Starting the journey to the Neuro Rights Law and Technology

India entered the era of Cyber Laws in 2000 with ITA 2000, made a soft entry into data protection law in 2009 with the notification of the ITA 2008 amendments, and is likely to enter the field of Data Protection law proper in 2022. During these 20 years, jurisprudence in Cyber Law has been under development and has accelerated in the last few years. At present we are still assimilating the concept of “Cyber Evidence”, and moving ahead we are trying to understand the legal principles related to Artificial Intelligence, Big Data, IoT, Smart Cars, Crypto Assets, the Metaverse etc.

It would take a few more years to understand the anatomy of these technological developments and arrive at a generally acceptable interpretation for judicial purposes. The jurisprudence on such techno-legal issues has to be developed by techno-legal experts, and will in due course be reflected in judgements.

In the meantime, a new branch of human rights has emerged in the name of “Neuro Rights”. It has come as an offshoot of “Privacy Rights” and hence needs to be addressed almost immediately after the Data Protection law comes into existence.

Naavi.org will try to present different perspectives of Neuro Rights in preparation for a larger discussion in due course.

“Neuro Rights” is a branch of human rights. For the purpose of this discussion, we can define “Neuro Rights” as the body of law that regulates technological intrusions into a human being's mental faculties. It seeks to protect the “Cognitive Liberty” of an individual, i.e. the right of a person to independently and autonomously use his/her mind to engage in multiple modes of thought.

The technologies that tend to read, modify or block the functioning of the human brain and the connected nervous system (a rough parallel to the Confidentiality, Integrity and Availability principles of Information Security) are the “Neuro Technologies”; their use can alter the native ability of a subject to interpret sensory perceptions.

For example, if a tiger is in front of me and my mind is made to think and see that it is a cat, that is an intrusion into my mind to alter visual perception. Comparable perception-altering stimulation through implanted electrodes has been demonstrated experimentally in rats, and deep brain stimulation through implanted electrodes is already an FDA-approved procedure in humans for certain medical conditions. The topic has been discussed extensively and reflected in many movies, and is not far from being realized in the actual world.

In the positive sense, such technologies can make a blind person see as if he has eyes, and help in the treatment of sleep disorders, motor coordination problems, epilepsy, depression etc.

Hypnotism is already used for similar results, though the technique of hypnotism and the technology of Neuro Modulation are different; we shall try to differentiate between the two in future discussions.

We are already aware of “Cochlear Implants”, which enable persons whose inner ear problems have led to hearing loss to regain hearing. A cochlear implant is surgically implanted in the body and bypasses the damaged portion of the inner ear to directly stimulate the auditory nerve.

Similarly, there are prosthetic limbs which sense the twitching of muscles and convert it into movements of artificial fingers.

What these devices indicate is that it is technically possible to interact with the human nervous system and change sensory perceptions by inducing appropriate changes in the signals reaching the brain from the organs, or vice versa. Whether this can be done through a “Near Field Communication” device or only through a surgically implanted chip is a matter for technological developments to decide.

Is this “Ethical”?

Is this an intrusion of “Mental Privacy”?

Does this impair the “Choice” of the human subject and render our current Privacy law based on “Opt-in Consent” completely irrelevant?

…..are issues that arise in the light of these developments.

These developments in “Neuro Modulation/Modification Technologies” (NMTs) are different from medical implants that regulate heart function or insulin release. Those are IoT devices which respond to external stimuli, including Wi-Fi messages, and already pose many serious, potentially life-threatening security risks; NMTs go a step further.

Manipulation of brain activity may actually change a person into a different person, and pose a greater danger than “Artificial Intelligence”.

It is therefore necessary to consider whether we need to quickly bind technology developers to some sort of discipline, so that they do not create monsters and then escape responsibility by saying that it was just a bug in the software.

The branch of law that addresses this concern is Neuro Rights Law. It is a new field of study and an extension of Privacy Rights.

In terms of development of legal jurisprudence, it has taken 20 years since India introduced Cyber Law and Cyber Jurisprudence is still under development. We do not know how long it will take for Data Protection Jurisprudence to reach some threshold level of acceptability. But we cannot ignore that we are now entering a new era of Neuro Rights and have to develop jurisprudence for this branch of law also.

Naavi will try to place his thoughts little by little on this topic and hopefully Naavi.org will aggregate these thoughts into some useful body of knowledge.

Watch out for more articles on this topic in the days to come.

(P.S: I am aware that I am only a student in this new domain of Neuro Rights and am trying to marry legal concepts with Neuro Science and Psychology in the process, both of which are specialized areas of medical science. Just as 20 years back I tried to develop the Techno Legal jurisprudence by bringing the law and technology concepts to support each other, and later tried to bring computer technology and physics concepts together, I am trying to bring together two dissimilar disciplines by interpreting law to the way the human nervous system operates. I hope the readers of this blog will appreciate the shortcomings in such a journey and help me take the discussions from the base level to a more sophisticated level in the next few months.)

Naavi

Previous Articles

The Age of Neuro Rights Dawns in India

New Dimensions of Privacy-Mental Privacy and Neuro Privacy Rights

 

Posted in Cyber Law | Leave a comment

The Age of Neuro Rights Dawns in India

India entered the domain of Cyber Laws on 17th October 2000 with the notification of the Information Technology Act 2000 (ITA 2000). Several amendments were made to this Act in 2008, effective from 27th October 2009. These amendments gave a strong “Information Security and Data Security” posture to ITA 2000. The concepts of “Reasonable Security” and “Due Diligence” became part of the law and gave it a compliance direction.

With the concept of “Due Diligence”, the compliance goal post became a moving target with every advancement in technology and global laws. It was therefore possible for Courts to pick ideas from PDPB 2019, a bill pending in Parliament, and discuss the “Right to be forgotten” in some judgements. For the same reason, even though DPA 2021 is still a bill to be passed, it is considered a due diligence guideline to be incorporated in a company's compliance framework.

Despite the flexibility with which ITA 2000 can be interpreted for new scenarios arising out of technological advancement, there is always a demand for the law to be more specific. Hence there is a need to replace Section 43A and its notification with a whole new Act, DPA 2021. There is also a demand now for a major amendment to ITA 2000 itself to accommodate issues arising out of AI, Crypto Assets etc.

While several aspects of AI, Crypto Assets or other technological developments, including cyber crimes such as ransomware, can be handled by suitable interpretation of the current laws, there is always a preference in judicial circles for a specific legal provision that brings more uniformity of interpretation.

In this context, we can deliberate if India needs to think on “Neuro Rights Law” as a separate law or work with interpretations of ITA 2000 and DPA 2021 to meet some of the requirements related to the same.

In the DPA 2021, “psychological manipulation which impairs the autonomy of the individual” has been defined as a “Harm” and therefore the entire Act applies to any activity that could cause such a “Psychological Manipulation”. It would be interesting to see if this concept of “Psychological Manipulation” can be extended to the concept of “Neuro Rights” which primarily address manipulation of the functioning of human brains with electronic impulses.

Chile is credited to be the first Country in the world to pass a law on “Neuro Rights” in September 2021 to protect the “Mental Privacy”, free will and non-discrimination in citizens’ access to neurotechnology. The stated aim is to give personal brain data the same status as an organ, so that it cannot be bought or sold, trafficked or manipulated.

There is one view that the development of such law is a little premature since the “Neuro Manipulation Technology” (NMT) is still in its infancy.

There is no doubt that NMT has many positive applications in medical science, for the treatment of Alzheimer's disease or of impairments of hearing or vision. But the possibility of the technology becoming another “Bhasmasura” cannot be ruled out. Today the technology of Crypto Currencies is seen as a threat to our economy. AI and Humanoids may turn into rogue applications and devices, the like of which are seen in today's movies. Similarly, NMT has the potential to transform the human race into a hybrid entity, which is ethically and morally questionable.

So far, the “manipulation” recognized as a cyber crime relates to data residing inside a computer which has a recognized owner; when that data is changed without the owner's permission, it is a cyber crime. Even our Privacy law is built on the “Right of Choice”, where a person opts in to or out of a data collection and processing environment of his own free will.

The thought of adding “Psychological Manipulation” as a form of “Harm” was perhaps driven by the Cambridge Analytica experience, where a powerful coordinated messaging campaign could brainwash an audience into a chosen behaviour. Inducing a hypnotic state of mind through audio suggestions and visual imagery has been effectively tried in some games such as the “Blue Whale”. New immersive technologies like the Metaverse have made these techniques more sophisticated.

We have also developed and accepted technologies of “implants” within the body which can regulate the heartbeat or blood sugar. Essentially we are already intruding into the human body to interpret the electro-chemical changes happening in our organs and convert them into some action. Artificial limb technology has gone beyond attaching an extendable arm or leg, to responsive hands where artificial fingers can be controlled by twitches in the arm. These technologies already convert muscular impulses into signals that guide the fingers to grab or hold an object, and otherwise substitute for the normal movements of human fingers.

The new technologies that are triggering the concern for a new law on Neuro Rights are “Chips” which can be implanted in a human and which directly interact with the brain to create sensory perceptions within it. These perceptions may be gathered from sensory devices or generated otherwise.

To understand the nature of this new technology, we can look at the following example.

Let us assume that there is a computer application that requires a password for access. In the simplest case, the password is entered into the computer in plain text and sent to the secured application, which already has a copy of the password and matches the two to open the access gates.

In a somewhat better method, the application does not store the password in plain text. The plain text password is converted into a hash at the user's end and the hash is presented to the application, which matches it with the hash already in its store and grants access. (The usual practice is to salt and hash on the server side instead; the client-side variant is described here because it makes the next point clear.)

In such a hash-based authentication system, knowing the hash of the password is sufficient to gain access, since the server responds to whoever presents the right hash; the hash has itself become a password equivalent. The application cannot distinguish whether the hash was calculated in real time after the user typed the plain text password, or was replayed from a captured hash store. Such replay attacks have succeeded even when biometrics were used, though the technology has since been updated to check whether the fingerprint belongs to a living hand (liveness detection).

The fact is that access to the secured application can be gained through the input device or directly at the entrance of the secure application.
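The replay weakness described above, worked through in code. This is an added example and not part of the original post: it assumes a single hypothetical user and password, a server that stores only the SHA-256 of the password (the scheme described above), and contrasts it with a challenge-response login (HMAC over a single-use server nonce) that refuses a replayed credential. The caveat at the end is the one a practitioner needs: a stolen verifier still lets an attacker answer challenges, which is why production systems salt and hash server-side and/or use a PAKE.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential (assumption of this example: one user, one password).
USER = "alice"
PASSWORD = "correct horse battery staple"
# What the scheme in the text keeps server-side: a hash of the password, not the password.
STORE = {USER: hashlib.sha256(PASSWORD.encode()).hexdigest()}


def client_hash_only(password):
    """Client in the scheme described above: sends H(password) and nothing else."""
    return hashlib.sha256(password.encode()).hexdigest()


class HashOnlyServer:
    """Accepts whoever presents the stored hash. The hash is therefore a password equivalent:
    a captured value can be replayed and the server cannot tell replay from a fresh login."""

    def login(self, user, presented_hash):
        return hmac.compare_digest(STORE.get(user, ""), presented_hash)


class ChallengeResponseServer:
    """Fix: the server issues a fresh single-use nonce and expects HMAC(H(password), nonce).
    A captured (nonce, response) pair is useless once the nonce has been consumed."""

    def __init__(self):
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, nonce, response):
        expected_nonce = self.pending.pop(user, None)  # single use: consumed on first attempt
        if expected_nonce is None or expected_nonce != nonce:
            return False
        key = bytes.fromhex(STORE[user])
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """Client side of the challenge-response: derives the same key from the password."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def forge_with_stolen_verifier(server, user, stolen_hash_hex):
    """Caveat: challenge-response stops network replay, but the stored verifier is still
    password-equivalent. Whoever steals STORE can answer any challenge without the password."""
    nonce = server.challenge(user)
    response = hmac.new(bytes.fromhex(stolen_hash_hex), nonce.encode(), hashlib.sha256).hexdigest()
    return server.login(user, nonce, response)


def demo():
    """Runs both schemes against a replayed credential and returns the outcomes."""
    results = {}
    srv = HashOnlyServer()
    captured = client_hash_only(PASSWORD)                    # sniffed from the wire or a dumped store
    results["hash_only_first"] = srv.login(USER, captured)
    results["hash_only_replay"] = srv.login(USER, captured)  # replay accepted

    crs = ChallengeResponseServer()
    n1 = crs.challenge(USER)
    r1 = client_response(PASSWORD, n1)
    results["cr_first"] = crs.login(USER, n1, r1)
    results["cr_replay"] = crs.login(USER, n1, r1)           # nonce consumed, replay rejected
    crs.challenge(USER)                                      # a new nonce is now outstanding
    results["cr_stale"] = crs.login(USER, n1, r1)            # old pair rejected
    results["stolen_verifier"] = forge_with_stolen_verifier(crs, USER, STORE[USER])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Run directly, demo() shows the hash-only server accepting the same captured hash twice, the challenge-response server rejecting the replay and the stale pair, and the stolen verifier still working against the challenge-response server. The general lesson is the one the text draws: any credential the verifier compares by equality is password-equivalent wherever it is captured, whether on a network tap, in a dumped database, or, in the scenario this post is about, on the path between a sensor and the brain.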

The “Chip” method of access to the human brain involves an electromagnetic link through which the chip may communicate with the neurons of the brain and make it think it is seeing or hearing something which is not there in the physical world.

This sort of “Brain Signal Manipulation” makes the brain see or hear things which are not real. It is a manipulation of the free will of a person and makes the discussion of “Right of Choice” etc. completely meaningless.

The legal issues raised by NMT are different from those arising on the Metaverse, where a person has accused another of inappropriate touching of her avatar, causing mental trauma which she equated with rape in physical society. There the interaction is between two digital avatars on a digital platform, and its equivalence to an act in physical society is being debated: the victim's perception is an induced feeling of the pain of her avatar as imagined by her. It is more in the mind of the victim than otherwise, but the shame felt by the victim of a virtual rape of her avatar may be as real as the experience of a Blue Whale game player.

Philosophers may however ask what difference it makes if you see things which are not real: as long as the perception is real, it is an experience. For example, in the 3D Trick Art Museum in Dubai or a 7D hologram show, the perceptual experience may be as real as it gets. A person may be frightened enough to have a heart attack even though the snake he sees is only an image.

NMT with embedded chips goes much further than current technologies such as the 7D hologram show, because in those the perception is still captured by the normal human eye or ear and transmitted to the brain. In the embedded-chip technology the perception is created directly in the brain and is hence indistinguishable from real experience.

Once embedded chips can respond to Wi-Fi signals, or the technology advances to the point where brain-manipulating waves can be transmitted through the air, brain hacking becomes easier and could be achieved without an embedded chip and the wiring between the chip and the neural channels within the body.

In Indian law, under Section 11 of ITA 2000, an electronic record sent by an information system programmed to operate automatically is attributed to the person who so programmed it (or on whose behalf it was programmed). Hence the “Induced Experience” can be attributed to the person who caused the chip to send the specific signal which induced it.

By combining the provisions of ITA 2000 with the concept of “harm” under DPA 2021, it is therefore possible to treat “inducing mental experiences” as no different from introducing a “computer contaminant” into a computer system. Hence hacking of the human brain may be equivalent to hacking of a computer.

The analogy of the human brain as a computer is also corroborated by neuroscience. According to neuroscience, sensory perceptions travel as electrical impulses from the nerve endings through the nerves to the receptors in the brain. Thereafter the brain interprets the impulse against its memory, where similar impulses were stored earlier. The eyes, ears, nose, tongue and skin are like input devices and the mouth may be an output device. The reflex processing in the spinal cord may be compared to a RAM response. The arms, legs and other muscles are like mechanical devices that take the output from the brain and convert it into physical action.

In view of the above, “Neuro Rights” in India may be exercisable even under the current laws. However, the seed of a debate has been sown on whether a separate Neuro Rights law is required in India.

Naavi would invite thought leaders in this domain to contribute to the development of Neuro Rights Jurisprudence in India so that Judiciary can be provided with necessary guidance when required.

Naavi

Reference Article

We need to regulate mind-reading tech before it exists

A Critical perspective on Neuro Rights: Comments  regarding Ethics and law

Mind the Gap: Lessons Learned from Neurorights

New Dimensions of Privacy… Mental Privacy or Neuro Privacy Rights

Posted in Cyber Law

Shadow DPAI required for CERT-IN

The JPC for PDPB decided to include parts of Non Personal Data regulation within the provisions of DPA 2021. In the process, a situation of overlapping jurisdiction was created between ITA 2000 and DPA 2021. Earlier, with Section 43A of ITA 2000 being replaced by PDPB 2019, there was a clear distinction between “Personal Data Regulation” under PDPB 2019 and “Non Personal Data Protection” under ITA 2000, with possible “Non Personal Data Governance” under a new act as suggested by the Kris Gopalakrishnan committee report.

In a bid to avoid creating a separate Non Personal Data Governance Authority of India, the JPC decided to make the DPAI responsible for Non Personal Data as well, to the extent of breach notification. This left the door open for future regulation of “Non Personal Data Governance” also by the DPAI.

Without going into the merits of whether an authority which is “Privacy Protection Oriented” would be the right authority for “Monetization of Data”, which would be the essential part of a Non Personal Data Governance Act, we can note that the decision of the JPC has created an overlap of DPA 2021 with ITA 2000.

ITA 2000 applies to data of all kinds, personal and non-personal. To the extent DPA 2021 deals with “Reasonable Security Practices”, earlier under Section 43A, there is no overlap of provisions. DPA 2021 also does not cover the criminal offences that are covered under Chapter XI of ITA 2000/8, with one exception: its only penal section, Section 83 of DPA 2021, which relates to “unauthorized re-identification of de-identified data, thereby diminishing the value of de-identified data”, could have been covered under ITA 2000 itself by Section 43(i) read with Section 66.

Had Section 83 been removed, DPA 2021 could have remained entirely a “Section 43A supporting compliance legislation”, keeping the two legislations distinct.

Since the JPC did not factor in the existence of the statutory body CERT-In, it appears that CERT-In has decided to assert its statutory status by publishing its latest data breach notification directive of April 28, 2022.

Industry representatives have already been perturbed and have complained to the Minister that this would affect Privacy, which he has correctly defended. (Refer indianexpress here)

The recent directive asserts the statutory power of CERT-In and hence, in the author's view, cannot be challenged even after DPA 2021 is enacted.

However, a potential conflict between the DPAI and the Director General, CERT-In may arise, and both need to show statesmanship in collaborating with each other. Though CERT-In and the DPAI may resolve their differences, it is likely that industry will play one against the other for its own advantage, projecting CERT-In as “an official of MeitY” who need not be respected like a DPAI with seven august members having expertise in areas such as Law, Technology and Data Science.

To prevent the weakening of CERT-In's perceived role, MeitY and CERT-In need to strengthen its position. One suggestion in this regard is given below.

  1. An Advisory Committee should be established by a gazette notification under the chairmanship of the Director General, CERT-In.
  2. The committee shall have at least six members, consisting of experts in Cyber Law, Technology, Data Science, Data Security, National Security and grievance redressal (for example arbitration experience, or a lawyer eligible for appointment as a Judge of a High Court).
  3. The committee shall meet as often as necessary, through virtual or physical meetings, and provide its views on the various issues on which CERT-In needs to take decisions, in particular when action is to be initiated against an entity under Section 70B(7).
  4. The committee shall also recommend to CERT-In that it file a complaint with the relevant Adjudicating Officer (under Section 46 of ITA 2000) to undertake an inquiry as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003.

Under the above suggestion, CERT-In and its advisory committee would match the expertise of the DPAI in terms of experience and skills, so that any interaction between CERT-In and the DPAI takes place between two nearly equally empowered regulatory authorities.

Also, under Section 70B(7), action may be initiated by CERT-In against any entity that contravenes its directions or otherwise fails to report a data breach, by recommending prosecution; the punishment is imprisonment up to one year or a fine up to one lakh rupees, or both.

Under Section 70B it may be difficult to impose any monetary penalty on an entity as a deterrent. Such power under ITA 2000 vests only with the Adjudicating Officer, who can either take suo motu cognizance of a contravention of ITA 2000 or act on a complaint filed by any person claiming compensation for a loss suffered.

If there is a data breach, there would be some affected person who may or may not come forward to file a complaint with the Adjudicating Officer. But an Adjudicating Officer who comes to know of a contravention (which may be through a report submitted by CERT-In) can initiate an inquiry. If the inquiry finds that there has been a contravention causing wrongful loss to somebody and wrongful gain to somebody else, he can order collection of a penalty from the person responsible and hold it in trust against the claims that may arise from affected victims.

Since the notification of ITA 2000 on 17th October 2000 and the creation of Adjudicating Officers through the notification of 25th March 2003, there have not been any published reports of Adjudicating Officers imposing fines except on specific complaints preferred by complainants.

There could be some cases where the Police have sought the assistance of the Adjudicating Officer (e.g. Karnataka) and fines have been imposed on cyber cafés under Section 45 of ITA 2000 (residual penalty), which must have been appropriated by the Government as if they were penalties for a criminal offence. Such cases have not been widely reported.

Now CERT-In needs to take the responsibility of advising the relevant Adjudicating Officer (the IT Secretary of the State where the victim of a contravention resides) that there has been a data breach in his jurisdiction which warrants a suo motu inquiry and deterrent action.

It is noted that the Minister of IT, Sri Rajeev Chandrashekar, has said today that there is also an attempt to amend ITA 2000/8 and that a draft would be presented for public comments within a month. If required, the change suggested above, creating an Advisory body for the Director General, CERT-In, can be formally introduced into the Act.

It may also be noted that ITA 2000 envisaged a “Cyber Regulations Advisory Committee” under Section 88 to advise the Government on rules made under the Act. It can also be recalled that the Controller of Certifying Authorities had created one such advisory committee in the year 2000, of which the undersigned was a part, and there was also an Inter-Ministerial working group of which the undersigned was a member. These committees had a limited existence and subsequently most decisions have been taken by the executives in MeitY. Many of these decisions, including the Intermediary Guidelines of 25th February 2021, have been challenged in the courts, and inefficient handling of the Shreya Singhal petition led to Section 66A being scrapped by the Supreme Court without the replacement of the provision that the then IT Minister had promised.

The creation of the CERT-In Advisory Board would therefore give legal strength to the decisions issued by the Director General of CERT-In. It could become a “Shadow DPAI”, so that any data breach related directions for non-personal data under Section 25 of the proposed DPA 2021 can be issued by CERT-In instead of the DPAI.

Naavi

Also refer: 

CERT-In Re-issues its order of 4th January 2017

Posted in Cyber Law

DPA 2021-compliance View

A large contingent of participants from ISACA and CySi, who partnered the event, made it successful.

Following are some photographs of the event.

 

The event started with a welcome address from Captain Vijaykumar of MMA and an inaugural address by Mr Ravichandran, IRS, Commissioner of Income Tax, followed by an overview of DPA 2021 by Naavi.

Subsequently there were four panel discussions: one on legal aspects, one on technology aspects, one on professional opportunities and one on compliance frameworks.

Naavi anchored the entire day's deliberations, while experts from the industry such as Rohan K George, Geetha Jayaraman (Capgemini), Rupak Nagarajan (KPMG), R Vittal Raj, Dr Mahesh Kalyanaraman (HP) and others participated. From FDPPI, apart from Naavi, Directors Mr Ramesh Venkataraman and Nagendra Javagal, and members such as Govind Srinivasan, also participated in the discussions.

The proceedings of the symposium are available on the MMA YouTube channel at present. They may also appear on the FDPPI YouTube channel shortly.

The event was part of the National Movement of DPA 2021 awareness that FDPPI has charted out. Hopefully with the availability of other partners in other parts of the country, similar events can be repeated.

Naavi

Video Links

  1. Inaugural Session
  2. Legal Aspects of DPA 2021
  3. Technology Aspects of DPA 2021
  4. Career opportunities from DPA 2021
  5. Audit perspective of DPA 2021

Posted in Cyber Law

CERT-In Re-issues its order of 4th January 2017

On 4th January 2017, CERT-In had issued an order regarding the reporting of incidents to CERT-In.

The order has now been re-issued along with detailed instructions on other security measures applicable to all service providers, intermediaries, data centres, body corporates and Government organisations. These directions come into effect 60 days from the date of issue of the notification (28th April 2022). Refer here

Some of the requirements are as follows.

  1. Connect to the Network Time Protocol (NTP) servers of NIC or NPL, or to NTP servers traceable to them, for synchronisation of system clocks.
  2. Mandatorily report cyber incidents to CERT-In within 6 hours of noticing them, and follow any instructions provided.
  3. Designate a point of contact.
  4. Enable logs of all ICT systems and maintain them securely for a rolling period of 180 days, within the Indian jurisdiction.
  5. Maintain information on subscribers and customers hiring services for a period of 5 years, including the IPs allotted to them, e-mail address and the time stamp at the time of onboarding.
  6. Virtual asset service providers shall maintain KYC of their users as per RBI/SEBI norms.
  7. Accurate transaction records shall be maintained.

The type of incidents that need to be reported has also been expanded to include the following.

i. Targeted scanning/probing of critical networks/systems
ii. Compromise of critical systems/information
iii. Unauthorised access of IT systems/data
iv. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
v. Malicious code attacks such as spreading of virus/worm/ Trojan/Bots/ Spyware/ Ransomware/ Cryptominers
vi. Attack on servers such as Database, Mail and DNS and network devices such as Routers
vii. Identity Theft, spoofing and phishing attacks
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
ix. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
x. Attacks on Application such as E-Governance, E-Commerce etc.
xi. Data Breach
xii. Data Leak
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
xiv. Attacks or incident affecting Digital Payment systems
xv. Attacks through Malicious mobile Apps
xvi. Fake mobile Apps
xvii. Unauthorised access to social media accounts
xviii. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
xix. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
xx. Attacks or malicious/ suspicious activities affecting systems/ servers/ software/ applications related to Artificial Intelligence and Machine Learning

The incidents can be reported to CERT-In via email (incident@cert-in.org.in), Phone (1800-11-4949) and Fax (1800-11-6969).

Given the tendency of companies to resist any security measure mandated by the Government of India, we can expect a media campaign opposing the directions.

However, it is good to know that CERT-In has woken from its slumber and issued this order. We have to wait and see how seriously it will be implemented.

From the compliance point of view, CISOs need to take immediate action, as CERT-In also has quasi-judicial powers and can initiate prosecution for criminal punishment if the order is ignored.

It may be noted that data breaches of both non-personal and personal data are to be reported to CERT-In, and also to the Data Protection Authority to be set up under DPA 2021. Hopefully CERT-In will focus on post-incident security action while the Data Protection Authority focuses on punitive action on Data Fiduciaries in respect of personal data. The timely waking up of CERT-In is therefore significant. Its silence for several years had reduced the office to a mere advisory-issuing back office; this perception has to change, and this notification probably signals such a welcome change.

Naavi

Copy of PIB press release

Posted in Cyber Law

Content Disarming and Reconstruction (CDR) technology for Security

It is well recognized that behind many successful ransomware attacks on an organization there is a simple security failure: an employee opening an e-mail attachment containing malicious code. Prevention of e-mail based attacks is therefore one of the important security measures for any enterprise. Published statistics indicate that more than 70% of malicious e-mail payloads arrive as PDF and MS Office attachments.

Anti-virus software normally works by scanning a document for known virus signatures. This works for known viruses but cannot protect against zero-day attacks; an out-of-date signature database can also defeat the protection and let malicious code in.

The sandbox method, where incoming files are detonated in a controlled environment until they are cleared, may delay delivery of the files for further processing.

Considering the unacceptable level of risk that arises in a ransomware attack, there is a need to fortify the security of emails to ensure that malicious codes in incoming data is identified at source and stopped at the gateway.

CDR (Content Disarm and Reconstruction) technology, also referred to as Threat Extraction or data sanitization, deconstructs a file into its separate components (images, text, embedded objects etc.) according to the published specification for the document type. The file is then reconstructed from only the components that conform to that specification and to the configured policy, leaving out anything else; in the process, any active or executable content in the document (macros, scripts, embedded objects) is removed. The rebuilt, safe file is forwarded to the user, while the original is held in quarantine storage, to be released only if required and confirmed benign, say after a sandbox inspection.

CDR can introduce some delay in releasing a file compared with signature-based scanning, since it works on a “Zero Trust” basis and processes every file by deconstruction and reconstruction rather than passing files that merely have no known signature. But considering the risks associated with ransomware in large corporations, enterprises should tolerate some delay in the interest of security.

While CDR vendors claim reliability of the order of 99.9% in removing malware, there could be operational issues to contend with when the usability of the incoming file is curtailed: macros a business genuinely uses, fillable forms or embedded objects are stripped along with the malicious ones. The “policy setting”, which decides what component types are allowed to survive reconstruction and for which users, therefore becomes important to ensure the system remains useful.

In the market there appear to be many CDR solutions. Some, like Check Point Harmony, integrate CDR (Threat Extraction) into an existing malware security stack, while specialized CDR vendors such as odix, Glasswall Solutions, OPSWAT and Sasa Software, and network security vendors such as Fortinet, are also trying to capture the market.

Some providers offer “CDR as a Service” and cost-effective solutions for SMEs. odix from Israel is reported to be one of the solutions that SMBs may be able to afford, particularly if they work in a Microsoft environment.
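To make the deconstruct-and-rebuild process and the role of the policy concrete, here is an added example (not code from this post or from any vendor named in it) of a minimal CDR pass over a macro-enabled Word document. A .docm is an OOXML zip package; the example keeps only the parts on a positive allowlist (the “policy”), drops everything else including the VBA project, fixes up the relationship and content-type entries so the package stays valid, and demotes the main part to a plain .docx content type. The allowlist, the constructed sample document and the placeholder VBA part are assumptions of this example; a production CDR engine additionally re-parses and re-renders each surviving part (images, XML) instead of copying it through.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

# Policy (an assumption of this example): the only parts an incoming Word document may keep.
# A positive allowlist is the "policy setting" the text refers to: anything unlisted, such as
# word/vbaProject.bin, ActiveX or OLE embeddings, is dropped instead of scanned for signatures.
ALLOWED_PARTS = [
    r"^\[Content_Types\]\.xml$",
    r"^_rels/\.rels$",
    r"^word/document\.xml$",
    r"^word/styles\.xml$",
    r"^word/_rels/document\.xml\.rels$",
    r"^word/media/[^/]+\.(png|jpe?g)$",
]
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def allowed(part_name):
    return any(re.match(pattern, part_name) for pattern in ALLOWED_PARTS)

def resolve_target(source_part, target):
    """Relationship targets are relative to the source part's folder ('' for the package root)."""
    if target.startswith("/"):
        return target.lstrip("/")
    base = source_part.rsplit("/", 1)[0] + "/" if "/" in source_part else ""
    return posixpath.normpath(base + target)

def clean_rels(rels_name, data, kept):
    """Remove relationships that point at dropped parts, so the rebuilt package stays consistent."""
    source = "" if rels_name == "_rels/.rels" else rels_name.replace("_rels/", "", 1)[:-len(".rels")]
    root = ET.fromstring(data)
    for rel in list(root):
        if rel.get("TargetMode") != "External" and resolve_target(source, rel.get("Target", "")) not in kept:
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def clean_content_types(data, kept):
    """Drop entries for removed parts and demote a macro-enabled main part to a plain document."""
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag == f"{{{CT_NS}}}Override":
            if el.get("PartName", "").lstrip("/") not in kept:
                root.remove(el)
            elif el.get("ContentType") == MACRO_MAIN_CT:
                el.set("ContentType", PLAIN_MAIN_CT)
        elif el.tag == f"{{{CT_NS}}}Default" and not any(n.endswith("." + el.get("Extension", "")) for n in kept):
            root.remove(el)  # e.g. the Default for .bin once vbaProject.bin is gone
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def sanitize_docx(blob):
    """Deconstruct the OOXML zip, keep only allowlisted parts, rebuild. Returns (clean_bytes, dropped_parts)."""
    src = zipfile.ZipFile(io.BytesIO(blob))
    names = src.namelist()
    kept = {n for n in names if allowed(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in names:
            if name in kept:
                data = src.read(name)
                if name == "[Content_Types].xml":
                    data = clean_content_types(data, kept)
                elif name.endswith(".rels"):
                    data = clean_rels(name, data, kept)
                dst.writestr(name, data)
    return out.getvalue(), sorted(set(names) - kept)

def parts_of(blob):
    return sorted(zipfile.ZipFile(io.BytesIO(blob)).namelist())

def relationship_ids(blob, rels_name):
    return [r.get("Id") for r in ET.fromstring(zipfile.ZipFile(io.BytesIO(blob)).read(rels_name))]

def content_type_of(blob, part_name):
    root = ET.fromstring(zipfile.ZipFile(io.BytesIO(blob)).read("[Content_Types].xml"))
    return next((el.get("ContentType") for el in root if el.get("PartName") == "/" + part_name), None)

def build_sample_docm():
    """Constructed stand-in for an incoming .docm: the real package layout, a placeholder VBA part."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>',
        "word/styles.xml": f'<w:styles xmlns:w="{w}"/>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder OLE container standing in for a VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()
```

build_sample_docm() constructs the incoming file and sanitize_docx() returns the rebuilt package together with the list of parts it dropped, which is what a gateway would log and what a user would be shown when a macro they expected is missing. The same allowlist approach generalizes to .xlsm/.pptm (different part names) and, with a different parser, to PDF, where the equivalent step is dropping /JavaScript, /OpenAction and /Launch objects.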

It would be good if in future CDR technology becomes affordable to even individuals.

Naavi

P.S: Comments and additional information and user experiences are invited

Posted in Cyber Law