Content Removal Requests from Government..
June 29: Google Transparency has reported a 67 % increase in the
requests from Government of India for content removal from Google
controlled sites in the current year. Requests have come from Courts,
Police and the Government agencies.
Related report in techgoss
GOI owes an Explanation to Public
June 23: The decision of the GOI to engage the services of Huawei,
China to set up a security lab in Bangalore in association with IISc is
a decision which baffles every observer of Information security. When
one peruses the Wikipedia posting on Huawei, we come across the following
"In October 2009, Indian Department of Telecommunications reportedly
requested national telecom operators to "self-regulate" the use of
Chinese-made equipment (including ZTE and Huawei), quoting security
concerns. Earlier, in 2005,
Huawei was blocked from supplying equipment to India's national network
2010, Indian security intelligence (CBI) insisted on canceling the rest
of the Huawei contract with BSNL and pressed charges against several top
BSNL officers regarding their "doubtful integrity and dubious links with
In April 2010, Sistema Shyam Teleservices Ltd., the Indian unit of
Russia's AFK Sistema, didn't get clearance to buy Huawei equipment.
In May 2010, security agencies in India became suspicious of Chinese
Huawei employees after learning that part of Huawei's Bangalore R&D
office building is off limits to Indians. The intelligence agencies also
noted how Chinese employees of Huawei keep extending their stay in
Bangalore for months on end. When security agencies launched an
investigation to probe the purpose behind these long-drawn business
trips by the Chinese staff of Huawei to Bangalore, they were told that
the Chinese were staying on to learn and master English in India."
Despite such knowledge if Indian Government first released the ban on
Huawei for supply of equipments and now goes one step ahead and makes
them the security partner for the country, it is difficult to understand
the thinking behind the decision.
China Intrudes into Indian Cyber Security System
June 23: India is aware through years of its existence that China
is one of the most cunning and a powerful neighbor with global
ambitions. China is like Lion and a Fox rolled into one. To trust China
and devise national security strategies is nothing short of committing
harakiri. This is what Indian Government seems to be heading for. It is
reported that Indian Government has taken a decision to let the
Chinese Company Huawei be their partner for securing the security
of systems used by telecom companies. Huawei being a major supplier
itself and China being one of the biggest global threats to Cyber
Security, the decision appears to be a complete compromise of the Indian
Cyber Security system. It can also mean that after some efforts, the
Indian scientific community including IISC have expressed their
inability to find out the vulnerabilities by themselves and need Chinese
help in this regard. Perhaps now we can consider appointing ISI as our
National Consultant for Counter terrorism measures!.
Related report in ET
Google Street View Blocked
June 23: It is reported that Bangalore Police has stopped the
Google Street View project in the name of national security. Since the
recording was only of what is viewable from a public space, the privacy
arguments are weak. As far as security, terrorists only need the
contours of a place which could be their targets rather than the
details. While Street view can be of assistance in their recce, it is
not a risk grave enough to require the extreme action. Probably the
decision needs a debate and review. If Google had been a Chinese Company
perhaps it would be easier for them to get security clearances!.
COS suggests Privacy Bill
June 22: The Committee of Secretaries (COS) of the GOI is
reported to have taken a decision to introduce a "Right to Privacy Bill"
applicable for all individuals living in India whether they are Indian
Citizens or not. Presently ITA 2008 itself has provisions under Sec 43A
which provide for privacy protection. Hence this bill is redundant. It
appears that the Bill is meant more for defining how certain agencies
can be authorized access of privacy information. It is indicated that
Insurance Companies can access health information, Employers may get
access to Bank data. Additionally telephone interception would be
authorized and intelligence will have access anyway. It is also stated
that the CAT constituted under ITA 2008 will be the appellate authority
under the Bill. This requires an amendment of ITA 2008. Further CAT at
present and is likely to be headless after June 30. Under the
circumstances the proposition of COS seems to be impractical.
Advocates frustrate CAT sitting in Chennai
June 21: ITA 2000/8 envisaged that the dispute resolution
mechanism under the Act would be a model judiciary system and
render quick and economic justice to public who are victims of Cyber
Crimes. But the advocates representing litigants are often found
to be adopting tactics that are meant only to delay things..
How IT Act is misused
June 21: Here is an interesting account of how IT Act has been
misused for internet censorship. It is found that some advocates
specialize in obtaining interim orders which amount to a relief
(punishment to the counter party) without any substantive case in their
favour. The trick is to file an application in an appropriate court.
