Naavi.org

A few days back honourable Chief Justice of India made a statement addressing the Government of India….”Take appropriate action…or else we will have to take action…”.

The concern was well appreciated since the incident was disgusting. Similar incidents happened earlier in West Bengal and Rajasthan but they were Congress/TMC ruled states and hence everybody was confident that the state is in safe hands where as Manipur state Government is with BJP and hence it needed to be criticised. We accept this as the norm of India.

But it cannot be said that the comment of the CJI was appropriate and the Supreme Court could threaten the Government. Did the threat imply that the Supreme Court would dismiss the Central Government? Could it impose its own Court monitored rule on Manipur? Could it order the arrest of Manipur CM for dereliction of duty? Could it censure Mr Amit Shah the Home Minister.. ?

Obviously in India, it is not possible for the Courts to impose emergency. The Supreme Court can only validate the emergency imposed by persons like Indira Gandhi and as long as history recognizes that Indira Gandhi imposed emergency, we also need to recognize that the Supreme Court validated the declared emergency.

Despite the ability to assume powers to re-write constitution even by a split verdict, Supreme Court should consider itself to be answerable to the people of India and has to respect the Parliament as the voice of the people. Supreme Court can also allow a system of national referendum over such issues where the Supreme Court differs with the Parliament so that people can express their views.

Following this development, Mr Badri Seshadri a senior citizen in Chennai (If I remember right, he founded Cricinfo.com which was later taken over by ESPN) was interviewed by a You Tube channel in which he commented

“The SC has said that if you cannot do anything, we will. Let’s give a gun to Chandrachud and send him there. Let’s see if he can restore peace.”

Based on a complaint made by a lawyer Kaviyarasu of Kadur Village, Badri Seshadri was promptly arrested and the Magistrate remanded him to 11 days Judicial Custody.

I am not sure if Badri Seshadri can be called a serious Political commentator as has been described by the media and the comment made by him was worthy of being considered an offence under Sections 153 (wantonly giving provocation with the intention to create riot), 153 A (promoting enmity between different groups on grounds of religion, race, place of birth, residence, language etc and doing acts prejudicial to maintenance of harmony and 505 1(b) (with intent to cause or which is likely to cause, fear or alarm to the public) of the Indian Penal Code.

One will need extraordinary genius to interpret these sections and fit it into the statement made by Mr Badri.

It is obvious that the Police wanted to place Mr Badri in jail for some reason and used this excuse. This is gross violation of the power of the Police to cause arrest. If the comment is considered “Defamatory” to the CJI, the CJI should have instituted a “Contempt of Court Proceedings” and not allow cases to be booked under Sections 153, 153A etc. Where is an intention to create riot or promote enmity between different groups etc? only God and Tamil Nadu Police and the Magistrate knows.

I am reminded of the Palghar incident some time back where two Muslim girls were arrested by the Shivasena led Government for “Clicking the Like Button” on Face Book about a post on deceased Bal Thackeray. At that time the whole country was up in arms against the arrest and ultimately the Supreme Court changed the law itself to express its displeasure on the arrest.

Now we have a similar situation here and the matter is closer to the Supreme Court since the defamation of CJI is the cause of the arrest.

As long as Justice Chandrachud remains silent on the arrest, it means that he endorses the arrest. When he can take Suo moto cognizance of violence in Manipur, summon Tushar Mehta ,demand action from the Government and threaten dissolution like action, can he not at least make a statement whether the arrest of Badri is a violation of the “Freedom of Speech” or not? This case should be considered as a personal case in which CJI is interested and hence his action or in-action will be deemed to communicate his views.

This is not just an issue which the BJP in Tamil Nadu should fight. This is an issue where Police are interpreting the law to their own convenience and the Judiciary by its selective silence encouraging such action. People like Prashant Bhushan and Kapil Sibal may not come in to defend when an ordinary citizen is wronged though they may happily walk in other cases. It is a national issue to be fought by all who respect or claim to respect Freedom of Speech.

