There is no Right to Fake News

The Government of India has now come out with a new version of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which were first notified on 25th February 2021. On 28th October 2022, an amendment was issued vide GSR 794(E). On 6th April 2023, there was another amendment vide GSR 275(E), in which “online gaming” was added to the regulations. Today’s consolidated version has one additional provision regarding a “Fake News Verification Authority” to be set up by the Government.

In Part II of the notification, under Rule 3(b) the amended subsection (v) now reads as follows:

……The intermediary shall inform its rules and regulations, privacy policy and user agreement to the user in English or any language specified in the Eighth Schedule to the Constitution in the language of his choice and shall make reasonable efforts to cause the user of its computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that…..

(v) deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any misinformation or information which is patently false and untrue or misleading in nature 1[or is identified as fake or false by the fact check unit at the Press Information Bureau of the Ministry of Information and Broadcasting or other agency authorised by the Central Government for fact checking or, in respect of any business of the Central Government, by its department in which such business is transacted under the rules of business made under clause (3) of article 77 of the Constitution];”

What this means is that the Government will create a “Fact Check Unit” which will check and declare if any information is fake or false.

The industry therefore need not depend on the private Fact Checking organizations which are controlled by George Soros.

When in doubt, the decision of this Fact Checking Unit will determine whether the information is fake, and the intermediary will lose its Section 79 protection if such news is published and not removed after it receives knowledge that the news is fake.

This also means that this unit will monitor the private sector fact checking services and give its stamp of approval. It will remove the uncertainty when two fact checking private sector agencies have a difference of opinion.

As could be expected, the opposition political parties and the vested media interests have already started their campaign against the provision, claiming that it is curbing the “Freedom of Speech”. It should however be remembered that there is “No Right for Spreading Fake News” and hence the objections of the vested interests need to be ignored.

What these media journalists are either unable to understand or are deliberately misrepresenting is that if any fake news is published, it will only mean that Section 79 protection is not available to them and they have to face the law of the land. They are therefore welcome to continue their fake news publication business and face the law.

Crying that this is curbing their freedom of speech is itself patently false news and will render these media vehicles susceptible to legal action if the intention is to violate any law.

We await the implementation of this system and a link to the content where PIB will maintain the list of reported fake news along with its views. Alternatively, we need to see if PIB will start a help-center type of service where a query can be raised by the public, to be answered by the PIB unit as soon as possible.

Copy of the Revised Intermediary Guidelines with amendments is available here

Naavi

Posted in Cyber Law | Leave a comment

Gaming Intermediaries..Final Guidelines released

The Intermediary Guidelines covering the Gaming Intermediaries, which had been released for public comments, have now been notified. This will be an amendment to the Intermediary Guidelines and Digital Media Ethics Code of 25th February 2021.

Copy of the guidelines is available here.

The guidelines define an “Online Game” as “a game that is offered on the Internet and is accessible by a user through a computer resource or an intermediary”. The “Online real money game” is defined as an online game where the user makes a deposit in cash or kind with the expectation of earning winnings on that deposit.

Additionally, “Internet” for the purpose of this notification means “the combination of computer facilities and electromagnetic transmission media, and related equipment and software, comprising the interconnected worldwide network of computer networks that transmits information based on a protocol for controlling such transmission.”

An online gaming self regulatory body will need to be established and should provide a verifiable mark to the relevant platform for a “Permissible online real money game”.

The system of self regulation is similar to what Naavi.org had recommended as “Intermediary Dispute Resolution Policy ” for all Section 79 guidelines.

The Government reserves its right to introduce similar regulations even in the case of online games other than online real money games in the interest of sovereignty and integrity of India, etc.

The guidelines will come into force 3 months after at least three self regulatory bodies have been established.

The real impact of the regulations on some of the popular gaming platforms needs to be assessed. The industry may delay the setting up of self regulatory bodies to postpone the applicability of the guidelines, and this could be a loophole deliberately kept in the guidelines.

Instead, the Government should have provided a time line of say 6 months for the setting up of the self regulatory bodies failing which the “Grievance Appellate Committee” of the Ministry should take over the responsibility envisaged for the self regulatory body till the formation of such bodies.

Naavi


News Coverage on News18-Kannada on 2nd April 2023


The Great Data Robbery… Why it is a national security issue?

This is a continuation of the previous article “The Great Data Robbery in India…64 crore data sets…weaponized for the next election...”