Most Courts donot dismiss a petition on the spot even if it is absurd or
ridiculous. They simply issue notice to the other party returnable after
two or three weeks. In the meantime the petitioner requests for interim
order such as stay on the publication. Court agrees on an ex-parte basis
since it is only an interim relief. Then the petitioner uses his other
tricks to see that the case is not heard for some time. If the
respondent appears he is given time of another three or four weeks to
respond. Even if he responds immediately, the petitioner will seek time
to file a counter. Then he will ensure that the counsel seeks
adjournments one after another on various grounds including that the
counsel has to go on vacation, he is seriously ill, he has to attend
another court etc. Adjournments may continue until the judge gets tired.
In the meantime the interim order will provide a relief. The case
of Kochar Vs Legally India represents one such case.
Bank Websites insecure
June 21: Security experts have found vulnerabilities in many Bank
websites including ICICI Bank and HDFC Bank.
Cloning of Debit Cards in Ranchi
June20: A group of youngsters selling car wash accessories in a
Petrol Bunk costing Rs 280/- for a mere Rs 30/- were found to be
insisting on payment by debit cards. It was found that they were later
cloning the debit cards and withdrawing money from the Bank.
Police have registered an FIR and arrested a few persons.
Article in TOI
Centaur Hotels in violation of Sec 43A
June 19: A
report in bangaloreaviation.com indicates that authorities in
Centaur Hotels New Delhi under the management of Air India has a
practice of loading scanned passport and credit card information of
customers on a public website. Out of the two, Credit Card information
is considered as "Sensitive Personal Information" under Sec 43A and
requires to be protected with "Reasonable Security Practices". It is
clear from the report that the information is in unencrypted form and in
a public server. This is a violation of the Sec 43A rules and exposes
the Company to liabilities. Though the liability arises only on a victim
claiming a damage, it is a "Risk" for which the company needs to provide
for under corporate governance requirements. It is however considered
under the law that the passport information is not "Sensitive Personal
Information". The rules have been deficient in this respect since
passport is today the most important identity document for an individual
and if duplicated can be a cause of many other identity theft related
frauds. It is understood that the page has since been taken down.
However this underscores the need for IT managers being trained in
techno legal information security.
USA Court Also holds Bank liable for Phishing
June18: When the adjudicator of Tamil Nadu decided in the S.
Umashankar Vs ICICI Bank case in favour of the victim of Phishing,
several Banks were upset. Their contention was that they have the right
to introduce any technology but they will not take absolute
responsibility for frauds despite law and RBI regulation being in favour
of the victim customer.
Earlier to this verdict, there was one German Court decision also in the
same light holding the Bank liable for Phishing. Now even a Michigan Court has given a similar verdict.
in India who want to ignore ITA 2000/8 law on use of digital signatures
or RBI's Internet Banking guidelines and are fighting to hold the victim
of a phishing to be made liable are slowly losing ground. After the G
Gopalakrishna working group committee report, notified on April 29,
2011, it appears that the last hope of the Banks that RBI will come to
their assistance is also lost.
It is time for Banks to upgrade their
techno legal security system as suggested by the Gopalakrishna working
group rather than living in the false hope that they can avoid
liabilities through protracted legal wrangles.
Banks must now focus on the October 31, 2011 deadline for their new IS
policy to avoid further accusations of "Negligence".
Related eport in Computerworld
More Opposition builds up for IT Rules
June18: The recent IT rules on Intermediaries and Cyber Cafes
have attracted criticisms from several quarters. While Cyber Cafe
regulations have been criticized for lack of concern for Privacy and the
impractical nature of the regulations, the Intermediary guidelines have
been criticized for the possibility that it would stifle free
Here is a good article on the subject
First Adjudication Application in Karnataka filed
June14: After a prolonged wait, the first Adjudication
application in Karnataka has been accepted by the IT Secretary. The
complaint has been filed by a customer of ICICI Bank who has suffered a
loss through unauthorized access to his account.
Tata Docomo Releases blocking of BloggersNews.net
June14: After several rounds of follow up it appears that Tata
Docomo has removed the blocking on www.bloggernews.net. It was pointed out to the company that blocking
of a website without appropriate sanction amounts to contravention of
Section 69A of ITA 2008 and makes the company officials liable for
imprisonment. Company has finally removed the block.
