Naavi.org

On February 25, 2021, the Government of India notified the new rules for the Intermediaries under Section 79. The new intermediary guidelines were discussed in detail in this website . Naavi.org also suggested that a “Digital Media Compliance Guidance Center” would be activated to help the digital media comply with the requirements of the “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021” .

This notification had two parts. The first part was related to the due diligence to be practiced by intermediaries to be able to invoke the safe harbor provisions of Section 79 of ITA 2000. The second part consisted of the ethical guidelines that the digital media were expected to follow as a self regulation.

Non Compliance of the guidelines had the effect of disallowing the safe harbor provisions under Section 79 of ITA 2000 and make any digital publication liable for any offence committed with the use of a message posted in the platform.

A time has come now for the Government to show if the notification was only a paper tiger.

On the one hand, no digital media organization has come up with either a self regulatory guideline as suggested or created a self regulatory body at the industry level. The Meity/I & B ministry also has also not specifically  announced the formation of the Inter departmental committee or an “Authorized officer” for issuing the directions.

The industry has completely ignored the joint press meeting of Mr Ravi Shankar Prasad and Prakash Javdekar as if they are a no body.

Twitter has now gone a step further to declare that the tweets published by some BJP leaders are “Manipulated”. In other words, when there is an FIR registered for a similar charge, Twitter has come to a conclusion that the allegations made in the FIR are true.

It was therefore natural for the Police to summon Twitter and share with it the evidence that Twitter may have to come to a conclusion that the “Tool Kit” referred to by the tweets were “Manipulated news”. This actually is a charge of “Forgery” for which the verified tweeters can be prosecuted. 

When the Police issued the summons to Twitter, it appears that they have re-directed the Police to their US office and washed their hands off the responsibility to explain the process behind the tag “Manipulated” assigned to some of the tweets.

Twitter has also challenged the Government of India and has refused to follow the directions issued by the Government. They have not been in compliance with the February 25 guideline which require that there has to be a “Chief Compliance Officer”, “Grievance redressal officer” and a “Nodal officer ” all of whom have to be located in India. They should be able to redress the grievance within 15 days. These were expected to be done within a period of 3 months from the date of notification, which expires today. (Please refer para 4 in page 5 of the notification available here)

Since we donot see any announcement from Twitter which is classified as a “Significant Data Fiduciary”, Twitter is not in compliance of this guideline. 

Further, by resisting the notification of the Government to remove the “Manipulated” tag, Twitter has declared itself to be out of the safe harbor provision of Section 79 which states that the provisions that “intermediary shall not be liable for any third party information” in respect of any law applies only if 

 -the function of the intermediary is limited to providing access to a communication system over which information made available by third parties  is transmitted or temporarily stored;  and 

-the intermediary upon being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary expeditiously removes or disables access to that material on that resource without vitiating the evidence in any manner.

Twitter is placing its faith in the support of the opposition parties in India and trying to project itself as the “Champion of Freedom of Speech”. It fancies itself as a media that will bring about a regime change in India.

The Government on the other hand is behaving cowardly as if it has no powers under the  law of the land and trying to be sub servient to the corporate entity of Twitter which has proved to be a manipulator of political systems in different countries including USA itself.

In the given context the action of Delhi Police who were investigating the FIR against Mr Sambit Patra summoning Twitter to provide evidence in its hands was absolutely justified.

However, since Twitter is likely to manipulate any evidence which may be lying within the systems in its office in India including the personal laptops of the key officials, it is necessary for the police to seize all the computers used by the key persons in Twitter India responsible for deciding whether the “Toolkit Document” was forensically examined and found to be “Manipulated” and whether there was any other process involved in tagging the tool kit as “manipulated”.

It may be necessary to even temporarily close the Twitter office and bring in forensic investigators to do their investigations. Merely roaming around Twitter office and issuing a summons is not sufficient.

At the same time, since Twitter is not fulfilling the February 25 guidelines, it has no protection as an “Intermediary” and hence if there is any complaint from BJP that Twitter is indulging in a conspiracy to destabilize the political system in India, it has to be investigated under the appropriate sections of IPC. If there is any evidence of tampering of evidence, then they should also be charged under the relevant provisions of IPC. 

