Cyber Fraud Prevention Policy

Naavi has started a circle on www.localcircles.com, titled “Save Digital India From Cyber Fraud”. The objective of the circle is to get together people interested in collaborating a draft of “Cyber Fraud Prevention Policy” to be submitted to the Government.

I request those who are interested in this exercise to join the forum immediately so that we can start a fruitful discussion.

More Information is available here:

Why Do we need a Cyber Fraud Prevention Policy?

Naavi

Share Button
Print Friendly

War on Pornography Revived?

On January 5 2002, the undersigned wrote on this blog “Declare a War on Pornography”. This was written in the aftermath of the arrest of Dr L.Prakash, a well known Orthopedist and an innovative industrialist who drifted into the world of criminality because of the lure of money around Cyber Pornography.

This site has consistently expressed an opinion that Cyber Pornography is bad and needs to be curtailed. The following articles are worthy of recall in this aspect.

Times of India group guilty under Sections 67,67A and 67B? Will …

Times of India.. Is it Set to Mislead the Public on Savita Bhabhi Issue?

What Do We Do with Obscenity in Times of India?

Govt Can Ban Porn websites for obscenity

The War on savitabhabhi.com needs to be continued

Cyber Pornography- We need to fight for a Clean Internet

Should we legalize por.n?

In all these articles we had strongly put up a view that Government needs to act strongly to put down Cyber Pornography. In fact when savitabhabhi.com was shut down, many blamed the undersigned being responsible for it and he had to face the wrath of many friends in the IT industry for supporting what is often considered as an archaic view.

Now today’s internet news talks of “#PornBan: Indian government reportedly starts blocking porn sites”.

There are similar reports in other websites and expected criticism from many quarters. I am sure many of my friends in the industry will consider this as an assault on personal freedom particularly after a recent Supreme Court verdict saying that Viewing Pornography by an adult is a “Fundamental Right”

Obviously, this will bring out many adverse reactions and Mr Arnab Goswami will cry “Here is an RSS Agenda”. Mr Digvijay Singh will second him along with Manishankar Iyer.

Let them keep shouting. I feel satisfied that the NDA Government has done a  good thing by this move though I am not sure how long this will last.

I remember having presented in the National IT Convention meeting of BJP in Chennai on 28th September 2008 several issues that BJP needs to address if it comes to power in the 2009 elections  including the issue of Cyber Pornography, National Cyber Army Command etc which are being discussed now .

I am however happy to observe that 13 years after Naavi gave a war cry, and 7 years after the direct interaction, the people who matter seem to have heard it.

bjp_it_7

I wish the Government will have the courage to withstand the pressures from the opposition and the media lobby and ensure that the Indian Cyber Space is cleaned of pornographic stuff.

Blocking pornographic sites is not only a moral issue but is also a Cyber Security issue. The move to block pornographic sites  will  eliminate one important virus dropping channel that the criminals tend to use often.

I wholeheartedly congratulate the Government on this move. I urge the Supreme Court not to interfere with this decision since it is a National Security issue.

Naavi

india_insurance_logo_2

Share Button
Print Friendly

Cyber Cafe Owner punished under Section 67C.. Now CISOs/CEOs beware!

india_insurance_logo_2

In a first of the kind verdict in JMFC Court, in District Pune, Khed, a Cyber Cafe owner was punished for not keeping the visiting register with an imprisonment of 15 days and a fine of Rs 10000/-

The conviction has been done under Section 67C of ITA 2008 and Section 188 of IPC.

Section 67C is for preservation of records and states as under:

Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Section 188 of IPC states as under:

 Disobedience to order duly promulgated by public servant.

Whoever, knowing that, by an order promulgated by a public serv­ant lawfully empowered to promulgate such order,

he is directed to abstain from a certain act, or to take certain order with certain property in his possession or under his management,

disobeys such direction,

shall, if such disobedience causes or tends to cause obstruction, annoyance or injury, or risk of obstruction, annoyance or injury, to any person lawfully employed,

be punished with simple impris­onment for a term which may extend to one month or with fine which may extend to two hundred rupees, or with both; and

if such disobedience causes or trends to cause danger to human life, health or safety, or causes or tends to cause a riot or affray, shall be punished with imprisonment of either description for a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.

Explanation.—It is not necessary that the offender should intend to produce harm, or contemplate his disobedience as likely to produce harm. It is sufficient that he knows of the order which he disobeys, and that his disobedience produces, or is likely to produce, harm.

Illustration An order is promulgated by a public servant lawfully empowered to promulgate such order, directing that a religious procession shall not pass down a certain street. A knowingly disobeys the order, and thereby causes danger of riot. A has committed the offence defined in this section.

It is interesting to observe that under Section 67C, the Government of India has not notified any rules. There is however a rule for Cyber Cafe owners under Section 79. This requires formalities of “Registration” for which a Registration Agency should be there. This has not been notified by the Central Government.

