Naavi.org

Deccan Herald, the leading native English Daily from Bengaluru is hosting the prestigious Bengaluru 2040 Summit today at JW Marriott, Vittal Mallya Road. This invitee only event is expected to see the participation of several ministers of Karnataka besides many industry guests.

One of the discussions during the day would be on measures required to “Prevent Cyber Crimes in Bengaluru” particularly in the emerging technological developments.

The undersigned is privileged to be an invitee to this panel. In this context, I would like to share some of my thoughts on the topic here as a background to the ensuing discussion.

In the last 25 years of the existence of ITA 2000, we have made a very slow progress in understanding technology crimes and bringing it under the hammer of justice. Initially it was the inexperience of the Police and later the difficulties of successfully presenting the digital evidence to the satisfaction of the Courts. The Courts themselves needed decades to understand digital evidence and how to interpret them in the “Criminal Jurisprudence”. Even today we are not confident that in all cases Police and the Courts will be presenting their cases properly to enable conviction in a Court of law for any technology related crimes.

While most of the discussions on prevention Cyber Crimes start and end with “creating awareness”, we must accept that “Awareness is necessary but not sufficient”.

I consider the following three aspects which need attention on a priority basis.

✓Lack of accountability of Software Developers who release immature software products with bugs

✓Lack of Responsibility of deployers who deploy the software without assuming accountability for the adverse consequences….particularly when the software comes with a tag “AI”

✓Lack of Commitment for the Government, Judiciary and Police in regulating the Darkweb and Private Crypto Currencies like Bitcoins which are the lifeblood of Cyber Crimes.

✓Lack of cooperation of Intermediaries during Cyber Crime investigation

We need to address these issues at all levels to honestly find a path to salvation from Cyber Crimes. If we let challenging of every Intermediary regulation in a Court and the Courts are happy to place a stay on every progressive regulatory notification at the drop of the hat, we will not make any progress. India will continue to be the hub of global crimes and Bengaluru being the Silicon city will also be the capital of global cyber crimes.

In this context we can look at DPDPA 2023 as an attempt to enlarge the regulation where the “Intermediary Guidelines” under ITA 2000 have failed by increasing the possible civil penalty for Data consuming companies and their associate Data Processors to Rs 250 crores and beyond.

While the role of Adjudicators and Criminal prosecution under ITA 2000 may continue to remain as a remedy for personal victims of data breaches under DPDPA 2023 and sections of ITA 2000 such as Sections. 43, 65, 66B, 66C, 66D, 66E, 67C, 69, 69A, 69B, 70, 70B, 72A etc will continue to remain relevant and work along with DPDPA 2023 and the inquiries under Data Protection Board, there is a need to bring the Adjudicators and Police who are now tuned to ITA 2000 to DPDPA 2023.

The Judiciary also needs to absorb the new Cyber Crime Jurisprudence to their practice but improvements here can only from within the Judiciary and will take a long time.

It is important to recognize that the concept of “Due Diligence” under Section 85 and Section 79 of ITA 2000 now has a new elaborate explanation in DPDPA 2023 and should be taken note of in any cases involving “Data” and all Cyber Crimes against individuals where “Personal Data Breach” is always one of the causes.

Currently the laws have not been used effectively in choking the Cyber Crime economy by not regulating /dismantling the Dark Web and the Private Crypto Currency systems. The reasons are many but the intention is lacking at all levels.

The Future of Cyber Crimes will be dictated by the developments of AI and Quantum Computing and unless proper steps are initiated today, we will allow the development of Dark AI supporting the Dark Web and making it darker. The goal of Criminals is to make the entire web “Dark” by applying AI and Privacy laws in conjunction to ensure that no criminal will be detected by any law enforcement agency. If we do not recognize this heinous design and take appropriate Techno Legal measures, the future of the Digital society looks gloomy.

Naavi

The Telecommunications Act 2023 which is basically a regulation for the industry has certain provisions applicable to the use of Telecommunication services which has a bearing on the users as well. Most of the provisions of the Act became effective from 26th June 2024. Accordingly, Sections 1, 2, 10 to 30, 42 to 44, 46, 47, 50 to 58, 61 and 62 of the Act came into effect from June 26, 2024.