In this “Conspiracy”, the earlier tweets of “Greta Thunberg” to fuel the farmer’s unrest should also be investigated.

There is no doubt that by the time you read this article, you may find that our honourable Supreme Court might have been moved and a stay might have been obtained by Twitter for any further enquiry by the Delhi Police. Hence the issue of whether Twitter is behaving like an extra judicial authority more powerful than a Government body will be decided by the Court. Given the TRP value of this case, the Judiciary is likely to be soft on Twitter and the Government of India does not have a reasonable chance of a fair trial.

Hence Government should also think of other measures to discipline Twitter and establish the “Rule of Law” in India.

This requires that all Government agencies including Mr Modi , the PMO and ministries and ministers should immediately delete their accounts and also ask for “Porting of the data” back to them. The Government/Police have every right to ask the registration details of all relevant Twitter accounts which have posted messages in support of the “Manipulated” tag as they could be fake accounts.

If the Indian Data Protection Act was in place, Government could have asked for exercising the “Right to Forget” for all tweets of individuals connected with the Government and imposed a fine upto 4% of global turnover if they had failed to do so.

If the Government of India and its ministers etc take a stand to withdraw from Twitter, even the millions of fake accounts of the trolls of the opposition also have to withdraw since there will be no audience for their trolls.  This should be a significant enough blow to Twitter.

But it does not appear that the Government has the courage to go anywhere beyond issuing a summon. Probably they will be too happy if the Supreme Court obliges Twitter by issuing a stay on the proceedings since there will be an excuse for inaction. 

We the people of India are used to colonial powers calling shots on our lives and therefore are not uncomfortable with Twitter branding supporters of our Government as “Manipulators” and placing faith on the views of opposition members. We will therefore be comfortable to absorb this insult and our Courts would also be too happy to tag themselves “Champions of Freedom of Expression” and let Twitter kind of organizations dictate the law enforcement in India.

The question therefore is “Was the February 25 notification meant to be only a paper tiger? or was the Government serious?”. Let us hope we will get an answer today. 

Naavi

Also refer:

Should we revisit  Safe harbor principle?..rssr.in

Facebook, Twitter to be blocked in India?… Deccan Herald

We all use the term “Data is an Asset” and many companies have structured their business around data analytics. But very few companies have developed a method with which we can value the data and represent it in our disclosed financial accounts.

Whenever a data breach is reported, we speak in terms of the number of data sets lost and the nature of data lost such as whether they contain financial data, health data, credit card information, biometrics, or e-mail address or mobile number etc. But we often forget to say the financial value of data that was compromised. Also we donot know how to calculate the depreciation in the value of the data asset on account of its compromise of confidentiality or exfiltration and re-sale to another competitor.

In ransomware cases, we have a “Ransom demand” which is an indication of how much a thief is expecting as the value of the data he has stolen. When the same data is made available on the dark web, we get another value perception the data set.

When confronted with a ransom demand, many members of the Board of Directors may be surprised to know that there was actually so much of valuable data within their organization worth stealing and being bought and sold in the dark web.

For example, in the recent Air India-SITA PSS data breach, 45 lakh full data sets that contained the Name, Date of birth, Contact Information, Passport information, ticket information, frequent flyer data and credit card data (without CVV) were supposed to have been lost or compromised.

In the Jubilant Foods (Domino’s Pizza), 18 crore order information and 1 crore credit card data consisting of information such as Name, Mobile Number, E Mail address, location, payment data etc were supposed to have been lost. In the dark web these were offered for sale for Rs 4.5 crore.

According to this Forbes Article PrivacyAffairs.com created an index of the averge prices for a range of specific products in the Digital Chor bazaar called Dark Web. According to this report, a full set of data was valued at $1010, online banking log ins cost an average of $40, credit card data about $14 to 30. There was also a difference in the value of credit cards of different countries. For example US credit card data was valued at $17 while Israeli credit card data was valued at $65.