Early Aadhar Holder is a SIMI Activist
June12: Even before the UID scheme is to take off it is learnt
that a SIMI activist has been one of the early holders of an Aadhar Card
in a fictitious name. Close on the heels of the report of theft of two
laptops containing UID data, this report nails the claim of the
Government that the security of the system has been taken care of.
Despite being warned, Sri Nandan Nilekani has always maintained that the
UID scheme cannot be misused as a security threat. Unfortunately his
confidence has been proved incorrect. It is therefore necessary that at
least now, UIDAI reviews its systems and ensures that national security
is not compromised.
P W C Davidar Honoured
June11: Cyber Society of India (CySi) honoured Mr P W C Davidar,
the former Adjudicator of Tamil Nadu with the award of a "Fellowship" in
recognition of his outstanding services rendered as the Adjudicator of
Tamil Nadu during his tenure as the IT Secretary. It may be recalled
that Mr Davidar had the credit of the first adjudication decision in
India in the case of S.Umashankar Vs ICICI Bank. Subsequent to this
historical decision, 16 more adjudication applications have been filed
in Tamil Nadu making it the State with the most active Adjudication
system. During the occasion Mr N.Vittal former CVC was also awarded a
Life Time Achievement Award. Speaking on the occasion, Mr
N.S.Vishwanathan, Regional Director of RBI recalled how RBI has always
upheld the interests of the customer and emphasized that "Security" is an
important aspect of Banking. He recalled the words of the Deputy
Director of RBI that "it was improper to pass on the liability of a
cyber crime to the Customer". The award function was followed by a
workshop on different aspects of Cyber Crimes in relation to Banking.
The program was attended by several Bankers.
Related Report in Hindu
IRCTC Fraud. One Ticket Agent Arrested
June7: Naavi.org has been pointing out that online IRCTC booking
through Tatkal is being fraudulently taken over by agents. Complaints
have even been lodged with IRCTC on this account. We have also exposed
one software professional who had posted a client side script which
could be used for overriding others in booking the tatkal tickets. This
software professional removed the contents of his site but there are
others who are also posting hacking guidelines for IRCTC site. In our
complaint to IRCTC we have been suggesting IRCTC that they whould
conduct a CBI enquiry on an analysis of tatkal bookings to prevent this
fraud. We have also suggested that agents should be disabled from Tatkal
booking for the first 15 or 30 minutes.
Similar views are also held by others.
We are glad to note that one such agent
has been arrested in Mumbai for such fraudulent booking. He is
reported to have made 44 bookings under Tatkal on a single day.
There is a clear indication that IRCTC officials must be involved in
this fraud. a good analysis has been
given by Mr Amish to estimate that the fraud may be valued at around
Rs 10000 crores. IRCTC has also modified its rules to accommodate the
agents. When online booking was started, agents were not allowed the use
of the facility. Later they were included. Then IRCTC also made a change
regarding the ID card details to be provided. Earlier the full details
of the ID card including the serial number had to be provided at the
time of booking. Now this is not required. Passenger can give any ID.
While this appears to be a move to help customers, it is actually meant
to help the agents who may not have proper ID documents of the
Cyber Bullying by Vodafone?
June7: The attitude of Vodafone in filing a defamation suit (Refer
article in FE) against a dissatisfied customer expressing his
complaint on the Internet smacks of "Corporate Arrogance" and needs to
be opposed by all consumer oriented organizations. Differences do arise
between a customer and a consumer oriented business entity. Most matured
business houses follow the axiom "Customer is always right" and go
out of the way to placate a complaint. When the company is not
responsive the customer is forced to post his complaints in various
consumer fora as well as his personal web space.
In the event the facts presented are false there is a legal right to
file a defamation suit. However in most cases the money rich company
files a case only to harass the individual. Unfortunately our unfriendly
legal system is a night mare for most individuals. Often petitions which
ought to be thrown out in the first place are admitted by Courts making
the respondent spend time and money to respond to an unsustainable legal
dispute. The case then drags on and on and the proceedings become a
punishment to the consumer hurting him more than the original dispute.
It has been my personal experience that Vodafone service is bad and I
discontinued the service for the same reason. I donot know the
details of the current dispute but it appears that the person is so
agitated that he has contacted the higher officials and also posted
their contact numbers for others to see. It is ridiculous that the
Company claims that the customer can go through only the customer care
facility and should not contact other officials. We all know that
customer care is only one of the contact points for the customer and it
often is not able to solve all the issues. In such cases, since
the consumer's contract is with the company and any service
charges paid by him go to fund the salary of all the officers of the
company it is the prerogative of the customer to contact any
official including the CEO or even the Board of Directors to seek
resolution of his complaint. Each such person has a duty to the
consumers and are vicariously liable for the warranties made on the
service either through advertisements or otherwise. Hence writing to
them or publishing their contact numbers for others to contact them
cannnot be considered as an illegal activity. If they feel inconvenient,
it is the price they pay for being the officials of such a company.
