The Cognizant Data breach Incident and the need for immediate ban on Bitcoins

It has been an observation that cyber criminals try to target such destinations where the possibility of reward would be high. The recent attack on Cognizant through a ransomware called Maze indicates that despite the company being well informed about cyber threats and probably well equipped with experts to guide the information security aspects in the company, it could be successfully compromised by the attackers. It could be due to the persistent attacks on a large number of employees through phishing e-mails, and probably using the Work From Home situation which could have diluted the security measures, that this attack was made possible.

It is understood that the Maze users have a history of demanding ransom up to US $6 million (Rs 42 crores) and have also disclosed up to 700 MB of confidential data of a company in the past. So Cognizant would not escape easily if they chose to pay a ransom which could be of the order of US $10 million (Rs 70 crores). And this has to be paid in the form of Bitcoins, which means that Cognizant has to invest in black money to the extent of Rs 70 crores. The shareholders of Cognizant can object to the use of company resources for this purpose. It is possible that Cognizant may have some coverage of cyber insurance, but whether it will apply to the payment of extortion arising due to the negligence of the company, and if so to what extent, is not known.

Further, if the data that has been lost relates to personal data of EU countries, the company has to also face the GDPR fines which could also be debilitating. If the personal data lost includes Indian citizens or Indian companies, there could be action against the company through local courts. The company is fortunate that the Personal Data Protection Act is still not in place and, like the Breach Candy hospital case, this major data breach will go unpunished under Indian law. Though CERT-In may send a notice, it is unlikely to take any action, and the company may face relatively less trouble from Indian regulators than from the EU GDPR authorities from multiple countries.

It is regrettable that a large company like Cognizant should have fallen to the malware, and it will take some time to understand what really went wrong.

For the time being we would like to look at another dimension of the fraud and in particular how the inaction from the Union Home Ministry under Mr Amit Shah has contributed to this attack and will continue to encourage more such attacks.

Recently the MHA stepped into the shoes of MeitY and gave a security advisory on the use of the Zoom video conferencing software. Though the advisory was meant for Government departments, it was released as a PIB press note, giving an opportunity to ignorant media persons to shout that “MHA had declared Zoom as Unsafe”. As a result, many members of the public, including companies, might have dropped Zoom and moved to more vulnerable tools.

However, MHA has so far not opened its mouth on the issue of “Bitcoins”, and when a strange Supreme Court judgement came out indicating the restoration of Bitcoin exchanges, neither the Finance Ministry under Mrs Nirmala Sitharaman, nor the Home Ministry under Mr Amit Shah, nor the MeitY under Mr Ravishankar Prasad took interest in filing a review of the faulty decision.

Everybody seems to be happy that the Supreme Court has taken on its shoulders the responsibility of giving a sense of approval to Bitcoins, and the industry can make hay while the sun shines by converting the legitimate white money in the country to digital black wealth in the form of Bitcoins and other crypto currencies.

So far we were considering that Mr Amit Shah could be relied upon when national security is at stake and that, since Bitcoin is the currency of criminals and terrorists, he would take steps to ensure that its acceptability as a currency for settlement of financial transactions would be recognized as a national security risk. This hope has been belied. Unfortunately he and his department have displayed no urgency in this matter while they rushed to give a premature advisory in the case of Zoom.

It is well known that to prevent a crime, the ability of the criminals to benefit from the crime has to be stopped. So if crimes like the Cognizant attack have to be reduced, it should be made difficult for the criminals to benefit by collecting the ransom in Bitcoins.

The first step for the MHA is therefore to bring out an ordinance to ban crypto currencies forthwith, so that ransomware distributors are choked off from reaping the financial rewards arising out of their crime.

Secondly, MHA should issue a notice to Cognizant not to pay the ransom since it would encourage similar attacks on Indian companies and also result in a Black Money transaction of an amount equal to the ransom.

I hope Mr Amit Shah is able to understand the long term damage that is being made to the Indian national fabric by allowing Bitcoins to continue to exist.

I request Mr Shah not to accept any view from his department that suggests that “Supreme Court has held Bitcoin as Valid”. The Supreme Court has actually not validated Bitcoin or crypto currency. On the other hand, the three judges have delivered a cleverly constructed judgement, like a Bollywood story, so that without saying that crypto currency is a valid currency in India, they have created a false impression to let the industry benefit fraudulently.

The RBI and the Finance Ministry should have come up with an amended circular to reintroduce the ban on crypto exchanges, and the MeitY should have come up with the law on banning crypto currency which is already in draft stage. But all three wings of administration have remained silent or have been silenced by the power of crypto currency corruption.

If Mr Amit Shah along with Mr Narendra Modi are the last repositories of honesty and lack of corruption in India, they should make moves to bring a ban on Crypto currencies immediately.

There is no need for the Government to wait for the current Covid 19 crisis to be over before taking action in this regard, since this is the time when more such attacks will happen on other organizations: the “Work From Home” situation has exposed most companies to the risk of malware from the home environment jumping into corporate networks.

Stopping ransomware attacks is therefore a Covid priority. If stopping Bitcoin circulation as a currency relied upon by criminals is a step in this direction, this is also a Covid priority.

If the MHA, MeitY, MOF and RBI are not collectively deaf, I suppose they will listen to this appeal for a ban on crypto currency.

Naavi


Time to be Accountable… India Legal

[This is an article first published in India Legal magazine]

In December 2018, the central government proposed to issue an amendment to the Intermediary Guidelines under Section 79 of the Information Technology Act, 2000 (ITA 2000). This was neither a new Act nor a new rule. It was only a proposed amendment to a rule placed for public comments.

However, it was challenged as unconstitutional by some activists and referred to the Supreme Court. The government is now expected to present a new version of the rule in the Supreme Court and the industry lobby is already mounting pressure on the centre to bend the rules to their advantage.

Section 79 and the rules therein are meant to bring accountability to intermediaries to prevent certain crimes such as defamation, spreading of hatred and disharmony, inciting violence and such through information posted on websites, blogs and messaging platforms. The role of intermediaries in fuelling such crimes and assisting law enforcement agencies in detecting and bringing to book the perpetrators is undisputed. However, these business entities are averse to accepting any responsibility for preventing their platforms from being used for fake news to disturb the community and as a tool for anti-social elements.

An internet intermediary, incidentally, provides services that enable people to use the internet. They include network operators; network infrastructure providers such as Cisco, Huawei and Ericsson; internet access providers; internet service providers; hosting providers; and social networks such as Facebook, Twitter, LinkedIn, etc.

The use of fake videos and Artificial Intelligence (AI)-based content for posting malicious material has made the problem more acute since the amendment was first proposed. Two of the most contentious aspects of the proposed amendments are that the intermediary is required to trace the originator of a message that flows through his platform and that he should deploy technology-based automated tools for proactively identifying, removing or disabling public access to unlawful information.

Objections have been raised on the ground that the intended measures are “technically infeasible”, infringe on “privacy” and put restrictions on “freedom of expression”. Given the propensity of courts to react favourably whenever activists quote Articles 21 and 19 of the Constitution, the industry lobby expects a climbdown from the government. After all, the government had buckled under their pressure when it diluted data sovereignty principles in the personal data protection act by dropping “data localization”.

The challenge before the Court is now two-fold. The first is to realise that excuses based on technical infeasibility are false and such measures are already being used by the industry for compliance with other international laws such as General Data Protection Regulation (GDPR). The second is that “national security” is as much the duty of the government and a fundamental right of citizens as the protection of privacy or freedom of expression of certain other individuals. The law should not allow disruption in the lives of innocent persons while protecting the rights to privacy and freedom of expression of some activists.

At present, most large intermediaries do scan the messages that pass through their services to identify the nature of the content so that appropriate advertisements can be displayed when the receiver of the message reads them. Most leading companies, including Facebook, also use AI to read the messages and profile the users. Hosted content is also moderated and scanned for malicious code as part of information security measures. Hence, the claim that it is impossible to make a reasonably effective check and flag objectionable content is not acceptable, particularly in the case of large intermediaries like Google and Facebook. As regards the proactive removal of content which is “unlawful”, this involves the judgment of intermediaries. However, if they are ready to proactively identify potentially objectionable content, the government can always suggest a mechanism for reviewing the tagged content and getting it moderated.

Most data managing companies undertake a similar “discovery” exercise when it comes to complying with laws such as GDPR. There is no reason why they should not apply similar “data discovery” tools to identify offensive content and flag it for manual supervision. The technology is available and being used by the same companies who are resisting the request of the government. The Court should reject such claims. Their bluff needs to be called out.

We may also note that the Personal Data Protection Act, which is expected to be a law soon, has also brought in a provision whereby social media intermediaries have to provide an option to users to get them “verified” and the “verification” should be visibly presented with the account.

In other words, it will be mandatory for social media companies to identify the owner of a message and therefore make him accountable. In the case of WhatsApp, it must be mentioned that what is required is not “reading of the message”, which is objected to from the “privacy” angle as the information may be encrypted, but only identifying the origin of a message. This can be technically achieved by tweaking the header information of the message and incorporating a checksum identity of the message. This identity can be recognised at the server whenever the message is forwarded.
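A sketch of the header-tagging idea just described, added here as an illustration and not taken from the article or from any messaging platform: the checksum identity is assumed to be a SHA-256 over the message body, and the intermediary's registry and relay rules are assumptions of this example, not a described implementation.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed illustration: the intermediary keeps a registry keyed by a
# content hash (the "checksum identity"). The first sender seen for a hash
# is recorded as the originator, and the hash travels in the header of every
# forward so the server can recognise the same message without reading it
# beyond computing the hash.

def message_id(body: str) -> str:
    """Checksum identity: SHA-256 over the UTF-8 encoded message body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

@dataclass
class Intermediary:
    registry: dict = field(default_factory=dict)  # msg_id -> originator
    log: list = field(default_factory=list)       # (msg_id, sender, event)

    def relay(self, sender: str, header: dict, body: str) -> dict:
        """Inspect one message in transit and return the header to forward."""
        actual = message_id(body)
        claimed = header.get("msg_id")
        if claimed is None:
            # Fresh message: mint the identity and record the originator once.
            self.registry.setdefault(actual, sender)
            self.log.append((actual, sender, "origin"))
            return {**header, "msg_id": actual}
        if claimed != actual:
            # Header claims "forward of X" but the body is not X: either the
            # header was tampered with or the content was edited. Refuse
            # rather than attribute the edited text to the original sender.
            self.log.append((actual, sender, "rejected"))
            raise ValueError("msg_id does not match message body")
        self.log.append((actual, sender, "forward"))
        return header

    def originator(self, body: str) -> Optional[str]:
        return self.registry.get(message_id(body))

def demo():
    """Run a constructed forwarding chain; returns (originator, hops, rejected)."""
    srv = Intermediary()
    text = "Constructed sample message"        # constructed sample content
    hdr = srv.relay("alice", {}, text)         # alice originates
    hdr = srv.relay("bob", hdr, text)          # bob forwards, header kept
    srv.relay("carol", hdr, text)              # carol forwards again
    try:
        srv.relay("mallory", hdr, text + "!")  # edited body under old header
        rejected = False
    except ValueError:
        rejected = True
    hops = sum(1 for _, _, event in srv.log if event == "forward")
    return srv.originator(text), hops, rejected
```

Note that a copy re-typed or edited and sent without the header receives a new identity, so this sketch records the re-author as originator of the new text, not the author of the original.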

In view of the above, the technical infeasibility objections to tracing the origin of a message are unsustainable in the current age of AI technology. These are false excuses.

However, while issuing the new guidelines, the government may have to recognise that some views on Section 79 have been expressed by the Supreme Court in Google India Private Limited vs Visakha Industries and the proposed amendment has to be compatible with the views expressed therein. This case involved a complaint of defamation and the non-removal of the content by Google when demanded. It also opened a discussion on the concept of “due diligence” as per the version of Section 79 in ITA 2000 and an amendment made in 2008 which became effective from October 27, 2009.

The final outcome of this judgment was focused more on the applicability of the law with reference to the date of the incident. But during the course of the judgment, some important principles of international jurisdiction and the scope of “due diligence” emerged. These would be relevant in analysing the proposed intermediary guidelines. It may be noted that the original version of Section 79 required “due diligence” to be exercised to “prevent the commission of offence”. The due diligence under the old Section 79 had not been expanded with any notification of rules and hence was an open-ended responsibility.

In the case of the amended Section 79, which is applicable now, the law requires that “the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf”. It, therefore, extends beyond “prevention” when the data enters the control of the intermediary and monitoring throughout its lifecycle.

Additionally, the concept of “due diligence” has been detailed in the intermediary guidelines of April 11, 2011, which are now proposed to be replaced with an amended version. The Court recognised that the amended Section 79 provided protection from liability not only in respect of offences under ITA 2000 but under other laws as well, which was welcomed by the industry as an expansion of the safe harbour provisions.

At the same time, we need to observe that the scope of Section 79 has expanded significantly in terms of how the government may exercise its regulatory powers and also the level of control that the intermediary is expected to implement as part of the compliance requirements.

In view of the vindication of the current version of Section 79 in the Visakha judgment and the lack of sustainability of technical infeasibility objections raised by the intermediaries, they seem to have no option but to accept accountability that the amended guidelines prescribe. The challenge mounted in the Supreme Court may, therefore, end up only with a clarification on the procedures related to content removal.

However, the Court could suggest some standard measure to ensure that between the period when the victim notices the harm and brings it to the knowledge of the intermediary and until a Court comes to a decision, he would get some interim relief which is fair to both parties. Hence, if a notice for removal is received by an intermediary, pending an order from a Court, he should exercise caution to prevent continuation of the alleged damage. Ignoring the knowledge of alleged damage would neither be legally wise nor ethically justifiable.

In such cases, the content may continue but it should be flagged as “reported objectionable vide notice received from ….” with a hyperlink to the copy of the notice. The flag may be removed after a reasonable period such as 90 days if no court order is received.

This measure will ensure that the delay in obtaining court orders does not continue to harm the victim to the same extent as it otherwise would. If such a measure is not available, every complainant will seek relief in the form of an interim order to block the content.

If such a request is agreed to by the trial court, the content remains blocked until the case is settled which may last for years. It would be good if the suggested procedure of dispute management is included as part of the intermediary guidelines.

Lead Illustration: Anthony Lawrence

The writer is a cyber law and techno-legal information security consultant based in Bengaluru


Course on PDPA…from Naavi


Crash Course on PDPA

Based on specific requests, Naavi/Cyber Law is conducting a crash course on the Personal Data Protection Act of India from 20th April 2020 to 25th April 2020 through virtual training for 2 hours on each day.

The program will be held between 8.30 am and 10.30 am (IST).

The coverage would be as follows:

1. Evolution of Privacy Law in India (ITA 2000, ITA 2008, Puttaswamy Judgement, etc.) and Understanding the Concept of Privacy and its relation with Data Protection

2. Applicability, Exemptions, Data Protection Obligations and Data Principal’s Rights

3. Grounds of Processing without Consent, Restrictions on Transfer of Personal Data outside India

4. DPA, Adjudication and Appellate Tribunal, Penalties and Offences and Grievance Redressal mechanism

5. Compliance Obligations (Transparency and Accountability Measures), Data Audits and DPO

6. Data Protection Challenges under New Technologies, Data Governance Framework, Interactive discussion and Review

The participation fee would be Rs 3000/- per participant. Registration can be done by making the payment below:


Webinar on 16th April


PDPA Book Reviewed at India Legal

The book is a manual for privacy activists, advocates, IT professionals, business managers, law enforcement officers and the government for comprehending the complex issues of personal data usage.

It not only explains the Act but discusses the different perspectives that make professionals draw inferences of the legal provisions. The author, Naavi, is a pioneer in cyber law, the author of several books on cyber law and cyber crimes and a visiting faculty at many premier law institutes in the country.

India Legal, April 20, 2020