Leading upto to the discussion on PDPA 2018 in the Parliament, there is an orchestrated opposition to the Data localisation aspect recommended in the PDPA 2018. However, the Face Book data breach which has reportedly compromised over 50 million accounts including about 5.6 lakh accounts of Indian customers of Face book has punctured the argument placed by those who are opposing the Data localization.
One of the strong arguments that was placed against Data localization was that Indian Data Centers are not secure enough and it will increase the attack vector etc.
Now it is proved that Data Centers in US could be as much vulnerable if not more if they were in India. The truth is whether the data center is in India or in US, the security threats are same. The security devices used, strategies used and even the hardware used are all same whether the data center is in India or in USA.
What is different is the service aspect such as continuity of service, the power cost etc which needs to be addressed. But this is not presently considered as an issue. The Manpower costs as well as the Land cost in India can be much lower than setting up of a Data Center in US or other foreign centers. Hence the cost factor is in favour of India.
What is critical for Data Security is however the “Manpower” . From the skill levels, Indians are on par with the rest of the world. Where the Indians may score over the rest is that Indian culture still respects “Ethics” much more than in the west.
Though there are elements in India which continue to corrupt the individuals, the inherent nature of Indians make it possible for Indians to raise above corruption rather than in the west where there may be a rationalization of corruption as a legitimate business practice. We have perhaps seen how in the last 4 years, Government of India has taken steps to curb corruption in India and slowly, a generation of young persons are coming up with a commitment to the national ideals which include honesty and integrity. If this is nursed properly, then the quality of Data Security Professionals in India would improve.
Thus the argument that if Data Localization is imposed through law, we will hurt the interests of the Industry is incorrect and has to be rejected outright.
We also need to recognize that what the PDPA 2018 wants is that “Sensitive Personal Data” collected in India need to be kept in India and in the case of other Personal data, only one active serving copy need to be maintained in India.
If we want the Government of India to protect our personal data, it is necessary for us to entrust it with the ability to put fences around it and this would be possible only if the law enforcement in India has an access when needed to conduct investigations when breaches occur.
On the occurrence of a data breach, a large part of the data repository becomes a “Potential Evidence” and is required to be retained. We cannot allow such data to be outside the control of the law enforcement and we cannot allow the Data Fiduciaries to remove them from access.
Now taking the Face Book incident,
a) We donot know how many Indian citizens have been affected adversely since we need to depend on Face Book for this purpose.
b) We believe as per the statement of Face Book that what has been breached is only “Access Token” related data and not other data.
c) Such data which could be normally expected to be in hashed form. But we are not sure if any plain text data has been lost.
d) We also need to know if the Access tokens lost included those which can be used in a “Store and Replay attack” on a “Face Book Banking Account” or similar critical use case scenario.
For all these questions to be answered today we are dependent on Face Book and cannot conduct an independent investigation, though CERT IN may have necessary powers under law.
There is definitely the Indian law which makes Face Book an intermediary and imposes due diligence and reasonable security obligations on Face Book and the remedies under Sections 43, 43A, 66, 72A etc of ITA 2000/8 which can be read with Section 79 and Section 85 to elicit cooperation from Face Book.
But in practice, Indian agencies will not be able to force Face Book except through a prolonged judicial grind through the High Courts and Supreme Court where the balance of favour is always with the Privacy Activists who will ensure that the Law Enforcement does not get access even to legitimate crime related evidence.
The reason that Data is not so easily accessible for the Law Enforcement since it lies else where. This makes a strong case for “Data Localization” so that if there is a data breach event, the local law enforcement authorities which in future includes the Data Protection Authority will be able to do its duty.
Now there is an opportunity for Face Book to prove that the apprehensions of the ideal situation where “Data Access” is sufficient and “Data Localization is irrelevant” does exist here, by providing access to the CERT IN to the Face book servers to conduct whatever investigations are needed to be done.
I believe that CERT IN should demand such access and ensure that the interests of the 5.6 lakh users who are reported to have been affected in the incident are protected. I also believe that the details of who all were affected and by how much is a “Potential Evidence” which may surface at some point of time in future and CERT IN may be called in to submit such evidence to Courts in India.
Already, Face Book has temporarily de-activated the “View-As” service and would perhaps delete evidence that may be present in their systems about the damage that has occurred. CERT IN has to take steps to secure the evidence in the form of what all Access Tokens were lost and what they contained etc.
We look forward to further developments in this regard.