Cost Accounting Required in Data Valuation

In computing the intrinsic value of data as an asset, the cost-based method is one of the choices that a Data Valuer needs to explore. The current market value, if available, could be the second option, while the Net Present Value of future earnings expected from the asset could be a third option.

In the cost-based approach, it is necessary to make a distinction between the “Cost of Collection of Data” and the “Cost of cleaning up data by removing unwanted collateral data”. After this “Data Preparation”, the data would be ready to be used for some purpose. The asset needs to be valued at this stage by computing the cost up to the preparation of data ready for exploitation.

One example is that a company X has a license from Twitter or LinkedIn to parse its data and extract useful data. In such cases, the cost of data is easily determined by the license fee paid to Twitter or LinkedIn. Once the gross data is so gathered, the company may use its own filters to reject some data and retain some. This retained data is the data that is useful as raw material for the company. The cost of filtering may be ascertained by the specific software used for the purpose and the manpower cost assigned to the activity. Additionally, a share of the fixed costs can also be allocated. This total cost would be the cost of data in this context.

Once data is kept in store for further use, some user department may recall the data and create value-added products (e.g., a saleable report based on the information). This would be the cost of production of the given product.

If the raw data is collected from say the website of the company X where a service is offered and customers register for the service using a web form, the cost of collection would be the cost of hosting the web form and a share of the fixed cost attributable to the maintenance of the website.

In a practical situation, companies may not be able to clearly identify the source of data and cost of its acquisition. However, in the days of data protection, it has become necessary for companies to set up an appropriate organizational structure to identify the sources of collection of data and hence it may be possible to attribute direct cost of collection.

However, this exercise of ascertaining the cost of data belongs to the domain of Cost Accounting and it will be necessary for the company to have the Cost Accountant work closely with the technology department and the DPO to arrive at a reliable cost of data.

Naavi

Posted in Cyber Law | 1 Comment

Asatoma sadgamaya…Tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…

(DVSI stands for Data Valuation Standard of India… Refer www.dvsi.in for more information)

Companies often face a dilemma over payment of ransom when their data is captured and held hostage by a ransomware attacker. The attacker fixes a certain price for the release of the decryption key and often places the data for sale on the dark web. Acer had a demand of $50 million, CNA Financial reportedly paid $40 million and Colonial Pipeline paid $4.4 million. In India itself we had a demand on Cognizant for $5 million and different smaller amounts in different companies.

It is clear that in these cases the hackers had a perception of the value of the data they had captured and the companies paid the ransom because they felt that there was an opportunity cost in refusing to pay.  Insurance companies have their own practices on dealing with such instances and some may cover the ransom as part of their policy.

Further, the dark web often quotes a price list for many kinds of data. One such laundry list is here.

When thieves set a value for the data they may target and steal, it is necessary for the organizations which have these assets to also know that they have assets which are vulnerable to be stolen.

Managements often express surprise when a ransom demand is made and wonder, “Do we have that kind of data with us?” The reason is that so far the CFOs and CEOs were never told that Data is an asset, though it does not show up on the balance sheet.

Corporate Managements need to ask themselves, if they are not representing the true value of their assets in the financial statements which they certify “This is a fair and true representation of the company’s financial position”.

If the CEO/CFO knows that the company has a data asset of Rs 5000 crore, they would not crib to appoint a DPO or CISO at the kind of remuneration they deserve, or to invest in security products or employee training, or at least to harden their operating systems, which they keep postponing.

Let’s therefore look to the future with confidence by valuing our data assets and bringing them into our balance sheets. …

Let our shareholders know what we are worth.

Let our competitors know what it would cost to take over our company.

Asatoma sadgamaya…tamasoma Jyotirgamaya…Oh DVSI, Oh DVSI…

(meaning From Ignorance, lead me to truth, from darkness, lead me to light..Oh Data Valuation Standard of India)

Naavi

(With apologies to the Rishis who gave us the Upanishad Vaakya)


Right To Forget ..in Madras High Court

After the Delhi High Court and Orissa High Court indicated that the Right to Forget can be extended to a right to remove reference to an accused in a Court Judgement, the Madras High Court has now rejected the “Right to Redact” the identity of an accused from the Judgement.

In a Judgement delivered on 3rd August 2021 by Justice N. Anand Venkatesh in the WP (MD) no 12015 of 2021, the Court rejected a request from a petitioner, Mr Karhick Theodre, who had been charged earlier for an offence and acquitted, that his name be redacted from the judgement records.

Similar consideration had come for discussion in two other cases one in Odisha High Court and another in Delhi High Court where the interim decisions were in favour of the accused and acquitted person to get his name removed from access through internet searches.

Naavi.org had observed that the decision was faulty since it interfered with a “Fact” and enabled suppression of the right to information.

The earlier Supreme Court decision regarding the victim of a rape or sexual abuse or in cases of Juveniles, to be conceded such a right does not apply to the case of an accused who may be acquitted for reasons other than being innocent.

