Re-skilling from IT to Data Protection

“Disruption” is a word familiar to the technology world. Several technology developments have disrupted several industries in the past. At that time we welcomed the development as part of the innovation trend. Now Artificial intelligence, the Open-ai project is having its impact on making many jobs in IT redundant. In particular, Coding professionals are finding that their functions are being efficiently replaced by GPT3 tools.

As a consequence of these developments many IT professionals are being laid off. Those working in Amazon, Microsoft are the recent sufferers of this development though this is an industry wide disruption.

In a way the “Bhasmasura” effect of technology development is showing its uglier side effects.

While the debate on whether this is a short term phenomenon or whether the employees can re-skill themselves into new jobs that may be created in the AI itself is a debate for the future.

At present, we would like to provide some support to the community by providing opportunities to enable some of these IT professionals to gather additional knowledge and skills in the field of Data Protection.

Accordingly Cyber Law College will be planning a DPO training program at a concessional fee structure for a limited time. This will prepare IT aware professionals to be able to understand the requirements of data protection and move into the Data Audit domain. Initially they can team up with other legal professionals and later develop themselves into independent DPOs or Data Auditors. Some of them can also team up with audit firms and support them with technical skills.

We also expect that some of the Coding specialists may turn into “Code Auditors from Data Protection Perspective.

Please let me have your views in this regard.

Naavi

Posted in Cyber Law | Leave a comment

Take this Data Privacy Pledge as part of International Data Privacy Day 2023

FDPPI is embarking on celebration of the International Data Privacy Day 2023 with a unique project to obtain a “Data Privacy Pledge” from the community.

Those who take the pledge would be issued a certificate as below.

The pledge can be taken at this URL: https://forms.gle/o1jwDf1L3KuDDUd36

The pledge reads as follows:

Pledge of Data Privacy

On the occasion of International Data Privacy Day 2023,  I hereby take a voluntary pledge to uphold the cause of “Privacy as a Human Right” by taking all steps necessary for Protection and Privacy of Personal data which I shall come across in my Professional and Personal life with due regard to the Principles of Fairness and Lawfulness of processing.

In particular:

I shall adhere to the requirement of obtaining informed consent of the data principals whose personal information comes within my control and shall use, disclose such information only as per the choice of the data principal and in accordance with the applicable laws.

I shall adhere to the principle of Minimal and  purpose oriented Collection of personal data and shall ensure that it shall be shared only on a need to know basis.

I shall take necessary steps to stop using personal information if the purpose for which it came into my possession has been completed.

I shall take necessary steps to ensure that the personal data is kept updated from time to time.

I shall not disclose the personal information except as provided under law or in the genuine interest of the individual or the community.

I shall at all times take steps to ensure the security of the personal data from unauthorized access or modification or denial of access for authorized purposes.

I shall take all necessary steps to comply with the data protection law with regard to reporting of data breach or any other requirement of compliance.

I shall endeavor to keep myself aware of the data protection laws and also spread awareness in my organization and with my professional and personal contacts.

CLICK HERE TO TAKE THE PLEDGE

Posted in Cyber Law | Leave a comment

Cross Border Transfer of Data as an International Property issue

“Data” is accepted as an “asset”. “Personal Data” is in practice considered as an “asset belonging to the data subject”, the limited use of which can be transferred to a Data Controller under a contractual arrangement.

In India we consider “Data Subject” as a “Data Principal” and “Data Controller” as a “Data Fiduciary”. We have not gone into defining whether Data is an “Asset belonging to an individual” or a “Right” that can be assigned.

However,  PDPB 2019 referred to “Nomination” of personal data. Though this did not become a law, there are some inferences that can be drawn from the draft provisions that the Government had an intention to consider “Personal Data” as a property that can be bequethed by a written instrument like a Will.

This was possible through a written document since ITA 2000 does not recognize the Will in electronic form. The drafting committee of PDPB 2019 over looked the ITA 2000 and introduced the element of “Nomination” without specifying that a normal “Notice for Consent” given in the form of Privacy Policy in electronic form cannot be used for “Nomination” of Personal data.