There are many data breach statistical surveys where data breaches have been valued from the perception of the loss suffered by an organization on account of the data breach. According to a detailed survey of dataprivacymanager.net,and the Ponemon data breach report the average cost per data lost was $150/-

Does this mean that the cost of 45 lakh data lost by Air India-SITA PSS was around Rs 4725 crores as per Ponemon study or around Rs 33000 crores as per Forbes report?.

There are also studies which look at the total data sets owned by companies like Facebook or Google and compare it with the market capitalization and try to arrive at a valuation of data elements owned by them.

While we may not come to an agreement on the amount over this wide range, all of us agree that there has been a loss which could be substantial.

It is time for us to therefore think of some method through which we can bring a value of data to the balance sheet of a company so that there is “Visibility” to the value of the data owned.

In every balance sheet view, the directors should recognize that there is data asset in the company worth a few thousand crores and they need to keep asking questions of the operating executives how is this asset protected and beneficially used.

Coming from the Banking background, the undersigned is used to seeing “Contra” entries in the balance sheet of Banks where “Contingent Liabilities” are represented both on the asset side and the liabilities side. In such representation we have no impact on the profit of the organization but there is a value in the balance sheet as an asset or liability that everyone can see. If a Bank has signed guarantees worth say Rs 100 crores, it is a liability that may arise at some point of time in future and hence has to be represented as a liability. But it may also never arise because the contingency may not fructify or is recoverable from the client. So a contra entry is shown as an asset.

I had once worked out an entire Broking Software architecture based on the financial principle of double entry book keeping with each stage of processing such as order booking, order execution, delivery of security etc in terms of liability and asset transactions so that the liability in progress gets reflected in the books of account.

Presently therefore I have tried to develop a methodology for valuation of data and bringing it to the books of account. The methodology tentatively called “Naavi’s Data Valuation Model” tries to suggest a method for valuing Personal data for the purpose of bringing it to the balance sheet.

Some time back the undersigned discussed the “Theory of Data” in which the difficulty of assigning ownership for “Value Addition” to data during the life cycle of its processing was discussed as “Additive value hypothesis” .  On a similar consideration the Naavi’s Data Valuation method contains some suggestions on how personal data can be valued. It is a paper under development and the first version of the same is available here.

FDPPI has constituted a Special Working Group to discuss the suggestions and the PDP Codes Committee of FDPPI will develop a code of practice that will guide organizations on a method of valuation. It may be recalled that PDPSI framework for audit of PDP-CMS  (Personal Data Protection Standard of India framework for audit of  Personal Data Protection Compliance Management System) adopts a model implementation specification that requires provision of visibility to the value of data held by an organization.

When the report is finalized it will be released for comments from the public. In the meantime, comments based on the Naavi’s initial suggestions are welcome.

While an acceptable method of absolute valuation has to come from an organization such as the ICAI, individual organizations can take their decisions on bringing out approximate representations either as contra entries in the balance sheet or as accountant’s foot note to the audit report or at least as a part of the Director’s report. PDPSI tries to drive companies towards this.

In particular, we invite the views of the Chartered Accountants and the office bearers of ICAI in this regard.

Naavi

Reference Articles:

Darkweb Price Index 2021 from PrivacyAffairs.com

Darkweb Price Index 2020 from privacyaffairs.com

What your personal identity and data are worth on the darkweb-Techrepublic.com

Best Identity Theft Protection Services of 2021 -reviews.org

You are worth $1010 on the Darkweb… prsnewswire.com.

About a month back, it was reported that Dominos India had suffered a data breach. The data appears to have now been available on dark web.

In the context of this breach we the professionals need to discuss

a) The extent of harm caused

b) The cause of data breach

c) Remedies to mitigate the damage

d) Preventive measures

The above article in livemint.com provides some details about the incident. There are many other articles in the media giving similar information.

Let’s place some brief thoughts for further discussion based on the information presently available in the media.

Data Compromised

1.Number of Data Sets compromised :

18 crore orders, 1 crore credit cards

2.Total value as sold in the Dark Web :

Rs 4.5 crore (10 bitcoin)

3.Type of data:

Full data set consisting of Name, Address, Mobile number, E Mail address, Geo location at the time of order as well as payment related data which may include credit card data. Whether the credit card data was masked and whether CVV data was also compromised is not yet known.

