Naavi.org

Vodafone is facing a financial crisis. (Refer article in New Indian Express) A company which has 270 million customers is in financial crisis and is unable to face the loss arising out of the Supreme Court decision which had made it liable for payment of substantial dues to the DOT. Even a 10 year spreading out of the repayment appears to be insufficient for Vodafone to come out of the crisis.

According to  information available, Vodafone woes Rs 58,254 crores to the Government as AGR dues of which it has paid Rs 7854 crores. This is the annual license fees and spectrum usage charges which the company failed to factor in its operations earlier due to a wrong advise it received from its financial and legal professionals.

It is said that Telecom operators interpreted that  they would be charged the license fee on the basis of their core business conducted using the spectrum while DoT held that the definition of AGR included items like dividend, interest, capital gains on account of the profit from the sale of assets and securities and gains from foreign exchange fluctuations.

It is futile now to discuss the legality of the issue since the Supreme Court has settled it in favour of the DOT. The telecom operators together are guilty of not having provided for this possibility while they made merry during all these days under the mistaken interpretation.

However, this is not the time to gloat over who was right and who was wrong. We need to look at ways by which the issue could be resolved because the damage that a failure of a big company like Vodafone could cause to the economy is immense and is avoidable.

The per-capita burden of Vodafone dues of Rs 58000 crores on 27 crore subscribers is about Rs 2000 per customer. Current share price of Vodafone is around 120 per share.

If there is a further issue of shares at around Rs 100 per share, the dues can be met with an issue of 20 shares per customer as “Rights”. (Technically it could be called a Private Placement). This issue of 540 crore new shares would dilute the share holding by 20% but can enable the company to sail over the current difficulty and increase the P/E multiple so that the loss could be adequately compensated.

While the above thought is a traditional thought, there is a more exciting thought based on the new concept of “Value of Data as an Asset” which we shall discuss separately in the following article.

(Continued)

Naavi

In computing the intrinsic value of data as an asset, cost based method is one of the choices that a Data Valuer needs to explore. Current market value if available could be the second option while Net Present Value of future earnings expected from the asset could be a third option.

In Cost based approach, it is necessary to make a distinction on “Cost of Collection of Data” and  “Cost of cleaning up data by removing unwanted collateral data”. After this “Data Preparation”, the data would e ready to be used for some purpose. The asset needs to be valued at this stage by computing the cost upto the preparation of data ready for exploitation.

One example is that a company X has a license from Twitter or Linked in to parse its data and extract useful data. In such cases, the cost of data is easily determined by the license fee paid to Twitter or Linked in. Once the gross data is so gathered, the company may use its own filters to reject some data and retain some. This retained data is the data that is useful as raw material for the company. The cost of filtering may be ascertained by the specific software used for the purpose and the manpower cost assigned to the activity.  Additionally a share of the fixed costs can also be allocated. This total cost would be the cost of data in this context.

Once data is kept in store for further use, some user department may recall the data and create value added products (eg: a saleable report based on the information). This would be cost of production of the given product.

If the raw data is collected from say the website of the company X where a service is offered and customers register for the service using a web form, the cost of collection would be the cost of hosting the web form and a share of the fixed cost attributable to the maintenance of the website.

In a practical situation, companies may not be able to clearly identify the source of data and cost of its acquisition. However, in the days of data protection, it has become necessary for companies to set up an appropriate organizational structure to identify the sources of collection of data and hence it may be possible to attribute direct cost of collection.

However, this exercise of ascertaining the cost of data belongs to the domain of Cost Accounting and it will be necessary for the company to have the Cost Accountant work closely with the technology department and the DPO to arrive at a reliable cost of data.

Naavi

(DVSI stands for Data Valuation Standard of India… Refer www.dvsi.in for more information)

Companies often face the dilemma on payment of ransom when their data is captured and held hostage by a ransomware attacker. The attacker fixes a certain price for the release of the decryption key and often places the data for sale in the dark web. Acer had a demand of $50 million, CNA Financial reportedly paid $40 million and Colonial Pipeline paid $4.4 million. In India itself we had a demand on Cognizant for $ 5 million and different smaller amounts in different companies.

It is clear that in these cases the hackers had a perception of the value of the data they had captured and the companies paid the ransom because they felt that there was an opportunity cost in refusing to pay.  Insurance companies have their own practices on dealing with such instances and some may cover the ransom as part of their policy.