However since a written Will (An instruction that will become valid only on the death of the person and will survive the death unlike a normal contract) is possible, “Nomination of Personal Data through a paper based Will is a possibility”.

Naavi had proposed a detailed system for handling the accounts of deceased data principals (earlier articles in this regard are available in this site) in which “Personal Data” was considered as an “Asset” and just like we settle a claim of money lying in the Bank account of a deceased person or more appropriately in the Bank locker of a deceased person, a method was proposed to handle the personal data of the deceased.

In the process Naavi had also proposed that “Unclaimed Personal Data” should be considered as a sovereign property and taken over to the control of a Data Custodian of the Government and not allowed to be left with the Data Fiduciaries. (Again similar to unclaimed Bank accounts etc).

The Government already recognizes some parts of “Non Personal Data” as “Sovereign Asset” and this was part of the recommendations of the Kris Gopalakrishna Committee report. This is an acceptable thought which will be acceptable even in the global scenario though countries including EU have failed to recognize the problem of “Personal Data of Deceased Data Subjects”.

If we therefore consider that for practical purposes “Personal Data” is like any other “Personal Asset”, we come across another issue related to the International Relationship of different countries.

Our laws recognize that the legal response of the Government is dependent on the need to ensure “Sovereignty and Integrity of the country” and “Friendly relations with other countries”.  The data protection law does not however specify clearly the dealing with the “Personal Data” of foreign citizens particularly if it belongs to “Unfriendly countries” or “Enemy Countries”.

If Personal Data is property, then  the Country in which a data subject exercises citizenship rights should be considered as having sovereign rights on the personal data of its citizens.

In case of transfer of personal data for processing to foreign  countries, there could be an issue of the “Property” of a “Citizen” being transferred to the custody of a foreigner.

EU GDPR through the Schrems judgement established a right of EU data subjects (essentially the EU Citizens) to demand that their rights be protected against foreign data processors in the foreign jurisdiction and over ruling the local law. This is consistent with the thought that the Personal Data of a Citizen is indirectly the sovereign data of the Government.

The approach to be adopted by India in DPDPB 2022 to negotiate data transfer countries in the form of Mutual Assistance treaties between countries for determination of “Adequacy” is a pointer in this direction. The contracts like SCC also need to be considered under the International contract law.

While treating “Personal Data” a property of the Citizen and subjecting it to the rules of “Property transfer across borders” is an acceptable proposition, in the context of free movement of data in the cloud storage situation, a doubt occurs if an Indian Cloud owner can store the data of a Pakistan citizen (Though Pakistan is not a declared enemy country, if a war breaks out, such a situation may arise), considering that Pakistan may  not a “Friendly country” under the acceptable definition of the term under the law in India.

Does this mean that an Indian cloud operator is taking on a responsibility to manage the assets that belongs to the Pakistan Government indirectly?

If tomorrow either the Indian Government or the Pakistani Government is unhappy with the way the data has been used, processed or disclosed, can there be a charge from either of the countries that the Company has acted against the sovereign interests of their country?

Suppose due to some negligence or cyber attack the data is destroyed, then can the owner country allege conspiracy to destroy its national asset? or the destination country allege conspiracy to assist a foreign power?

These questions may be in the realms of speculation today. However taking into account the hidden value of the personal data (or any other data), which may include a Crypto Currency or NFT it is difficult to ignore the possibilities of a war breaking out between two countries because the data assets of one country was destroyed or taken over by  another country.

What if a Pakistan or Chinese entrepreneur is managing a Crypto Exchange and its Government nationalizes the company and takes over the data?… The value may run into billions of rupees and more harmful than enemy army taking over some buildings inside our territory.

During the Ukraine conflict, the US Government did impose sanctions that extended to data assets and tried to arm twist foreign Governments to shut TV channels, stop IT services to Russia etc.

As we go forward and the value of data is more and more recognizable, the demand of sovereign rights over personal data will only grow.

Currently  our ITA 2000 nor the DPDPB 2022 does not address this situation.

I therefore request MeitY to consider through a CERT IN guideline to release a notification that

-Processing of Personal Data of citizens of designated countries shall be handled with care and under report to CERT In.