I therefore request honourable chief justice of India, Mr D Y Chandrachud to react to the arrest and either lodge his own Contempt complaint or demand that the FIR be withdrawn.

In the meantime the Madras High Court should take Suo Moto cognizance of the illegal arrest and provide relief. Even the DGP of Tamil Nadu can perhaps intervene and set things right if he wants.

While the investigation may continue even against the sections the Police have filed, at least the Court can order immediate release of Mr Badri under bail since we know that Courts give bail in many terror cases also without battling its eyelid. There is no investigation to be done by keeping the accused under arrest when the you tube video is available in the public.

If Democracy in India is under threat, it is these incidents that have to be noted as the incidents of murder of Democracy. I wish there was a national referendum on issues like this so that people’s views could be taken before Police excess being committed against citizens of the country.

I wish the New York times the terrorist friendly journalists of Wire and other similar journals some of them are in the heart of Chennai respond fairly to this incident or accept the criticism that they are all George Soros funded members of the Tukde Tukde India gang.

Naavi

Recently two judgements were reported from abroad one on a Canadian Court considering the Emoji Thumbs up as a digital signature, another where a victim of an identity theft was adjudged guilty of Trademark infringement. To this I would like to add a Supreme Court reference on Crypto Currency related crimes. I would like to place some comments on all these three Court incidents for better clarity of where the Judiciary is heading.

In the Canadian Case a farmer replied to a message with a thumbs up emoji and the Court held that it was an agreement to a sale contract and ordered the farmer to pay $61442 as compensation for default.

Some time back the Madras High Court in the case of S V Shekar case had expressed an opinion that “Forwarding” a message in social media is equivalent to endorsing the content of the message.

This kind of view was also expressed by the Supreme Court in the Shreya Singhal case where it accepted that “Clicking the Like button” on the FaceBook was equivalent to endorsing the message and hence the Police were right in arresting the Palghar girls but the law was wrong. (Section 66A was considered wrong and not the action of the Police arresting the girls for clicking the like button).

There has also been an earlier instance of a Court (probably in HP) which considered a whatsApp message as an adequate notice and “Blue Tick” as an acknowledgement.

In all these cases the Judges were wrong since there should be a “Meeting of Minds” when some action is to be construed as a contractual or malicious action. The judges were more interested in showcasing their expertise in IT. Judgements in US which use ChatGPT to come to judicial decisions also fall into this category of “TRP” oriented judgements and has to be condemned by right thinking persons in the society.

While we object to children being addicted to Google and forgetting their human strengths, these judges are showing their addiction and abject surrender to technology, abdicating their judicial responsibilities.

The Second instance was regarding the Australian Woman who was convicted ex-parte by the US Courts for trademark violation. The lady, Ms Luke was a victim of a hacker who stole her password for Paypal and used the account for collecting fraud proceeds. Adidas and National Basketball association filed cases claiming damages and damages of $293000 and $1.5 million were awarded against the lady in favour of NBA and Adidas respectively. The Courts gave this judgement against an Australian Citizen and as an ex-parte judgement.

I wonder whether it is possible to respect Courts with such judgements.

Today’s Hindustan Times reports that in a case the Supreme Court has questioned the Government why there is still no law on Crypto and why a separate investigation agency is not created for Crypto offences.

While it has become a habit for the Supreme Court to make comments for the Press to report in headlines particularly if the comment is against the Government, it must be noted that it was the Supreme Court which prevented the Union Government from making a suitable legislation by its judgement on a RBI circular.

Readers of Naavi.org are aware of the fight it has carried on against Bitcoins and highlighting the “Bollywood Judgement” of the Supreme Court. In this judgement, the Supreme Court came down heavily on the RBI for issuing a letter restricting the Crypto Exchanges from dealing with Indian Banks. The Supreme Court gave a clear indication that it was supporting the Bitcoin and wanted to give the exchanges time to continue their activities of cheating the public. This had such a chilling effect on the RBI and the Government that there is a complete silence on the legislation of private crypto currencies.