We have seen many data breaches from Hospitals, Banks, Payment Gateways etc. Most of these are targeted at financial crimes and result in ransomware attacks or direct phishing attacks. But what has been unearthed now in Cyberabad appears different. This data heist is not limited to financial objectives.

The classification of the data into different categories is really intriguing and raises alarm. The catch has been of a person who is said to be operating through a website “InspireWebz”.

We can stumble upon www.inspirewebz.com, which is a website marketing several “Data Extractor Softwares”. Whether the arrested person is a user of these tools or the owner of this website is not known. But the data extractor tools marketed on this website are clearly tools that can be used to commit what a data protection law would consider “Objectionable Extraction”.

We are aware that DPDPB 2022 considers that extraction of data from publicly available data space does not require specific consent. However, systematic marketing of these tools is facilitating criminals and hence the website should be considered as part of a “Conspiracy” to commit Cyber Crimes.

From the initial indications, the person arrested by Cyberabad police could have bought all the available tools in this website and later filtered and classified the data into different categories.

The press report referred to in the earlier article lists about 109 categories besides 25 state categories.

26. Job Seekers Database: 40 lakhs
27. Domain Whois Database: 3.47 crore
28. Schools, Colleges, Universities & Education 50000: 4.2 lakhs
29. Teachers Database: 5.7 lakhs
30. Advocates & Lawyers: 1.64 lakhs
31. Agents: 28000
32. Apparel & Garments: 65200
33. Architect & Interior Designers: 65000
34. Beauty Parlors, Hair Cutting Saloons & SPA: 70000
35. BPO Call Center Employees: 2.6 lakhs
36. Building Material & Requisites: 15500
37. Business Analyst: 25000
38. Business Development & Sales Professionals: 1.5 lakhs
39. Cab Users: 1.84 lakhs
40. CBSE School Email IDs: 18000
41. Cell Phones & Accessories Shops: 13600
42. CEO, CFO, CTO, CMO: 2 lakhs
43. Channel Sales Persons Database: 50000
44. Chartered Account: 42000
45. Chemical Pharma Companies Database: 39000
46. Chemists Dtababase: 1.23 lakhs
47. Chief Managers: 20800
48. Civil Engineer: 2.53 lakhs
49. Club Mahindra: 3.26 lakhs
50. Commercial & Residential Properties: 29000
51. Company MD, Secretatiaty & Chairmen Database: 5.2 lakhs
52. Company Proprietors Database: 3.9 lakhs
53. Computer Laptop Dealers Database: 17000
54. Computer, IT & Telecom Services: 54000
55. Consultants & Consulting Services Database: 2.04 lakhs
56. Contractors Database: 10900
57. Credit Card Holders 3000000: 98 lakhs
58. CRM, Call Centres BPO Executives Database: 1.2 lakhs
59. Dealers Database: 20000
60. Debit Card Holders: 8.1 lakhs
61. Defence Force Delhi NCR Database: 2.55 lakhs
62. Designers Database: 50000
63. Digital Photography Studios Database: 58000
64. Dining Leisure Customers Database: 24000
65. D-Mat Account Holders: 35 lakhs
66. DTP Operators Database: 14000
67. Economic Analysts Database: 13500
68. Educational Institutes Database: 11100
69. Electricals Electronics Stores Database: 1.5 lakhs
70. Employees Delhi NCR Bank Database: 34000
71. Energy Power Sector Delhi NCR Database: 23600
72. Female Consumer Bangalore Database: 1.17 lakhs
73. Financial Analysts Managers Industry Database: 1.04 lakhs
74. Food Beverage Stores Database: 31000
75. Freelancers 76000: 76000
76. Frequent Flyer 1.60 Lac: 18 lakhs
77. Furniture Furnishing Business Database: 27000
78. Gas Petroleum Database: 1.03 lakhs
79. Gems Jewellery Shops Database: 34000
80. General Managers Database: 14.6 lakhs
81. Government Employes 110000: 11 lakhs
82. Graphic Designers Database: 48000
83. Gymnasiums 24000: 24000
84. Health Beauty Shops Business Database (1): 54000
85. HNI & High Income Employee 5 Lac: 5 lakhs
86. Home, Garden Pets Suppliers Database: 29000
87. Hotels, Restuarants, Restro Bars, Outlet 2 Lac: 2 lakhs
88. HR – Human Resources Database: 38500
89. Importers Database: 1.06 lakhs
90. IT Companies Database: 39000
91. IT Professionals, Hardware Networking Working Employees Database: 15 lakhs
92. Jewellers Database: 14800
93. Lecturer Professor Database: 25000
94. Legal Firms Database: 11455
95. LIC Agents Emails Database: 10962
96. Logistics Management Service Providers Database: 87653
97. Industrial Equipments Machinery Suppliers Database: 52000
98. Male Gents Database: 22 lakhs
99. Manufacturing Companies Database: 1.6 lakhs
100. Metals Minerals Industries Database: 15850
101. MLM Leader Emails Database: 1.12 lakhs
102. Mobile Number Database: 3 crores
103. NGO Trusts Database: 22034
104. NRI (non Resident Indians) 126633: 1.26 lakhs
105. OLX 1500000: 15 lakhs
106. Pancard Holder 1500000: 15 lakhs
107. Photographers Database: 28000
108. Placement Agencies Database: 48300
109. Policy Bazaar Database: 7.8 lakhs
110. Principals Database: 14180
111. Printing Packaging Companies Database: 43408
112. Project Leader Managers Database: 32000
113. Purchase Procurement Heads Database: 47125
114. Purchase Managers Database: 67638
115. Real Esate Industry Database: 4 lakhs
116. Recruitment Agencies Database: 49900
117. Religares Database: 4.13 lakhs
118. Retail Shops 35000: 35000
119. Samaj Community Wise 2 Crore: 2 crores
120. Semi Government Industries Database: 19340
121. Senior Citizens 2000000: 10.6 lakhs
122. Services Industries Database: 1.88 lakhs
123. Shopping Malls, Firms Shops Database: 81441
124. Software Engineers Database: 2.7 lakhs
125. Steel Steel Products Industries Database: 1.17 lakhs
126. Stock Broking Trading Companies Database: 2.06 lakhs
127. Stock Traders 700000: 7 lakhs
128. CBSE Students data (10th & 12th Class): 30 Lakh
129. BYJUS & VEDANTU database: 18 lakhs
130. STUDENTS Database: 2 crores
131. NEET STUDENTS Database: 1.8 lakhs
132. 9th & 10th STUDENTS Database: 1.5 crores
133. NRI Database: 1.2 lakhs
134. Facebook And Instagram Groups Database: 800

