Naavi.org

October 17, 2000 was the day when Information Technology Act 2000 (ITA 2000) became effective. The essence of ITA 2000 was the legal recognition for binary documents and authentication with the use of PKI based Digital signatures. Together, legally valid digital contracts became feasible and E Commerce and E Governance got a foothold. This should be considered as the birth of “Digital Society of India”. This digital society has now developed and become “Digital India”.

Let us therefore remember this day as the “Digital Society Day”.

In order to celebrate the day, we at Naavi.org and FDPPI are having a discussion on “Taming of the Dark Web”. It is a short virtual Round Table discussion on Zoom and all are invited.

In order to preserve the benefits of Technology to the society, we need to curb the activities of Cyber Criminals. The presence of “Dark Web” and the “Dark Currency” in the form of private Crypto currencies enable criminals to continue their criminal activities. Criminals reside in Dark Web and come out from time to time to attack the Netizens on the surface and vanish back into the Dark Web.

The entry door for moving in and out of the dark web is the Tor browser and the currency for living in the dark web is the PCC (Private Crypto Currency). The communication tool for Dark Netizens to communicate with surface Netizens is the mail services like the “Proton Mail” which is used for sending not only the bomb threats but also the ransomware demands.

Despite knowing the adverse impact on the society from Cyber Crimes, we have allowed free conversion of PCC like Bitcoins to legacy currency so that all earnings in the dark web can be used in the civil society. We also encourage use of Tor browsers in young technology users as a part of security training. Many of the VPN services like the Proton Mail are used by security professionals to have anonymous existence.

It is however necessary to recognize that the Dark Web eco system is killing the society for the benefit of the criminal. We need to recognize this and put a stop to it.

The regulators are currently unable to reduce Cyber Crimes and the society is moving into an era where Cyber Crime is becoming an acceptable way of life.

Our own Government is hesitant to curb Bit Coins and is shamelessly happy to make money through taxation of Bitcoin transactions. Our security experts are unconcerned about the adverse impact of technology crimes on the society. Given an opportunity wee would try to take the benefit of Cyber Crimes by creating products for handling the adverse impact rather than preventing the adverse impact.

It is time that we realize that we as a society need to go for a direct attack on the crime syndicates by attacking the Dark web entry tools and dark web benefit exploitation tools. We therefore need to introduce strict regulations on the use of Tor Browser, VPN mail services like Proton Mail and the Private Crypto Currencies like Bitcoin.

Let us by law make it difficult for the Tor Browser and Proton Mail to be used by criminals with following steps.

1.Let us ban Proton Mail and all other mail services that donot cooperate with the law enforcement agencies in identifying the senders of email.

2.Let us make all Tor browser installations “licensable”

3.Let us mandate that all Tor users need to be registered as “Ethical Hackers”.

4.Let us mandate that use of Bitcoins (PCCs) is an offence and considered as an attempt at money laundering.

I suppose we can discuss all these in today’s discussion on “Taming the Dark Web”

Naavi

In October 2023 when Mr Rajeev Chandrashekar was the minister of IT, a draft national strategy on Robotics had been released for public consultation. In July 2024, Government announced that 5576 responses were received and closed. Since then no further news is there about the adoption or implementation of the draft policy.

A copy of the draft rules is available here.

A National Strategy for Artificial Intelligence which was published by NITI Ayog way back in 2018. Now an AI & Emerging Technologies Group has been set up by the MeitY to promote adoption of new technologies. Several reports have been issued by this committee from time to time. Government has also launched an India AI mission to propel innovation.

There is a need to follow up on these initiatives and its integration with the developing regulations. FDPPI would like to pursue this during the IDPS 2024.

Naavi

The Dark Web by definition is different from the legal “Deep Web” which is hidden from access through publicly accessible search engines like Google. Deep web is a space controlled by individual entities for their legitimate use and not illegal use. It is like a company’s premises where the entry is limited to authorized persons only.

On the other hand, by definition, the “Dark Web” is a “Zone of Illegal Virtual Operations”. It is in the dark web that criminals exchange crime tools, sell and buy drugs, weapons etc.

Having defined the “Dark Web” as the Criminal’s work place, there is no need to discuss if Dark Web needs to be allowed to exist. Without doubt it has to be eliminated though we may be incapable of doing it. Our incapability to fight the dak web is no justification not to declare it illegal and look at every body entering the dark web with an eye of suspicion.

