Can Jio and BSNL collaborate for a Win-Win situation?

In a significant departure from the “Make in India” posture, India which can compete with the world for global IT super power status has adopted a surprisingly  approach to hosting Government data on the cloud which is both a concern for information security and also a measure that could kill indigenous public sector organizations like NIC and BSNL.

Refer Article here

When Mr Modi took over, one of his policies which attracted me most was the idea of turning Public Sector units profitable by bringing in a “Private Sector Management Culture” instead of actually privatizing the holding. During the UPA days, there was a systematic effort to kill public sector to benefit vested private sector interests through corrupt practices. In this process, Air India as well as BSNL/MTNL turned sick only to make the private sector counterparts grow in strength. Part of this was due to the lack of efficiency of the public sector employees who failed to modernize their approach with the changes in the environment, but most of it was due to the active political support to the private sector competitors.

The “Make In India” concept was also a right step in this direction of making public sector operation profitable without privatization of ownership. Air India has now become better. Railways is showing a significantly innovative approach to stay profitable. IT might not have done enough to exploit all the opportunities as it has stumbled from one bad decision to another such as the encryption policy, the Facebook policy etc.

Obviously, the private sector also has to survive and we need FDI and therefore there is a need to find a compromise solution in certain sectors where foreign investment is inevitable since indigenous services are not available. However in the field of telecom the local resources must be good enough to make significant progress with indigenous initiatives led by public sector agencies which have a huge infrastructure.

It is therefore necessary to find solutions to effectively use available resources in terms of hardware, software and network with BSNL and NIC as well as CDAC to ensure that a big part of India’s growth comes with the use of these public sector agencies. There is no need to kill these agencies just to promote private interests.

Even when the first dilution of this policy has to be accommodated, we need to first look at Indian Corporates before we turn to foreign agencies.

Indian private sector has the freedom to offer its services globally and so do the foreign companies operating in India. Hence we cannot be too restrictive to foreign businesses picking up business opportunities in India and we need to accept that these commercial operations have to go on for the sake of providing a level playing field to international trade.

However, when it comes to handling of “Information” particularly from the “Government”, the issues of National Security should be paramount. With increasing interest in “Big Data” and data mining for international espionage, cyber terrorism and cyber war, we cannot jeopardize national security by exposing national security sensitive data to the international private sector companies who will not have any commitment to India’s national security and will also be under a legal obligation to provide a backdoor to US intelligence agencies.

Despite the growing friendship with US and the possibility of defense collaboration with them, India’s interests will be best served by keeping its cards close to its chest as long as feasible.

We therefore feel that the decision of the Government to consider allowing its departments to use cloud services of IBM, Amazon and Microsoft is retrograde. The Ministry of Electronics and Information Technology (Meity) should therefore revisit its proposal to host data from different Government departments on the services of these foreign companies even if they set up servers in India.

The Meity often takes its decisions in consultation with NASSCOM  which is highly influenced and driven by the interests of  private sector mostly of the Microsoft type. The bureaucrats in the department are either unable to take or not willing to take a tough stand against commercial interests represented by NASSCOM.

Naavi.org recently pointed out how DSCI promoted FIDO Alliance products by conducting special seminars in Bangalore and Mumbai (Is NASSCOM promoting an Online authentication system which is not ITA 2008 compliant?).

A trend has set in where NASSCOM becomes a shelter for retiring Meity employees and hence the cozy relationship is natural and will continue.

It is therefore necessary for wiser men in the PMO to ensure that the commercial influence does not corrupt the National Security posture of the decisions. Hence in certain areas, public sector agencies need to be given a priority treatment. If they lack necessary expertise or technology, efforts should be to fill in the gaps rather than blame the people who may be fighting a battle with one hand tied behind their backs.

Presently there are two areas in which Government can show its resolve to “Privatize the Management of Public Sector agencies” like BSNL and NIC.

First we shall consider BSNL. It has a huge telecom network which includes Optic fiber network and connectivity to villages through landlines. This network needs to be fully harnessed.

At the same time we are seeing Reliance Jio entering at the high end market of VoLTE and trying to capture a substantial part of the market. Today Jio is a greater threat for Airtel than BSNL. But in due course Jio may also start hurting BSNL if no corrective steps are taken now.

The other private sector players have already ganged up in a cartel to deny inter connectivity to Jio which is illegal and against their license terms. However, since it is a question of their survival, they will find some means to ensure that Jio services are disrupted from time to time to the extent that their customers will be frustrated enough to try to remain with the competing service providers. The legacy service providers may resist number porting to Jio and ensure that customers delay their shifting to Jio.

This fight will go to TRAI, and TRAI’s decision, whatever it be, will go to the Supreme Court, and over the next 6 months this battle will create a huge mess in the telecom segment that will put our Digital progress back by several years.

But BSNL cannot join this dirty fight. It has to protect its interest separately. We also need to find a solution to clear this mess in the larger interest of the country.

In this context, I see one solution here where there can be a “Win-Win” possibility for BSNL and Jio.