The classifications state wise had the following information.

State/City Wise: Total Count
1. WEST BENGAL: 70 Lakh
2. UTTAR PRADESH: 21.39 Crore
3. TAMILNADU: 1.02 Crore
4. RAJASTHAN: 2 Crore
5. PUNJAB: 1.5 Crore
6. PUNE: 12 Lakh
7. ODISSA: 30 Lakh
8. NORTH EAST: 60 Lakh
9. MUMBAI: 46 Lakh
10. MAHARASHTRA: 4.50 Crore
11. MADHYA PRADESH: 1.10 Crore
12. KOLKATTA: 46 Lakh
13. KERALA: 1.57 Crore
14. KARNATAKA: 2 Crore
15. JAMMU & KASHMIR: 25 Lakh
16. JAIPUR: 68 Lakh
17. HYDERABAD: 56 Lakh
18. HARYANA: 1 Crore
19. DELHI NCR: 20 Lakh
20. DELHI: 2.70 Crore
21. CHENNAI: 70 Lakh
22. BIHAR: 1 Crore
23. BANGLORE: 60 Lakh
24. ASSAM: 90 Lakh
25. ANDHRA PRADESH: 2.10 Crore
Total: 48.4 CR

The state-wise classification, read along with the profession-wise classification, indicates multiple misuse possibilities.

It could be used for all types of Cyber Crimes and also for structured AI-assisted communication, including sending deep fake videos to influence the free choice of the public during the next elections, on the lines of what Cambridge Analytica was accused of.

It is time for the data protection and cyber security community to debate how this threat should be viewed. Is it a simple cyber crime or Cyber Terrorism? Is it only an “Attempt” or an “Executed crime”? What are the liabilities of all those who might have purchased the different packs of software? How have they used them? By this time all buyers should have been raided by NIA and records should have been collected on their activities.

Naavi


The Great Data Robbery in India..64 crore data sets..weaponized for the next election..

The following was a press note issued by Cyberabad police on a recent data theft investigation which is considered the largest data theft in the world.

Copy of the Press note

We shall discuss this in greater detail in the follow-up article.