Further, darkweb often quotes a price list for many kinds of data. One such laundry list is here.

When thieves set a value for the data they may target and steal, it is necessary for the organizations which have these assets to also know that they have assets which are vulnerable to be stolen.

Managements often express surprise when a ransom demand is made and wonder “Do we have that kind of data with us”?. The reason is that so far the CFOs and CEOs were never told that Data is an asset though on the balance sheet it does not show up.

Corporate Managements need to ask themselves, if they are not representing the true value of their assets in the financial statements which they certify “This is a fair and true representation of the company’s financial position”.

If the CEO/CFO knows that the company has a Rs 5000 crore of data asset, they would not crib to appoint a DPO or CISO at the kind of remuneration they deserve or to invest in security products or employee training or atleast to harden their operating systems which they keep postponing.

Let’s therefore look to the future with confidence by valuing our data assets and bringing them into our balance sheets. …

Let our shareholders know what we are worth.

Let our competitors know what it would cost to take over our company.

Asatoma sadgamaya…tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…

(meaning From Ignorance, lead me to truth, from darkness, lead me to light..Oh Data Valuation Standard of India)

Naavi

(With apologies to the Rishis who gave us the Upanishad Vaakya)

After the Delhi High Court and Orissa High Court indicating that Right to Forget can be extended to a right to remove reference to an accused in a Court Judgement, the Madras High Court has now rejected the “Right to Redact” the identity of an accused from the Judgement.

In a Judgement delivered on 3rd August 2021 by Justice N. Anand Venkatesh in the WP (MD) no 12015 of 2021, the Court rejected a request from a petitioner Mr Karhick Theodre who had been charged earlier for an offence and acquitted , that his name be redacted from the judgement records.

Similar consideration had come for discussion in two other cases one in Odisha High Court and another in Delhi High Court where the interim decisions were in favour of the accused and acquitted person to get his name removed from access through internet searches.

Naavi.org had observed that the decision was faulty since it interfered with a “Fact” and enabled suppression of the right to information.

The earlier Supreme Court decision regarding the victim of a rape or sexual abuse or in cases of Juveniles, to be conceded such a right does not apply to the case of an accused who may be acquitted for reasons other than being innocent.

This current judgement of the Madras High Court is well reasoned and refused such a request.

We appreciate the decision of the Court which was assisted by the Amicus Curie Mr Arun Anbumani. It is also notable that the hearing was conducted virtually and concluded in quick time.

Naavi

The current controversy on Pegasus in India arises from  the petitions filed by various persons who all have one thing in common that they are known to be opponents of the current Government.

Just because all the petitioners are Anti Government, we cannot presume that Government of India used Pegasus to target all its opponents.

End of the day, Pegasus is a spyware and was commercially produced and sold by a company like many other encryption, decryption software or other security software. It was designed for use by security agencies to infect mobiles and conduct surveillance of various kinds.

It is feasible that many Governments across the globe could have bought this software for legitimate intelligence use. “Intelligence” is a necessary activity of a Government and cannot be wished away. Whether it is ISI or RAW, FBI or CBI, MI6 or KGB, or snooping on crime suspects is a reality. Considering the proliferation of terrorism in the world, such intelligence activity is the duty of a Government.

Whenever a terrorist activity is reported, the first thing every opposition party asks is why there is an “Intelligence Failure”. But when it comes to Pegasus, the same opposition asks “Why there is Intelligence”?.

The petition in the Supreme Court is built on a weak premise that

a) there is a possibility that the Indian Government could have officially bought Pegasus,

b) there are a few mobiles in India which have Pegasus infection and

c) few of those persons whose phones are affected are political opponents of the Government and

therefore the Indian Government is guilty of illegal surveillance… Q. E. D.

On the other hand, it is observed that

a) Petition is filed by known political opponents

b) Petitioners have a motive to run a smear campaign on the Government

c) There are many previous occasions when the same petitioners have filed irrelevant and false petitions for political gains

d) There is no evidence backing the allegation

e) Demand for investigation is based on journals which are known to be anti-India campaigners

e) The petition has come 2 years after they first surfaced and just a day before the Parliament session and was used primarily to disrupt the Parliament session.

Hence it is a fact that the petitioners have knocked at the doors of Supreme Court with unclean hands and the demand is that a fishing enquiry be ordered at the expense of the exchequer to satisfy the political opponents.