I think BSNL and Jio should explore the possibility of collaboration where BSNL will provide a “Gateway Switch” to connect Jio customers to any network (Universal switch to connect to other networks from BSNL proxyID) where the request for connectivity from Jio to other networks are connected through a proxy server of BSNL so that the other networks will not be able to identify and filter out Jio requests. BSNL can charge a fee to Jio for the service. If these calls are to be dropped, the competitors would have to block BSNL connectivity requests also which will legally be “Denying Service to disrupt a Government Network” which can be considered as an offence under Section 66F of ITA 2000/8 (Yes, it is called Cyber Terrorism). I suppose therefore that BSNL will be a shield with which Jio can have a smooth business devoid of unfair practices.

In return, BSNL can ensure that it remains the king in landline business besides retaining its existing residual business in 2G, 3G and 4G voice and data. I also see a potential in running a secure 2G voice network for Government servants to avoid conversations between Government officials being tapped by international spy agencies.

This would also prevent Jio from eating into the landline business of BSNL in future since their Optical Fiber network has the potential for killing the BSNL landline business as well.

The strategy therefore would help BSNL survive and grow in its domain of strength and benefit by the interconnectivity proxy services that are suggested here.

I am sure that Airtel and others would oppose such a move under the TRAI guidelines as improper but I think there is a legal possibility of providing such services within the current license provisions. The threat of Jio-BSNL collaboration should be sufficient to soften the industry players to stop their unfair practice and grudgingly allow number porting and connectivity to Jio.

As regards NIC, its business potential can be in data center services and digital signature services. Presently NIC is restricting its services to the Government sector. If MeiTY wants to open out Government business to the private sector, there is no reason why they should mind if NIC also goes for private sector business. This may generate good revenue for NIC by bringing its service charges on par with the private sector. CDAC can certainly help NIC in technology upgradation. Even IDRBT may be able to merge its digital signature business with NIC so that the digital signature and e-sign business can be run as a profit making venture between NIC, CDAC and IDRBT.

This conglomerate should also be able to offer many commercial services to the citizens in the Digi Locker related services and Aadhar Authentication services and become hugely profitable.

I am aware that there are many technical inadequacies with NIC which need to be addressed. But CDAC is capable of addressing these technical inadequacies and the network of Government sector is large enough to harness the business across the country.  CDAC should also not drop its old project to find our indigenous operating system for computers.

If these two organizations namely BSNL and NIC-Private become profitable, then India’s Digital India dream would get a good boost.

Hope Government at the PMO level starts thinking of these possibilities without depending on recommendations from NASSCOM driven interests.

Naavi

Posted in Cyber Law | Leave a comment

Start a War on Ransomware. It is Cyber Terrorism

In recent days, “Ransomware” has become a global threat to IT and requires some strong counter measures to be undertaken. A few months back, ransomware attack had been reported in Hyderabad and more recently, I came across an incident in Coimbatore where a corporate entity faced a ransomware attack. What is also threatening is that “Ransomware Kits” appear to be afloat for sale in the darkweb and more and more misguided persons may be tempted to buy and use “RansomWare as a Service” (RaaS).

Before this Ransomware virus spreads into an epidemic, we need to act decisively and take it under control. In particular, I request men in the Police force to set up special investigation teams to crack the reported cases and my first such request is for Police in Coimbatore where a report has popped up.

“RansomWare” by definition can be any “Computer Contaminant” (Call it Virus or Trojan if you like) that encrypts the user’s data and demands payment of ransom for unlocking.

The extortionist here is not interested in “Data Theft” and “Exfiltration” of data, so some Data Leak Prevention (DLP) defenses may not be able to identify the malicious activity. But the “Encryption Process” should otherwise be detected by a good Malware detection software if it is not a zero day threat. Since the early days of ransomware, most anti virus companies have tried to address the threat and identified specific “Ransomware Removal Tools”. (Refer this article: 7 Best Ransomware removal tools.) But like in the case of other viruses, the fight is continuous and will go on. Users need to be aware that despite the efforts of having the best antivirus software and managing its timely updations, risks still remain and need to be addressed on a war footing.

Any threat mitigation effort has to start with improving the awareness about the threat and hence we need to know more about the threat by creating an awareness about the threat amongst all the IT users in the organizations including the top management personnel who are as vulnerable as anybody else.

According to a recent note from the US Government, issued by HHS in the context of HIPAA Compliance, there have been 4000 daily ransomware attacks since early 2016 (300% increase since 2015) indicating the acceleration of the malicious activity. (See the Factsheet here).

The threat of Ransomware in India is grave and our Corporates need to build a robust defense system to mitigate the risks.

I wish all the corporate managers go through this informative article, “Ransomware-Practical view, Mitigation and Prevention tips” by Mr Tal Eliyahu. Microsoft has also released a guideline that is useful to read. ( Read Microsoft Note on Ransomware here).

The essence of the defense is to ensure that the possibility of infection in the first place is reduced.

The first defense is of course to equip oneself with a good Firewall and Anti malware software that can filter known threats. Keeping such software updated and properly configured goes without saying. The accompanying diagram (courtesy-Microsoft) shows the types of ransomware that we may encounter.

The infection may also occur due to visiting of unsafe or fake websites through the network, opening of e-mail attachments, clicking on malicious links in social media or even using a USB drive. Obviously, these are threats about which we are aware and have been discussing with our employees for a long time.