However certain States might have issued notifications under either ITA 2000/8 or other State Laws where the record requirements might have been specified. If no such orders are there, it is difficult to see how Section 67C can be invoked.

As regards Sec 188 of IPC, some annoyance or injury must have been caused to a person (probably a public servant) by an act of disobedience of an order. Not sure if not maintaining the records per-se falls into this category.

However, other information available indicates that the Cyber Cafe owner had earlier sent a “threatening” email to the Police Commissioner. Probably this case was originally filed under Section 66A and later that section might have been dropped.

Any way it is interesting to note that Section 67C might have been invoked for the first time for a conviction. This needs to be taken note of by all Companies  since there could be many non compliance issues of record keeping under ITA 2000/8 of which all of them are guilty. The CISOs and CEOs need to watch their backs.

Naavi


cyber_law_guru

An Android App Available on Google Store

Share Button
Print Friendly

95% of mobile users are under threat of Stagefright

In a grim reminder of mobile technology risks when more and more e-banking and e-commerce activities are moving onto the app platform, the “Stagefright” vulnerability is expected to expose all Android users including Lollipop 5.1.1 to risk of being hacked.

See details here

Also here

Stagefright is a multimedia library for the Android OS and is present in all the versions of Android from Froyo 2.2. The security risk is mainly related to an insecure code in Stagefright.

The vulnerability therefore encompasses 95 percent of Android smartphones  and tablets (nearly 1 billion devices) in use at present. It has been dubbed the worst vulnerability in the history of the Android mobile operating system, which was developed by Google.

Through Stagefright exploit, users can remotely take control of an Android device and access photos, cameras, private data and more. In Android devices that are running on Android versions older than JellyBean OS, hackers can gain control of the device, even if the MMS is not opened by the user. Moreover, on such devices, hackers will even be able to delete the problematic MMS without the consent of the user.

The Stagefright exploit is carried out by sending a malicious MMS to an Android device. However, the Android OS is unable to detect it as a security issue but only recognizes it as a video file.

Users of Google hangout are also vulnerable since the app may process the  videos for quicker viewing and hence receiving the message on Google hangout may be enough to make a user vulnerable.

It appears that the solution is not very complicated. In order to prevent such a hack attack, users are only required to disable the automatic retrieving feature for MMS. One can go to “Messaging”, click on “Settings” and “Remove the check on Auto Retrieve”.

Naavi

india_insurance_logo_2

Share Button
Print Friendly

Section 66A(modified) to come back ?

According to this report in Deccan Herald the MCIT  has constituted a panel under the chairmanship of Mr T K Vishwanathan to rework on Section 66A which was struck down by Supreme Court in what is popularly referred to as the Shreya Singhal verdict.

We invite readers to go through all articles written on this site on the subject of Sec 66A here:

Site Search Google (New Posts) :66A:

Site Search Google (Old Posts) :66A:

Google Search Section 66A+vijayashankar

Duckduckgo search Section66A+naavi

In these articles written by the undersigned, it has been clearly argued that the decision of the Supreme Court in this matter was erroneous. Our contention has always been that this section 66A was not meant to cover “Defamation” and was wrongly mis-applied by Police in various states. Most of the times this was done at the instance of politicians to harass their opponents. However repeated mis-application actually made everyone believe that the section was actually meant to address defamation in social media.

We reiterate that “Publishing” a content on social media visible to many is different from “Sending” a message either in the form of e-mail or SMS . Messaging is a one to one communication. It does not result in “defamation” since no third party is privy to it unless one of the parties to the communication makes it public. However the personal message can cause distress, harassment, threat etc. Section 66A tried to address this and not defamation.

Unfortunately, neither the petitioner nor the battery of lawyers who participated in the discussions on Section 66A understood the legal intent behind the section. They all assumed that Police must be right in arresting persons under Section 66A for social media activities and therefore the section itself was to blame.

Regrettably, the bench which heard this petition was swayed by populist sentiments on upholding the sentiments on “Freedom of Speech” and went on to emphatically assert that “Section 66A” was applicable to “all” communication and not “any communication sent through a communication device or e-mail” and declare its commitment to uphold the democratic principle by murdering the section.

Politicians of the UPA Government who had repeatedly  misused the section to meet their political ends suddenly became the champions of free speech to welcome the judgement. Politicians of BJP were too confused and inadequately informed to have the courage to say anything different. The media persons particularly the top TV anchors were too naive and also swayed by their own populist instincts to say that this was a “land mark” judgement upholding the highest principle of democracy.

Naavi was in a minority stating that the judgement was a result of mis perception of the purpose of the section, and though upholding free speech is fine, what the Supreme Court was doing by scrapping the section 66A was actually promoting the use of social media for mischevous use.

Naavi tried to persuade the Government to apply for a review of the decision but could not succeed.

After a few months, it appears that the Government has finally come to realize that removal of Section 66A has the potential of doing more damage than the perceived benefits that it was supposed to bring and is reportedly considering its re-introduction.