This current judgement of the Madras High Court is well reasoned and refused such a request.

We appreciate the decision of the Court, which was assisted by the Amicus Curiae Mr Arun Anbumani. It is also notable that the hearing was conducted virtually and concluded in quick time.

Naavi


Pegasus is a malware and can be anywhere

The current controversy on Pegasus in India arises from the petitions filed by various persons who all have one thing in common: they are known to be opponents of the current Government.

Just because all the petitioners are Anti Government, we cannot presume that Government of India used Pegasus to target all its opponents.

End of the day, Pegasus is a spyware and was commercially produced and sold by a company like many other encryption, decryption software or other security software. It was designed for use by security agencies to infect mobiles and conduct surveillance of various kinds.

It is feasible that many Governments across the globe could have bought this software for legitimate intelligence use. “Intelligence” is a necessary activity of a Government and cannot be wished away. Whether it is ISI or RAW, FBI or CBI, MI6 or KGB, snooping on crime suspects is a reality. Considering the proliferation of terrorism in the world, such intelligence activity is the duty of a Government.

Whenever a terrorist activity is reported, the first thing every opposition party asks is why there is an “Intelligence Failure”. But when it comes to Pegasus, the same opposition asks, “Why there is Intelligence?”

The petition in the Supreme Court is built on a weak premise that

a) there is a possibility that the Indian Government could have officially bought Pegasus,

b) there are a few mobiles in India which have Pegasus infection and

c) few of those persons whose phones are affected are political opponents of the Government and

therefore the Indian Government is guilty of illegal surveillance… Q. E. D.

On the other hand, it is observed that

a) Petition is filed by known political opponents

b) Petitioners have a motive to run a smear campaign on the Government

c) There are many previous occasions when the same petitioners have filed irrelevant and false petitions for political gains

d) There is no evidence backing the allegation

e) Demand for investigation is based on journals which are known to be anti-India campaigners

f) The petition has come 2 years after they first surfaced and just a day before the Parliament session and was used primarily to disrupt the Parliament session.

Hence it is a fact that the petitioners have knocked at the doors of Supreme Court with unclean hands and the demand is that a fishing enquiry be ordered at the expense of the exchequer to satisfy the political opponents.

Pegasus Infection

I would like to draw the attention of the honourable Supreme Court that Pegasus is a malware. While the company which is selling the software claims that it sells it only to authorized Government agencies, there is no guarantee that these Government agencies will not use it to spy on foreigners.

In other words, a foreign Government can snoop on Indian Journalists. We are aware that there are foreign news agencies like New York Times which are reported to be scouting to recruit journalists who can run smear campaigns against the Government of India. There is a possibility that such anti-India business interests may also want to spy on Indians, both journalists and activists.

Further, any State Government including the West Bengal Government or Kerala Government could have used the spyware for its own use. Political pundits like Mr Prashant Kishore could have advised parties like Congress which have earlier used Cambridge Analytica to use Pegasus.

A few years back there was a malware called Stuxnet produced again by an Israeli agency to target Iran nuclear facilities. This malware was supposed to spread only through a USB drive since the targeted Iranian facility was an air-gapped system and not connected to the Internet. However, Stuxnet was found to have infected many systems the world over and was reported to have even affected Rare Earth Minerals near Mysore.

Malware is often developed for a certain purpose but gets out of control and spreads like the Corona virus, which could have escaped from the laboratory where it was developed as a research product. The world is struggling to hold the Chinese Government or the agencies funding the Wuhan Laboratory responsible for the Corona Virus, if not for malicious intentions, for at least negligence. But the Indian politicians are more concerned about Pegasus, indicating that their intentions are not clean.

It is said that Pegasus is a “No Click infection” and in case a person receives an incoming WhatsApp call which he does not pick up, the instrument may get infected.

The Supreme Court should ask the citizens of India how many of them have in the past few years received WhatsApp calls which either they did not pick up or, when they picked up, did not receive any response from the other end. All these phones might have been infected with Pegasus. Does it mean that all these phones were targeted by the Indian Government and are being surveilled? If so, then my phone should also come into this category.

Anti-virus companies are unable to confirm if they have a detection tool to find out whether a given phone is infected or not. Hence the Supreme Court should consider that any person who has ever received a silent WhatsApp call from an unknown person is a potential target of the Indian Government using Pegasus.

Hence Pegasus infection may be found anywhere and if all the mobiles in India are checked (If there was a method of detection), then perhaps we would know that crores of mobiles may carry the infection.

If it is not the 20 odd persons who have filed the petition, not the 1400 persons in India who might have been affected as per some reports but hundreds of thousands of persons in India many of whom are pro-Government, then where is the presumption that the Government of India targeted only political opponents?

The very presence of a large number of pro-Government or neutral persons who could have been infected by Pegasus against a relatively fewer anti Government persons who have approached the Government, makes this petition a purely speculative judicial exercise even to issue a notice.

