Angel One Data Breach Notification: AWS fails to identify exfiltration of data

On 27th February, Angel One became aware of a personal data breach, which it appears to have reported to its customers by email; the notification to the data principals seems to have been issued on March 2. According to one report, nearly 8 million users have been affected by the breach.

Report at www.varuta.com

The data breach is reported to involve unauthorized access to AWS resources. The leak was not discovered by the company directly; it was revealed by the dark web monitoring carried out by its dark web monitoring partner.

In an official statement, Angel One assured its clients that their securities, funds, and credentials were not affected by the breach. In a sweetly worded notice it stated as follows:

The breach re-ignites the question of what responsibilities cloud service providers carry for securing access to, and monitoring the exfiltration of, the data they host.

Just as we expect bankers to monitor their clients' access to the CBS system through an adaptive authentication system, we should ask why AWS is not putting in place security measures that identify a data leak while the exfiltration is happening.

While we expect Angel One to encrypt the data and protect the login from its side, it is reasonable to expect AWS also to protect its systems from unauthorized access, just as we expect banks to monitor authentication requests.
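To make the monitoring argument concrete, the following is an added example (not code from the original post, and not AWS's own tooling) of the kind of exfiltration check the post is asking for, run over CloudTrail S3 data-event records. One practical caveat: CloudTrail records S3 object-level calls such as GetObject only when data events are enabled on the trail, so today this detection exists only if the customer switches it on. The log records are constructed for the example; the bucket name, role and user ARNs, the trusted address ranges and the per-principal baselines (50 objects or 500 MiB in ten minutes) are all assumptions.

```python
"""Flag bulk S3 object reads in CloudTrail data events (added example, constructed data)."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed baseline: address ranges from which the application normally reads the bucket.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
WINDOW = timedelta(minutes=10)
MAX_OBJECTS_PER_WINDOW = 50            # assumed per-principal baseline
MAX_BYTES_PER_WINDOW = 500 * 1024 ** 2  # 500 MiB, assumed per-principal baseline


def _make_event(ts, arn, ip, key, nbytes):
    """Build one CloudTrail-style S3 GetObject record (constructed sample data)."""
    return json.dumps({
        "eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {"bucketName": "kyc-documents", "key": key},
        "additionalEventData": {"bytesTransferredOut": nbytes},
    })


def build_sample_log():
    """Constructed log: routine application reads, then a bulk download from an unfamiliar address."""
    t0 = datetime(2025, 2, 27, 1, 0, 0)
    app = "arn:aws:sts::123456789012:assumed-role/kyc-app-role/i-0abc"  # hypothetical
    thief = "arn:aws:iam::123456789012:user/svc-backup"                  # hypothetical
    lines = [_make_event(t0 + timedelta(minutes=i), app, "10.0.1.15", f"cust/{i}.pdf", 200_000)
             for i in range(5)]
    # 60 objects of 12 MiB each, four seconds apart, from an address outside TRUSTED_NETWORKS.
    lines += [_make_event(t0 + timedelta(minutes=30, seconds=4 * i), thief, "198.51.100.7",
                          f"cust/{i}.pdf", 12 * 1024 ** 2) for i in range(60)]
    return lines


def detect_bulk_reads(log_lines):
    """Return one alert per principal whose GetObject activity in any WINDOW exceeds the
    object or byte baseline, or who reads from outside TRUSTED_NETWORKS.
    Records are assumed to arrive in time order, as they do in a CloudTrail log file."""
    recent = defaultdict(deque)   # arn -> deque of (timestamp, bytes) inside the window
    hits = {}                     # arn -> alert being accumulated
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = ev["userIdentity"]["arn"]
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        nbytes = ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)

        q = recent[arn]
        q.append((ts, nbytes))
        while q and ts - q[0][0] > WINDOW:     # drop reads older than the sliding window
            q.popleft()
        objects, total = len(q), sum(b for _, b in q)

        hit = hits.setdefault(arn, {"principal": arn, "first_seen": ev["eventTime"], "reasons": {}})
        reasons = hit["reasons"]
        if not any(ip in net for net in TRUSTED_NETWORKS):
            reasons["untrusted_source"] = str(ip)
        if objects > MAX_OBJECTS_PER_WINDOW:
            reasons["object_count"] = max(reasons.get("object_count", 0), objects)
        if total > MAX_BYTES_PER_WINDOW:
            reasons["byte_volume"] = max(reasons.get("byte_volume", 0), total)
    return [h for h in hits.values() if h["reasons"]]


if __name__ == "__main__":
    for alert in detect_bulk_reads(build_sample_log()):
        print(json.dumps(alert, indent=2))
```

On the constructed log the application role never trips a threshold, while the bulk reader is flagged on three counts: an address outside the trusted ranges, 60 objects in the window, and roughly 720 MiB transferred. In practice the thresholds would be derived from each principal's observed history rather than fixed constants, and the untrusted-address test would be replaced by a comparison with the addresses the principal has used before.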

We should also request MeitY to consider declaring that part of AWS storage, and of other cloud service providers, which caters to "Significant Data Fiduciaries" (Angel One may be one) a "Protected System" under Section 70 of ITA 2000, so that it is taken seriously by the cloud service providers.

Such systems may be identified as a "DPDPA Compliant Storage Service". If AWS can provide a HIPAA compliant storage service, it should be capable of providing a DPDPA compliant service as well (perhaps a new revenue model for AWS and others).

At present the Angel One website does not carry any prominent notice, though the email has been sent to users.

Under DPDPA compliance we need to discuss whether a recent data breach should not be reported as part of the notice given to new customers who join the service.

FDPPI has already recommended that "All Data Breaches recorded since 11th August 2023 may be reported to DPB under the powers of Section 36 of DPDPA 2023". Along with this we must add that "In every notice, information on past data breaches up to one year should be indicated".

Naavi

Posted in Cyber Law

DH Bengaluru Summit 2040 : Panel Discussion on Cyber Crimes

I had the privilege of participating in the Bengaluru 2040 summit organized by Deccan Herald recently.

The video of the discussion on Cyber Crimes is available here.

Naavi

Posted in Cyber Law

Relevance of Consumer Protection Act 2019 for Privacy

When DPDPA 2023 was enacted, the focus of the legislation was "Digital Personal Data" and the way the industry is expected to collect and process it. The law was drafted as a "principle based" draft and did not find it necessary to state that it was meant to protect the right to privacy of an individual as envisaged under the Puttaswamy judgement.

The draft also surprised many because it did not provide personal compensation to data principals and instead indicated a possible fine of Rs 10000/- for data principals making false complaints.

Even now, when the rules are being finalized, there is a continued demand that they should be more prescriptive and also that a percentage of the fine imposed on the data fiduciary should be paid to the data principal who raises the complaint.

The logic is that the Government will impose a fine of up to Rs 250 crores based on the complaint of the data principal and enrich itself, but does not provide any compensation to the data principal.

We have repeatedly clarified that the approach of the Government has been innovative and that not making the law very prescriptive was a deliberate strategy. We have further held that the Rules should also follow the "Minimal" principle and continue to be principle based, not trying to address every possible issue that may arise in implementation.

We are also in principle not supportive of providing “Explanations” within the law or rules which only restrict the applicability and create more avenues for breaking the law rather than following the law.

As regards compensation to data principals, we have insisted that Section 43 of ITA 2000 may be invoked by data principals for their personal compensation in case of a data breach, and that the adjudication process under ITA 2000 may be invoked.

Similarly, we have reminded readers that several sections of ITA 2000 will continue to be relevant even after Section 43A is removed on notification of Section 44 of DPDPA 2023, of which Section 43 will be the most relevant for claiming a personal remedy.

In the S Umashankar Vs ICICI Bank case, the TDSAT had clarified that Section 43(g) can be invoked when there is "negligence" in following the "Reasonable Security Practices" prescribed by RBI. Extending this ruling, DPDPA 2023 is already considered the "due diligence" standard applicable for interpreting both Section 79 and Section 85 of ITA 2000 and for fixing responsibilities under Section 43(g).

Another lacuna which many point out in DPDPA 2023 is that it does not classify personal data as “Sensitive” and has removed the definition of “Harm” which was present in earlier versions.

However, DPDPA 2023 uses "sensitivity" and "risk to the data principal" while classifying organizations as "Significant Data Fiduciaries". Hence all those organizations which process "Sensitive Personal Data" as we generally understand it will now be considered "Significant Data Fiduciaries" (SDF) and will need to appoint a DPO, conduct a DPIA and carry out an annual data audit.

This is better than merely classifying some of the data as "sensitive" and leaving the organization a non-SDF. Further, the Government has so far refrained from defining who will be an SDF and has left it to organizations to self-assess as SDF based on their own assessment of the "sensitivity" of the data processed and the "likely harm that may be caused to the data principal from their processing".

In this context of "harm to the data principal", the Consumer Protection Act 2019 (notified on 9th August 2019) comes into prominence. Just as ITA 2000, BNS (the new IPC) and BSA (the new IEA) are to be considered associate laws of DPDPA 2023, both the Telecom Act and the Consumer Protection Act 2019 (CPA 2019) are considered associate laws, compliance with which is essential to fulfil compliance with DPDPA 2023. In this context we can highlight the notification of 30th November 2023 in which the Government addressed the practice of "Dark Patterns", with a list of practices as examples.

The notification defined “Dark Patterns” as any practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights.

In privacy terms this can be considered a "practice that is harmful to the data principal", similar to the harms of "manipulating the intention of the data principal" and "deceiving the data principal into doing things which he would not otherwise do". This will apply to many e-commerce platforms, which are all "Data Fiduciaries" under DPDPA 2023, and to AI algorithms which process personal data.

The dark patterns singled out include False Urgency, Basket Sneaking, Confirm Shaming, Forced Action, Subscription Trap, Interface Interference, Bait and Switch, Drip Pricing, Disguised Advertisement, Nagging, Trick Question, SaaS Billing and Rogue Malwares (kindly refer to the notification for explanations of each of these types of dark patterns).

The notification clearly prohibits the use of dark patterns by stating "No person, including any platform, shall engage in any dark pattern practice". The "Offences and Penalties" prescribed under CPA 2019 include imprisonment and fine. A possible imprisonment of 6 months and a fine of up to Rs 20 lakhs may be envisaged for most of the dark pattern practices, provided that a complaint is filed by the Central authority authorized under the Act (similar to the powers of the DG of CERT-In).

In view of these "cross legislative provisions", DPDPA compliance includes compliance with multiple laws, as has been recognized by the DGPSI compliance framework. This ensures that "DPDPA 2023 as an Act and the rules to be framed thereunder" will continue to cover topics such as "Sensitive Personal Information", "harm to the data principal" and "personal remedy" under different provisions of other laws.

Posted in Cyber Law

Nexus between Big Tech and American Deep State

It was earlier known that the American Deep State had access to data gathered by certain Big Tech companies. Now it has been confirmed by Mr Mark Zuckerberg of Meta that the Big Tech companies were actually partnering with the American Deep State in its nefarious anti-democratic activities.

This development has created a new Risk Profile for the users of Technology when they handle their data through the proprietary software of the US Big Tech. It cannot be ruled out that the same companies are also big influencers of Indian Big Tech Companies and their industry associations.

We have discussed earlier the transformation of CIBIL from an Indian company into TransUnion, a US company, and how it resulted in billions of sensitive financial transaction records of Indians falling into the hands of foreign agencies. A similar situation has arisen in the IT industry, where today Indian data in its totality is under the control of Microsoft, Google, Meta and perhaps many more companies.

MeitY has a close relationship with these US Big Tech companies and with the industry associations in which they wield enormous influence. Just as USAID funds have influenced political interests in India, the US Big Tech companies have been influencing our Government's decisions, including the delaying of the notification of DPDPA 2023.

Naavi.org has repeatedly expressed that it is strange for MeitY to call these Big Tech companies to closed-door discussions on framing the DPDPA Rules when the same companies are in the courts opposing the Intermediary Guidelines and other notifications. This practice must stop forthwith. MeitY should stop calling Big Tech, as well as their proxies in India, to confidential consultation meetings whenever critical laws and rules are made for the IT industry.

After the disclosures by Elon Musk and DOGE in the USA, it is time for the Indian Government to also rejig its machinery, create a DOGE-India and expose the commercial influencers who are lobbying on Government policies.

It is also time for the Indian Judiciary to rise above suspicion of being supportive of anti-Government lobbying by Big Tech in cases involving ITA 2000 or, in future, DPDPA 2023. The CJI should review why decisions are being endlessly delayed in the case of the Intermediary Rules. Apart from the WhatsApp/Meta case, which is with the Delhi High Court, the recent case on Credit Rating Agencies is another instance which requires a watch by the CJI.

It is time we in India learn a few tricks from Mr Donald Trump on how to control corruption in high places and take quick and bold action.

Naavi

P.S.: I was just listening to an interview of Sanjay Sanyal (an advisor in the PMO?) with News 18, who was pointing out how the health data of Indians was being controlled by an organization (NFHS) funded entirely by USAID and was delinked some time back. The case of CIBIL-TransUnion, Equifax etc. is also similar, where US companies are taking control of Indian consumer financial data. I hope this is brought before the Delhi High Court hearing the case.

Posted in Cyber Law

Cognizant Accuses Infosys of Trade secret theft

The dispute between Cognizant and Infosys over the alleged trade secret theft has now reached a court in Dallas. Though the media are calling it "trade secret theft", it appears to be plain data theft and not an IPR issue.

The accusations stem from unauthorized access to the Facets and QNXT platforms of TriZetto, which Cognizant alleges Infosys used to extract proprietary information for its benefit.

It is unfortunate that two well known Indian software companies are fighting in US courts and sullying the image of the country. They could ideally have used the mediation route to resolve their issues rather than washing their dirty linen in public.

Naavi

Posted in Cyber Law

Deccan herald’s Bengaluru 2040 Summit

Deccan Herald, the leading native English daily from Bengaluru, is hosting the prestigious Bengaluru 2040 Summit today at JW Marriott, Vittal Mallya Road. This invitee-only event is expected to see the participation of several ministers of Karnataka besides many industry guests.

One of the discussions during the day would be on measures required to “Prevent Cyber Crimes in Bengaluru” particularly in the emerging technological developments.

The undersigned is privileged to be an invitee to this panel. In this context, I would like to share some of my thoughts on the topic here as a background to the ensuing discussion.

In the last 25 years of the existence of ITA 2000, we have made very slow progress in understanding technology crimes and bringing them under the hammer of justice. Initially it was the inexperience of the Police, and later the difficulty of successfully presenting digital evidence to the satisfaction of the Courts. The Courts themselves needed decades to understand digital evidence and how to interpret it in "criminal jurisprudence". Even today we are not confident that in all cases the Police and the Courts will present their cases properly to enable conviction in a court of law for technology related crimes.

While most discussions on the prevention of Cyber Crimes start and end with "creating awareness", we must accept that "awareness is necessary but not sufficient".

I consider that the following aspects need attention on a priority basis.

✓Lack of accountability of Software Developers who release immature software products with bugs

✓Lack of responsibility of deployers who deploy software without assuming accountability for the adverse consequences, particularly when the software comes with the tag "AI"

✓Lack of commitment from the Government, Judiciary and Police to regulating the Darkweb and private crypto currencies like Bitcoin, which are the lifeblood of Cyber Crimes

✓Lack of cooperation of Intermediaries during Cyber Crime investigation

We need to address these issues at all levels to honestly find a path to salvation from Cyber Crimes. If every intermediary regulation is challenged in court, and the Courts are happy to place a stay on every progressive regulatory notification at the drop of a hat, we will not make any progress. India will continue to be a hub of global crime, and Bengaluru, being the Silicon City, will also be the capital of global cyber crime.

In this context we can look at DPDPA 2023 as an attempt to enlarge the regulation where the "Intermediary Guidelines" under ITA 2000 have failed, by increasing the possible civil penalty for data consuming companies and their associated Data Processors to Rs 250 crores and beyond.

While the role of Adjudicators and criminal prosecution under ITA 2000 may continue to remain a remedy for personal victims of data breaches under DPDPA 2023, and sections of ITA 2000 such as Sections 43, 65, 66B, 66C, 66D, 66E, 67C, 69, 69A, 69B, 70, 70B and 72A will continue to remain relevant and work along with DPDPA 2023 and the inquiries under the Data Protection Board, there is a need to bring the Adjudicators and Police, who are now tuned to ITA 2000, up to date with DPDPA 2023.

The Judiciary also needs to absorb the new Cyber Crime jurisprudence into its practice, but improvements here can only come from within the Judiciary and will take a long time.

It is important to recognize that the concept of "due diligence" under Section 85 and Section 79 of ITA 2000 now has a new, elaborate explanation in DPDPA 2023, which should be taken note of in any case involving "data" and in all Cyber Crimes against individuals, where "personal data breach" is always one of the causes.

Currently the laws have not been used effectively to choke the Cyber Crime economy, since the Dark Web and the private crypto currency systems have been neither regulated nor dismantled. The reasons are many, but the intention is lacking at all levels.

The future of Cyber Crime will be dictated by developments in AI and Quantum Computing, and unless proper steps are initiated today we will allow the development of "Dark AI" supporting the Dark Web and making it darker. The goal of criminals is to make the entire web "dark" by applying AI and privacy laws in conjunction, to ensure that no criminal is detected by any law enforcement agency. If we do not recognize this heinous design and take appropriate techno-legal measures, the future of the digital society looks gloomy.

Naavi

Posted in Cyber Law