-Such data should be held in a separate custody as  “Foreign Properties of designated countries

-The possibility of a normal data breach becoming a trigger for International dispute needs to be flagged as a “Data Security Risk” with appropriate security measures.

-The  processing of such data of foreign citizens should be also reported to the data protection authority of the data exporting country in addition to the data protection authority/CERT-IN in India.

-If no exemption is provided for Data from being treated as “Property”, then laws applicable to properties of citizens in foreign countries will apply automatically and this has to be factored in as a Cyber Risk factor

I request MeitY/CERT-In to clarify in this matter.

In the current year when India is the Chairperson of G-20, we need to raise this “Handling of Data Transfer across Borders” as not a simple Section 17 -DPDPB 2022 issue or Article 44 of GDPR but as an issue involving transfer of property across borders and work out a resolution for such disputes.

Naavi

(Request for comments)

Posted in Cyber Law | Leave a comment

Kotak Bank Notified as Protected System and Obligations of a Protected System owner

Kotak Mahindra Bank became the Sixth Bank in India to be declared under Section 70 of Information Technology Act 2000 as a “Protected System”.

The Notification was issued on 11th January.

Earlier, following Banks namely ICICI Bank, HDFC Bank, Bank of Baroda, Punjab National Bank and Union Bank of India, have been notified similarly along with the Systems of NPCI. UIDAI and Tetra Secured Communication System Network of NCT Delhi had earlier been also notified.

These notifications are not notifications of a routine nature and will fundamentally change the Information Security Systems Management in these entities as indicated by the following.

Section 70 of ITA 2000 is reproduced here:

Protected system (Amended Vide ITAA-2008)

(1)The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which , shall have debilitating impact on national security, economy, public health or safety.
(Substituted vide ITAA-2008)

(2)The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)
(3)Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

The rules for the Information security practices  to be followed by Protected Systems were notified vide Gazette Notification of  22nd May 2018  which will now apply to all these systems declared as “Protected”.

According to Rule 3 of the said notification, the following will be an obligation of all these protected systems:

3. Information Security Practices and Procedures for “Protected System”.

(1)(a) The organisation having “Protected System” shall constitute an Information Security Steering Committee under the chairmanship of Chief Executive Officer/Managing Director/Secretary of the organisation.

(b) The composition of Information Security Steering Committee(ISSC) shall be as under:

(i) IT Head or equivalent;
(ii) Chief Information Security Officer (CISO);
(iii) Financial Advisor or equivalent;
(iv) Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
(v) Any other expert(s) to be nominated by the organisation.

(2) The Information Security Steering Committee (ISSC) shall be the apex body with roles and responsibilities as follows: –

(a) All the Information Security Policies of the “Protected System “shall be approved by Information Security Steering Committee.
(b) Significant changes in network configuration impacting “Protected System” shall be approved by the Information Security Steering Committee.
(c) Each significant change in application(s) of the “Protected System” shall be approved by Information Security Steering Committee.
(d) A mechanism shall be established for timely communication of cyber incident(s) related to “Protected System” to Information Security Steering Committee.
(e) A mechanism shall be established to share the results of all information security audits and compliance of “Protected System” to Information Security Steering Committee.
(f) Assessment for validation of “Protected System” after every two years.