It is incumbent on the petitioners to find some evidence that a given infection in one of the phones was actually done at the instance of the Government and the snooped data was being received and analyzed by a Government agency.

We are aware that in Delhi several operators were selling “Off the air” mobile signal catchers which were also used by private detective agencies. The petitioners need to prove that Pegasus has not been accessed by such private operators either in India or elsewhere. If “Off the air” mobile signal catchers costing Rs 1 crore plus were in the market in India a few years back, a more powerful Pegasus could be acquired by private detective agencies for several crores more since it could be marketed to the opposition political parties themselves to spy on Government supporters.

The Supreme Court therefore has to look at the pros and cons of extending this investigation. Even assuming that some evidence is presented by the petitioners and an accusing finger may be pointed at the Government, it is impossible to find clinching evidence. Even if any clinching evidence is found, it is not possible for the Court to issue an order “Prohibiting surveillance”. At best, the Court may question the process of authorization of such surveillance.

Hence this entire exercise is futile, unproductive and is a waste of time for the Court. It is just to satisfy ourselves that we value Privacy of citizens and go to any extent to fight for the right. All of us know this is not true and our politicians and businessmen are not interested in passing the Privacy law because we do not consider it a priority.

I hope the Supreme Court will also not fall prey to this political game and dismiss the petitions without wasting too much of its energies.

Naavi

Also refer: NDTV.COM

Data Protection Journal of India ..Latest issue is now available

Data has a value as everybody understands. But we need to go further in our discussion on what is the value of data, how it can be computed and how it can be brought into the balance sheet etc.

The latest issue of Data Protection Journal of India discusses these concepts along with the handling of the personal data of the deceased persons.

The journal is available free at www.dpji.in

This insane GDPR Fine on Amazon is self defeating

The Luxembourg Data Protection Authority (CNPD) has done a great disservice to the Privacy Community by administering a fine of $887 million (Rs 6582 crores) on Amazon for using customer data for advertising purposes. The fine has been revealed by Amazon in its SEC filing and requires public confirmation from CNPD. It is possible that CNPD may revise its decision since it is blatantly unrealistic and will create a huge backlash from business against the sanctity of the administrative fine system.

Details available here

The ruling appears to have been a result of a complaint filed in 2018 by a French privacy rights group La Quadrature du Net representing the interests of 10065 persons. The complaint states that “Amazon is  carrying out certain personal data concerning the persons on whose behalf the this complaint is lodged (2.2) without, however, establishing these treatments on one of the legal bases required by law (2.1), making therefore, they are unlawful (2.3).”

Amazon has rightly pointed out that there is no “Data Breach” and the fine is disproportionate to the alleged violation.

It is important to observe that while CNPD can take pride in claiming that this is a “Record” fine based on the “4% Global Turnover window” provided in the GDPR, the level of fine is unlikely to be accepted by any sane Court.

The prayer in the complaint was

“request that the following measures be imposed on the from Amazon:
• the prohibition of behavioral analysis and targeting treatments advertising described above, pursuant to Article 58,§2(f) GDPR;
• an administrative fine which, because of the massive, lasting nature and manifestly deliberate of the breach found, must be the highest possible, pursuant to Article 83(2) and (5) of the GDPR.”

It is interesting to note that Luxembourg is one of the smallest sovereign states in Europe with a population of 6,26,108 and an area of 2585 square kilometers. It is a rich country but too insignificant because it is an entity smaller than the State of Goa, with the population of some small town in India. The fine will enrich the country by about Rs 1 lakh per citizen.

It is possible that the CNPD thinks that it is upholding the privacy rights of the entire EU population and it is the torchbearer of privacy protection for the entire democratic world.

It is however necessary for such regulators to remember that “Advertising” is an essential ingredient of marketing and cannot be completely eliminated. In the course of developing targeted advertising of a commercial product, Amazon is being accused of not having a proper consent. The accusation may be partially true. But the punishment envisaged must be reformative and reasonable. The current level of fine will be considered unreasonable and will actually create sympathy for Amazon.

I hope the Indian regulatory authority when it comes into existence would be more reasonable.

It is possible that the report as it happens in most media reports is itself not completely true. It is possible that CNPD might have raised a show cause notice on Amazon on why it cannot be fined Euro 447 million and Amazon might have disclosed it as a “Risk” in its disclosure documents to SEC. In the process, Amazon could have also exaggerated the possible fine without appropriate basis.

Based on the response from Amazon, CNPD may revise the fine downwards to more reasonable levels or a Court may actually quash the order. Hence the criticism may be premature.

However the incident does raise a question on how Privacy has to look at targeted advertising as a commercial marketing tool and whether it needs to be banned completely or regulated to the extent that it is used only for positive uses for the society.

Imagine a situation where all advertising on internet is banned. Then the entire internet industry would become so expensive that people will stop using it and technological development will be seriously affected.

This was not the intention behind GDPR and we should not allow the individual regulatory authorities to redefine the objective of GDPR and convert it into a revenue generating tool for themselves at the cost of business.

Naavi