For example the Act defines “Message” as any sign, signal, writing, text, image, sound, video, data stream, intelligence or information sent through telecommunication which is also an “Electronic Document” under ITA 2000.

In this Act some of the provisions overlap with the provisions of ITA 2000 which we need to take note of.

Also, the term “telecommunication” means transmission, emission or reception of any messages, by wire, radio, optical or other electro-magnetic systems, whether or not such messages have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception;. This may mean that an “E Mail” may come within this definition.

Also, “telecommunication identifier” means a series of digits, characters and symbols, or a combination thereof, used to identify uniquely a user, a telecommunication service, a telecommunication network, elements of a telecommunication network, telecommunication equipment, or an authorised entity. This could mean that “Meta Data” such as the IP address, IMEI number etc may come under this definition.

In the offences sections, Section 42 (2) states

(2) Whoever directly or indirectly or through personation—

(a) gains or attempts to gain unauthorised access to a telecommunication network or to data of an authorised entity or transfers data of an authorised entity; or
(b) intercepts a message unlawfully, shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend up to two crore rupees, or with both.
Explanation.—For the purposes of this sub-section,—
(i) the expression “personation” shall have the same meaning as assigned to it under section 416 of the Indian Penal Code; (Ed: Sec 319 of BNS 2023)
(ii) data of an authorised entity includes call data records, internet protocol data records, traffic data, subscriber data records and the like.

This is similar to Section 66, 66C of ITA 2000 and also the Section 69 of the ITA 2000..

Similarly, Section 42(3) states:

(3) Whoever,—
(a) possesses or uses without an authorisation, any equipment that blocks telecommunication;
(b) uses telecommunication identifiers not allotted or permitted in accordance with sub-sections (8) and (9) of section 3;
(c) tampers with telecommunication identifiers;
(d) possesses radio equipment without an authorisation or an exemption that can accommodate more than specified number of subscriber identity modules;
(e) obtains subscriber identity modules or other telecommunication identifiers through fraud, cheating or personation;
(f) wilfully possesses radio equipment knowing that it uses unauthorised or tampered telecommunication identifiers

This provision means that if any person wants to use the “Micro sonic Electricity Generator” of the Zimbabwean inventor Mr Maxwell Chikumbutso, it requires the license from DOT.

“Tampering with telecommunication identifiers” may include tampering with IP address and all services including Gmail or Proton mail, where Originating IP address of an email is replaced by a proxy IP address assisting in the delivery of spam mails, and fraudulent mails.

Now in a move that further underscores the link of the TCA2023 and ITA 2000, DOT has issued an advisory on removal of content on social media platforms on February 18th.

This has relation to an YouTuber who had posted a message on how to change the Calling Line Identification (CLI) number so that the recipient does not identify the caller.

This provision should the activities of Cyber Criminals and Spammers who assist the commission of a crime through “How to Commit a Crime” knowledge.

While this could have been covered under ITA 2000 itself, now we have an additional legal provision that is applicable to the promoters of such criminal activities including the YouTube or Instagram who are “Intermediaries” and may try to claim Section 79 protection.

The advisory also states that ” Any application that allows to tamper telecom identifier (like CLI, IP address, IMEI etc.) is abetting users in committing an offence by contravening provisions of Telecommunication Act, 2023 and therefore Social media platforms and Application hosting platforms are required to remove such content / applications that allows or promotes tamper of telecom identifier (like CLI, IP address, IMEI etc.) in contravention to the provisions of the Telecommunication Act, 2023. (P.S: This applies to many Security Companies and Security app development companies who may be inadvertently committing a contravention.)

In addition to removing such content / applications action against such entities may also be initiated under Section 42 of the Telecommunications Act who are involved in making/promoting such content / applications that aid commitment of offence under the Telecommunication Act, 2023.”

The advisory requires all Social Media Platforms and hosting platforms to comply with the advisory and also submit compliance to the department before 28th February 2025.

