IDPS 2022 is an event in which you can participate as a speaker

FDPPI is an organization of the data protection professionals and by the data protection professionals. The organization is supported by the aggregation of activities of its members.  For practical reasons some members are designated as “Supporting Members” so that they act as divisions of FDPPI for generation of revenue through their activities. But all other members are like flesh and blood of the organization. If they are active, FDPPI is active.

This concept extends to the conduct of IDPS 2022, the flagship event of FDPPI. We would like to make this event the flagship event of the Data Protection Community in India, of which FDPPI is a part.

The event is being conducted as a 3 day virtual event on 11th, 12th and 13th November 2022, from 2.00 pm to 8.00 pm (IST), or 8.30 am GMT to 2.30 pm GMT.

During these hours on each day, the event would be live. During these 18 hours we can accommodate perhaps 6-8 keynotes and another 6-8 panel discussions. This means that we can listen to around 30-35 speakers and share their thoughts with the audience.

The canvas of discussion is “Privacy and Data Protection” and the theme is “Shape of Things to Come”. We therefore need to discuss the current laws in India and elsewhere, the technology of protecting Privacy and data, the Governance of Data for protection and monetization and many other related issues.

We are fully aware that the number of available speakers and the amount of knowledge they can contribute are much more than what we can present in 3 days. We cannot accommodate them all despite our best intentions.

We are also aware that this is a dilemma that is faced by every organizer of such programs the world over. There are too many deserving speakers who ought to be heard. But either the organizers cannot reach out to them or the speakers are not available at the required time and place for the event. This often results in losing an opportunity to hear the experts and sometimes disappointing speakers who are eager to share their knowledge.

FDPPI therefore has opened its doors for speaking opportunities during the IDPS 2022 to the community so that IDPS 2022 will be an event of the data protection professionals, by the data protection professionals and for the data protection professionals.

We therefore invite data protection professionals who would like to contribute their thoughts to the “Shape of things to come” in the domain of Privacy and Data Protection in the IDPS 2022 to send us recorded video clips preferably of less than 5 minutes. These recorded videos would be broadcast on the IDPS 2022 platform during the time 6.00 am (IST) to 12.00 noon (IST). This will ensure that the content would be available for the US-Australia time zone as an extension of the live sessions which are more suitable for the India-Gulf-EU time zones.

The video may be kindly recorded if possible with the background setting of the image provided above. Naavi would be available for checking the topic of discussion as well as for a participative recording of the views as a conversation if it is preferred.

The end objective of this exercise is to ensure that IDPS 2022 becomes an event of the community of data protection professionals.

We hope that we will also be able to showcase the professionals who would otherwise miss participation in the event. For the upcoming speakers this is an opportunity to be present on this platform.

I request all professionals to make this concept a success.

Naavi


Digital India Act-4: Online gaming

A discussion has ensued on the regulatory structure for online gaming in India. Today’s newspaper reports suggest that a confidential report has been submitted by a Government panel on regulation of online games such as Dream11, Rummy circle etc.

The focus appears to be the games which have become casinos with a large part of speculation and chance  built into the winning. As against this, “Skill games” including say the online chess playing arena will continue to represent another end of the spectrum of online games where “Skills” are more prominent than “Chance”.

The driving force for the regulation seems to be the “Taxing” of income of the game operators under GST.

The regulation will therefore try to consider how “Chance” based games do not turn into “Online betting centers and casinos”.

Mixed with these games for money, are the games like the “Blue Whale” which create social issues in the community and also have to be regulated.

To make the issue complicated, we also have the emerging “Meta Verse” where “Gaming” evolves into a more immersive interaction.

The “Crypto Currency” system where a hashing challenge determines the winner of a Bitcoin/Crypto currency is also a “Game of Chance” since no skill is involved in the winning.

If the idea is to charge GST, it will be essential to “Value” the winnings in the form of “Loyalty coupons”, “Coins”, “Cryptos” etc. and the regulation will be incomplete without such data valuation.

Most games also appear as “Mobile Apps” and may involve malicious apps that may steal data or commit other kinds of fraud.

Some games are harmful by being addictive and some are educative (crossword puzzles, hangman) or brain stimulating (sudoku, memory games).

In some instances game rewards are issued as loyalty points that can be used as currency within the game. If they cannot be converted into legacy currency or tradeable crypto currency, the rewards live within the gaming system. But if they can be encashed to legacy currency then there are other issues such as taxation, gambling etc. Many games have a monetization plan where external legacy currency can be used for buying game currency. This mixes up legacy currency with game currency and problems arising thereof need to be recognized.

In view of the above, “Gaming Regulation” does not end with just the appointment of a “regulator” but has serious implications on every aspect of Cyber Crime law and Data Protection Law.

In order to ensure that the regulation addresses only such concerns of the society that need to be regulated, there is a need to clearly define and segregate different types of gaming so that appropriate regulation may be imposed.

The definition of “Online Gaming” used in the Online Gaming (Regulation) Bill 2022, which was introduced in April 2022 and on which the panel must have deliberated before issuing a confidential report on 31st August 2022, states as under:

“Online Gaming” means games played on any electronics device including Personal Computers, Mobile Phones, Tablets and other devices;

This is a generic definition and does not address the issues that arise regarding how an online Chess game is distinguished from a Blue Whale game or a Dream11 or Rummy circle or a Crypto Currency mining game.

The bill tries to create a regulator (Online gaming commission) and issue licenses to gaming servers so that others who do not have a license can be declared illegal (Section 5 of the Bill).

It exempts hosting and other backend services provided from India for those who operate gaming outside India and protects the interests of such service providers.

The offences may be recognized as cognizable and also invoked by the intervention of the regulator.

The challenging part of the legislation is section 19 which overrides other legislations by stating:

“The provisions of this Act, shall be in addition to and not in derogation of the provisions of any other law for the time being in force and, in case of any inconsistency, the provisions of this Act shall have effect to the extent of such inconsistency.”

This requires an interplay of this legislation with ITA 2000 and also the IPC.

Details of regulation are left to the rules.

The most important part of this legislation would be

  1. Segregating different types of gaming such as Educative, Fun, monetary, harmfully addictive, etc.
  2. Ensuring that “Crypto Currency mining” comes within the definition of “Chance based gaming” requiring a license.
  3. Ensuring that game-only rewards do not get converted into legacy currencies.

A detailed debate is therefore required before this regulation comes into existence.

(Let us discuss this further. I invite comments)

Naavi

Reference:

The Online Gaming (regulation) Bill 2022

Singapore introduces online gaming regulation

Shortcomings of online gaming bill

Government panel calls for regulatory body, new law for online gaming


Is this the future of Secure E Mail system?… Creating own E Mail ecosystem in an enterprise

Functionality and Security are two dimensions of any software that need to be balanced through regulation. Internet and E Mails were created with a purpose of effective communication and hence functionality was the prime concern in the design of protocols such as TCP-IP or SMTP.

With the growing use of Internet and E Mail for business, the need for Security in these protocols has become critical. Hence the current systems need augmentation for security considerations.

One of the problems confronting the internet society is “Phishing”, where unauthorized and impersonated e-mails are used for commission of frauds. This must be addressed if we want to improve the trust in Internet communication.

Preventing misuse of E Mails requires two things, namely authentication of the origin of the E Mail and prevention of modification of the E Mail content in transit.

These two security controls are addressed through “Digital Signature” and “Encryption”.

India has adopted a PKI based system built around a central regulatory authority, namely the CCA (Controller of Certifying Authorities), granting licenses to Certifying Authorities who in turn control the Digital Certificate issue system. The Digital Certificate issue/Signature system consists of the use of accredited hashing algorithms and public-private encryption along with the creation of the key pairs, embedding them in tokens etc.

These Certifying authorities also provide the “revocation” and “Verification of Non-revocation” of digital certificates to ensure that the community can use the system with assurance.

The popular e-mail systems like G-Mail however are not designed for the use of the digital signature system and users need client side applications to use digital signatures for authentication or encryption.

When a single pair of public-private keys is used both for authentication and encryption of content, a problem is likely to arise when crime investigators require access to encrypted content through the exercise of powers under Section 69 of ITA 2000. Sharing of the private key under this circumstance will need the issue of a new digital certificate for further use by the subscriber.

Presently the solution to this problem is to issue two key pairs, with one set being used for authentication and another set used for encryption, so that when required or as a certificate issue protocol, the private key for encryption can be escrowed with the regulatory authority.

While the digital certificate issuers have enabled such “Dual Key” system, the end user applications are still not fully equipped to use such dual key systems.
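The key-separation argument above, worked through as an added example that is not from the original post or from any product it mentions. It uses textbook RSA without padding over small constructed keys built from Mersenne primes, for illustration only and unusable for real mail; all function and variable names are assumptions.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)

def encrypt(pub, msg):
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(priv, ct):
    n, d = priv
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(n, msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(n, msg), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(n, msg)

# Constructed toy keys (Mersenne primes are trivially factorable).
SIGN_KEYS = make_keypair(2**127 - 1, 2**521 - 1)  # authentication pair
ENC_KEYS = make_keypair(2**107 - 1, 2**607 - 1)   # encryption pair

def disclosure_outcome(enc_keys, sign_keys):
    """What a party holding the disclosed encryption private key can do.

    Returns (can_read_mail, can_sign_as_subscriber).
    """
    (enc_pub, enc_priv), (sign_pub, _) = enc_keys, sign_keys
    mail = b"Transfer approved (constructed sample)"
    ct = encrypt(enc_pub, mail)
    disclosed = enc_priv  # the only key handed over or escrowed
    can_read = decrypt(disclosed, ct) == mail
    fake = b"instruction the subscriber never sent (constructed)"
    can_sign = verify(sign_pub, fake, sign(disclosed, fake))
    return can_read, can_sign

def dual_key():    # separate pairs: only the encryption key is escrowed
    return disclosure_outcome(ENC_KEYS, SIGN_KEYS)

def single_key():  # one pair does both jobs, so disclosure covers both
    return disclosure_outcome(SIGN_KEYS, SIGN_KEYS)
```

With separate pairs the disclosed key opens the content but produces no valid signature; with a single pair it does both, which is why the post says a new certificate must then be issued.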

In the meantime, to overcome the shortfalls in the current e-mail communication, where the content can be intercepted and altered in transit through some forms of man-in-the-middle attack, an attempt is being made to create new Secure E Mail systems.

The undersigned came across one such system recently which is worth sharing here.

A Dubai based company with a development center in Bangalore has created an E Mail system which is considered as a “Blockchain” based application which can be used by enterprises for secure E-Mails within an enterprise eco-system.

The essence of the system is that the E Mail is encrypted with the public key of the recipients and hence remains encrypted in transit and storage. This requires the users to be onboarded onto the system and issued digital certificates and a pair of public and private keys.

If security in transit is the only concern, the digital certificates can be issued by a system even if it does not belong to the “Licensed Certifying Authorities”. If “Authentication” is also a requirement, it may be necessary for the enterprise to integrate this e-mail system with a local certification server as a sub agency of a licensed certifying authority.

One interesting feature of this system is that apart from bringing all employees of an organization into the system so that e-mails between them can be encrypted, the organization can also onboard outsiders to the extent of their interaction with the enterprise, just like the ‘Boxbe’ kind of systems which try to maintain an approved guest list of persons from whom e-mails are received.

While it is difficult to impose the “Registration of Guest” before the email is allowed entry to the recipient’s inbox in a personal communication, it may be possible in an enterprise communication, particularly between Banks and their customers or E Commerce companies and their customers.

If all Banks start using such systems, then Bank frauds using “Phishing” can be eliminated since all Bank to customer e-mails will then be handled only through the dedicated e-mail system with encryption. This could mean that the Bank may have to create e-mail space for all its customers but the volume of data transmitted will be restricted only to the Bank-Customer communication and not others.

Presently Banks do provide for in-app communication either through the mobile app or after logging into the internet banking. But the use of the designated e-mail could be a more convenient option.

If “One Designated email for one customer ID” can be extended by every bank, then even the UPI IDs can perhaps be integrated with this special e-mail ID and there could be better security in the overall process.

The system can perhaps be used even by the Government so that communication between Government servants can be encrypted.

At present the system is good for enterprise e-mail systems and maybe some integrator can create a “Regulated Anonymised E Mail System” where privacy is ensured subject to the law enforcement rights. Such a system could be a replacement of the “Proton Mail” which could be non compliant with the recent CERT-In guidelines and can only function as a “Not Legal” service.

“Regulated Anonymity” was a system suggested more than a decade back by Naavi when the concept of BlockChain or even Privacy as we know today did not exist. Perhaps the system can be tweaked to meet the current requirements through this new system created by the Bangalore company.

I urge companies to explore this solution (request for contact if required) of “Secure Enterprise E Mail” that could be one of the use cases for Block Chain technology.

(Comments welcome)

Naavi

 


If you are a Privacy Expert…

FDPPI is conducting IDPS 2022 which is a flagship event of FDPPI and an apex national event. During the three day virtual event that is taking place this year between November 11-13, about 30-40 speakers would be taking part.

We are aware that there are many more experts in the domain, not all of whom can be identified by us and invited for the program. In fact FDPPI has over 200 members, each of whom is a decorated professional and could contribute to the society with their knowledge. But we cannot accommodate all of them as speakers in this prestigious event.

However, we now have an alternative. We would like to collect both text and video messages from experts around the world and publish them as pre-recorded videos or messages during the IDPS 2022.

We therefore invite experts to contribute text or video messages by email if they have a view on Privacy and Data Protection or related areas.

Such views can be on IDPS 2022, FDPPI, some issue on Privacy, any of the data protection laws such as GDPR, CCPA, ITA 2000, PDPB 2019 or the proposed law or any other matter of relevance to the professionals working in the domain of Privacy and Data Protection.

In case the views are not to be published and are meant only for FDPPI as a confidential view point, we would respect such request and not publish them.

In case you are sending any videos, kindly keep them short, not exceeding 5 minutes. If you want to contribute pre-recorded content as a “Speaker” in the IDPS 2022, you can send a request and contribute videos of longer duration not exceeding 20 minutes.

Naavi


Be a proud sponsor in IDPS 2022

IDPS 2022 is the flagship program of FDPPI and will focus on Privacy and Data Protection in India. This is the third year of the program and it will be conducted as a virtual conference on November 11, 12 and 13, 2022.

Details of the program will be available exclusively on www.idps2022.in

There are many sponsorship opportunities available during the conference for interested persons.

Those who are interested may look through this flyer.

For more information contact naavi.


Mark your career with FDPPI Privacy and Data Protection Awards

 

One of the features of this year’s IDPS would be the awards to be provided to different categories of persons recognizing their contribution to the Privacy and Data Protection eco system in India.

(Download the flyer with all information on the awards)

Naavi
