Is this the future of Secure E Mail system?… Creating own E Mail ecosystem in an enterprise

Functionality and Security are two dimensions of any software that need to be balanced through regulation. The Internet and E Mail were created for effective communication, and hence functionality was the prime concern in the design of protocols such as TCP/IP or SMTP.

With the growing use of the Internet and E Mail for business, the need for security in these protocols has become critical. Hence the current systems need augmentation for security.

One of the problems confronting the internet society is “Phishing”, where unauthorized and impersonated e-mails are used for the commission of frauds. This must be addressed if we want to improve trust in Internet communication.

Preventing misuse of E Mails requires two things, namely authentication of the origin of the E Mail and prevention of modification of the E Mail content in transit.

These two security controls are addressed through “Digital Signature” and “Encryption”.

India has adopted a PKI based system with a central regulatory authority, namely the CCA (Controller of Certifying Authorities), granting licenses to Certifying Authorities who in turn control the Digital Certificate issue system. The Digital Certificate issue/Signature system consists of the use of accredited hashing algorithms and public-private key encryption, along with the creation of the key pairs, embedding them in tokens etc.

These Certifying authorities also provide the “revocation” and “Verification of Non-revocation” of digital certificates to ensure that the community can use the system with assurance.

The popular e-mail systems like Gmail, however, are not designed for the use of the digital signature system, and users need client side applications to use digital signatures for authentication or encryption.

When a single public-private key pair is used both for authentication and for encryption of content, a problem is likely to arise when crime investigators require access to encrypted content through the exercise of powers under Section 69 of ITA 2000. Sharing the private key in this circumstance will require the issue of a new digital certificate for further use by the subscriber.

Presently the solution to this problem is to issue two key pairs, one used for authentication and the other for encryption, so that when required, or as part of the certificate issue protocol, the private key for encryption can be escrowed with the regulatory authority.

While the digital certificate issuers have enabled such “Dual Key” system, the end user applications are still not fully equipped to use such dual key systems.

In the meantime, to overcome the shortfalls in current e-mail communication, where the content can be intercepted and altered in transit through some form of man-in-the-middle attack, attempts are being made to create new Secure E Mail systems.

The undersigned came across one such system recently which is worth sharing here.

A Dubai based company with a development center in Bangalore has created an E Mail system which is considered a “Blockchain” based application and can be used by enterprises for secure E-Mails within an enterprise eco-system.

The essence of the system is that the E Mail is encrypted with the public key of the recipient and hence remains encrypted in transit and in storage. This requires the users to be on-boarded onto the system and issued digital certificates and a key pair of public and private keys.
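As an added illustration (not code from this post or from the Bangalore company's product), the following Go program shows the “Dual Key” arrangement discussed above together with encryption to the recipient's public key: each user holds a signing key pair used only for authentication and a separate encryption key pair whose private half is the one that could be escrowed, and each mail is signed by the sender and encrypted to the recipient. The 2048-bit RSA keys, the RSA-PSS/RSA-OAEP choices, the `DualKeyUser`, `Send` and `Open` names and the sample message are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualKeyUser holds two separate RSA key pairs ("Dual Key"): SignKey only for
// authentication and never shared; EncKey only for content encryption, escrowable.
type DualKeyUser struct {
	SignKey *rsa.PrivateKey
	EncKey  *rsa.PrivateKey
}

// NewDualKeyUser generates both key pairs for one on-boarded user (2048-bit RSA assumed).
func NewDualKeyUser() (*DualKeyUser, error) {
	signKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DualKeyUser{SignKey: signKey, EncKey: encKey}, nil
}

// SecureMail is what travels and is stored: the body encrypted to the
// recipient, plus the sender's signature over the body.
type SecureMail struct {
	Ciphertext []byte
	Signature  []byte
}

// Send signs the body with the sender's signing key and encrypts it to the
// recipient's encryption public key, so it stays encrypted in transit and at
// rest. OAEP on the raw body (max 190 bytes at 2048 bits) keeps this short.
func Send(sender *DualKeyUser, recipientEncPub *rsa.PublicKey, body []byte) (*SecureMail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender.SignKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientEncPub, body, nil)
	if err != nil {
		return nil, err
	}
	return &SecureMail{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with an encryption private key (the recipient's own or an escrowed
// copy), then verifies origin and integrity with the sender's signing public key.
func Open(encPriv *rsa.PrivateKey, senderSignPub *rsa.PublicKey, m *SecureMail) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, encPriv, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key or altered ciphertext): %w", err)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(senderSignPub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed (origin or content not as claimed): %w", err)
	}
	return body, nil
}

func main() {
	bank, _ := NewDualKeyUser()
	customer, _ := NewDualKeyUser()
	m, _ := Send(bank, &customer.EncKey.PublicKey, []byte("Your October statement is ready.")) // constructed sample
	body, err := Open(customer.EncKey, &bank.SignKey.PublicKey, m)
	fmt.Printf("customer reads %q, err=%v\n", body, err)
}
```

Whoever holds an escrowed copy of the customer's encryption key can call `Open` and read the mail, but cannot produce a mail that passes the signature check as coming from the bank, which is exactly why the signing key is kept separate and never escrowed.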

If security in transit is the only concern, the digital certificates can be issued by a system even if it does not belong to the “Licensed Certifying Authorities”. If “Authentication” is also a requirement, it may be necessary for the enterprise to integrate this e-mail system with a local certification server acting as a sub agency of a licensed certifying authority.

One interesting feature of this system is that, apart from bringing all employees of an organization into the system so that e-mails between them can be encrypted, the organization can also on-board outsiders to the extent of their interaction with the enterprise, just like the ‘Boxbe’ kind of systems which try to maintain an approved guest list for persons to receive the emails.

While it is difficult to impose “Registration of Guest” before an email is allowed entry into the recipient’s inbox in personal communication, it may be possible in enterprise communication, particularly between a Bank and its customers or an E Commerce company and its customers.

If all Banks start using such systems, Bank frauds using “Phishing” can be eliminated, since all Bank to customer e-mails will then be handled only through the dedicated e-mail system with encryption. This could mean that the Bank may have to create e-mail space for all its customers, but the volume of data transmitted will be restricted to Bank-Customer communication only.

Presently Banks do provide for in-app communication either through the mobile app or after logging into the internet banking. But the use of the designated e-mail could be a more convenient option.

If “One Designated email for one customer ID” can be extended by every bank, then even the UPI IDs can perhaps be integrated with this special e-mail ID and there could be better security in the overall process.

The system can perhaps be used even by the Government so that communication between Government servants can be encrypted.

At present the system is good for enterprise e-mail systems, and maybe some integrator can create a “Regulated Anonymised E Mail System” where privacy is ensured subject to law enforcement rights. Such a system could be a replacement for “Proton Mail”, which could be non-compliant with the recent CERT-In guidelines and can only function as a “Not Legal” service.

“Regulated Anonymity” was a system suggested more than a decade back by Naavi, when the concept of BlockChain or even Privacy as we know it today did not exist. Perhaps the system can be tweaked to meet the current requirements through this new system created by the Bangalore company.

I urge companies to explore this solution (request for contact if required) for “Secure Enterprise E Mail”, which could be one of the use cases for Block Chain technology.

(Comments welcome)

Naavi

 

Posted in Cyber Law

If you are a Privacy Expert…

FDPPI is conducting IDPS 2022, which is the flagship event of FDPPI and an apex national event. During the three day virtual event, taking place this year between November 11-13, about 30-40 speakers will take part.

We are aware that there are many more experts in the domain, not all of whom can be identified by us and invited to the program. In fact FDPPI has over 200 members, each of whom is a decorated professional who could contribute to society with their knowledge. But we cannot accommodate all of them as speakers in this prestigious event.

However, we now have an alternative. We would like to collect both text and video messages from experts around the world and publish them as pre-recorded videos or messages during IDPS 2022.

We therefore invite experts to contribute text or video messages by email if they have a view on Privacy and Data Protection or related areas.

Such views can be on IDPS 2022, FDPPI, some issue on Privacy, any of the data protection laws such as GDPR, CCPA, ITA 2000, PDPB 2019 or the proposed law, or any other matter of relevance to professionals working in the domain of Privacy and Data Protection.

In case the views are not to be published and are meant only for FDPPI as a confidential viewpoint, we will respect such a request and not publish them.

In case you are sending any videos, kindly keep them short, not exceeding 5 minutes. If you want to contribute pre-recorded content as a “Speaker” at IDPS 2022, you can send a request and contribute videos of longer duration, not exceeding 20 minutes.

Naavi

Posted in Cyber Law

Be a proud sponsor in IDPS 2022

IDPS 2022 is the flagship program of FDPPI and will focus on Privacy and Data Protection in India. This is the third year of the program, and it will be conducted as a virtual conference on November 11, 12 and 13, 2022.

Details of the program will be available exclusively on www.idps2022.in

There are many sponsorship opportunities available during the conference for interested persons.

Those who are interested may look through this flyer.

For more information contact Naavi.

Posted in Cyber Law

Mark your career with FDPPI Privacy and Data Protection Awards

 

One of the features of this year’s IDPS would be the awards to be presented to different categories of persons, recognizing their contribution to the Privacy and Data Protection eco system in India.

(Download the flyer with all information on the awards)

Naavi

Posted in Cyber Law

Shape of Things to Come… 18: Cross Border Restrictions on Transfer

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.


Restrictions on cross border transfer of data are one of the most controversial aspects of data protection laws. Though PDPB 2019 was criticized for its “Data Localization” aspects, it must be stated that PDPB 2019 was a gross dilution of the provisions of PDPB 2018 in respect of Data Localization and even ignored the sectoral law of RBI. The media reports were motivated and were part of the conspiracy to dilute the restrictions.

For the record, under PDPB 2019 non-sensitive personal data could be freely transferred. Sensitive personal data could be transferred subject to a copy being held in India and explicit consent, and Critical data alone was in the restricted category.

On the other hand, GDPR imposes impossible conditions for transfer of personal data outside the EU and is a draconian legislation in this respect, forcing international data importers to contractually oppose the sovereign rights of their respective Governments. GDPR data transfer requirements to a non-adequate country cannot be complied with except with an effective pseudonymization/de-identification plan.

However, vested interests have painted PDPB 2019 as if it was restrictive, and this cannot be accepted.

As long as Data is considered an “Asset” and its value recognized, the Government has a duty to protect it from plundering like what happened in the infamous CIBIL-TRANSUNION case.

Hence it is suggested that the New Data Protection Act of India revert to the PDPB 2018 version and impose the conditions that

a) No Personal or Non Personal Data is transferred out of India except with the consent of the data principal or data owner, and

b) A copy is held in data servers within the geographical boundaries of India, and

c) Processing of Critical Data shall be undertaken and retained only within India.

This does not adversely affect any ongoing data processing activity except that there could be additional storing cost.

Though this is an unpopular decision which would be opposed by Tech Companies and the US Government, was one reason for the withdrawal of the legislation, and continues to be the Achilles' heel for MeitY as regards Data Protection legislation, it is our sincere belief that India needs to put its foot down as a sovereign country and protect its interests.


 

P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage only as the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means
15. Prevention of Data Laundering-Policybazaar data breach
16. Neuro Rights
17. Types of Consents
Posted in Cyber Law

Shape of Things to come-17: Types of Consents

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.


“Consent” is an important aspect of establishing the “Lawful basis” in Data Protection Laws. PDPB 2019 suggested that “Consent” is “Mandatory” and should meet the requirements of Section 14 of the Indian Contract Act.

Section 14 of the Indian Contract Act requires consent to be “Free” which means that there should be no “Coercion”, “Undue Influence”, “Fraud”, “Misrepresentation” or “Mistake”.

The term “Informed Consent” should be interpreted as equivalent to “Free” consent, and it has to be achieved through a properly designed “Notice”. The reason we say that the “Notice” has to be “Clear” and “Precise” and rendered in such a manner that the data subject “Understands” it is that it has to stand the test of “Free Consent”.

For the “Consent” to be legally admissible, it has to meet the requirement of the law that applies to “Authentication” of Electronic Documents. In India the law applicable to authentication of electronic documents is Sections 3 and 3A of ITA 2000 and Section 65B of the Indian Evidence Act.

While Sections 3 and 3A speak of Digital and Electronic Signatures that can be used by the Data Subject/Principal to authenticate the electronic notice, Section 65B renders a document admissible in a Court of Law if it is properly certified and hence serves the purpose of authentication through third party witnessing.

Where it is not feasible to obtain the electronic or digital signature of the executant, the document can only be a “Deemed Consent”. “Deemed Consent” is supported by some electronic evidence which will be admissible provided it is Section 65B (IEA) certified.

Hence a valid consent in Indian law in electronic form requires either an online electronic signature in the form of e-sign or collection of meta data about the transaction that can be Section 65B certified by an independent witness. The Supreme Court, in its enthusiasm to uphold Privacy, has stated that Aadhaar cannot be used for authentication by the private sector, though there is a system of “Pseudonymised Aadhaar” (Virtual Aadhaar) that could be used for authentication without adversely affecting the privacy of individuals. Unfortunately, despite the authorization to use the “Virtual Aadhaar ID” for KYC purposes in the Aadhaar Amendment Act, its use has not been universal.

Alternatively, authentication can be obtained through collection of meta data of the consent transaction and archiving it with Section 65B certification as may be necessary.

At present “Online Consents” are obtained as “Click Wrap Contracts”, where the data subject clicks on a button to “Agree” to a document which is more a “Standard form of contract”. This form of contract does not have validity in India as a “Documentary Contract”, and the industry is being misled by considering that such online acceptance is legally valid.

At the same time, the industry has not been using “Section 65B certified Archiving” to supplement its documentation of consent, which is the responsibility of the Data Fiduciary/Controller.

In this context, it is necessary for the New Data Protection Act of India to provide appropriate clarity on whether online click wrap contracts are acceptable and if so under what conditions.

Additionally, “Consent” even if authenticated can only apply to the information that the data subject provides during the collection process.

“Consent” for some information which a person is not aware of fails the test of “Meeting of Minds” which is essential for a valid contract, since what the data subject thinks he is agreeing to and what the data controller thinks he is getting consent for may be different. A Data Analytics company may be using the collected personal data and may be able to create useful “Profiles” which are “Discovered Uses” of supplied data. While we may prescribe that consent should be obtained after discovery and before the first use of the discovered personal data, the “Discovery Process” itself may be construed as “Processing for a purpose not authorized in the initial consent”.

Hence we need to distinguish “Consent” for personal data of which the data subject is aware and which he provides for a stated purpose (Shared Data Consent) from “Consent for Discovery of Personal Data”. This situation is analogous to the sale/lease of land with a consent for mining and discovery of minerals of which neither party is aware at the time of sale/lease of the land.

We therefore suggest that “Discovery Consent” has to be defined in the new law.

We have already discussed the need of “Witnessed Consent” while discussing the coverage of “Neuro Rights” and this will be another form of consent to be defined in the law.

We have also discussed the need to consider different kinds of profiles such as “Health Profile”, “Financial Profile” or “Advertising Profile” as “Sensitive personal data” and correspondingly the need to get “Explicit/Special consent” in such cases.

We have also discussed “Monetization” as a concept in law for which also a special “Monetization Consent” can be defined.

Hence we suggest that the NDPAI (New Data Protection Act of India) can define the following different types of consent as explanations under Section 11 of PDPB 2019 or elsewhere in the definitions section.

Additionally, in view of the concept of “Consent Managers” as envisaged in PDPB 2019, there will be a need to define “Consent for giving Consent” or “Authorizing another person to provide consent on behalf of the data principal”. This will also be relevant when the data principal is in a state where his contractual capacity is suspended, as in the case of Minors, Insolvent persons, mentally incapacitated persons, persons in inebriated conditions, or even those who are physically challenged.

  1. Authorization Consent (Consent to appoint an agent for disclosure of personal data which may apply to Consent Managers and Heads of families)
  2. Shared Data Consent (Similar to current practice of Free/Informed Consent applicable for data about the data subject collected directly or through an authorized third party)
  3. Profiling Consent (New thought)
  4. Monetization Consent (New thought)
  5. Witnessed Consent (New thought)
  6. Discovery Consent (New thought)

An attempt is made in the following paragraphs to define these types of consent. It may be refined suitably through further discussions.

Authorization Consent

Authorization Consent means consent provided by a data principal to an authorized agent to disclose, share, and consent to further processing of the personal data of the data principal.

Shared Data Consent

Shared Data Consent means consent provided by a data principal or his authorized agent to a Data Manager for personal data which the data provider is aware of, and for the legitimate purpose of processing and disclosed uses of data that he has been made aware of by the Data Manager and has agreed to.

Profiling Consent

Profiling Consent means consent provided by the Data Principal or his authorized agent to the Data Manager for use of the data about the data principal, whether collected directly or otherwise, for profiling of the data principal, and the conditions, if any, of the use, disposal and portability of such profiles.

Monetization Consent

Monetization Consent means consent provided by the data principal or his authorized agent to the Data Manager for use of personal data, or a profile created out of the personal data of the data principal, for generating revenue, with or without consideration being paid to the data principal.

Witnessed Consent

Witnessed Consent means consent provided by a data principal which is witnessed by independent third parties who do not have a conflicting interest in the processing of the personal data, under circumstances in which the data principal may not reasonably be expected to provide a free consent, and includes sharing of neuro data or sharing of personal data when the data principal is not in a medical condition to provide informed consent.

Discovery Consent

Discovery Consent means consent provided by the data principal or his authorized agent for a purpose of processing which is speculative in nature and could discover personally identifiable data or new uses not otherwise envisaged in the consent.


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage only as the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means
15. Prevention of Data Laundering-Policybazaar data breach
16. Neuro Rights

PS: I have received a comment from a reader stating that consent is individualistic and hence cannot be transferred.
My response is here.

Consent in PDPB was envisaged as a contract. PDPB also envisaged a role of a Consent Manager who could provide consent and exercise rights on behalf of a data principal.

Whether we call it an assignment or a contract, Consent transfers certain rights from the data subject to the data controller.

There does not seem to be any prohibition to the effect that the Right to give a consent cannot be delegated.

GDPR also accepts consent directly or indirectly in the form of a contract.

I understand why there could be a doubt.

We say the right of privacy is a right of choice. If so, the doubt is whether somebody else can exercise a choice for me.

Remember, it happens now in medical instances when relatives exercise rights for a patient who may be unconscious or a person who is insane.

Hence the possibility that X can exercise the choice for Y is not unheard of.

This is compatible with the fact that what we protect in GDPR or PDPB is not “Privacy” per-se but “Information Privacy”.

Information privacy consists of a set of personal data that is disclosed by the data subject to the data controller under a contractual document and the receiver acting as per the contract.

Hence either with a power of attorney or a similar deemed contract, the consent giving right can be transferred. This is my view.

There are other issues, such as that ITA 2000 does not permit a Power of attorney document in electronic form, and that the data fiduciary has to act beyond the contractual obligations because of the trusteeship obligations.

I am therefore suggesting the use of the term data manager instead of either data fiduciary or data controller. Also, the Data protection act may itself be considered as providing legal recognition for the transfer of rights of consent through an agent.

A similar problem was there in the Nomination aspect included in PDPB 2019.

Further, even the click wrap contract can be recognized under the Data protection act itself to override the current ITA 2000, or added as an exception in the new Digital India Act which may replace ITA 2000.

Posted in Cyber Law