But what has changed is that the risks have grown bigger and crippling and this has to be driven home to the users. It is no longer fun to occasionally flout the security norms since virus infection is only a “Probability”.

We need to presume that the “Probability of Infection is always One”. 

The second line of defense is therefore to drill home the need to adopt a safe IT usage culture in the organization. I advise every organization to conduct an exclusive training session on the threat of ransomware and obtain a written commitment from every employee that he is aware of the threat and will take steps to ensure that he will secure himself and the organization against the threat.

The third line of defense is for the system administrators to ensure that the “Backup Process” is as good as it can be. Yes this will involve costs but it is better to invest here rather than pay the ransom in future.

How To Respond?

Notwithstanding the measures taken to prevent a ransomware attack, it is an unenviable dilemma that a company faces when it is actually confronted with a situation where it has to take a decision whether to Pay or Not. Obviously, the decision is dependent on the loss that the company has suffered. If it has not backed up its data and has been caught in the attack, then it has to evaluate how to extricate itself out of the situation.

Try all the removal tools that you may be aware of so that you will be able to extricate yourself if you are lucky.

Never hesitate to call in the Police. You need their assistance and they need your cooperation for accumulating knowledge to prevent such happenings in future.  Police can be of real help as I have indicated separately later in this article.

Assuming that the removal tools fail or there is no more time to try, the management may be forced to admit defeat and pay.

Once a victim agrees to pay, it means that the attacker feels the kick of success and will continue his exploitation of the same customer in future or others. It is like feeding the hungry devil who would ask for more.

However, it is not always possible to be obstinate and take the moral high ground to say that I will never pay. If the loss is unbearable, then the choice is “Pay and Survive to fight another day”.

There is no guarantee that once a payment is made, the attacker will oblige with a decryption key but it is the risk that some may have to take.

The Penance there after

It is however necessary to remember that the quality of the management is revealed not because they succumbed to the threat and paid up, but by the measures they take soon after. If for whatever reason one agrees to pay, then the victim has to take some urgent steps to correct their past mistakes by measures such as the following.

a) Create a “Clean” backup of data which does not have the infection. Ensure that the decrypted data is analyzed to remove any lurking trojan which may get activated once again.

b) Try to identify the source of infection and root it out

c) Harden the security measures so that the possibility of re-infection is eliminated.

What the Police Can do

We should remember that a ransomware attack succeeds only when the attacker successfully gets the payment for his efforts. This means that there has to be a reverse flow of money from your account to the other and herein lies the small possibility of detection and bringing the culprit to book.

According to Indian Law, “Ransomware Attack” can be classified as “Cyber Terrorism” since it strikes terror in the minds of a section of people, causes damage to property and uses denial of access and unauthorized access as an attack strategy. Under Section 66F, the perpetrator of a ransomware attack can be imprisoned for life.

I wish that Police first take out an advertisement to publish this so that the India based extortionists at least will realize that buying a ransomware kit and sending it across to a few to try their luck is as dangerous as playing with a terror game or a drugs game and land them in Jail without Bail.

Though this may not deter the foreign attackers who work with Bitcoin payments, at least we will reduce the number of such attacks in India.

When such an attack materializes, the attacker will leave some trace through his e-mail (as in the case of the Coimbatore attack) or destination payment agent. There will be many “Intermediaries” who would be used by him to encash on his crime. Police need to neutralize them ruthlessly first by seeking their assistance and if they refuse to cooperate, applying section 69, 69A and 69B provisions of ITA 2008 and locking up if necessary the executives of these firms for 7 years as the law provides. (I suppose this will not be necessary if sufficient awareness of this threat is built up again through advertisements by the Police).

Since the tracing of the criminal can happen only during the payment cycle, I request all victims to contact the Police even if they are not confident that they will be of help in decryption. Police also should realize that even if they are not capable of decryption, they may be efficient enough to track the flow of money and eventually catch the criminal.

I wish that Police in each state as well as CBI set up a special “Ransomware Cell” to address this menace. Magistrates should be made to realize that “Ransomware is Cyber Terrorism” and they have to be strict in punishing the criminals once they are caught.

I sincerely believe that it is through such deterrence only that we may be able to slow down the spread of ransomware and we need to work towards this goal.

I call upon Coimbatore Police, where one of the crimes has now been reported, to set up the first “Ransomware Task Force” in India and take up the reported case.

Simultaneously Bangalore Police which has the necessary expertise at the Cyber Crime Cell to also consider setting up a task force to build expertise in solving ransomware attacks if and when it is reported to them.

I look forward to their response.

Naavi

Message for the Public

Ransomware attack is Cyber Terrorism in India. There can be Life Imprisonment and No Bail for the suspects. Intermediaries who do not cooperate in investigation and do not put in practice “Due Diligence” and “Reasonable Security Practice” to prevent ransomware attacks are liable for 7 years imprisonment for their Directors and Executives.

