the PDPSI framework.

PDPSI is also a framework which is available for organizations for self implementation as an instrument of internal audit.

FDPPI is also creating a set of professionals who are conversant with Indian Privacy Laws, Global Privacy Laws and certain minimal Data Audit skills through 3 certification exams, which cover over 55 hours of online training, over 1000 pages of study material and 270 minutes of online examination.

We are humble enough to admit that FDPPI can only provide an opportunity for professionals to develop their knowledge and skills; ultimately it is the capacity of individual professionals to absorb the skills and apply them in the practical scenario.

However, the symbol shown alongside is emerging as the symbol of Personal Data Protection and is the goal of every Data Fiduciary and Data Processor.

This is a symbol of protection for the Data Principal in the context of protection of his Privacy.

It also represents a framework for enabling Privacy Protection through Data Protection.

The accompanying symbol in future will represent an organization which has undergone an assessment of its DTS by a PDPSI accredited auditor.

This could be disclosed by organizations as required under the Indian laws.

The auditors and consultants who have undergone the rigorous training and passed through the Certification exams have been certified by FDPPI and certificates like the following have been issued to them.

These are sample certificates which have been issued only to the privileged professionals who have gone through the rigorous evaluation process.

The “Certified Global Privacy & Data Protection Consultant” is a person with a reasonable knowledge of the Privacy laws and a reasonable skill to conduct data protection audits and provide consultancy to organizations in their Privacy Compliance program.

The “Certified Global Privacy & Data Protection Auditor” is a person with an accreditation for conducting Audits and DTS assessments, which will be registered with FDPPI, and for issuing the necessary “Certificate of Privacy and Data Protection Compliance” under the PDPSI framework.

FDPPI congratulates the 21 professionals who have achieved this recognition in the first batch and hopes that in future we will have many more such professionals.

Naavi


Election Commission and IIT-Madras working on E-Voting on a wrong platform

According to the news reports that are circulating, the Chief Election Commissioner Mr Sunil Arora, in an interaction with the IPS probationers at the SVP National Police Academy, Hyderabad, has stated that

“Election Commission is working with IIT-Madras on using Blockchain Technology for remote voting”.

This statement raises doubts about what exactly is in the minds of the EC and why IIT-Madras scientists are suggesting Block Chain technology for this purpose.

Block Chain technology per se is a technology of “Authentication” of a transaction: the transaction is published to a large number of authentication agents, and the majority acknowledgement of the transaction is taken as a “Deemed Authentication”.

We do not know if the EC is referring to Block Chain technology in this sense or just referring to a “Secure Network” based transaction and wrongly labeling it as Block Chain technology.

In a connected statement, Mr Sandeep Saxena, Deputy Election Commissioner, has stated that they will be using a “Controlled Environment”, “White listed IP devices”, “Dedicated Internet lines”, “biometric devices and web camera” etc.

It is clear that Mr Saxena is speaking of a secure network, and this is not the classical “Block Chain Technology”.

Instead of running behind a fad called “Block Chain Technology”, the Election Commission should consider the use of “Digital Signature” and “E Sign” to let voters vote by remote log in; this is acceptable under Indian law as of now. This can be supplemented with data pseudonymization to achieve the objective.

If the secured network technology suggested by Mr Saxena is to be used, the process will have to be Section 65B (IEA) certified; otherwise it would not be legally admissible.

Further, remote voting based on “Block Chain” technology, if attempted, would be an invitation to disaster similar to what happened in the US elections this year, where unaccounted postal ballots caused a disruption to the election system.

If Block Chain technology is used, say even for validation of a voter, it has to be based on a confirmation received from a majority of the owners of the block chain nodes, either public or private. Such a network can be manipulated to create false IDs and fake Votes.

Hence “Block Chain” technology, as we understand it now, cannot be used in the E Voting system. If the EC and IIT Madras have some other technology in mind, they should stop referring to it as “Block Chain Technology” as if it would increase the TRP of the statement.

I look forward to a clarification from the EC and IIT Madras on what exactly they plan to do, why they do not want to use the existing digital signature and E Sign framework, and why they are using the terminology of “Block Chain” in this context.

Additional Information Received

As per additional information available, the EC has clarified as follows:

“When the vote is cast, the ballot will be securely encrypted and a blockchain hashtag generated. This hashtag notification will be sent to various stakeholders, in this case the candidates and political parties,” the official said.

The encrypted remote votes so cast will once again be validated at the pre-counting stage to ensure that they have neither been decrypted nor tampered with or replaced.

“Suppose there is a Lok Sabha election and a Chennai voter is in Delhi, instead of returning to vote in his or her constituency or missing out on voting, the voter can reach a pre-designated spot set up by the EC, say in Connaught Place, in a particular time window and can cast his vote,” Saxena had said.

EC has said such voters may have to apply in advance to their returning officers to exercise the option.

With this clarification, what the EC’s remote voting system means is that a copy of the “Vote” would be hashed and the hash value would be sent to the stakeholders and the EC. Hash tags of votes for a given candidate will all be identical, and therefore such votes can be segregated into votes for different candidates. This is like physical ballot papers being put in different boxes. (In case the vote is encrypted before hashing, confidentiality may be maintained. But the need for keeping the political parties informed is not clear.)

The Name “Block Chain Technology” for this is not very appropriate.

Also, since votes are cast in specific voting booths, the booth master has to conduct a KYC, and the booth agents of all the political parties will be present in the booth. The system only means that instead of one EVM per constituency, the voter can use a virtual copy of the EVM of any constituency in the booth and exercise his vote.

The block chain concept is only involved in the fact that if there are 5 political parties in the election, then all remote votes would be notified to all five political parties as and when each vote is cast. If it is sent as soon as the vote is cast, as indicated by the EC, the political parties would come to know of the vote cast immediately.

Though the parties may not know who has cast the vote, the number of votes polled for a political party will be known. This would amount to advance information on the polling trend. In case the votes are stored and the forwarding is initiated only on the counting day, then it would be similar to the current practice of counting postal ballots before the counting of other votes.

A question however arises: if it is possible to send the postal vote immediately in hash form to the parties, then why not introduce the same system for the normal EVM votes also, which print out the VVPAT slips? At the same time, the hash value could be sent to the parties.

However, this would create a law and order situation, as the losing party would immediately disturb the election process.

If such advance information can harm the normal voting system, then it is obvious that the suggested system is also wrong.

On the other hand, I recall that I had suggested a system of “Cyber Law Compliant EVM system” through this website sometime around 2000. (Refer here). Even a prototype was suggested for development by BEL. However, at that time the technology of touch sensitive screens was expensive and the system was perhaps not commercially feasible. But now the VVPAT system is in place and it is working well enough.

What can be done:

The postal ballot system can be introduced in a different manner as follows.

  1. Authentication of the voter has to be based on e-sign.
  2. Casting of the vote is done by a virtual EVM created on the fly based on the constituency to which the voter is attached.
  3. The Virtual EVM would be displayed on a touch screen, and when the voting button is pressed, the system should create a voting symbol on the screen (as if a rubber stamp has been put on a printed ballot), capture the screen image, calculate the hash value and store the hash value in a printer.
  4. Just like a serial number being present on the voter slip, which is entered in the physical election booth under a serial number that can be linked to the specified VVPAT, it may be possible to establish a link between the digital signature and the actual vote cast through a serial number. To ensure privacy, there may be pseudonymization of the digital signature record, with the pseudonymization table being kept with an official other than the one who has control of the Virtual EVM.
  5. The Virtual EVM should be counted just like the other EVMs on the day of counting, but at one central place.
    1. At this time, the votes should be verified against the hash value once again to rule out any corruption or manipulation between the time of voting and the time of counting, and then sent to the respective counting booth of the constituency through a digitally signed communication from the central counting booth to the constituency counting booth.
    2. Then it can be merged with the counting at that booth.
    3. The Ujvala-Bellur e-document audit system can be used for the verification of the votes.

I hope this system can be given effect to.
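As an added illustration (not code from the original post, the EC or IIT-Madras), the following Python sketch contrasts the plain “hash of the vote” notified to parties, which lets any recipient tally votes as they arrive (the concern raised above), with a per-ballot randomised commitment that is re-verified on counting day, and it keeps the pseudonymization table with a separate official as step 4 suggests. Voter identifiers, constituency and candidate names are constructed sample values.

```python
import hashlib
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


def naive_vote_hash(constituency: str, candidate: str) -> str:
    """Hash of the vote content only, as the EC statement appears to describe."""
    return hashlib.sha256(f"{constituency}|{candidate}".encode()).hexdigest()


def leaked_tally(published_hashes: List[str]) -> Dict[str, int]:
    """A party receiving plain hashes can count votes per digest, i.e. per candidate,
    without knowing who voted: this is the advance polling-trend leak."""
    return dict(Counter(published_hashes))


@dataclass
class Ballot:
    serial: int
    pseudonym: str      # pseudonymised voter reference, not the e-sign identity
    constituency: str
    candidate: str
    nonce: str          # per-ballot random value kept only with the stored ballot


def commitment(b: Ballot) -> str:
    """Randomised commitment sent to stakeholders: identical votes give different
    digests, so recipients learn nothing about the candidate chosen."""
    return hashlib.sha256(f"{b.nonce}|{b.constituency}|{b.candidate}".encode()).hexdigest()


class PseudonymOfficial:
    """Holds the identity -> pseudonym table, separately from the Virtual EVM official."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def pseudonym_for(self, voter_id: str) -> str:
        if voter_id not in self._table:
            self._table[voter_id] = secrets.token_hex(8)
        return self._table[voter_id]


class VirtualEVM:
    def __init__(self) -> None:
        self.ballots: List[Ballot] = []          # stored at the central counting place
        self.published: List[Tuple[int, str]] = []  # (serial, commitment) sent to parties

    def cast(self, pseudonym: str, constituency: str, candidate: str) -> str:
        b = Ballot(len(self.ballots) + 1, pseudonym, constituency, candidate,
                   secrets.token_hex(16))
        self.ballots.append(b)
        c = commitment(b)
        self.published.append((b.serial, c))
        return c

    def count(self) -> Tuple[Dict[Tuple[str, str], int], List[int]]:
        """Counting day: recompute each stored ballot's commitment and compare it with
        the value published at casting time; mismatches are reported, not counted."""
        results: Counter = Counter()
        tampered: List[int] = []
        for b, (serial, c) in zip(self.ballots, self.published):
            if commitment(b) != c:
                tampered.append(serial)
            else:
                results[(b.constituency, b.candidate)] += 1
        return dict(results), tampered
```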

Naavi

Naavi on Cyberlaw