Hence the stand taken by the Company is clearly anti consumer. This
bullying attitude of Vodafone needs to be condemned. It is preposterous
to suggest that ITA 2008 should be applied against a consumer who posts
his complaint in his facebook profile whether it is private or public.
The remedy for such arrogant behaviour of a Company is a consumer
movement against such a company. Now that there is MNP, I think people
should express their dissatisfaction by severing their relationship with
the company. A Consumer company which is anti consumer is not a company
to be associated with. Perhaps we require a Cyber Anna or a Cyber Baba
Ramdev to take up the cause of such cyber bullying.
Bangalore losing status as IT Capital of India?
June6: It is reported that the ASSOCHAM has said that
Bangalore is set to lose the prestigious tag as the IT City. Results of
a survey of 800 CXOs is said to indicate that nearly 30% of the
Bangalore based CXOs were keen to shift to Gurugaon and 25% to Noida.
Naavi has been trying to persuade the State Government to take up
measures to ensure that Bangalore remains the destination for IT
industry. When a hard core an IT professional was elected as an MP of
BJP it was hoped that he would take steps to promote IT industry in
Karnataka. However the Government has its priorities set elsewhere.
Judging by the lukewarm response to some of the initiatives of Naavi to
make Bangalore the focus of IT Security from the Government, it appears
that ASSOCHAM survey conclusion may become a reality sooner than
expected. With the change of Government in Tamil Nadu and Mrs
Jayalalitha assuming the Chief Minister's role, it is expected that
Chennai and Tamil Nadu will also initiate steps to wean away IT
investments. Recently a group of North Eastern States chose to
headquarter their IT promotion initiatives from Hyderabad instead of
Bangalore or any other place. This indicates that outside
Karnataka, the perception is growing that Bangalore is no longer a
recognized IT hub. Unless Dr V.S. Acharya, the IT Minister and Mr
M.N.Vidyashankar the Principal Secretary, IT and BT recognize the threat
and initiate immediate remedial measures, before the end of the current
BJP Government's tenure, Bangalore would have lost its identity as the
IT capital of the country. I invite the attention of the National IT
Cell of BJP and Mr Janardhan, the Chitradurga MP who was a former IT
professional to take interest in devising strategies to change the
"Vinaashakaale Vipareeta Buddhihi"
5th June, 2011:
When Jaya Prakash Narayan (JP) was arrested in
June 25, 1975, it was stated that he commented "Vinaashakaale Vipareeta
Buddhihi". I am reminded of that development today. After the arrest of
JP and other political leaders and declaration of "Emergency", on 26th
June, 1975, a few publications protested the Emergency measures by
printing blank editorials. It was the beginning of a two year dark
period in the history of India when dictatorship ruled the Country. It
is 36 years since that event and we have history repeating itself with
the midnight swoop on Ramlila Grounds and arrest of Baba Ramdev who was
protesting against Corruption. By its action, the Government has
indicated that it is better to suspend democracy rather than take
steps to prevent corruption. I am now reliving the days of June 26, 1975
and reminded of the famous words spoken by JP which was then headlined
by Indian Express. Yesterday I speculated on "Emergency" measures.
Unfortunately it has become a reality today. . Let's wait and see how
media and other political parties react to the current situation. At the
point of time when this is being posted, there is still no "Emergency".
I hope that 2011 is not 1975 and hence the situation may not
worsen into an "Emergency" situation. However, It is a sad day for
History is being created in India
4th June 2011:
A globally historic event has just begun in India
in the form of the Anti Corruption Movement mobilized by Baba Ramdev.
After the Non Cooperation movement of Mahatma Gandhi, this could turn
out to be the biggest mobilization of people in India for a cause and
perhaps may outscore even the anti emergency movement of Jayaprakash
Narayan. What is unique about this event is that non political forces
have come together to root out corruption which is the biggest menace in
There are very few persons left in the country who are
still swearing by non corrupt practices and they are often ridiculed as
impractical. Many politicians who were expected to be honest have came around
to the view that today it is not
possible to avoid corruption in public
life. But now there is a renewed hope. Ramdev's movement has gained support
across the country and along with Anna Hazare's team has become a
formidable force which the Government cannot ignore.