The Supreme Court is directly responsible for all the losses the innocent Crypto users are suffering today out of crimes involving Crypto exchanges. Shedding crocodile tears today is hypocritical.

I wish the Courts everywhere display a greater sense of responsibility when it comes to the use of technology. Already “Fraud GPT” malicious chatbot is available for sale in darkweb and if Supreme Court has identified the need for a separate investigating agency for Crypto Crimes, they need to also suggest a separate investigating agency for AI crimes.

Courts should nudge the Government for appropriate legislation on AI and emerging technology rather than passing caustic remarks for the benefit of the news agencies to report with eye catching headlines.

Naavi

The new draft of the Digital Personal Data Protection Bill 2023 as to be tabled in the Parliament has been released by the Standing Committee on IT headed by Shiv sena MP Mr Prataprao Jhadav.

A Copy of the bill is available here

According to the report in ET, several opposition MPs walked out of the meeting of the Parliamentary Standing Committee on IT that adopted the report. Seven MPs including Congress’s Karti Chidambaram, TMC’s Mahua Moitra and Jawahar Sircar, CPI’s John Brittas and TDP’s Jayadev Galla opposed the draft. The objections which appear to be adhoc were on the provisions of the Data Protection Board and the RTI.

The provision on RTI has been discussed earlier. The changes that has been brought on the Data Protection Board are more in accordance with the earlier draft PDPB2019/DPA2021 and are an improvement over the interim draft of DPDPB 2022.

The more controversial Section 17 (Cross Border Transfer) and Section 18 (Exemptions/Legitimate interest) has been modified. Some changes in the “Deemed Consent” provision are also observed.

It is observed that the restrictions of any on the cross border transfer of data will be notified later. In the meantime any existing provisions of the law which could be stricter will remain in force. It is not clear if the RBI’s data localization notification can be considered as a law in this regard.

The full impact of the changes will be discussed in these columns subsequently.

We welcome the introduction of this version of the Bill and hope it will get passed soon.

Naavi

ISO 27701 was published on August 6, 2019 as an extension of ISO 27001:2013. It was a framework for management of Privacy of Personal data and included requirements for Privacy Risk Assessment, Privacy Impact Assessment, Data Protection Impact assessment and Privacy by Design.

It identifies PII controllers and PII processors as two categories of organizations which process Personal Information and PIMS (Personal Information management System) as a System within an ISMS system.

For certification purpose, only ISO 27001 is considered the Certification standard and ISO 27701 is considered a guidance document. Hence for any organization whose PIMS needs to be certified under ISO 27701, they need to be also compliant with ISO 27001 and certified for “ISO 27001 with extension of ISO 27701”.

ISO 27001:2022 is itself considered a “Privacy” related standard and under Annex A 5.34 states ” The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements”. Hence ISO 27001:2022 certification requires a consideration of the applicable law and its requirements. Hence ISO 27701 can only be a guidance. But it would be more appropriate if a new version of ISO 27701:2019 is released since the current version to which it is mapped is ISO 27001:2013.

Before ISO 27701 was published there was already another privacy standard ISO 29100 (2011) and also ISO 27018 (2014/2019). ISO 29100 is a framework that defines basic privacy terminology, defines roles of different organizations and contains a list of 11 Privacy principles. ISO 27701 makes a normative reference to ISO 29100. ISO 27018 is a PIMS framework and applicable only for PII processors. We can now consider ISO 27701 as a more comprehensive PIMS framework and applicable for both PII controllers and PII processors.

Additional PIMS requirements that ISO 27701:2013 requires as an extension of ISO 27001 are as follows:

Under Clause 5 the ISO 27701 provides PIMS specific requirements appropriate to an organization acting either as a PII Controller or a PII processor.

Clause 6 gives the PIMS specific guidance acting as either a PII Controller or PII Processor.

Clause 7 and 8 gives additional ISO 27002 guidance for PII Controller and Processor respectively.

