ICO UK issues basic guidelines on Anonymization

Anonymization is an important aspect of Data Protection in India. It segregates data into two categories, namely Personal Data, to which the proposed PDPA-India will be applicable as per PDPB 2019, and Non Personal Data, which is outside this regulation. According to PDPB 2019, the DPA (Data Protection Authority), when formed, will issue the guideline for a standard of anonymization that would be acceptable under law.

It is understood that no technology is perfect and even the strongest of anonymization can be broken by hackers just as Encryption can be broken. Hacking of such nature can be made punishable but as long as hackers exist, it cannot be prevented.

Some hackers would not like to be called hackers and call themselves “Security Researchers”. As long as their intention is to find out security vulnerabilities and they work for an organization under authority to find bugs in its processes, they deserve to be called security researchers or white hackers. But the moment they turn over their findings to the dark web or use them for extortion, they become black hackers.

The standard prescribed by law can only introduce a reasonable limit for an organization to render identified personal data anonymized. If the standard is set too high, it will be disproportionate to the business needs. If it is set too low, it would not suffice.

Hence the DPA will have the task of setting the right level of difficulty for hackers, that is, determining what level of technology is sufficient for personal data to be called anonymized.

ICO-UK has now come up with a guidance note on this topic which is a good starting point to understand how anonymization is interpreted in the UK and how it is distinguished from De-Identification and Pseudonymization.

A copy of the guidance note is available here

Some key points in the guideline are as follows:

Anonymisation is the process of turning personal data into anonymous information so that an individual is not (or is no longer) identifiable.

Data protection law does not apply to truly anonymous information.

Pseudonymisation is a type of processing designed to reduce data protection risk, but not eliminate it. You should think of it as a security and risk mitigation measure, not as an anonymisation technique by itself.

It must be noted that Pseudonymization is similar to De-Identification in effect. In de-identification, all identifiers are removed as a set and substituted with one proxy ID. In Pseudonymization, each identifier is replaced with a pseudo identifier.

Both de-identified and pseudonymized personal data may be re-identified by somebody who has the mapping information. In anonymization, the mapping information is irretrievably destroyed so that even the person who anonymized it in the first place is not capable of re-identifying it without resorting to efforts which are not considered normal.
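The three schemes described above can be made concrete in code. The following Python example is added here as an illustration; it is not from the ICO guidance note or from Naavi.org. The records, field names (`name`, `email`, `phone`, `age`, `pincode`, `diagnosis`) and the generalisation parameters are constructed for the example. De-identification keeps a proxy-to-identity table; pseudonymisation replaces each identifier with a keyed HMAC pseudonym so that only the key holder can re-link; anonymisation drops identifiers with no mapping, generalises the remaining quasi-identifiers and checks that no record is left unique.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; none of these people or values are real.
RECORDS = [
    {"name": "Asha Rao", "email": "asha@example.com", "phone": "9000000001",
     "age": 34, "pincode": "560001", "diagnosis": "D1"},
    {"name": "Bharat Iyer", "email": "bharat@example.com", "phone": "9000000002",
     "age": 37, "pincode": "560002", "diagnosis": "D2"},
    {"name": "Chitra Nair", "email": "chitra@example.com", "phone": "9000000003",
     "age": 52, "pincode": "560003", "diagnosis": "D1"},
    {"name": "Dev Shah", "email": "dev@example.com", "phone": "9000000004",
     "age": 58, "pincode": "560004", "diagnosis": "D3"},
]

DIRECT_IDENTIFIERS = ("name", "email", "phone")  # removed or replaced in every scheme
QUASI_IDENTIFIERS = ("age", "pincode")           # generalised only under anonymisation


def deidentify(records):
    """De-identification: the whole set of direct identifiers is removed and
    replaced by ONE proxy ID per record. The proxy-to-identity mapping is
    retained by the controller, so whoever holds it can re-link the data."""
    mapping, out = {}, []
    for rec in records:
        proxy = "ID-" + secrets.token_hex(4)
        mapping[proxy] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"proxy_id": proxy,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, mapping


def pseudonym(key, field, value):
    """Keyed pseudonym (HMAC-SHA256) for one identifier value. The field name
    is mixed in so the same string in two fields yields different pseudonyms."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Pseudonymisation: EACH direct identifier is replaced by its own pseudonym.
    No lookup table is needed; the key alone lets an authorised party re-link."""
    return [{k: (pseudonym(key, k, v) if k in DIRECT_IDENTIFIERS else v)
             for k, v in rec.items()} for rec in records]


def relink(pseudo_records, key, field, known_value):
    """The key holder recomputes the pseudonym of a known identifier and looks
    it up. This is why pseudonymised data is still personal data under the law."""
    target = pseudonym(key, field, known_value)
    return [rec for rec in pseudo_records if rec[field] == target]


def anonymize(records, age_band=10, pincode_digits=3):
    """Anonymisation: direct identifiers are dropped with no mapping retained,
    and quasi-identifiers are generalised (age banded, pincode truncated) so
    that individuals do not stand out. Nothing returned can be reversed."""
    out = []
    for rec in records:
        lo = (rec["age"] // age_band) * age_band
        out.append({
            "age_band": f"{lo}-{lo + age_band - 1}",
            "pincode_prefix": rec["pincode"][:pincode_digits],
            "diagnosis": rec["diagnosis"],
        })
    return out


def min_group_size(anon_records, keys=("age_band", "pincode_prefix")):
    """Smallest number of records sharing the same quasi-identifier values
    (the k of k-anonymity). A value of 1 means someone is still unique."""
    return min(Counter(tuple(rec[k] for k in keys) for rec in anon_records).values())


if __name__ == "__main__":
    deid, table = deidentify(RECORDS)
    print("de-identified:", deid[0], "-> mapping kept:", table[deid[0]["proxy_id"]])

    key = secrets.token_bytes(32)  # in practice stored separately from the data
    pseudo = pseudonymize(RECORDS, key)
    print("pseudonymised:", pseudo[0])
    print("re-linked by key holder:",
          relink(pseudo, key, "email", "asha@example.com")[0]["diagnosis"])

    anon = anonymize(RECORDS)
    del key  # destroying the key and the mapping is what makes this anonymisation
    print("anonymised:", anon, "min group size:", min_group_size(anon))
```

The `min_group_size` check is the practical test behind the point made above: with ten-year age bands every record in the sample shares its quasi-identifiers with at least one other, but narrowing the bands to five years leaves every record unique, which is the state in which "anonymised" data is still re-identifiable by someone who knows a little about the individuals.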

Unauthorized re-identification of de-identified/pseudonymized information as well as anonymized information is a punishable offence under UK-GDPR, as much as it is under the Indian PDPA (proposed).

It is recognized that in some instances effective anonymization may not be possible due to the nature or context of the data, or the purpose(s) for which it is collected or used.

More guidelines are expected to be announced by the ICO in due course as additional chapters to this guideline, and it may be a good document to keep track of.

Naavi


Call 112 if you face a Cyber Crime loss in Karnataka

In a commendable move, Karnataka Police has set up a special help desk to attend to Cyber Crimes involving financial crimes.

See Report here

The Cybercrime Incident Report system, with a call center responding to calls at 112, will be an information-based Business Process Outsourcing (BPO) mechanism.

According to the Bangalore Commissioner, Mr Kamal Pant, the system will alert banks and internet services within around two hours, the golden period, to block a transaction or a social media account reported to be linked to a cyber offence.

The control room officials will soon alert the nodal officers of concerned banks and service providers. The basic purpose would be to stop further transactions because we have a two hour period to block and reverse transactions with banks. This is the basic objective.

Mr Pant has stated that this is like filing an FIR and “What we are proposing is that wherever a person is located and gets an intimation of an illegal financial transaction, then he can intimate us in real-time.”

This was a long-felt need since Banks were not addressing the reported frauds properly and were driving away the customers, who were made to shunt between multiple Police Stations. Banks have not been alert in immediately stopping the payment at the other end of the fraudulent fund transfer, and this system will now bring pressure on them to act.

Most Cyber Crimes can be frustrated if the criminal is not allowed to withdraw the money at the receiving end.

Though the Police are talking of a “Golden Hour”, with a 24-hour ATM network criminals can withdraw cash transferred in a fraud within a very short time. Often such frauds occur in the middle of the night, and hopefully this call center will work round the clock.

RBI also has to ensure that night withdrawals (say 10.00 pm to 6.00 am) are made subject to additional verification such as second-factor authentication. RBI should also classify ATMs based on their location and identify priority ATMs, such as those within Airports, which may be given some exemptions for night operation. Since entry to airports is subject to some verification, the risks are less.

What is not clear, but may already have been introduced, is whether the incident report can be converted into an FIR with the least formalities so that the complainant does not encounter any harassment.

Recently, cyber crimes are on the increase on e-commerce platforms like OLX. Both Banks and such platforms need to ensure that there are security controls to verify buyers and sellers so that frauds can be traced efficiently.

Naavi

P.S: Outside Bangalore, the MHA has set up a call center number 155260 for a similar purpose.


Twitter wants a regime change in India… How long will the Government wait to act?

Naavi.org has been flagging the Twitter Controversy as a “War Against India”. Twitter is confirming this more and more by its actions. Recently removing the verification tick of the Vice President of India as well as of many functionaries of the RSS is a needless provocation they have engaged themselves in. It is the personal experience of Naavi that Twitter has not provided the Verification despite many requests, after which I have realised that the blue tick has a political reason and I don’t qualify.

It appears Twitter is emboldened because India is behaving the way the 1962 Nehruvian Government behaved towards China. It is provoking the Government so that the politicians and those who oppose the current Government can take any counter action taken by the Government as a curb against “Freedom of Speech”, so that they can mobilize public opinion in India and abroad to bring about a regime change. There will also be a case filed with the Supreme Court to get any orders passed against Twitter struck down.

But how long will the Government remain in such a compromising mood? Or, like Lord Srikrishna waiting for Shishupala to complete 100 abuses before releasing the Sudarshana Chakra, is the Government also waiting for Twitter’s pot of sins to be full before taking action? It is a moot question.

In fact, according to rule 4(7) of the Intermediary guidelines of 25th February 2021, Twitter is required to follow the following guideline:

“The significant social media intermediary shall enable users who register for their services from India, or use their services in India, to voluntarily verify their accounts by using any appropriate mechanism, including the active Indian mobile number of such users, and where any user voluntarily verifies their account, such user shall be provided with a demonstrable and visible mark of verification, which shall be visible to all users of the service: Provided that the information received for the purpose of verification under this sub-rule shall not be used for any other purpose, unless the user expressly consents to such use.”

Twitter has not introduced any measures as required above and is instead trying to project its present “Blue Tick” verification as a verification measure that it can arbitrarily impose even if it is against the law of the land. This is clearly a confrontation that cannot be missed.

The fact that they have also ignored other aspects, such as the appointment of a compliance officer, only corroborates that Twitter wants to tease the Government of India the way Shishupala was doing in Lord Krishna’s courtyard.

The time has now come for the Indian Government to draw its Sudarshana Chakra and close the Twitter chapter in India.

Before Mr Modi started popularizing Twitter interaction, Twitter had no fan following in India. Now if Mr Modi exits Twitter, 68 million of his followers will also exit. This should be the first act of the Government of India which has no legal issue of any kind.

Secondly, the Government should use any of the sections of ITA 2000 or IPC and challenge Twitter for having assisted the commission of any offence such as “Spreading disharmony, hatred, etc” and since it does not have the defence under Section 79, block Twitter under Section 69 of ITA 2000 to prevent continuation of the offence.

Twitter can then go to the Supreme Court, where we can discuss whether the action was necessary and expedient or not.

Whatever the Court may decide, it cannot force Indians to continue to use Twitter, and the Government should give an administrative guideline to all Government agencies, including the Courts, to exit from Twitter.

Let Twitter thrive on opposition members’ support if they so want. The Government should not even respond to any comment on Twitter, nor post even after a delay. They should switch all their G2C communication to Koo and/or Tooter. In about a year’s time Koo will be good enough to be a messenger between the Government and the citizens. Twitter will fade away.

Hope our Government musters enough courage for such an action, some time today itself. We should not relent even if Twitter appears to make a tactical retreat. They will come back to hit us again in another weaker moment. We should adopt Chanakya Neeti to ensure that Twitter should be removed from its roots, from India.

Naavi


It is the Bradman Vs Sobers debate between CISOs and DPOs

Cricket followers have long debated who was the greater of Sir Don Bradman and Sir Gary Sobers. As a Batsman, Don Bradman was incomparable in the value he brought to his team. But a person like Gary Sobers, with his all-round skills as a Batsman and as a bowler who could bowl both fast and spin, exhibited an amazing skill which made him a person of high utility to any team. Cricket is a team game which can accommodate both Bradman and Sobers in one team, and the team will be richer with the contribution of both.

The corporate scenario which we now observe, with the advent of the position of a DPO (Data Protection Officer) into the corporate CxO team that consists of the CISO, CTO, CCO and the CRO besides the CEO, will now sport a similar debate. Some companies may try to create the position as a CPO instead of a DPO, or perhaps a CDPO with DPOs for different divisions, which will ease the problem of bringing in harmony between the two key players.

With the DPO being seen as the protector against the 4% penalty (calculated on global turnover) that most Data Protection Laws seem to fancy, the management would like the DPO to be involved in more top management decisions than what they would expect from the CISO.

While the CISO is presently taking responsibility for securing both the personal data and the non-personal data in the current day scenario, the DPO is snatching away the responsibility for the protection of the Personal Data. Though the volume of personal data in an organization is always less than the total data that the CISO was hitherto managing, the role of a DPO is more complex and challenging.

A DPO has to not only manage the legal issues but should also be on top of the technology. He has to be a true all-rounder and be able to manage both internal responsibilities as well as the external relationships with the regulator and the data principals.

In view of the complexities involved in the work of a DPO, a versatile player like Sobers will have to be treated with equal respect even though he may be a new entrant into a team which already has Don Bradman in it. For the CEO, having both in the team is great as long as he is able to keep both motivated enough.

For those who are today neither a Bradman nor a Sobers, but are still recognized as a leading player, the role model to follow is clear…

To be a Bradman, open the innings and come back to contribute only in the next innings, or to be a Sobers, come down the order and continue to contribute as a bowler even when the opposition is batting. A Sobers will be relevant in all four innings of a test match, while Bradman will be relevant in only two.

I suppose the argument of who you would like to be is clear… the DPO is the preferred destination for every Information security professional or Legal professional.

An opportunity to move in this direction strikes you now with the upcoming DPO training being offered by FDPPI… a 36-hour online training to accredit “Certified PDP-CMS Auditor” with the knowledge of Indian laws, foreign laws and Audit skills… Time to join without delay. (Registration closes on June 10, 2021)

Naavi

(P.S: Using the analogy to pay tributes to the two legends of the game of cricket, which has given endless hours of enjoyment to our lives… Naavi)


To All Chairpersons of Banks in India: Beware..Bitcoin lobby wants you to violate AML regulations

To

All Chairpersons
Banks in India

Dear Sirs

It has been reported in the media as if RBI has granted a new relief to the Bitcoin community by stating that “Banks should not quote the 2018 circular” for not allowing Banking transactions to Bitcoin exchanges.

The Bitcoin community is spreading the fake news that the Government is diluting its policy on Bitcoin.

To an independent observer RBI appears to have only warned the Banks that if they want to take any action in this regard, they should not quote the said circular since the Supreme Court in its wisdom held that the circular was not properly worded and had to be treated as withdrawn.

What this means is that the Banks are left to take their decision, but as their own decision. They cannot either ban or allow Crypto transactions taking shelter under RBI regulations. They will have to stand on their own legs and have to face the consequences.

We are aware that the Bitcoin community has corrupted the thinking of many and only well informed Bankers can understand that allowing a private crypto currency to function is killing the currency system in India and causing chaos in the Indian economy.

RBI is under pressure from the lobby to give as long a rope as possible so that exchanges can do some business before the doors are shut. The Supreme Court, through some strange logic, struck down the circular, though it did not otherwise declare Bitcoin legal. The Finance Ministry also wants to give as much time as possible to all the Bitcoin exchanges to push through as many transactions as possible.

All this will not alter the situation that Bitcoin along with all the private Crypto currencies represent digital black wealth and the main currency of Cyber Criminals, Cyber terrorists and enemies of the sovereign Government of India who want to undermine our currency system.

In the event any Bank falls for the propaganda of the Bitcoin lobby and considers that the RBI clarification is a licence for it to allow digital black money transactions through its branches, it will be providing assistance for money laundering: a substantial part of the trading in Bitcoins and other cryptos has at some point gone through an illegal drug trade, arms trade or other crime, and as an asset which is not a negotiable instrument, it will carry the tainted past with every further transfer. (There is no holder in due course for such assets.)

Hence Banks which allow transactions of Cryptos will be committing an offence under AML regulations.

As an ex-Banker, I request all the Bank Chairpersons to instruct their branch managers to keep their distance from Bitcoins and other cryptos.

Regards

Naavi


Non Scalability of Consent… How to overcome?

Indian PDPB2019 has made “Consent” a mandatory requirement unless it is exempted. On the other hand, GDPR considers Consent as only one of the legal bases under which personal data may be processed. The six recognized bases on which personal data can be processed under GDPR are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

On the other hand, at first glance it appears as if the Indian PDPB has tied itself up with “Non Scalable Consent” as a mandatory basis by stating under Section 11(1):

“The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.”

However, Indian PDPB has considered a broad set of cases in which consent may be exempted.

For example, exemptions can be available for:

a) Performance of the functions of the State

b) for enforcing judicial orders

c) medical emergency and medical treatment (like Vital interest in GDPR)

d) for Disaster management

e) Related to employment for recruitment, termination, assessment etc (only non-sensitive personal information)

f) Reasonable purposes (for non-sensitive personal data) in respect of legitimate interest, public interest, detection of unlawful activity, information security, whistle blowing, mergers and acquisitions, recovery of debt, Credit scoring, search engine operations etc.

From the above, it is clear that Indian PDPB 2019 has thought more in depth to provide essential exemptions which GDPR has forced Data Controllers to interpret under the “Legitimate Interest” argument.

However, apart from these exemptions, which dilute the argument that “Consent Dependency” may make it “Unscalable”, Indian PDPB 2019 has provided for “Consent Manager” and “Sandbox” arrangements which can be used on appropriate occasions, and has also made the Data Controller a “Fiduciary” so that he has a duty of care and does not merely go blindly by a consent which might have been obtained by clever misrepresentations.

Thus, though India depends on consent and rigidity in consent could cause some issues for the processors, PDPB 2019 has addressed the issue through alternative means. This is a welcome feature of the Indian law and makes it better than GDPR.

Naavi