Pegasus Infection

I would like to draw the attention of the honourable Supreme Court that Pegasus is a malware. While the company which is selling the software claims that it sells it only to authorized Government agencies, there is no guarantee that any of these Government agencies may use it to spy on foreigners.

I.O.W. a foreign Government can snoop on Indian Journalists. We are aware that there are foreign news agencies like NewYork Times which are reported to be scouting to recruit journalists who can run smear campaigns against the Government of India. There is a possibility that such anti-India business interests may also want to spy on Indians both journalists or activists.

Further any State Government including the West Bengal Government or Kerala Government could have used the spyware for its own use. Political pundits like Mr Prashant Kishore could have advised parties like Congress which have earlier used Cambridge Analytica to use Pegasus .

A few years back there was a malware called Stuxnet produced again by an Israeli agency to target Iran nuclear facilities. This malware was supposed to spread only though a USB drive since the targeted Iranian facility was an air-gapped system and not connected to Internet. However, Stuxnet was found to have infected many systems world over and reported to have even affected Rare Earth Minerals near Mysore.

Malwares are often developed for a certain purpose but gets out of control and spreads like the Corona virus which could have escaped from the laboratory where it was developed as a research product. The world is struggling to hold Chinese Government or the agencies funding the Wuhan Laboratory responsible for the Corona Virus if not for malicious intentions, for at least negligence. But the Indian politicians are more concerned about Pegasus indicating that their intentions are not clean.

It is told that Pegasus is a “No Click infection”  and in case a person receives an incoming Whats App Call which he does not pick up the instrument may get infected.

The Supreme Court should ask the citizens of India, how many of them have in the past few years received WhatsApp calls which either they have not picked up or when they pick up does not receive any response from the other end.  All these phones might have been infected with Pegasus. Does it mean that all these phones were targeted by the Indian Government and are being surveilled?. If so then my phone should also come into this category.

Anti Virus companies are unable to confirm if they have a detection tool to find out whether a given phone is infected or not. Hence the Supreme Court should consider any person who has ever received a silent WhatsApp call from an unknown person is a potential target of the Indian Government using Pegasus.

Hence Pegasus infection may be found anywhere and if all the mobiles in India are checked (If there was a method of detection), then perhaps we would know that crores of mobiles may carry the infection.

If it is not the 20 odd persons who have filed the petition, not the 1400 persons in India who might have been affected as per some reports but hundreds of thousands of persons in India many of whom are pro-Government, then where is the presumption that the Government of India targeted only political opponents?

The very presence of a large number of pro-Government or neutral persons who could have been infected by Pegasus against a relatively fewer anti Government persons who have approached the Government, makes this petition a purely speculative judicial exercise even to issue a notice.

It is incumbent on the petitioners to find some evidence that a given infection in one of the phones was actually done at the instance of the Government and the snooped data was being received and analyzed by a Government agency.

We are aware that in Delhi several operators were selling “Off the air” mobile signal catchers which was also used by private detective agencies. The petitioners need to prove that Pegasus has not been accessed by such private operators either in India or elsewhere. If Off-the air mobile signal catchers costing Rs 1 core plus were in the market in India a few years back, a more powerful Pegasus could be acquired by private detective agencies for several crores more since it could be marketed to the opposition political parties themselves to spy on Government supporters.

The Supreme Court therefore has to look at the pros and cons of extending this investigation. Even assuming that some evidence is presented by the petitioners and an accusing finger may be pointed at the Government, it is impossible to find clinching evidence. Even if any clinching evidence is found,, it is not possible for the Court to issue an order “Prohibiting surveillance”. At best Court may question the process of authorization of such surveillance.

Hence this entire exercise is futile, unproductive and is a waste of time for the Court. It is just to satisfy ourselves that we value Privacy of citizens and go to any extent to fight for the right. All of us know this is not true and our politicians and businessmen are not interested in passing the Privacy law because we donot consider it a priority.

I hope the Supreme Court will also not fall prey to this political game and dismiss the petitions without wasting too much of its energies.

Naavi

Also refer: NDTV.COM

Data has a value as everybody understands. But we need to go further in our discussion on what is the value of data, how it can be computed and how it can be brought into the balance sheet etc.

The latest issue of Data Protection Journal of India discusses these concepts along with the handling of the personal data of the deceased persons.

The journal is available free at www.dpji.in