We may recall that BJP had in fact included in its last election
manifesto that black money abroad will be brought back to India. Dr
Manmohan Singh also promised after Congress came to power that they will
bring back black money within 100 days. We may therefore say that both
political parties are in principle supportive of Baba Ramdev's demand.
While the Government was effectively killing the Lok Pal movement of
Anna Hazare, it is unlikely to succeed killing the Baba Ramdev's
movement. It is however possible that the Government may resort to an
"Emergency" like action of arresting of Baba Ramdev and crushing the
movement. Hopefully Government will see reason and accept Baba Ramdev's
demands without much delay.
Whatever turn the movement takes, it is clear that 4th June 2011 will be
a historic day in the history of not only India but the entire world.
October 31, 2011 is the first deadline for Bankers under GGWG
June 3: The April 29th circular of RBI advising implementation of
the recommendations of G Gopalakrishna Working Group recommendations has
set a specific timeline for implementation of the recommendations. One
of the principle deadline would be October 31, 2011 by which time Banks
must put in place policies and procedures which donot require extensive
investment. This may include the setting up of the IT Strategy
Committee, Risk Management Committee and the IT Steering Committee as
well as designation of a CISO.
The circular suggests a Quarterly review process and the first calendar
quarter after the issue of the guideline falls on 30th June 2011. It is
recommended that the Board meeting within this quarter may take on
record the receipt of the RBI guidelines and initiation of the first
steps towards implementation of the recommendations. The second
quarterly review by September 30 may discuss steps taken during the
first 4-5 months so that the Bank will be ready with the compliance
requirements for October 31, 2011 including a quick "Gap Analysis".
As an experienced past Banker and a techno legal information security
practitioner, Naavi offers GGWG Gap Analysis" service for Banks to
enable them comply with GGWG recommendations. Interested Banks may
contact naavi at email@example.com
(+919343554943) for further details.
Six year Imprisonment for HIPAA Violation
June2: An Alabama Court sentenced Mr Isaac Earl Smith,
to six years in prison for his role in a prescription fraud scheme that
included crimes of healthcare fraud, aggravated identity theft and
violations of HIPAA.
US Postal Services Introduce "Adult Signatures"
June 1: Naavi.org had in the past made suggestions regarding
introduction of "Adult Passes" in the Cyber Space for receipt of adult
content. In the meantime it is interesting to note that US Postal
authorities have introduced a service called "Adult Signatures" where
the mail is delivered to adults above 21 years of age upon verification
of age. It should be a forerunner to the concept of "Adult Pass"
suggested by naavi.org.
HHS Includes "Disclosure" as part of Privacy Rights
June1: In a conceptually significant development, HHS has
proposed a change in the Privacy laws related to HITECH Act according to
which the data subject would be entitled to know who has accessed his
information. In the light of the powers which the Indian Government is
likely to exercise under the new rules under ITA 2008 on Privacy, this
is an important disclosure requirement that should become part of every
HHS notification for public comments :
Directory of Mobile Numbers
June1: Mobile numbers are considered "Personal information" and
are protected by privacy. However we should debate if there is a
need to reconsider the issue of privacy of mobile numbers. When a person
receives a call or SMS from a mobile number, his privacy is disturbed.
When he receives multiple calls or multiple SMS numbers, it annoys a
person and it may invoke Section 66A of ITA 2008 as an offence. In such
a case the recipient of the anonymous call has a genuine right to know
the identity of the person making the call.
It is therefore necessary for all mobile service providers to introduce
a mechanism where by if a person receives more than 3 calls from a
mobile number during a period of one month, he is entitled to demand the
identity of the caller from a repository of mobile directory. This is
the privacy right of the call receiver pitted against the privacy right
of the caller.
This provision of disclosure on demand should be introduced as
part of the "Due Diligence" of the intermediaries since identity of the
caller is the first essential step for the call receiver to invoke the
protection of ITA 2008.
The exact procedure of how a demand can be made, what evidence need to
be submitted etc can be decided.
In order to implement the same it is also necessary for every Mobile
Service provider to provide a free online copy of billing details so
that the call receiver can extract the statement as a proof of having
received multiple calls from a given number within a particular time.
DIT has the power to issue such guidelines under Section 79/Section 67C
/Sec 85 of ITA 2008. Reactions are welcome.