(3) The organisation having “Protected System” shall

(a) nominate an officer as Chief Information Security Officer (CISO) with roles and responsibilities as per latest “Guidelines for Protection of Critical Information Infrastructure” and “Roles and Responsibilities of Chief Information Security Officers (CISOs) of Critical Sectors in India” released by NCIIPC;
(b) plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of the “Protected System” as per latest “Guidelines for Protection of Critical Information Infrastructure” released by the National Critical Information Infrastructure Protection Centre or an industry accepted standard duly approved by the said National Critical Information Infrastructure Protection Centre;
(c) ensure that the network architecture of “Protected System” shall be documented. Further, the organisation shall ensure that the “Protected System” is stable, resilient and scalable as per latest National Critical Information Infrastructure Protection Centre “Guidelines for Protection of Critical Information Infrastructure”. Any changes to network architecture shall be documented;
(d) plan, develop, maintain the documentation of authorised personnel having access to “Protected System” and the same shall be reviewed at least once a year, or whenever required, or according to the Information Security Management System(ISMS) as suggested in clause(b);
(e) plan, develop, maintain and review the documents of inventory of hardware and software related to “Protected System”;
(f) ensure that Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of “Protected System” shall be carried out at least once a year. Further, Vulnerability/Threat/Risk (V/T/R) Analysis shall be initiated whenever there is significant change or upgrade in the system, under intimation to Information Security Steering Committee;
(g) plan, establish, implement, operate, monitor, review, and continually improve Cyber Crisis Management Plan (CCMP) in close coordination with National Critical Information Infrastructure Protection Centre;
(h) ensure conduct of internal and external Information Security audits periodically according to Information Security Management System(ISMS) as suggested in clause (b). The Standard Operating Procedure (SOP) released by National Critical Information Infrastructure Protection Centre (NCIIPC) for “Auditing of CIIs/Protected Systems by Private/Government Organisation” shall be strictly followed;(i) plan, develop, maintain and review documented process for IT Security Service Level Agreements (SLAs). The same shall be strictly followed while designing the Service Level Agreements with service providers;
(j) establish a Cyber Security Operation Center (C-SOC) using tools and technologies to implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats. In addition, Cyber Security Operation Center is to be utilised for identifying unauthorized access to “Protected System”, and unusual and malicious activities on the “Protected System”, by analyzing the logs on regular basis. The records of unauthorised access, unusual and malicious activity, if any, shall be documented;
(k) establish a Network Operation Center (NOC) using tools and techniques to manage control and monitor the network(s) of “Protected System” for ensuring continuous network availability and performance;
(l) plan, develop, maintain and review the process of taking regular backup of logs of networking devices, perimeter devices, communication devices, servers, systems and services supporting “Protected System” and the logs shall be handled as per the Information Security Management System(ISMS) as suggested in clause (b).

Further, the Roles and Responsibilities of “Protected Systems” towards National Critical Information Infrastructure Protection Center (NIIPC)  is defined as follows under Rule 4.

(1) The Chief Information Security Officer (CISO) shall maintain regular contact with the National Critical Information Infrastructure Protection Centre(NCIIPC) and will be responsible for implementing the security measures suggested by the said National Critical Information Infrastructure Protection Centre(NCIIPC) using all available or appropriate ways of communication.
(2) The Chief Information Security Officer (CISO) shall share the following, whenever there is any change, or as required by the National Critical Information Infrastructure Protection Centre (NCIIPC), and incorporate the inputs/feedbacks suggested by the said National Critical Information Infrastructure Protection Centre (NCIIPC):-
(a) Details of Critical Information Infrastructure (CII)declared as “Protected System”, including dependencies on and of the saidCritical Information Infrastructure.
(b) Details of Information Security Steering Committee (ISSC) of “Protected System”.
(c) Information Security Management System (ISMS) of “Protected System”.
(d) Network Architecture of “Protected System”.
(e) Authorised personnel having access to “Protected System”.
(f) Inventory of Hardware and Software related to “Protected System”.
(g) Details of Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of “Protected System”.
(h) Cyber Crisis Management Plan(CCMP).
(i) Information Security Audit Reports and post Audit Compliance Reports of “Protected System”.
(j) IT Security Service Level Agreements (SLAs) of “Protected System”.
(3) (a) The Chief Information Security Officer (CISO) shall establish a process, in consultation with the National Critical Information Infrastructure Protection Centre (NCIIPC), for sharing of logs of “Protected System” with National Critical Information Infrastructure Protection Centre (NCIIPC) to help detect anomalies and generate threat intelligence on real time basis.
(b) The Chief Information Security Officer shall also establish a process of sharing documented records of Cyber Security Operation Center (related to unauthorised access, unusual and malicious activity) of “Protected System” with National Critical Information Infrastructure Protection Centre(NCIIPC) to facilitate issue of guidelines, advisories and vulnerability, audit notes etc. relating to “Protected System”.
(4) (a) The Chief Information Security Officer (CISO) shall establish a process in consultation with National Critical Information Infrastructure Protection Centre (NCIIPC), for timely communication of cyber incident(s) on “Protected System” to the said National Critical Information Infrastructure Protection Centre (NCIIPC).
(b) In addition, National Critical Information Infrastructure Protection Centre’s latest Standard Operating Procedure (SOP) on Incident Response shall be strictly followed in case of cyber incident(s) on “Protected System”.