The “Dark Web” thrives on a legitimate need for “Privacy” but the problem is “Privacy” is misused by criminals to hide their identity and run their business. The crimes have a reward in financial terms which are supported by the Crypto Currencies which act as the “Bankers to the criminals”. Hence Crypto Currencies (Privately managed) like Bitcoin are the support base for dark web apart from the Tor browser that enables access to the dark web.

If Dark Web has to be outlawed, we need to outlaw “Private Crypto Currencies” as well as the “Tor” browser or any other system that is used to access the dark web.

While “Privacy” is a legitimate right, “Confidential Banking is a legitimate right”, “Encryption for security” is a legitimate right, “Anonymity for security” is a legitimate right, these rights are bounded by the need not to cross the border of legality and cause harm to another individual.

This is a fundamental principle that every one agrees but is not able to support when the push comes to shove. The society is now at a time when we should bite the bullet and “Outlaw the Dark Web along with its components such as Bitcoin/private Crypto currencies and the Tor Browser”.

Just as Crypto Currencies may still exist like the Digital Rupee, or Guns in private hands may exist under a licensing system, we may still retain Tor as a “Licensed Software” to be used only by the law enforcement or registered security agencies who are committed to the legal activities.

Many may feel that this is impossible just as we cannot eliminate drugs, smoking or prostitution by just making laws against them. However it does not mean that the society should express passive support to any activity that is harmful to its larger good .

It is true that the existing laws itself make “Dark Web” and use of “Bitcoins” or “Use of Tor” illegal and punishable either as a crime or an attempt to commit a crime. Both DPDPA and ITA 2000 are laws which try to regulate and punish misuse of electronic information and are supported by BNS 2023. Section 15 of DPDPA 2023 imposes a duty on a data principal not to “Impersonate”. Section 66C and 66D of ITA 2000 makes “Impersonation” a cognizable offence. Section 4 of DPDPA 2023 prohibits illegal processing of personal data and ITA 2000 imposes criminal penalties for causing harm due to such processing.

Despite these laws, the society will not appreciate the need to keep Dark Web at a distance unless the Government comes out with a declaration that “Dark Web use is unlawful”. If any person is seen entering the Criminal’s Adda, it is his responsibility to explain to the law enforcement that his visit was for a legitimate purpose. More appropriately, any visitor to the criminal’s den has to take prior permission of the law enforcement.

I therefore call upon law makers in India to specifically pass directions to outlaw Dark Web, Private Crypto Currencies and Tor Browser and make their use subject to a strict licensing system.

This means that “Possession of Tor browser” should be considered as a “Prima Facie Evidence” of an intention to commit a crime and subjected to prior licensing just like the Gun licensing law. No organization should be able to sell tools that facilitate entry to Dark Web except under license.

I am aware that this suggestion may be radical but it is essential to protect the integrity of the digital society.

Those who agree or not agree are invited to participate in the virtual round table organized by Naavi.org and FDPPI on 17th October 2024, in commemoration of the “Digital Society Day” . You are invited to join the Zoom meeting between 6.30 pm and 8.00 pm in the link given above.

Naavi

P.S: Naavi.org urges the specialists to refrain from educating our youngsters on how to enter Dark Web. This is a promotion of crime. (Attention: Content Writer)

Also refer: Report on FBI strategy to disrupt Illegal Dark Web activities

The Star Health Insurance Data Breach has been in news for some time now. The Company also seems to have acknowledged the breach. As per this article in India Today, 31 million data principals might have been affected in the breach and the personal data is reportedly being sold online.

The the data has been accessed by an identity under the name xenZen who has also suggested that the data was sold for US $150000. The net price is as low as 38 paise per data set which is not realistic. The normal price for such data .

One indicative price list of data is as follows:

The type of data leaked in the Star Health breach is indicated as

• Full Name
• PAN No.
• Mobile No.
• Email
• Date of Birth
• Residential Address
• Insured Date of Birth
• Insured Name
• Gender
• Pre-existing Disease
• Policy Number
• Health Card
• Nominee Name
• Nominee Age
• Nominee Claim %
• Nominee Relationship
• Insured Height
• Weight
• BMI

The leak also indicates that the CISO of Star Health Management Mr Amarjeet sold the data but later tried to change the deal terms.