What is important to note is that the seizure of the data indicates collection from different sources in a systematic manner and organization of the data according to location in different states, practice of different professions, holders of different credit/debit cards, Defence personnel, etc.

The systematic organization indicates that the data could be used for different purposes.

The statewide classification indicates that the data, as structured, could also be used for election campaign purposes.

This is a classic indication of how information can be weaponized for nefarious purposes.

Hence this is a bigger scandal than Cambridge Analytica. It involves multiple states and perhaps an attempt to destabilize the country.

We do not know if this investigation leads to George Soros funding or PFI activities. The ramifications would be beyond Telangana and hence this needs very serious consideration and investigation at the national level.

We congratulate the Cyberabad Police for their excellent work. However, in view of the involvement of multiple states and the potential use of the data for Cyber Crimes and also for manipulation of public opinion for political purposes, I request NIA to consider this as “Cyber Terrorism” under Section 66F of ITA 2000 and take over the investigation.

Naavi


The New Criminal on the Internet: Tox Service

Since 1971, when the first concept of “Malware” surfaced, we have been fighting the menace of Virus, Trojan, worm etc., which are all “Malicious” programs that automatically spread into the user’s computer. The initial purpose of the viruses was to disrupt the operations of the user for fun or revenge. Gradually it was identified as an attempt to sell “Anti Virus Software”. But the “Virus Eco System” turned greedy in financial terms and in later years it has become a “Criminal Extortion Tool” in the form of “Ransomware”.

India introduced ITA 2000 as a legislation which identified introduction of Computer virus or any computer contaminant as an offence punishable with 3 years imprisonment. After 2008, the amendments gave CERT In the powers under the statute to regulate the cyber security measures implemented in the industry. CERT In has been issuing many guidelines as well as advisories including the advisory on how to handle ransomware attacks. (September 27, 2022 advisory)

Indian companies are however oblivious to the existence of ITA 2000 and a regulatory agency like CERT IN. They are more enamoured by the ISO 27001 type of business driven audits and remain complacent.

With the advent of Artificial Intelligence, while responsible security professionals speak of using AI for Cyber Security, the criminals have already started using AI for sending phishing mails and launching malware attacks. Hence even the ransomware attacks will increase.

We therefore urge organizations to take suitable steps to protect their organizations against AI supported cyber attacks.

Despite ChatGPT claiming that it does not support criminals, Cyber Security professionals have pointed out how ChatGPT can be misused. Just like a criminal lies when asked directly if he is a criminal, ChatGPT also denies its involvement in creating malware.

There have been earlier ransomware attacks where amateurs had used an e-mail contact for ransom discussion through “Crimeware assisting services” like Proton mail. Now professional ransomware attackers are using ToxID to discuss ransom demands. (See here for information on Tox).

Tox, which began in the light of the Snowden leaks, started with the idea of creating an instant messaging application that ran without requiring the use of central servers. The system would be distributed, peer-to-peer, and end-to-end encrypted, with no way to disable any of the encryption features; at the same time, the application would be easily usable by the layperson with no practical knowledge of cryptography or distributed systems.

During the Summer of 2013 a small group of developers from all around the globe formed and began working on a library implementing the Tox protocol. The library provides all of the messaging and encryption facilities, and is completely decoupled from any user-interface; for an end-user to make use of Tox, they need a Tox client.

Tox is a FOSS (Free and Open Source) project. All Tox code is open source and all development occurs in the open. Tox is developed by volunteer developers who spend their free time on it, believing in the idea of the project. Tox is not a company or any other legal organization.

Now there exist several independent Tox client projects, and Tox has thousands of users and hundreds of contributors, most of whom are criminals engaged in cyber crime and ransomware attacks.

Tox proudly says that it does not accept any donations probably because all the ransomware attackers pay their own contribution to this “Voluntary Criminals who developed Tox”.

It is unfortunate that law enforcement and law makers do not take sufficient steps to control these malware services and allow them to continue to be in business.

I request CERT In to take steps to ensure that Tox service does not enter the Indian cyber space. I am sure that some experts say this is impossible. But I do not believe that anything is impossible if there is a will. Where there is a will there is a way.

Tox is an intermediary which assists ransomware attackers and hence is ultra-vires the Indian law. Powers are already available within ITA 2000 to take action to declare Tox service as illegal in India. Hope CERT In has the will to use the power available to them under law.

Naavi