Related Information

Stellar Data Recovery : Speaks of No Recovery-No Charge Policy

TrendMicro Screen Unlocker Tool

Ransomware Resistance from Kaspersky

AVAST ransomware Protection

Bitdefender FBI Ransomware infection

List of Free Ransomware Decryptor Tools from windowsclub.com

List of Tools from majorgeeks.com

How to Rescue your PC from Ransomware..PCWorld

Attracting Legislative Retribution by Deliberate Neglect and Apathy

Naavi has been trying to promote “Voluntary Compliance of Cyber Laws” since 2000 when ITA 2000 was notified. The slogan for “Cyber Law Compliance is the Corporate Mantra for Digital Era” was first stated by me in a CII seminar in Chennai in December 2000. Ever since, through various measures such as “Cyber Law Awareness Movements”, “ITA 2008 Compliance Drive” etc, the undersigned has tried to impress upon the Companies the importance of voluntary Cyber Law Compliance.

It is however sad to admit that the success of this campaign has not been anything to write about. Some companies started the compliance activity but could not sustain it since the conventional information security professionals have always considered that “Legal Compliance” is secondary to “Compliance to Technical standards” such as PCI DSS or ISO 27001 and after exhausting their efforts in technical security, they neither have energy nor money left to apply the legal compliance patch.

What companies and these professionals forget is that “Technical Compliance” is for the sake of pursuing a “Best Industry Practice” while “Legal Compliance” is for avoiding legal penalties. Technical Compliance is fashionable but legal compliance is life sustaining.

The object to pursue is therefore “Techno Legal Compliance” which is technically sound and also compliant with the legal provisions. Where the legal provisions are vague or inadequate, the better technical standards should prevail and vice versa.  Business prudence should therefore be to pick the best of the suggestions from the technical standards and legal prescriptions so that the security is defensible when charged with “Lack of Due Diligence” or “Negligence” when an incident results in a legal claim on the company.

Unfortunately, Indian Businessmen are by nature complacent and think that any legal problem can be tackled after the problem reaches a Court and there is no need for any pro-active measure to prevent and pre-empt a legal problem.

Some are so obsessed with the “All Is Well” syndrome that they think problems arise only for others and not for themselves. Some think that our Police are corrupt, Judiciary is ignorant and Lawyers are brilliant so that any problem can be tackled before it gets out of hand.

But this attitude was perhaps workable as long as the political system was also deeply corrupt so that things could be managed at the highest level. But after the demise of the UPA rule in the country and emergence of Mr Modi as the head of state, the freedom with which corrupt politicians worked around is slowly getting curbed. This has and will even more in the future percolate to the administrative layer where bureaucrats will also have to be less and less corrupt and start enforcing the law of the land.

It therefore does not pay to avoid   “Voluntary Compliance” of law as a deliberate business strategy. The strategy that “We will provide as much information security as is commercially feasible” which some institutions declare in their terms is a clear admission that they are deliberately under-securing their business for commercial considerations and such approach to security needs to be reviewed in the current “Less Corrupt” law enforcement context.

It is therefore necessary for all right thinking businessmen in different domains of activity such as Banking, NBFC, E Commerce, Health Care or any other sector to come together and formulate a “Legal Compliance Network” for their specific domain and guide the business managers. While they often come together for lobbying on commercial benefits, they fail to foresee the legal non compliance problem.

I have highlighted in the past that such lack of self regulation forced unwarranted legislation on UBER, OLA and other taxi aggregators. It also brought unwarranted attention on the E Commerce players such as Flipkart and Amazon. Now even the Health Care mobile app developers are facing the heat of such attention. If left unattended, the problems will not melt away. They tend to coagulate and cause an artery block sooner than later. Then there will be a need for a “By-pass” surgery to survive which could be crippling (Taxi Aggregators are already in this state) or worse result in some companies folding up.

In January 2016, India’s drug regulator namely the Drug Controller General of India has issued an order banning the online sale of medicines. (Refer article here)  Many online mobile app companies involved in such sales had and are still raising venture capital funding for such activities unmindful of the fact that there would be stiff resistance to their business even in the coming days.  Chemists have gone on strike and approached Courts to fight the online pharmacy activity as “Illegal”. (Refer here)

In view of these developments, the Union Minister of Commerce, Nirmala Sitharaman has already announced (Refer here) that the Government is working on regulating web pharmacies.

Now yet another front on which such new regulation is expected is in the area of E Commerce. Today’s Times of India reports that the Consumer Affairs Ministry has shared with the Commerce Ministry that 46 e-commerce companies did not respond to e-mails sent to them for redressal of Consumer Grievances. In the same breath the Ministry has come out with a statement that they would come out with “Rules and Regulations” to regulate the E Commerce industry. (Refer here)

Let’s admit the fact. Our bureaucrats would be too happy to formulate new rules and regulations so that the “License Raj” in e-commerce prevails and booms even if E-Commerce withers.

The responsibility for leading the Government to such a situation lies with the industry which does not consider voluntary self regulation that can make the Government regulation redundant.

There is also a Consumer Protection Bill (A more detailed analysis of the same would be presented separately) that is being introduced in the Parliament to replace the Consumer Protection Act which will also make some significant changes to the lives of the E Commerce players.

I squarely blame the industry for its non-compliance of existing laws, and providing an excuse to the Government for introducing multitude of regulations.

