Beware of this Bal Aadhaar Phishing

There is an email in circulation about Bal Aadhaar which looks as follows:

The hyperlink leads to a website, www.yojanakhabar.com, looking as follows:

The website is registered by an Arizona resident as indicated below:
This appears to be a “Phishing Website”, and action is required to initiate a Cyber Crime complaint against the Registrant, who is assisted by the intermediary, the Registrar.

I have notified UIDAI and I expect them to initiate action, failing which there will be a lack of due diligence from their side also.

It is in such cases that I am seriously against the “Privacy Protection” of domain name registrations supported as a system by ICANN.

It is time some Court declares that Privacy Protection of domain name registration information is against public policy. This should be a compulsory disclosure requirement for all domain name registrants.

The Indian Government can pass a notification under Section 79 of ITA 2000 to direct browser owners like Google or Microsoft to flag websites whose domain name registration information is not made public as a website of an “Unverified Owner”. Websites with a digital signature of the server obviously would be exempted from this since the verification would be the responsibility of the server digital certificate issuing authority.

Naavi
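
The flagging rule proposed above can be written as a check over a domain's registration record. The following is an added example, not part of the original post: it assumes the record is available in RDAP JSON form and that the certificate exemption is represented by an organisation name in the certificate subject (`cert_subject_org`); the sample records are constructed, and the function names, marker list and all labels other than “Unverified Owner” are hypothetical.

```python
import json

# Constructed RDAP-style domain records (RFC 9083 layout). Every name and value
# here is invented for illustration and describes no real registration.
SAMPLES = json.loads("""
{
 "disclosed": {"ldhName": "shop.example", "entities": [
   {"roles": ["registrar"],
    "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]]},
   {"roles": ["registrant"],
    "vcardArray": ["vcard", [["fn", {}, "text", "A. Sharma"],
                             ["org", {}, "text", "Sharma Trading Co"]]]}]},
 "proxy": {"ldhName": "scheme-news.example", "entities": [
   {"roles": ["registrant"],
    "remarks": [{"title": "REDACTED FOR PRIVACY"}],
    "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}]},
 "redacted": {"ldhName": "offers.example",
   "redacted": [{"name": {"description": "Registrant Name"}, "method": "removal"}],
   "entities": [
   {"roles": ["registrar"],
    "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]]}]}
}
""")

# Substrings treated as signs of a hidden or proxy registrant. Assumed list for
# illustration; substring matching can misfire on legitimate organisation names.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")


def vcard_values(entity, field):
    """Return the text values of one jCard field ('fn', 'org') of an entity."""
    card = entity.get("vcardArray", ["vcard", []])[1]
    return [str(prop[3]) for prop in card if prop[0] == field]


def registrants(record):
    """Collect entities holding the 'registrant' role, including nested ones."""
    found = []
    for ent in record.get("entities", []):
        if "registrant" in ent.get("roles", []):
            found.append(ent)
        found.extend(registrants(ent))
    return found


def registrant_disclosure(record):
    """Return (is_public, reason) for the registrant data in an RDAP record."""
    for item in record.get("redacted", []):  # RFC 9537 list of redacted fields
        desc = item.get("name", {}).get("description", "")
        if "registrant" in desc.lower():
            return False, f"redacted field: {desc}"
    ents = registrants(record)
    if not ents:
        return False, "no registrant entity in response"
    for ent in ents:
        names = vcard_values(ent, "fn")
        texts = names + vcard_values(ent, "org")
        texts += [r.get("title", "") for r in ent.get("remarks", [])]
        for text in texts:
            if any(marker in text.lower() for marker in PRIVACY_MARKERS):
                return False, f"privacy marker: {text}"
        if not any(name.strip() for name in names):
            return False, "registrant name empty"
    return True, "registrant name published"


def owner_label(record, cert_subject_org=None):
    """Apply the proposed rule: certificate exemption first, then disclosure."""
    # Assumption: only a certificate that names an organisation counts as
    # issuer-verified; a certificate validated for the domain alone names none.
    if cert_subject_org:
        return "Verified by certificate issuer"
    public, _reason = registrant_disclosure(record)
    return "Owner disclosed" if public else "Unverified Owner"


if __name__ == "__main__":
    for key, rec in SAMPLES.items():
        print(rec["ldhName"], "->", owner_label(rec), registrant_disclosure(rec)[1])
```
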

Posted in Cyber Law | 1 Comment

First Objections, Next Suggestions and now change of goalpost… a conspiracy to delay PDPA?

“Person Who Knows”  (PWK)

“Nothing Personal about Data Protection Bill as JPC proposes to expand scope”… so says an article today in livemint.com

It is well known that there is a lobby of opponents to the PDPB and this media vehicle is part of such a lobby, which does not want the Personal Data Protection Bill 2019 to be passed.

The main force behind this opposition are the multinational companies who are opposed to the “Data Sovereignty” principle and any hurdles to their continued exploitation of the Indian Personal Data market. They have the power to influence not only the media but also a section of the professionals and political parties to delay the passage of the Bill as long as possible. These articles are a reflection of such public relations exercise of creating a fake narration to mould amenable public opinion the way they want.

It is interesting to observe the sophisticated strategy used by these agencies to scuttle the Bill.

We can observe that initially there was opposition to the Bill, particularly the Data Localization aspect. This was in the PDPA 2018 version. When the Government buckled under the pressure of these MNCs and allowed free exploitation of personal data in the PDPB 2019 version, this objection became redundant. Then these attackers switched to complaining about “Excessive powers to the Government” and “Constitution of DPA by a committee of Secretaries”, and even roped in the support of Justice Srikrishna himself who was unhappy that CJI was not part of the DPA selection committee.

When JPC started hearing suggestions, some organizations tried to dilute the law by tinkering with the definition of “sensitive information”. They suggested that “Financial Information” should not be considered as “Sensitive” information so that no restrictions should apply for processing of financial information including transfer out of India. The Bill did not prevent transfer but only expected “Explicit consent” for such transfer and these opponents did not want even an “Explicit consent”.

The vested interests want financial information to be freed from restrictions so that they can continue to transfer financial information of Indian citizens abroad. If restrictions are placed, then “Data Laundering” like in the case of Trans Union silently taking over CIBIL with the connivance of the Banks would not have been possible. Even now, the privatization of the NPCI is recommended so that the entire UPI gateway can be spied upon.

The hypocrisy of these agencies who oppose PDPB being passed is clear when we consider that at this point of time GDPR is pursuing a “Data Localization” policy by arm twisting the Data Exporters to obtain impossible assurances from the Data Importers of other countries to the extent that the only credible solution of EU data transfer is to set up a data center in EU itself. But these opponents do not have any objections to GDPR.

These opponents are typical “Pseudo Data Protection Proponents” who want India to give up all controls but are silent on GDPR trying to impose its colonial hegemony on India.

In this third wave of attack delaying the passing of the Bill, JPC was persuaded to listen to all business entities for their views.  Much of the precious time of the JPC was wasted on listening to business lobbying rather than how best to frame the law in comparison with GDPR or Singapore PDPA etc.

After these three waves of attack, it appears that a next wave of attacks is being planned represented by the above article in livemint.com.

If the story of livemint.com is true, it would mean that the JPC has been fully taken over by the “Delay Lobby” since the report suggests that

“The Personal Data Protection Bill is likely to undergo a complete transformation as the intent of the Bill is likely to get changed. Most of the members of JPC are of the view that the ambit of the Bill needs to be expanded and it cannot just be about personal data. JPC members are unanimous that PDP Bill should be about data and protection of data,”

This statement is attributed to a “Person in the know of development”…the mysterious and anonymous PWK.

The same person seems to also say

“JPC is unanimous in its decision that purpose of the Bill should be redefined and more clearly defined. Some members feel that earlier the Bill was a little vague and needed improvement. Now the focus is on data, not just personal but also non-personal, sensitive and critical data as well,”

It appears that these quotes are “Planted” to create confusion and continue the work of the lobby to delay the Bill and finally get it into a shape where it can be questioned in the Supreme Court as not in conformity with the Puttaswamy judgment. I do not think the JPC is “Unanimous” though it may be the view of some opposition MPs who are supporting the vested business interests. The demand to invite more and more business entities to be interrogated in the JPC is also a conspiracy to delay the JPC activity since the very objective of JPC is not to interrogate Facebook or Twitter etc. but to correct the clauses of the Bill.

The current suggestion to change the intent of the Bill is nothing but a conspiracy to get the Bill scuttled.

I suppose members of the Committee like the Chairperson Mrs Meenakshi Lekhi, Mr Tejasvi Surya, Mr Rajeev Chandrashekar and others recognize that this Bill is important for multiple reasons.

I would like to highlight that the passage of the Bill is already delayed beyond reasonable limits and the recent data breaches in Big Basket, Lupin, Dr Reddy Laboratories, Dr Lal Pathlabs or Breachcandy hospital indicate that the industry needs to be reined in as early as possible.

We should also appreciate that  it is a commitment of the Government of India to the Supreme Court that a robust privacy protection law would be passed in India at the earliest. But it is now 3 years since the Puttaswamy judgement and according to the mysterious  “PWK”, we are still not clear on what should be the focus of the Bill. He feels that this Bill should not be limited to the “Personal Data Protection” but include “Data Protection”.

Does PWK know that Information Technology Act 2000 already is a legislation that provides for “Data Protection” of both Personal and Non Personal Data and we do not need another so called “Non Personal Data Protection Act”?

Unfortunately some people are unable to understand the concept of “Anonymization” which is the wall that separates “Personal” data and “Non Personal” data and liberates the personal data from the need for protection and takes it to the realm of “Governance” where a regulation as suggested by the Kris Gopalakrishna Committee takes over to unlock the financial benefits. Many seem to confuse “Anonymization” with “De-identification” and hence feel that “Anonymous personal data” can be “De anonymized”. This concept is inherently wrong since “De-anonymisation” means a “Criminal re-discovery of identity parameters”. Just as any “Encryption” can be “Decrypted” by hackers using brute force or other methods, anonymisation may be de-anonymised but this is a crime that is required to be tackled separately and is being done in ITA 2000.

If we accept that the universe of “Data” contains “Personal Data” and “Non Personal Data” and “Non Personal Data” includes “Anonymized Personal Data”, then we have a clear role for three legislations namely PDPA for security of Personal Data, ITA 2000 for security of  Non personal data and Non Personal Data Governance Act (suggested by Kris Gopalakrishna committee) for the unlocking of financial benefits in the non personal data.

If “Non Personal Data Protection” requires to be strengthened we need to tinker with ITA 2000 and there is no need for any new Act. Even the often referred to “Cyber Security Act” is redundant and the planned objectives of such an act can be achieved through amendments to ITA 2000.

It would be interesting to know if this mysterious PWK can clarify why do we need a separate law for “Non Personal Data” related Governance or Security instead of focussing on the Personal data Protection.

The Puttaswamy judgement wanted a law on protection of “Information Privacy” and PDPB 2019, which is a follow up of PDPB 2018 (notwithstanding some differences), tries to achieve this.

If the Government now tries to convert this into a “Data Protection Bill” which is not meant to protect “Privacy” of individuals but only protect “Data”, then there is every possibility that the Supreme Court may strike down the law as not in conformity with the Puttaswamy judgement. The JPC is being led to a trap to change the focus of the law from “Personal Data Protection” to something else so that the same PWK can later argue in the Supreme Court that the Government abandoned the “Information Privacy” as suggested by the Supreme Court.

The JPC has to be careful because there is every indication that there are sympathizers to the “Delay PDPB Lobby” within the Government advisors as is evidenced by some earlier incidents.

We recall that some time back a piece of a shoddy note on “Encryption”  was issued by some official in MeitY and was subsequently withdrawn causing an embarrassment to the Government.  (An enquiry was ordered on the incident, details of which never came out).

Similarly notifications under section 69 of ITA 2000 as well as Intermediary Guidelines , the notification on Crypto currency ban, have all been issued and withdrawn as if it is a game of  one step forward and two steps backward.

There appears to be a clear conspiratorial strategy  by vested interests in creating more embarrassments to the present Government since it lacks conviction and is easily swayed by the views of these lobbies.

The livemint report is indicative of a similar attempt. From all angles the suggestion to change the focus of the Bill appears to be a “Conspiracy” to scuttle the PDPB 2019. While other countries in the world are working on how to tackle the uncertainties in business arising out of the Schrems II judgement, these suggestions are driving India back instead of moving forward.

We may now expect in the next wave of friendly suggestions that

“it is not enough to change the focus of PDPB 2019 from Personal Data to Non Personal Data but make some amendments to the constitution itself so that under Article 21 we can add Privacy as a separate fundamental right rather than relying on the 9 member Supreme Court decision.”

This can effectively postpone the bill until the next Parliamentary election and BJP gaining the necessary majority for Constitutional amendment.

The motivation behind the planting of this story with insinuations reflected in the article is indicated in the same report which suggests that JPC is likely to hold three sittings in the near future to finalize the bill. This appears to have created panic amongst the camp that wants to scuttle the bill which has prompted it to come up with this ridiculous fake plant.

I hope Mr Gyan Varma, to whom the article is credited, should reveal his anonymous source, namely the PWK, who appears to be creating this “Fake Narration”.

Alternatively, I wish the JPC Chairperson should come forward and deny the report.

We are expecting that the Bill will be presented in the Parliament in February as confirmed by Mr Ravi Shankar Prasad during the Bengaluru Tech Summit 2020 and it will be passed into law in the coming session.

Naavi

(P.S: Some corrections were made to the earlier version of this article to provide better clarity)

Posted in Cyber Law | Leave a comment

Summit within a Summit

Bengaluru Tech Summit 2020 (BTS 2020), was successfully conducted by the Karnataka Government on November 19, 20 and 21st. The summit was inaugurated by the honourable Prime Minister Mr Narendra Modi and several dignitaries from India and abroad were part of the proceedings.

The BTS 2020 had multiple tracks covering both IT and BT segments such as One Health, Innovation Corner and Knowledge Hub. The technical discussions covered Drones, Robotics, Cyber Security, Digital Learning, etc. Unfortunately, despite Data Protection being an important area which affects both the IT and BT segments and India being on the verge of passing a data protection law, there was no specific coverage of data security in the program. Both the PM and the IT minister during their speeches made reference to Data Security and the forthcoming law, underscoring the importance of the topic.

Recognizing this void and not letting the Bengaluru Tech Summit go without a discussion on Data Protection, FDPPI stepped in with its own summit, Indian Data Protection Summit 2020, holding two high powered panel discussions on each day covering different topics on Data Protection such as the law in the pipeline (PDPB 2019), the global laws such as GDPR, the professional opportunities emerging because of the new law, the challenges posed by the Schrems II judgement of the EUCJ, the innovative Data Trust Score system in the Indian law and FDPPI’s own innovation of the Personal Data Protection Standard of India.

Never in the history of India had such an elaborate public webinar been held on the subject, available free for the participants.

IDPS was covered through Six panel discussions involving more than 25 professionals participating in panel discussions structured in the following sequence.

  1. Recent Data Breach Incidents and PDPA of India
  2. PDPA of India is not a clone of GDPR
  3. The Challenge of being a DPO
  4. The enigma of cross border data transfer
  5. Data Trust Score the Indian innovation
  6. A Unified Framework for Data Protection Implementation

It was interesting to note that the  battery of experienced Data Protection Professionals who participated in the program were all members of FDPPI.

Na.Vijayashankar, anchored the entire program and added his enlightening thoughts to the discussion.

The program was highly appreciated by the participants.

During the program, FDPPI also announced their programs which included

    1. Certification of Data Protection Professionals
    2. Unified framework for multiple data protection law compliance-PDPSI (Personal Data Protection Standard of India)
    3. Launching of the Data Disputes Mediation and Arbitration Center on an Online platform
    4. Launching of an annual award for “Champion Data Protection Professional” along with “Champion Data Protection Team” and “Champion Data Protection Organization”.
    5. Launching of the Data Protection Journal of India as a quarterly journal from the next quarter

The IDPS will be repeated each year and is likely to become a flagship event in the field of Data Protection in India in the coming years.

Naavi

Posted in Cyber Law | Leave a comment

A Constitutional Crisis is being triggered by the Kerala Ordinance on Defamation

When Section 66A of ITA 2000/8 was scrapped by the Supreme Court in 2015, most people hailed the decision of the Supreme Court as a torch bearer of “Freedom of Speech”.

Naavi.org had its reservations on the scrapping since it felt that the Supreme Court had come to a wrong decision by not distinguishing between “Publishing” and “Messaging” and also for not reading down the section instead of scrapping it altogether along with the provisions related to Spamming, Cyber Stalking, Cyber Bullying, Cyber extortion, Cyber harassment etc.

The Central Government has not since then come up with an alternative to Section 66A and is only trying to work by tinkering with the Intermediary guidelines in a half hearted manner. Hence fake news and cyber defamation continue without appropriate controlling measures under ITA 2000.

The inability of the Central Government to come up with an alternative to Section 66A since 2015, when the judgement was pronounced, has now led to a situation where Kerala Government has come up with an Ordinance under the State Police Act which challenges both the Supreme Court as well as the Central Government’s powers and intentions to regulate the Cyber Space.

Section 90 of ITA 2000 states as follows:

Power of State Government to make rules

(1) The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely

(a) the electronic form in which filing, issue, grant receipt or payment shall be effected under sub-section (1) of section 6;
(b) for matters specified in sub-section (2) of section 6;

(3) Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

Since ITA 2000 was a central law, it was interpreted that under Section 90, States only have powers to frame rules for implementing the provisions of the law and not frame new laws by themselves.

However, under the argument that “Law and Order” is a state subject, some States made laws under their Police Act applicable to Cyber Cafes, Online Gaming etc. Now this trend has been extended to the Kerala Government’s Ordinance related to “Publishing of information in electronic form”.

Copy of the Kerala Ordinance

The Kerala Ordinance states as follows:

Amendment of Section 118 of Kerala Police Act 2011 (8 of 2011)

In the principal act after Section 118, the following section shall be inserted namely:

118A: Punishment for making, expressing, publishing or disseminating any matter which is threatening, abusive, humiliating or defamatory:-

Whoever makes, expresses, publishes or disseminates

through any kind of mode of communication,

any matter or subject

for threatening, abusing, humiliating or defaming a person or class of persons,

knowing it to be false and

that causes injury to the mind, reputation, or property of such person or class of persons or any other person in whom they have interest

shall on conviction, be punished with imprisonment for a term which may extend to three years or with fine which may extend to ten thousand rupees or with both.

Presently it is being interpreted that this ordinance is applicable for publications in Twitter or FaceBook or other social media.  The LDF government has reportedly said that this amendment was done to ‘control cyberbullying’.

We can look at the impact of this ordinance under two assumptions.

Firstly, the ordinance uses the term “any kind of mode of communication”.  This does not specify that “Electronic Communication” is part of the ordinance. Since legal recognition to electronic document as equivalent to paper document was provided through ITA 2000 which is a central law and Section 90 of that law restricts the powers of the police to only issue rules for implementing the law as provided there in and not introduce a new penal section with imprisonment etc., it can be argued that the ordinance may not be applicable for electronic documents.

The legislative intent of the Police Act is also to be considered as restricted to the regulation of the police activity and ideally it should refrain from passing a law carrying punishments unless that is related to the prevention of carrying out of duties of the Police as envisaged under the Act.

For example if the defamation is of a “Police Officer” and aimed at preventing him from discharging his duties, then the Police Act could be considered as having jurisdiction to make regulations.

But infringing on a Central Law meant to provide legal recognition to electronic documents and regulate crimes associated with cyber crimes, should be considered as ultra-vires the Section 90 of ITA 2000.

It is however possible that this view may not be acceptable to the majority of legal professionals who may say that “Maintenance of Law and Order” includes regulating the Cyber Activities and hence the State Government has the power to make laws of this nature.

While we do not support this view, we can continue our discussion further presuming that this is the popular and acceptable legal position.

Under this assumption, “Any Mode of Communication” used in the ordinance may be considered as inclusive of electronic mode of communication and hence the social media comes into relevance.

The clarifications given by the politicians indicate that this law is not meant to regulate the “Media” and hence it may be used only to punish “Individual Citizens” who express themselves on platforms which are not considered as “Social Media”.

A doubt that comes to the mind here is, if Twitter is a Social Media and Kerala Government does not want to apply this law to Twitter, then a contributor to the social media called Twitter may claim to be a “Social Media Journalist” and his publication becomes “Social Media Journalism”. Hence politicians are assuring that they may not be targeted.

However, since nobody believes the politicians, this assurance has no meaning.

The next point to be noted is that this section will be applicable only for postings which are “Known  to be false”. If the person posting the message does not “Know” that it is false but believes that it is “True” or it is in fact “True”, then the section is not applicable.

This means that unless there is a prima facie evidence established by the Police that the information is “false and the person is aware that it is false”, there is no cause of action under this section.

The section requires “injury to the mind, reputation, or property of such person or class of persons or any other person in whom they have interest“.

It is not clear what is meant by “in whom they have interest”. Perhaps this could be interpreted that the person to be charged should have an intention to defame a person in whose defamation there must be some interest of the person.

If we presume that Kerala Government has the power to make laws covering Cyber defamation or Cyber bullying as was the scope of Section 66A of ITA 2000, then the amendment is a direct affront to the Supreme Court in the Shreya  Singhal judgement.

If the power of the Kerala Government to bring out this law for punishing use of electronic documents as part of an expression of opinion as per the “Freedom of Speech” enshrined in the Constitution is accepted, then every State Government may make their own Section 66A and later every other section of Chapter XI of ITA 2000 and create their individual versions of ITA 2000.

This will lead to a chaotic situation and breaking the structure of the Union of India. Hence it has to be curbed at the very beginning itself.

In order to ensure that ITA 2000 remains the only law for regulating electronic documents, it is necessary for the Government to recognize that “Cyber Space” is a different jurisdiction which should not be considered as belonging to a “State”. It should be always at the Union Level . Hence Cyber Laws should belong to the Central Government. The implementation can be delegated to the local police but law making should remain with the Center.

As a further improvement, the implementing Police can also be made a “National Unit” and brought directly under the Union Government administration so that Cyber Police will be a national cadre. This will enable better expertise to be built up and resources to be shared.

If Cyber Laws are allowed to be created and implemented under local laws of the State or later under Municipalities etc., then movement of people within the country would be highly restricted since police in one state will start enforcing their writ in another state and people would not like to travel to a state at which any of their twitter posts may be found objectionable.

The way police in a state implement the law is best showcased by the Maharashtra Police under the Shivsena Government and no person will be safe in expressing any opinion which may remotely be objectionable to a politician in a rogue state.

The Kerala Ordinance should therefore be seen in this context of creating a highly objectionable precedent and hence should be scrapped forthwith.

Naavi

P.S: “Responding to the adverse views about the Ordinance, the Chief Minister of Kerala has made an announcement that the provisions of the Ordinance will not be implemented. However, the ordinance needs to be withdrawn by the Governor officially or allowed to lapse. However the principle of Cyber legislation to be in the central domain as a legislation of Cyber space needs to be pursued.”

Posted in Cyber Law | Leave a comment

Indian Data Protection Summit 2020: Day 3 of 3

The second day of IDPS 2020 was successfully concluded with two panel discussions namely one on Data Protection Officers and another on Cross Border Transfer of Data.

The  summit will conclude tomorrow with a discussion on Data Trust Score and PDPSI.

Posted in Cyber Law | Leave a comment

Indian Data Protection Summit 2020 (IDPS2020): Day 2 of 3

IDPS 2020, the three day Indian Data Protection Summit 2020 was successfully launched yesterday the 19th November 2020.

The IDPS 2020 is being held concurrently with BTS 2020 (Bengaluru Tech Summit) as a virtual summit on Zoom platform.

The program started at 2.00 pm with Naavi introducing the event along with the objectives of FDPPI. During his brief introduction Naavi highlighted the following projects of FDPPI.

    1. Certification Programs for “Certified Data Protection Professional-Module I”, “Certified Data Protection Professional-Module G”, and the forthcoming modules of Technology, Audit and Behavioural Skills.
    2. Introduction of an Implementation Framework “PDPSI” or “Personal Data Protection Standard of India” as a unified framework for implementation of multiple data protection laws in an organization.
    3. Introduction of  “Online Data Disputes Mediation and Arbitration Center” (Online DDMAC) as a platform for resolving disputes related to the data disputes between individuals and organizations as well as one organization and the other.
    4. Institution of an Integrated award on an annual basis firstly for an individual as “Champion Data Protection Professional”  in India  along with a recognition for the “Champion Team” supporting the individual and the “Champion Organization” supporting the team.
    5. Introduction of a Quarterly journal “Data Protection Journal of India” to be a helping hand for knowledge dissemination within his organization.

Naavi’s talk was followed by two panel discussions.

The First Panel discussion was on “Recent Data Breach Incidents and PDPA of India” where experts Mr Sudarshan Mandyam, Ritesh Bhatia and Dr Mahendra Limaye discussed some of the recent data breach incidents in India and introduced the proposed Indian Personal Data Protection Act of India.

The Second panel discussion followed on the theme of “PDPA of India is not a Clone of GDPR” and further explored the proposed Indian Act in comparison with the GDPR.

The program was well received.

The IDPS will continue today with two more sessions, the first session starting at 11.00 am (90 minutes) and the second at 4.00 pm (90 minutes). These sessions will discuss “The Challenges of being a DPO” and “The Enigma of Cross Border Data Transfer”.

Experts, Ms Bhimesh Karadi, Anil Chiplunkar, Satish Kumar Dwibhashi and Sameer Mathur will constitute the first panel and Rajesh Vishwanathan, Nagendra Javagal and S. P. Arya would  constitute the second panel.

We look forward to professionals attending today’s sessions in good number.

The session is free to attend and the link information is available here:

Naavi

P.S: In case you are attending the Bengaluru Tech Summit 2000, do not forget to visit our stall.

Posted in Cyber Law | Leave a comment