In ISO 27002, PIMS specific guidance is found in clauses 5,6,7,8,9,10,11,12,13,14,15,16 and 18.

The additional control objectives and controls introduced for a PII Controller in the annexe 7.2 are to determine and document that processing is lawful, with legal basis as per applicable jurisdictions and with clearly defined and legitimate purposes.

Under this control guidance is provided through sub controls for determining the legal basis, obtaining consent, conduct of privacy impact assessment, security of PII etc.

Clause A.7.3 is the next additional control with the objective to ensure that the PII principals are provided with appropriate information about the processing of the PII and to meet any other applicable obligations to PII principals related to the processing of their PII.

Under this Controls for protecting the rights of PII principals such as providing information , right to withdraw consent, right to erasure etc.

Clause 7.4 addresses the objective of ensuring that the processes and systems are desgned such that the collection and processing are limited to what is necessary for the identified purpose, by default.

Clause 7.5 addresses PII sharing, transfer and disclosure which includes cross border transfer requirements.

Table B provides similar guidelines applicable to Data Processors.

Thus ISO 27701 extends ISO 27001 to cover controls identified with Privacy protection as per laws such as GDPR. The annexures also provide mapping with different aspects of GDPR.

Though ISO 27701 does not directly address the needs of the Indian requirement like what PDP CMS does, since the principles of privacy covered in the ISO 27701 are similar to any other data protection laws, ISO 27701 can be used along with ISO 27001 for an ISMS-PIMS establishment along with a well constructed Statement of Applicability.

A Russian ransomware gang CLOp has reportedly been exploiting a zero day vulnerability in a secure file transfer software called MOVEit and has reportedly affected hundreds of businesses in UK and USA.

Moveit is a managed file transfer software product produced by Ipswitch,inc which encrypts files and uses FTP or SFTP protocols to transfer data. According to wikipedia, a stable release of the software is dated 2019. The program is used by many organizations including PWC, E& Y, BBC, Shell, British Airways, Boots, Zellis and several government agencies such as U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the Minnesota Department of Education, the Novia Scotia government etc.

It is surprising that the vulnerability remained undetected and unpatched showing the lack of security oversight in the software product industry worldwide. Though thousands of high profile companies used the software, it is surprising that no audit had brought out the security vulnerability.

The attack has rightly renewed the call for holding the software developers legally responsible for lack of “Reasonable Security”. Under the Indian law, if the software supplier contract is a “Service Contract”, the software company may be liable as an “Intermediary”.

If it is an outright sale, then the software developer may claim transfer of responsibility on the basis of “As is Where Is” sale contract. However reasonable disclosure of the product vulnerabilities or alternatively an access to code audit is essential for the software supplier to escape full liability as an “Intermediary” under ITA 2000.

Naavi has always advocated such a liability and as a measure of better security and it appears that Whitehouse’s National CyberSecurity Strategy has also called for similar measures.

Speaking on behalf of the software developers, Naavi has advocated that apart from the reasonable efforts at testing before a “Stable Release”, every developer should mandatorily run a “Bug Bounty Program” and try to continue the testing in the public space with a reward program implemented fairly. This is a compliance measure included in the now increasingly appreciated PDPCSI (Personal Data Protection Compliance Standard of India), a framework of compliance designed by Naavi and implemented by FDPPI in its certification audits.

We may also highlight that this software MOVEit may be classified as an “Automated Personal Data Processing Software” and hence use of the software was subject to regulations like GDPR. Compliance in such context required a DPIA by the user organization and a requirement of an assurance certificate from the licensing organization.

It is now the turn of GDPR supervisory authorities to question the users of MOVEit and demand payment of penalties for not conducting DPIA when they started using the software.

According to securityweek.com the company has now started releasing security patches which will apply necessary changes to Moveit transfer and Moveit Automation, the two products affected by the vulnerability.