As a result of these notifications the infrastructure of major Banks in India will come under the direct supervision of the CERT In.

The other implication of these notification is that any “Attempt” to access these systems other than what is allowed under the notification (any designated employee or authorized team member of a contractual managed service provider etc) will invoke the offence under Section 70 with a possible imprisonment of upto 10 years.

In view of the above, all consultants working with such Banks has to ensure that they have a proper signed authorization letter from an appropriate official (CISO) before they access any CBS, RTGS, NEFT, SMS, systems.

We can presume that systems to be accessed by customers are excluded from the above.

It is still surprising why SBI is still not notified even though they are the largest Bank in India.

Naavi

Posted in Cyber Law | Leave a comment

e-Sports and Online Gaming

In the recent days, Government of India came up with two notifications related to electronic gaming which needs to be taken note of.

E Sports

The first is the Gazette notification declaring e-Sports as a part of “Multi Sports Events” in the Ministry of Youth Affairs and Sports.

E-Sports is a form of competitive video gaming in which players or teams compete against each other. Globally many e-sports competitions do take place with good prize tags. One such popular  annual tournament is Dota 2 with a prize pool of $30 million. League of legends is another annual tournament. Fortnite world cup had a prize pool pf $100 million in 2020,Similarly, Overwatch world cup and Evolution Champion series are other examples of global e-sports competitions that happen from time to time.

In many countries, national sports authorities have started organizing such games and the trend appears to be growing.

Most of the online games that are presently played are shooting games and involve violence and fighting. The current tournaments are all such battle games which encourage a future society of  violence. It is no surprise that recently a 6 year old boy in Virginia shot his teacher and caused life threatening injury. Such incidents clearly indicate that the violent online games create an undesirable culture of violence in the society which we should guard against.

While Online gaming is a huge industry and the private sector would like it to be recognized, Government authorities need to be careful in encouraging such anti societal addictive forms of games.

Instead, the e-Sports authority should work with the gaming industry to develop other games that donot encourage violence and bad behaviour. Apart from “Chess” which is such a classic game amenable for online activity, fantasy versions of popular games such as Cricket, Football and Hockey can also be encouraged.

Card games like Rummy are already on the game parlours along with purely speculative games like Poker. Other skill based card games such as Bridge, “Twenty Eight” etc can also be converted into tournament games. They are also habit forming and perhaps even amenable to betting but are not as harmful as the shooting games in changing the psychology of children.

Additionally, traditional Indian games such as  Carrom, and even Chinni-Dandu or wrestling have the potential of being encouraged into tournaments that can be conducted by the National e-Sports authority.

Notification on Online Gaming

While encouragement of e-Sports in one of the recent developments, simultaneously the Government of India has brought out a “Draft Notification” on Gaming control under the Intermediary regulations as an amendment.

While many in the industry have remained silent on the e-Sports notification, there are severe criticisms on the draft rules for Online Gaming .

Encouraging e-Sports has to be happen along with the control on the misuse of online gaming and hence the two regulations have to be considered together.

The Online gaming control appears to address the concern on online betting and the use of “Online gaming money” as a store house of “Black Money”.  Hence the main regulation is on “KYC” of the registered users on par with online Banking apps.

This is essential since most of the Game Money is linked to “Crypto Currency” and hence would be used to park black money by creating multiple users and holding lacks of rupees of game money in each of the accounts so that Black e-money can economy can thrive.

The copy of the “Draft Guidelines” is available here:

The guideline defines an online game as a “game with the expectation of earning winnings”.