For example, the current Consumer Protection Act automatically applies to E Consumers since “Business done with electronic documents” is nothing different from “Business done with paper documents” and hence all laws applicable for paper based business are also applicable to E-Commerce. Further under Section 79 of ITA 2000/8, E Commerce companies need to ensure that no offences are committed with the use of any message that passes through/processed by them unless they can prove that they have exercised “Due Diligence”.

One of the aspects of “Due Diligence” is providing a “Grievance Redressal mechanism” on the website. If the Government now finds that some E Commerce companies do not have a working Grievance Redressal system, it is only the tip of the iceberg. There are many more non compliance issues which if identified, will make these businesses uncomfortable.

And, it will not be just 46 E Commerce companies which are non compliant with laws. Almost all of them are non compliant with the basic aspects of Section 79 of ITA 2000/8 and common consumer law.

Most of these web based businesses do not provide their identity in the form of a physical office address to which legal notices can be sent. They do not declare who their promoters are nor their grievance redressal officer. They provide a TOS in electronic form which is not a full fledged disclosure. Many do not provide proper Privacy Policies. Topping it all is the lack of or inadequacy of grievance redressal systems.

Some of these deficiencies can be attributed to the fact that the business managers are ignorant of the laws and are preoccupied with other business priorities. Some are however not because of ignorance but solely because they do not care.

Naavi attributes this to “Technology Intoxication” that makes them blind to the regulatory requirements.

Unfortunately, it is this callous attitude that irks the regulators and makes them wield the stick in the form of new regulations. Once the regulations are out and they start pinching, the businessmen will start complaining that  Government is curbing business through bad laws and cry infringement of their rights.

Now all Taxi aggregators have become “Taxi Operators” and consumers have also lost out in the process because competition is being stifled out. The “Kala-Peela Taxi Driver’s syndrome” will soon come to the OLA and UBER companies also since they feel empowered that they have been “Licensed to Exploit” and any new entrant will find the barrier to entry too stiff to break. This is the re-entry of license raj in E Business.

Once E Commerce was the entry point for low resource wielding entrepreneurs who could just start any business by just opening a web site. Soon, there will be a plethora of regulations that makes it difficult for small and micro businesses to enter business dominated by the license wielding giants.

We can expect such  license raj in all E Business activities starting with the E Pharmacies and E Commerce.

I however believe that Mr Modi is conscious of the “Ease of Doing Business” concept and if the E-Business industry wakes up from their slumber, they may still be able to work with the Government to avoid setting in of a new license raj in E Commerce which will be detrimental to growth in competition and end up more anti consumer than what it tries out to be.

Will they?…. Oh ..are they listening? or happy counting their Venture fund contributions?

Naavi

Related Article:

Online Pharmacies form an association

Office of Online Pharmacy raided

The Reliance Jio-Big Data Push and Infosec concerns

The Reliance Jio launch on 5th September 2016 will start a new era in Mobile industry in India. The “Mobile” as a concept was a replacement to the phone and the initial positioning of the device was as an “Instrument for talking”. “Voice” carriage was therefore the central purpose of the mobile network and the entire industry built its business on this concept.

Use of mobile for “Data” started with the advent of “Smart Phones” and was secondary to the use of mobile for voice. Most of the mobile network was more robust for voice carriage and data connectivity was always poor. But consumers did not complain too much since the main purpose of them holding a mobile device was for voice interactions and hence they were tolerant of the bad “Data Over Mobile” availability.  Some managed with “WiFi” at home and Office and “Voice Only” when on the move.

Now, suddenly, Jio is changing the fundamental nature of the mobile usage from voice to data usage. Its proposition is that all voice will be carried over the IP network only as data. “VoLTE” (Voice over LTE or Voice over Long Term Evolution, similar to VoIP which is Voice over IP) is therefore their USP. Jio network is an “All LTE” network on the 4G band. (P.S: Refer this article for more technical information)

VoLTE enabled Phones

Jio is also selling LyF brand mobiles which are specially configured for VoLTE. Many of the other  mobiles are also capable of operating in the LTE bands used by Jio.  But at present it appears that only phones with the Qualcomm snapdragon chipset may provide the complete HD voice experience which VoLTE is expected to provide.

Additionally, Jio is introducing a “JioJoin” app which may enable any non-VoLTE phone user to make voice calls over the LTE network. It is however said that the call quality on a VoLTE phone would be far better than through the app. The free offer of 3 months of unlimited data is perhaps only for certain declared brands of phones, mainly the LyF brand. In other phones, the Jio SIM may work but the free offer may not be available.

If the user’s phone is not capable of working in the LTE bands of 2300 MHz, 1800 MHz and 850 MHz, it may not be able to receive Jio signals. 2300 MHz is critical since Jio has a Pan India license in this band. In the other two bands it has licenses only in a few circles.

With the “Free Voice” offer that Jio is making, it is possible that a large number of voice users from the prepaid segment may switch over to Jio SIMs since they get unlimited voice at Rs 149 per month. If the users prefer data, then they have to move to the Rs 499 per month scheme where they may get 4GB data under the plan. (Night data would be unlimited). At this rate the cost of using Jio would be about half of the existing plans of other service providers. (They may also drop their rates shortly to retain the customers).