The hacker also invites journalists to contact him on his email for proof etc.

Data Breach is not new in India but what is strange in this instance is that the name of the CISO is given along with an indication that the management is also involved in the data breach.

There are several issues in this case which are beyond the scope of investigation by the Company itself. In fact the more company wants to investigate, it will vitiate the evidence in violation of law.

The value indicated is not realistic and hence there is a prima facie doubt that some body who wanted to frame the CISO and blame the company is involved in this data leak. In view of the doubts raised on the company and the CISO himself, an internal investigation is not reliable.

Further, the consideration involved is in US dollars and hence there is also a FEMA angle.

From all angles this is a case to be investigated by CBI and ED and extend to other employees of the Company as well as competitors of Star health Insurance who are the beneficiaries of this data leak.

The CERT In also has to start its investigation. However this investigation is beyond the scope of a single organization involved in Data Breach investigation.

We urge that CERT IN should file a complaint with CBI and ED to trigger an investigation , assist them in the investigation and find out the truth behind this data breach.

In the meantime, we re-iterate that the existence of “Proton Mail” kind of services and the dark web itself is the root cause for such crimes and the country as a whole should declare Proton Mail as a “Terror Outfit” and take up the investigation as a “Cyber Terrorism Case”.

There is an urgent need to completely ban Proton Mail in India and also ban the use of Tor browsers making it an offence to use them without license. The MHA should also look into this case and bring some fundamental changes to our legal system so that Cyber Crimes are not facilitated by the existence of dark web and its allies like the Proton Mail.

Naavi

Sri Ratan Tata has lived a full productive life which any body can be proud of. While we regret that his leadership would no longer be available to guide the Indian industry, it is our duty to remember and follow his vision and principles.

One of the notable observations about his career is his commitment to the good of the nation. He was an example for other industrialists and exhibited this commitment in no small measure when he took over Air India.

Naavi and FDPPI appreciate this spirit of working for the benefit of India and follow similar principles of indigenous approach to what we do whether it is DGPSI as a framework or C.DPO.DA. as a Certification.

We therefore would continue to remember him and dedicate one of our annual Privacy Awards we normally distribute during our annual flagship event “Indian Data Protection Summit 2024” (This year to be conducted on November 30 and December 1 at Bengaluru as a hybrid event), to “Commitment to National good”.

More details would be shared separately.

Naavi

Currently Cyber Insurance covers first party damage in case of any data breach. This covers cost of recovery of lost data, legal and forensic costs and perhaps some consequential damages such as third party liability claims.

In the post DPDPA scenario, there is a concern about the cost of the Administrative fine which could be substantial. It is a grey area whether this fine if any can be insured.

By the nature of the fine, it is levied because of the non compliance of law besides other reasons such as causing harm to the data principal. It is therefore difficult to provide coverage since in principle, insurance cannot protect and reward non compliance of law.

However, in most cases when fines are levied, the data fiduciary may claim compliance and it would be a matter of the regulator not agreeing that the measures taken were adequate enough. It would be a matter of debate whether there was “Reasonable” measures and “Due Diligence” on the part of the data fiduciary. It is possible that a breach was attributable to the action of a third party despite reasonable measures taken by the data fiduciary for compliance in good faith. It is like an automobile accident which occurs despite careful driving and not because of blatant violation of law such as driving in the one way street in the opposite direction or driving in a drunken state.

If automobile insurance as well as the law for punishment to drivers for rash and negligent driving can distinguish between what is rash and negligent and what is not, should there be a similar discussion on the fines levied for DPDPA non compliance?

In most cases, the order of the regulatory authority may specify the root cause and whether there was gross negligence or lack of food faith in the incident on the part of the data fiduciary. If so, should a “DPDPA Liability Insurance Policy” cover not only the cost of conducting investigation, legal defence , meeting the liability to the data principals but also the administrative fine (may be subject to a sub limit)?

The insurance industry needs to ponder over this.

On the part of Auditors FDPPI would like to offer

a) An Assessment of DPDPA readiness for an Insurance company to accept an insurance proposal

b) An assessment of DPDPA penalty liability when an incident occurs or an inquiry is ordered by the Data Protection Board.

These assessments can be structured for the needs of the Insurer and conducted at the instance of the insurance company.

They may be different from the assessment made as “DPDPA Gap Assessment” or “DPDPA Compliance implementation Assistance”.