One of the vulnerability patched is a SQL injection vulnerability that allows an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. Using this vulnerability, an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

The patches also covered multiple high-severity Progress MOVEit Transfer vulnerabilities that allowed authenticated attackers to gain unauthorized access to the MOVEit Transfer database. where by an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

Security investigators in KROLL have reported details of the codes exploited by the hackers and indicate that over the course of approximately 14 minutes, threat actors were observed exploiting a MOVEIt web server, dropping a web shell, establishing connections to the web shell, and initiating automated data enumeration and exfiltration preparatory steps. They also noted that there were no active user sessions created in the table, no log entries and no unusual activity appearing within the MOVEit logs. At the end of the 14 minutes, a new threat actor IP address established a web shell connection and what followed for the next several hours were several thousand GET and POST requests which, when overlayed with the available firewall logging, indicated several large volumes of data being transferred to the new IP address.

Kroll observes that because of the exfiltration method used, it can be missed during initial forensic investigation. However the organizations need to carefully observe the GET and POST requests executed and if any uptick is observed, additional measures triggered to confirm the malicious activity.

The lessons that Privacy professionals should take from the incident are

a) Document an assurance from all software suppliers that they have undertaken reasonable measures of testing and the installed version is free from zero day vulnerabilities.

b) Conduct and document a DPIA when new software products/services are used

c) Initiate a “Exfiltration Watch” which observes any accelerated activity and raise alarms as a part of the Data Leak Prevention strategies.

Software developers need to revise their testing process to stand the test to be called “Reasonably rigorous” and support by continued bug bounty program”.

Buyers of software need to review the contracts to see if they have a Code review option or an indemnity against zero day vulnerabilities or at least an insurance back up.

Naavi

Comments welcome

Also Refer:

Bug Bounty Policy as part of Corporate Governance Responsibilities

various articles at naavi.org

More details on the attack

In the series of articles so far, we have discussed the Scope of ISMS under ISO 27001 as well as the Leadership requirements and some aspects of Planning.

In this article let us list out all the requirements specified under Clause 6 of the standard documentation related to “Planning”.

Under this clause, the document specifies

6.1: Actions to address risks and opportunities

6.2: Information Security objectives and planning to achieve them

6.3: Planning of changes

Under 6.1, the organization shall make an assessment of the risk, establish a risk acceptance criteria, how the risks can be addressed. Planning should also cover actions required for continual improvement and also address “Opportunities”. The mention of “opportunities” indicates that we need to plan with a “Risk-Reward” perspective so that implementation of ISMS does not adversely conflict with the business development. For treating the risk, efforts shall be made to make use of the controls suggested in Annexe A. Apart from detailed planning with responsibility assignment, resources etc, the ISMS needs to recognize the possibility of changes and how they are to be handled.

In providing “Support” for the planned activities, it is necessary to ensure that the organization shall determine the competence of the people assigned with specific roles and retain appropriate documented information as evidence of competence. It is also necessary to build appropriate awareness across the organization with appropriate internal and external communication policies. The activities shall be properly documented and updated and an appropriate document control system shall be adopted so that reference would be facilitated.

Under clause 8 on “Operation”, the standard document requires an operational planning and control system to be developed including the schedule for periodical changes.

It is interesting to note that clause 9 of the standard speaks about the need for measuring the effectiveness of the ISMS implementation. Most of the time this is ignored in implementation since there is no clear template for the same.

In this context we may appreciate that PDPCSI specifies the Data Trust Score (DTS) system and FDPPI has developed a specific suggested mechanism for evaluating the maturity of PDPCMS through a DTS number. A similar approach can be extended to the ISMS also if the DPCMS is used as a framework.

ISO 27001:2022 also requires an established internal audit programme as well as a management review and corrective action.

Lastly the standard document specifies that the ISMS must focus on “Continual Improvement” .

The 10 clauses of the standard document are supported by the 93 controls in the Annexe A, which has been drawn from ISO 27002 which needs to be referred for detailed explanation of any of the Annexe items.

We shall try to review these 93 control items in subsequent articles.

Naavi