It is good that Mr T K Vishwanathan is back to work on the required drafting. Mr Vishwanathan was involved in the drafting of the original ITA 2000 though  perhaps he was not involved in the drafting of the amendments of 2008 in which section 66A came in. But he is aware of the early discussions on the philosophy behind ITA2000 and hence should be able to sort it out.

The irony however is that  what may ultimately come out is actually a “E-defamation law” which was not available in ITA 2008. ITA 2008 criminalized “Obscene publishing” and not “Defamatory publishing”. Defamation was still a subject of IPC even when committed with electronic documents as defined under ITA 2000/8. This position will now change. There will now be a specific provision on defamation with the use of Twitter, Facebook and other social media vehicles. The so called “Free Speech Protectors” will have to ready themselves for another legal battle once this new law comes into being.

In the meantime, considering the need for National Security and the role of social media in this respect, the undersigned welcomes the move to regulate certain aspects of the misuse of social media.

We however hope that more than “E-Defamation”, what is required to be regulated is use of social media to spread false rumors, creating disharmony in the society etc.

The decriminalization of defamation is already under challenge in the Supreme Court and hence instead of attempting to define “Criminal defamation through electronic documents” as a replacement section of Section 66A,  we can simply link “E-defamation” to what is available in IPC by a clarification that any offence under Section 499 of IPC with the use of electronic documents shall be construed as an offence under IPC . The civil aspects of E-defamation can be covered separately with the introduction of a new section say 43B.

Additionally we should not forget to retain the other aspects of Section 66A which Supreme Court in its misplaced activist approach failed to protect. This includes harassment through e-mail and messaging through communication devices, the sending of phishing mails, spamming etc.

We trust that the expert panel under the chairmanship of MR T K Vishwanathan takes into account these suggestions before finalizing their recommendations.

Naavi


You can now seek any Clarification

on Cyber Laws of India through your mobile by using this Android App

cyber_law_guru

Available on Google Play Store

Share Button
Print Friendly

Does Your Vehicle Insurance also provide you Cyber Insurance?

Cyber Security specialists have recently demonstrated how a commercially sold car can be effectively taken control of by a remote “Hacker” leading to disastrous consequences.

This article in Washington Post graphically sketches how a hacker can cut off the engine or disable the brakes or even turn the steering wheel by hacking in to the Jeep Cherokee marketed by Chrysler. What is more alarming is that this is not a “Google Car” meant to be remotely driven but a conventional car with the infotainment connected to the internet and perhaps independent subsystems that are managed by electronic sub systems in the car.

Apparently, the hackers have gained access to the infotainment system through the internet and once into the subsystem within the Car’s electronic system was able to jump across to other subsystems taking control of each one of them.

It is obvious that malicious hackers can exploit similar vulnerabilities and cause death and mayhem on the roads.

While Chrysler in response has reportedly recalled about 1.4  million vehicles and also issued a patch to plug the vulnerability, the risk of cars being vulnerable to hackers is staring all Car manufacturers as well as Car users.

india_insurance_logo_2

The biggest beneficiary of this demonstration is however the info-sec community as it opens up more critical job opportunities for them in the automobile sector. But the automobile users will now remain under constant threat of being exposed not only to risks of mechanical failures but also the technological failures and additionally, the cyber criminals.

In the context of Cyber Insurance that we are discussing through these columns, it now appears that a Car accident can happen due to such hacking incidents and the Insurance companies may have to deal with claims of accidents that cannot be logically attributed either to a driver’s mistake or to any identifiable external reasons. The claimants will have a lot of difficult to explain the cause of an accident as finding evidence will be extremely difficult. Perhaps the damage assessers need to be not only mechanical engineers who check the mechanical failures but also “Cyber Forensic” specialists who will check the log records of all electronic systems in the Car.

The question that arises in settlement of the claim is whether the policy which covers “Mechanical Failures” will also cover “Electronic Failures” and “Cyber Crimes”. Ideally the current policy should cover damages occurring due to malfunction of a mechanical part whether it is because of internal defect or an external hacking, unless the risk is specifically excluded.

The publicity now generated to the hacking event should be sufficient to consider that the Insurance company is aware of such risks and hence if the risk is not specifically excluded, it should be considered as “Included”. In other words, the Insurance companies will have to accept the  uncomfortable truth that  the current Vehicle insurance policies are also “Cyber Insurance Policies”

The problem demonstrated in respect of the Chrysler automobile is also relevant to the managers of Digital India who need to manage an environment which includes “Internet of Things”.  With a similar argument we can say that the current insurance policies that insure damages of white goods or other properties should be also considered as covering risks arising out of electronic component failure either due to natural causes or through hacking.

While the manufacturers of internet exposed devices need to worry about the information security aspects, the Insurers need to worry about how they would cover these risks.

The future of the Cyber Insurance industry appears to be exciting.

Naavi

Related Article:

In USA today

In Cnet.com

If you have not yet responded to the online India Cyber Insurance Survey 2015, please do so now.

 

Share Button
Print Friendly