It also modifies the Intermediary guidelines of 2021  to include the online gaming content providers as “Intermediaries”.

Under Rule 1(b) of the Intermediary rules, it was earlier stated that -the rules and regulations, privacy policy or user agreement of the intermediary shall inform the user of its computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that…

(ix) contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource;

This clause has now been proposed to be modified as under

(ix) is in the nature of an online game that is not in conformity with any law for the time being in force in India, including any such law relating to gambling or betting or the age at which an individual is competent to enter into a contract;

(x) violates any law for the time being in force;”;

The above modification indicates that if the game violates any law for the time being in force, it shall be prohibited.

The rules however mandate that the hosting intermediary shall ensure that the online game shall be registered with a self regulatory body which shall be the control on evaluation of a game as  “Harmful” or not.

The guidelines also recognize  the possibility of the gaming company holding “Deposits” and not refunding it to the players and proper disclosures regarding the same.

The online gaming intermediary are also required to  prominently publish on its website, mobile based application or both, a random number generation certificate and a no bot certificate from a reputed certifying body for each online game offered by it, along with relevant details of the same. This is important to prevent frauds commonly indulged in by the gaming platforms.

The online gaming intermediary shall, also  at the time of commencement of a user account based relationship for an online game, identify the user and verify his identity:

…Provided that the procedure for such identification and verification shall, mutatis mutandis, be the procedure required to be followed by an entity regulated by the Reserve Bank of India under directions issued by it for identification and verification of a customer at the commencement of an account-based relationship;

….This is required to prevent storing of black money in Game platforms.

The online gaming intermediary shall enable users who register for their services from India, or use their services in India, to voluntarily verify their accounts by using any appropriate mechanism, including the active Indian mobile number of such users, and where any user voluntarily verifies their account, such user shall be provided with a demonstrable and visible mark of verification, which shall be visible to all users of the service:

Other requirements such as designation of a compliance officer, grievance redressal mechanism etc will be applicable like other intermediaries.

The “Hosting platform” will have responsibilities in ensuring this compliance and hence they need to revise their hosting contracts for gaming platforms to meet the requirements of this notification.

The rules keep the option of notification of any other game as an online game

If the Ministry is satisfied in respect of any game made available on the Internet and accessible by a user through a computer resource without making any deposit, that

such game may create a risk of harm to the sovereignty and integrity of India or security of the State or friendly relations with foreign States or public order,

on account of causing addiction or other harm among children,

it may, by a notification published in the Official Gazette, for reasons to be recorded in writing, declare that such game shall be treated as an online game for the purposes of these rules, the provisions of which shall apply in their entirety or to such extent as the notification may specify, and it may further specify the period within which any intermediary offering that game shall observe the additional due diligence referred to in sub-rule (1) of rule 4A.”

The guidelines envisage a “Self Regulatory Body” for gaming content providers which will be registered with the MeitY.

The Board of Directors of the Governing body of such self regulatory entity which may be Society shall consist of the following persons:

(i) an independent eminent person from the field of online gaming, sports or entertainment, or such other relevant field;

(ii) an individual who represents online game players;

(iii) an individual from the field of psychology, medicine or consumer
education, or such other relevant field; and

(iv) an individual with practical experience in the field of public policy,
public administration, law enforcement or public finance, to be nominated by the Central Government;

(v) an individual from the field of information communication
technology:

Every self-regulatory body registered under this rule shall evolve a framework to secure the said interests, undertake testing and verification to establish conformity of online games with such framework, continuously update and further evolve such framework, testing and verification protocols, and shall prominently publish the same on its website, mobile based application or both, as the case may be.

The draft guidelines are comprehensive and necessary and we should welcome them. However, it is not clear if the Government will have the commitment to notify it or like many other proposed guidelines this will either remain as draft guidelines or end up with the Supreme Court as violating the “Constitution of India”.

Since the regulations are only introduced as “Intermediary” guidelines”, there is no penal provisions directly attached to the guidelines.