Security Risks of Smart Phone usage

Since Jio will promote a higher use of Smart Phones because of the “Free Voice” feature, the risks associated with the use of Smart Phones, such as viruses and Trojans that can commit frauds and identity thefts, are also going to increase exponentially. We may see this impact in more Bank frauds and Mobile wallet frauds in the coming days.

Government Officials may use 2G phones for better security

Assuming that there will be a large-scale migration of users to Jio, the voice networks on 2G will see lower usage. If other operators also start offering VoIP over the 3G network and free voice calling, then the 2G frequency band may become redundant for most mobile users except those who use it only for voice and use the old 2G-only mobiles. This would mean an under-utilization of the band and unless the license holders find alternate uses, they may prefer to drop their licenses in this frequency band. Unless the Government reduces the auction prices of these bands to insignificant levels, the spectrum will remain unauctioned with the Government.

Perhaps the Government may start using this band more and more for inter-governmental communication over old non-Smart phones which are considered less hackable. If BSNL can use these bands for communication between Government officials with some network level encryption, we may be able to solve the need for a secure communication system in the Government. The quality of voice calls may also improve with lower call drop rates since the usage will be thin.

Interceptions on the Voice over Data transmissions

On the other hand, the service users who start using VoLTE and VoIP will convert all voice transmissions to data and carry them over the networks, creating a huge volume of data in transit that is amenable to efficient security monitoring through Big Data analytics. From the security perspective this is good, but from the privacy perspective there could be some concerns.

It is understood that Reliance Jio has already installed a Lawful Intercept and Monitoring (LIM) system to make the encrypted flow of information available to security agencies in clear readable form.  (Refer this article)

It is not clear what kind of encryption is used by the Jio network and whether it is under the old 40 bit encryption norm applicable to ISPs. Under ITA 2008, the Government was supposed to provide new guidelines for encryption under Section 84A, which has not yet happened. Since guidelines under this section are yet to be issued, this is one task which the DeitY has to address quickly.

Private Encryption of Voice

Since the voice transmissions all happen through data which is amenable to data mining, many users may shift to user level encryption of voice transmissions with the use of Apps. If there is a large scale use of such software, there will be other murmurs and complaints from law enforcement and perhaps a point of confrontation between law enforcement and the privacy activists. (We need to check if the current apps for these purposes are compatible with the use of VoLTE and JioJoin apps.)

WhatsApp Calling

Perhaps many would continue to use WhatsApp calling as a preferred mode in view of the end to end encryption provided by the app.

“WhatsApp calling over Jio network” may therefore provide the security but without the “Free Voice Feature” that Jio offers. Users now have the option to trade data costs for WhatsApp calling with encryption capabilities to protect their privacy.

According to one estimate, it costs Re 1 per minute of WhatsApp call on 3G and Rs 2.50 per minute on a 2G network. A 4G LTE WhatsApp call may cost about 50 paise per minute, which is more or less equivalent to the current voice tariff. (These cost estimates are on the basis of old data rates, which Jio will bring down to less than half. Hence the cost for a WhatsApp call on Jio could be around 25 paise per minute).

Thus Reliance Jio is causing disruption on many fronts. Apart from shaking up the manufacturers of Mobiles and Processors to make them compatible with VoLTE calling, it is bringing changes in the Mobile Banking Security, Encryption and Big Data Scenarios.

Let’s watch how things unfold.

P.S: I invite technology experts to send their feedback and make corrections on any technical aspects discussed above

Naavi


The Jio disruption…the Teacher’s Day Gift to Digital India?

September 1, 2016 will be a red letter day in the history of “Reliance”, which is a household name in India, made so by the great Mr Dhirubhai Ambani. Mr Dhirubhai operated in a different era where licensing was the key to industrial success. Though he started as a boy who dispensed petrol in petrol bunks, Dhirubhai overcame the odds in the society to raise a large conglomerate. Though sometimes his achievements were credited to manipulation of the license raj system, what remained in the end was that Dhirubhai created a huge manufacturing base in India giving employment to thousands of people. He also shared his wealth with millions of his shareholders through his own disruptive Stock Market practice of “Debentures” converted into “Equity”. I would credit much of India’s stock market growth in the 80’s to Mr Dhirubhai’s entrepreneurship and willingness to share the benefits with ordinary people.

The second generation of Mukesh and Anil developed the enterprise, though they had not so far established an intention to share the corporate wealth with the public the way Dhirubhai did.

Now as the third generation of Dhirubhai family enters the management scene, Mukesh has unleashed the “Reliance Jio” which has the potential to stir up the entire telecom scenario in such a way that we can describe it as a “Disruptive Moment” in the Telecom industry.

Whether this “Free Voice” over mobile and “Globally Cheapest Data over LTE network” will transform our society in ways we have never envisaged is the moot point of discussion today.