We may recall that when Naavi.org pointed out IRCTC hacking several years back and the Digilocker hack during the Covid time and wanted the Government to put the fear of God on the hacker, there was no response from the Government. Finally the hacker showed his temerity to issue a defamation notice to the undersigned because DigiLocker authorities were not interested in taking action against the hacker and given an impression that the law enforcement in such matters does not exist in India. Though the hacker backed off after a while, the lack of action from the Ministry was disappointing.

This forbearance with the criminals that continues to be shown till date is the bane of our system and emboldens the “Andolan Jeevies” to jump to Supreme Court opposing every good move of the Government.

Some time back TRAI had announced that CLI linked to Aadhaar would be displayed in call messages, it was hailed by us as a good move but TRAI did not go through with the proposal obviously under the pressure of the industry.

The entire delay in the notification of DPDPA 2023 is also a tendency to yield to the industry pressures for not taking rigid action against data breaches.

Government has also not shown the courage to address the Bank Frauds issue by penalizing the Banks. I should recall that due to my efforts over 14 years in the Umashankar case where the Bank was held liable for Phishing after aa long legal battle which could have been reduced to a few months if RBI had responded to my requests” (Refer all judgements related to Umashankar case here).

At that time I had visited RBI in Mumbai and sought action against ICICI Bank and PNB for their negligence that assisted the commission of frauds. RBI was not able to understand their responsibility at that time. Finally TDSAT did rule that “Negligence” on the part of the Bank is a contravention of Section 43(g) of ITA 2000. (Now RBI is continuing its trend of supporting illegal activities by seeking exemption of DPDPA 2023 to the Credit rating agencies).

Ministry of Finance is not far behind in this reluctance to curb crimes and has been supportive of the Crypto Currency regime like Bitcoins despite knowing the adverse effect that can have on the country.

I have also been pressing the MHA to take action to curb the use of Dark Web and Private Crypto currencies as a measure of deactivating the digital eco system that supports the cyber crimes. I am yet to find a proper response in this respect even under the Amit Shah and Narendra Modi regime.

When Mr Ravishankar Prasad was the IT Minister, he initiated the Digital Media intermediary Rules and the Government promptly eased him out of the ministry probably because of the pressure from the BigTech and their agents in India.

In the light of such background , the advisory appears to be a bold step and we hope that the Telecom Industry follows it up with action.

Naavi

Also refer: Technology Intoxication is like Wheeling on the City Roads…

While discussing DPDPA 2023, we have often discussed the role of a “Data Processor” who is actually determining the means of processing under a proprietary software and tagged him as a “Joint Data Fiduciary”.

Yesterday I had an interesting discussion with the ETCISO leadership forum for Hospitality Sector in which the issue of some of the industry players like OYO and others who are not single property owners but have multiple own properties and several more franchisee outlets who are independent property owners themselves. In view of the umbrella branding the brand owner becomes the main customer contact. This also exists in the Make My Trip or Agoda kind of E Commerce services where also the customer relationship is on the brand owner and the property owner becomes a secondary contract for the data principal.

In such instances the Brand owner becomes the first contact for the data principal and the sharing of personal data is with the brand owner under his reputation, his privacy policy or Privacy Notice. However the service is delivered by the associate and data is again shared with the vendor who is also a Data Fiduciary.

In such cases the relationship can be structured as a “Data Fiduciary” and “Joint Data Fiduciary” or ” Data Fiduciary” and “Data Processor”.

The new thought which now comes forth is that if the Brand owner declares himself as an “Aggregator” and declares his “Purpose” as establishing the relationship with the property owner who is the service provider, he can limit his role in Data Protection law as only a marketing agent. If this is not properly structured, the Brand owner becomes a “Super Data Fiduciary” of many other “Data Fiduciaries”. The Data Fiduciaries process data for their own purposes under their own policies while the Brand owner has the vicarious liability on all the activities of the property owners.

Similar issues arise in the case of a hospital using the services of doctors on a consultancy contract where the doctor individually is a data fiduciary and the hospital is an aggregator of their services.