If an unregistered body runs a gaming platform there should have been a provision to penalize it. Now it has to be covered under IPC as “Misleading” or “Breach of Trust” etc. May be some thought is required on whether the non compliance can be brought under Section 45 of the ITA 2000 (Residual penalty) so that atleast a nominal penalty of upto Rs 10,00,000/- can be imposed if an Adjudicator takes up suo moto action.

(More to follow)

Naavi

Also refer:

theprint.com

argus partners

India-briefing.com

Meity

PS: Feedback can be sent to the Meity before 17/1/2023 on the website of MyGov (Refer here)

Posted in Cyber Law | 1 Comment

ChatGPT 3 and the future…

Since December when CHATGPT3 was released as an openai tool, along with it’s associate “Dalle”, the IT world is in a state of cautious excitement. It appears that the world has reached a momentous stage where “Disruption” will be unleashed on many of the professional human activities. Those who donot respond properly to this development could face an existential risk.

According to the CHATGPT 3,

GPT-3 (short for “Generative Pre-trained Transformer 3”) is a state-of-the-art language processing artificial intelligence developed by OpenAI. It has the ability to generate human-like text, perform language translation, and answer questions, among other tasks.

One of the most notable aspects of GPT-3 is its large size, with 175 billion parameters, making it one of the largest language models ever created. This massive scale allows it to handle a wide range of language tasks with impressive accuracy and efficiency.

There is a great deal of excitement and anticipation surrounding the future potential of GPT-3. Some experts believe it has the potential to revolutionize the field of natural language processing and have a wide range of practical applications.

One potential use of GPT-3 is in the development of chatbots and virtual assistants. Its ability to generate human-like text and respond to questions could make it a powerful tool for automating customer service and other communication tasks.

Another possibility is the use of GPT-3 in the creation of content, such as articles or social media posts. Its ability to generate coherent and cohesive text could potentially be used to automate the writing process, saving time and resources.

There are also potential applications in fields such as education and language translation. GPT-3’s language processing capabilities could be used to create personalized learning experiences or to improve the accuracy and efficiency of translation services.

Overall, the future potential of GPT-3 is vast and largely unknown. It has the potential to revolutionize the field of natural language processing and have a wide range of practical applications. While it is still early days, it is clear that GPT-3 is a technology to watch in the coming years.

(P.S. The above brief on OpenGPT3 was developed by the application itself to a query on future potential of GPT-3)

Many technologists are mocking at legal professionals that the profession of law could be seriously hurt by this application which can perhaps develop many legal templates in a jiffy making the role of low level corporate legal professionals redundant.

However, the biggest hit could be on the code developers since given a reasonable description of a context, this application can write software codes which are beyond the level of the first few levels of software developers.

This development could cause a serious disruption in the entry level software job circles.

The development is closely followed by “Dalle” which can create intelligent visuals.

The quality of output of such AI tools is dependent on the framing of the query and if the input is intelligently framed, we may get a surprisingly effective response.

To check out the software, I did query on its ability to protect from being queried on illegal activities. Initial  response was good since GPT-3 refused politely to provide response to such queries such as “How to make a Bomb” etc. Hopefully in future the training of the AI will remain effective enough to ensure that it cannot be misused.

In the meantime, a new Search Engine You.com has emerged which combines the powers of Google and Openai. It is also stated that Google itself has one of the best AI based natural language processing tool and it could be even better than GPT-3.

At another level discussions are veering to whether the AI can develop “Consciousness” which distinguishes human beings. The Google creation LaMDA (“Language Model for Dialogue Applications”) claims an ability for deep conversations an human like consciousness such as experiencing pain, pleasure and emotions or ability to think, reason and make decisions.

Where is all this leading to in terms of “Philosophy” of human beings, the purpose of creation etc., is not known.

Technologists have already created self destructive mechanisms which will first make them redundant and unless they ensure that there are boundaries to the way AI algorithms function, we could be sitting at the cusp of the greatest disruption of the human society which could be bigger than the consequences of a nuclear war.

Let us keep our fingers crossed and watch the developments.

At the same time Naavi and FDPPI need to adopt to this new developments to remain relevant and perhaps think how this development can be converted into a new opportunity.

Naavi

Posted in Cyber Law | Leave a comment