Yesterday, as Mukesh made his speech at the AGM, the market capital of Airtel, Idea and even RCOM dived by over Rs 13500 crores as doubts surfaced if these companies can exist after the Jio onslaught. But at the same time even the Reliance stocks did dip indicating that the shareholders of Reliance thought that this was a  business strategy to eliminate the competition though it may bleed Reliance itself for some time. Ultimately, whoever has the deeper pockets may survive and Mukesh thinks that he has the deep pockets to ride over a phase where there could be large scale loss of business and revenue for the incumbent operators who have some sunk costs to manage. Survival of these companies will require a high marketing acumen and some innovative as well as painful initiatives that these companies may have to initiate.

Inevitably the Government will be dragged into controversies. On the one hand the Modi Government should be happy at any initiative that will help its Digital India Campaign, which the Reliance Jio project services would definitely do. On the other hand, there are policy issues of inter connectivity between Jio and incumbent players which will be contested both at the level of the DeitY as well as in the Courts. The Government needs to ensure that it does not get dragged into controversies that it favours either one or the other group in resolving the crises.

Government also has a responsibility to see how its own BSNL services are revamped to meet the competition. During the UPA days the popular thinking was that BSNL was deliberately choked by corruption at political level to provide advantage to the private operators. But in the last few months, the current Government appears to be trying to change this perception and now is another opportunity for BSNL to show that it is not much behind the other Private players when it comes to strategizing on the market issues.

At the Consumer level, if “Voice Calls” are not charged, it would be a great boon to “Predominantly Voice users” such as the College going youth who can be seen endlessly talking on the streets. Soon other operators also need to make “Voice” free.

As regards the heavy users of Data including those who are shifting to making calls on the data network such as WhatsApp or Skype, the reduction in data charges to half of existing levels at the base level and further down at higher levels will be a boon. For most of us the mobile bill will come down by 50% immediately if we shift to Jio services.

We should therefore welcome the entry of Jio into the mobile services market and hope that consumers will eventually benefit.

The services will be commercially launched from September 5, 2016, which is this year’s “Teacher’s Day”. Just as a “Teacher” shapes the future of a student, it is possible that Reliance Jio may shape the future of Digital India through its service.

We may look at the technology issues that may arise on account of the Jio strategy in a separate post.

Naavi


Steps to Improve Cyber Judicial System in India

In the last two posts, I have highlighted the call for early appointment of the Chairperson of the Cyber Appellate Tribunal (CyAT), a post which has been vacant since July 2011, and the inadequacy of the NCRB system to recognize the extent of Cyber Crimes that occur in the country.

In this context, there is a need for a total revamp of the Cyber Judicial system in India for which I place some suggestions here. I hope the message will reach the right persons and necessary action will be initiated.

In particular, action would be required from:

  1. Mr Ravishankar Prasad who is the minister for DeitY and Law
  2. The Secretaries attached to department of IT, Law and Home affairs
  3. Chief Justice of India
  4. Chief Justices in the States and Union Territories
  5. Chief Ministers of different States
  6. IT and Law Secretaries in different States
  7. PMO
  8. Heads of Police in different States
  9. Heads of Institutes of Law Education and Police Training all over India
  10. Members of the Media

My suggestions can be classified into the following six heads.

  1. Awareness Building
  2. Crime Reporting
  3. Adjudication
  4. CyAT
  5. Special Magistrate Courts
  6. Special Mediation Centers

1. Awareness Building

Whenever we discuss solutions related to Cyber Crimes and Cyber Security, “Creating Awareness” continues to top the discussion table and often ends with it. There is no doubt that “Creating Awareness” is necessary, but we also need to address for whom we should create awareness and regarding what.

The first level of awareness building is to tell the public that there is a law called ITA 2000/8 and that if they have any issues, they can seek protection from the law. But immediately they will ask, which Police Station should I reach out to and which Court should I approach. Given the general reluctance of the public to step into any Police Station, unless people feel that there would be a definite benefit they will not approach the Police. While there are many knowledgeable Police officers, there are more station level policemen who are not familiar with Cyber Crimes and are reluctant to accept any complaints.

There is therefore a need to create awareness amongst all the Police Stations. Despite some efforts there is still a lack of effort in ensuring that our police stations are equipped to accept a Cyber Crime complaint. Today we see a board in most Police stations about the number of complaints received under various types of crimes. I do not seem to have seen the list including any “Cyber Crimes”. In fact I would like to see “How many policemen including constables are there in the police station and how many of them have been trained to understand Cyber Crimes” as part of the information these police stations should display.

I once suggested to the Bangalore police that they hold a “Station level Awareness Exercise” on Cyber Crimes so that every Constable is trained to understand Cyber Crime. Just as we conduct workshops in schools, workshops on Cyber crimes should be conducted in every police station. Advanced courses can be conducted for SIs and investigating officers, but base level awareness is required for everybody.

Similarly, awareness needs to be created among advocates, Public prosecutors, Magistrates and judges at all levels. CJIs need to monitor how many judicial officers are in the state and how many of them are proficient in Cyber Crimes. Judicial Academies need to work on a specific target in this regard so that 100% of magistrates and civil judges go through at least the base level workshop within the next one year.

An action plan for this can be developed and implemented by every State under the guidance of the Chief Justice of the State High Court.

Awareness also needs to be built among all IT Secretaries in India since they are “Adjudicators” and function like a Civil Judge in respect of all offences under ITA 2000 up to a loss of Rs 5 crores.