Interesting possibilities arise in this context and DGPSI is making the necessary adjustments to factor such cases.

Naavi

In October 2024, a data breach was reported from Star Health and Allied Insurance which is reported to have breached data of about 170 million data subjects. Advocate Mr m G. Kodandaram has made a detailed legal analysis which is enclosed.

Read the Report here:

This has become relevant in the aftermath of the AWS FIR where a Cloud client alleges data loss with suspected unauthorized access. The FIR has been filed in this case under Section 66 and 66C besides other sections of BNS on “Cheating”.

Naavi.org had also discussed the Star health breach incident suggesting investigation at the level of CBI and ED.

These incidents reiterate the damage being created by the reluctance of MeitY to complete the formalities related to the DPDPA Rules and delaying the formation of DPB.

These incidents have highlighted the responsibilities of the CISOs, DPOs on the one hand and the Data Processors and Vendors on the other hand.

Many times, the companies are not aware of a data breach and the regulator like CERT In himself alerts the company about a data breach. In such cases the “Data Breach Notification” becomes a thing of acknowledging the lack of awareness till it is pointed out by the CERT In.

Once DPDPA becomes effective, sending notices to 170 million data principals as in the case of Star Health Insurance Breach itself is a big issue of concern to a data fiduciary.

When the data breach has the involvement of an intermediary cloud service provider who is a giant like AWS/Microsoft Azure/Google cloud, the data fiduciary is at a loss to understand how much he can rely on them to take accountability for the data breach.

Open for Discussion.

Naavi

Further to the brief report on the FIR reportedly filed by Adarsh Builders on AWS India ,

AWS has responded through their public relations representative from “publicisconsultants-asia.com” as follows:

“The claims against AWS in a recent news report are false. AWS operated as designed and is not responsible for the deletion of Adarsh Developers’ data.” – AWS spokesperson.

I have sought clarification on whether this is a counter accusation that Adarsh Builders have filed a “False FIR” in which case it will also be a threat that counter action may be launched against them or is it to be interpreted as “The allegations made in the FIR by the complainant are denied”.

I am expecting the reply.

The FIR also mentions Redington Group , Bengaluru as A2. I invite response from them.

I have also sought a response from Adarsh Builders and awaiting their reply.

Some of the key information in the FIR state:

“In May 2023, Saidalawi Safan, a business development representative from AWS, contacted the firm and insisted on using their cloud storage servers to ensure retrieval of data even in the events of cyber terrorism or act of sabotage or other events like lightning, earthquake, cyclone, flood, storms, etc,”

“Believing such assurance, in December 2023, the company procured cloud storage facilities with AWS through SAP implementation partner M/s SAVIC Technologies Pvt Ltd, Mumbai. The work order was issued to them to shift the company’s data from the earlier cloud storage facility to the AWS and also to maintain the data securely for three years until November 2027. The payment was agreed for Rs 88,59,924, including GST”

” On January 9, due to the actions of a few individuals at Redington and AWS teams, there has been a data loss”. (We were) further told that employees at Redington Group have entered into our storage area at the root level and deleted our account completely. This event has resulted in the loss of over six years of business data causing substantial financial and operational loss to the company. The deletion of SAP S/4HANA (a business suite used to manage data) has brought the business functions/operations to a complete halt and the vital financial records, supply chain data, customer information, and operational insights accumulated over years are now inaccessible”

Adarsh Builders has stated that they have recovered part of the data deleted and are trying to build the data of customers manually. However a “Personal Data Breach has occurred” and the firm should have reported the breach to CERT In. AWS, Redington as well as Savic Technologies also need to separately file their own breach reports to CERT In. Hope all of them are aware of the Indian data breach requirements.

Being a high profile incident the investigation and the subsequent developments in this case is likely to define the responsibilities of cloud service providers who in most cases are considered as sub contractors of companies. However due to the size of the international organizations like AWS, Azure or Google Cloud, the users take the service contracts on a “As is where is basis” as a “Dotted Line Contract”.

The law in India classifies such contracts as “Unconscionable Contracts” and the onerous conditions are likely to be struck down in a Court of law.

We therefore look at how this case develops in the DPDPA era which is a continuation of the ITA 2000 (Section 43A) regime.

Naavi.org will be leading a discussion on “Obligations and Duties of Cloud Service users and providers” in a knowledge session discussion today at 7.00 pm. This will be open to a limited number of participants on registration and confirmation of registration.

Registration request can be sent here:

https://us02web.zoom.us/meeting/register/CIy9qD-YSBK0o1Bj6_D-nQ

Naavi

Copy of FIR:

Copy of AWS Terms

Copy of AWS India FAQ

Also Refer:

Bangalore Mirror

csoonline

livemint.com

This is a famous quote from John Dryden, an English Poet.

I am reminded of this while commenting on the DPDPA 2023 which by design or accident has many hidden gems that we often ignore in criticising the law.

In many of the interactions I have been having with industry experts particularly relating to the Comments on DPDPA Rules, I end up hearing criticisms from others which appear to be contradicting my own views on the positive features of the Act. Some times I feel that even the MeitY officials may not defend the law like what I may do.

The philosophy behind our approach to the DPDPA 2023 is that once the law is in place, we need to adopt to the laws until it is changed some time in future. We cannot expect that the Rules will be able to tweak the law and make it better. If there is any attempt then the law will be challenged in the Court and Indian Courts can easily be convinced to stay the law for an indefinite period.

Yesterday in the panel discussion organized by Center of Civic Society I reiterated that the DPDPA Rules should not be too detailed and continue to be “Principle Based”. I believe that we should not force MeitY to make the rules too detailed and give an opportunity for the vested interests to argue that it is ultra vires the law. For this reason, I have been advising the Government not to go too prescriptive in the rules as being advocated by the industry but remain generic.

It is true that in the Shreya Singhal case, Supreme Court expressed its unhappiness about the law being vague. But we all know that the supreme Court is not consistent and gives its views as it suits it for the moment. For example, in the Puttaswamy Case, one Judge said , “There is no need to define Privacy..” but went on to impose the liability to protect Privacy on the industry. The same judge even said that the …Even what is written in the constitution is not binding on the Court and they have the discretion to interpret the constitution as they deem fit. The Keshavananda Bharati judgement itself is a blot on the Indian judiciary and its ability to play a fraud on the Constitution but is a highly celebrated judgement which all our legal friends seem to swear by.

In our view, if the law is too prescriptive, it will only show the way how it can be violated legally under the principle, “What is not expressly prohibited under law is lawful” .

I would urge everyone to hear Justice Srishananda of the Karnataka High Court on “Difference between Offence and Crime” we will appreciate that society should discard this definition of what is lawful and unlawful. We should therefore ensure that law is not too prescriptive but deliberately let for contextual interpretation. This will prevent a situation where one judge regretfully remarked, “I know that the accused is guilty but I am declaring him innocent because the prosecution has failed to prove the evidence against him”.

Every one of us may be affected by a new law of the kind of DPDPA 2023 and our first reaction is always a reflection of our discomfiture. If I am a CEO, I am not happy with the new Compliance which requires more investment, effort and disruption of my current state of equilibrium.

In this state of mind, what comes to my immediate notice are the apparent short comings. However, when we reflect deeply we can find many positive features of the law that we can absorb and later convert to our benefit also.

If we are a “DPDPA Compliant Company” our long term sustainability is better addressed. If I try to cut corners today, I may have to fold up one day since we never know when the law will hit us badly.

“Compliance First” should therefore be the motto of every CEO.

The biggest strength of DPDPA 2023 is that it delegates the protection of Privacy to every Company that uses the Personal data because as a “Data Fiduciary” it is the trustee of the data principals. Government need not tell each company on what is lawful. They as “Trustees” have to figure out what is correct and exercise “Due Diligence” to protect the Privacy in the society.

This one principle is enough to elevate DPDPA 2023 above GDPR which provides the status of a “Controller” to a commercial company.

Let us therefore appreciate what is good in DPDPA 2023 and not try to only find faults….

Naavi

Naavi