Lack of awareness at any level, whether it is the victim, the Police, the Lawyers or the Judiciary, should not be a reason why Cyber Crimes do not get registered.

I am sure that budget is not a constraint since we can use an army of Law Professors from different Law Colleges to conduct such base level programs, if necessary by first conducting a “Training for Trainers”.

Naavi conducted programs under the “Karnataka Cyber Law Awareness Movement” way back in 2005 to spread Cyber Law Awareness in India and can still contribute to a new wave of such activity if somebody in Karnataka or at the Central Government level is interested.

2. Crime Reporting

Assuming that awareness is built up at all levels, the next problem to be tackled is the means of reporting of a Cyber Crime incident. If we want to get the correct picture of the Cyber Crime scenario in the country, we need to break the reluctance to register Cyber Crime complaints at the police level. It is appreciated that if Complaints are registered but not resolved, some may interpret it as an inefficiency of the Police and hence Police are reluctant to register a complaint which they are not confident of resolving.

We therefore need an “Impersonal System of Crime Reporting” where the incident is reported online. Every incident reported should be numbered whether they are converted into a complaint or not. Police should establish a network of “Friends of Cyber Police” in different parts of the City who may be approached by the victims for guidance. These FOCPs can vet the complaint and load it onto the system on behalf of the victim.

The system should escalate the complaint to a suitable Police officer for conversion into a formal complaint and issue of an acknowledgement. The higher authorities in Police may take follow up action as may be required though the first task of recognition of Cyber Crime is achieved through this process.

Every incident may be technically considered as an “Attempt” to commit a crime and therefore can be recognized as a registrable Cyber Crime. Hence there should be no technical issue in mandatory registration of FIRs for all verified complaints.

This will help in the assessment of the resources that need to be committed to Cyber Crime mitigation in the long run.

3. Adjudication

Adjudication was a wonderful system which ITA 2000 suggested for resolution of civil claims for damages arising out of contravention of any provision of ITA 2000. It provided for quick resolution, and suo motu powers to the adjudicators to take remedial action. In 2003, in view of the fact that the Judicial system was not prepared to take up the challenge of adjudicating on technology related issues, the Government made all IT Secretaries of states “Adjudicators” for the respective state. These officers were tech savvy and senior enough in the bureaucracy to conduct proceedings of adjudication as an “Enquiry” process. Appeals were available to the CyAT.

However over a period the Adjudicators have shown no enthusiasm to take up this responsibility both because they are otherwise engaged in the developmental activities as also because there is a conflict of interest since some of the cases involve business interests of IT companies. Additionally just as Judicial officers were lacking in technical knowledge, the IT Secretaries were also found to fumble with the legal knowledge when required. As a combination of all these factors, today the system of Adjudication is almost non existent.

There is therefore a need to review and revive this system. One way out is for the State Judiciary to train some of their Judicial officers in Cyber Crime related issues and set up a parallel team of Adjudication Empowered Judicial Officers. Once the IT ministry issues necessary notification, these officers can start taking up complaints.

Alternatively, every Adjudication set up which today consists of the IT Secretary can be made a two member bench with the Law Secretary of the State being the second person. This will provide the relief in terms of knowledge deficiency but may not solve the problem of lack of time for these state level senior officers. The team of trained judicial officers may therefore be a better solution to meet the requirements of Adjudication.

These Adjudicating officers should be mandated to use Video Conferencing wherever feasible so that the cost of adjudication is reduced.

Again a suitable framework for training and sustaining this system can be developed if the State High Court Chief Justice takes interest.

4. CyAT

The issue of CyAT has been discussed earlier. Presently there is a set up in Delhi with a good infrastructure and also a technical member. If only a Chairperson can be appointed, the system can restart its activities.

However there is a need for CyAT to sit in different States and use Video Conferencing so that victims need not travel to Delhi for their cases.

It should be mandated that the CyAT regularly sits in different State Capitals and conducts its proceedings and also set up at least one bench in South India to enable economical access to the public.

5. Special Magistrate Courts

While Adjudication and the CyAT take care of the civil disputes, there is also a need to set up special magisterial courts in the States to handle Cyber Crime cases exclusively. This will speed up delivery of justice and also build expertise in specific Judges who can support the system at higher levels as days go by.

This is an action which again needs to be handled by the State High Court.

6. Special Mediation Centers

ITA 2000/8 provides for compounding of most offences including those which come under the category of criminal offences. Hence there is a scope for mediation and Conciliation both in the case of Civil and Criminal proceedings.

If therefore a good system of mediation can be developed, this will reduce the burden in the system of Adjudicators and Magistrates and help in the quicker delivery of Justice to victims.

There could be many other measures that may help in improving the Cyber Judicial systems but what is discussed above is a list of suggestions that can be considered.

It is to be remembered that an efficient Cyber Justice System is not only required for the success of the Digital India program but is also essential for India maintaining a good “Ease of Doing Business” index on a global scale.

I hope the relevant authorities in the Government take necessary action in this regard and provide some relief to the public reeling under the onslaught of Cyber Crimes.

Naavi