4. Possible Harm

Th email address and Spam can be used for spamming, further phishing, resetting of passwords in Bank accounts etc. Credit card information may be used for cloning of cards. Geo location can be used for further spying. The identity theft may be used for many other offences also. In case CVV has been stored and also compromised there is a need for all users to replace their cards.

The potential harm is of financial loss, reputation loss, harassment, stalking, bullying etc.

It appears that the data breach was discovered in April when perhaps the hackers demanded the ransom. It is not known whether the ransom was paid or rejected. But now the data appears to have been put up for sale for a price of 10 bitcoins.

There is no information on reporting of the data breach either to CERT-In or to the data subjects.

The organization admits the data breach but says that the customer’s financial data is safe.

As per one report  ,the data was taken from the internal files of the company between 2015 and 2021. If so, it could be an employee hack which went undetected for a long time due to the gross negligence of the security system. Jubilant Food works which is the Indian listed company responsible for the security of this data has not yet disclosed the breach information on its website.

JFL website also reports that it won a Golden Peacock award in FY 16 which included “Risk Management”. Probably the “Risk” here referred to food related risks. It would be interesting to see if the award providing agency provides any clarifications.

The independent directors of the Company need to also come out with their view on the cause of the data breach, its impact, the remedial measures to be taken etc.

The company needs to now budget the cost of providing a “Identity theft Protection” to the 18 crore affected data principals. They can thank their stars that there is no DPA to breath down their neck. The CERT In is a more accommodating regulator and could be satisfied with the press statements that “No adverse impact has been there on the customers”.

Surprisingly the stock market has not reacted to the possible consequences of the breach in financial terms. The company has to come out with its annual report and being a listed company the listing requirements mandate that the CFO and the CEO disclose the financial impact of the breach in the balance sheet.  The Stock markets also should expect a report.

In the event Jubilant has paid ransom in the form of Bitcoins, it would be necessary to account the source of the payment made for the purchase of Bitcoins and since the Bitcoin transfer would have happened through one of the Indian Bitcoin exchanges , the top Bitcoin Exchange companies in India need to be subjected to transaction audit to identify the destination of the bitcoin payments.

Since most of the Bitcoin lobbyists claim that they are law abiding and Bitcoin is not a currency of criminals, they should be cooperating the Police in investigating if any ransom was paid and if so how.

It is also time for Cyber Insurance companies such as Tata AIG to structure a policy for “Protection of Identity theft consequences of customers of a Company which suffers a data breach”.

Naavi’s Ujvala Consultants has a policy incorporated in its model data breach management policy that “The possibility of obtaining a cyber insurance to cover the risks of the affected data principals shall be explored”.

I urge organizations like FDPPI to develop in their code of practice for handling data breach incidents which includes purchase of a Cyber Insurance policy to protect the affected customers.

Let’s watch further developments.

Naavi

Air India has made an announcement that it’s Passenger Service System was attacked and personal data of about 45 lakh data subjects have been compromised. The leaked data elements include Name, Data of Birth, Contact Information, Passport information, ticket information, frequent flyer data and also some credit card data (without CVV).

There is no doubt that the leaked data contains sensitive personal information (Section 43A of ITA 2000) and could cause significant harm to the individuals.

It is not clear what has happened to the leaked data. There is no information on any ransom demand. We may however  presume that it is available on the dark web.

The data breach might have occurred in the systems of the “Data Processor” which is SITA PSS and Air India is the Data Fiduciary for the data.

More details

Indian Express  :: NDTV

Is it an attack to Scuttle Disinvestment?

There is an observation by some professionals that this could be a sabotage connected with scuttling the disinvestment plan. The fact that hackers did not resort to extortion but simply leaked the information gives credence to this conspiracy theory.

Going by the recent developments related to  “Tool kit politics” of the political parties  it is possible that such political forces may be behind the attack. The motive here is to bring disrepute to anything the Government proposes to do irrespective of whether it is beneficial to the country or not.

China which is suspected to be behind a Bio-Warfare causing the Covid crisis in India  is also a suspect since China is an eternal enemy state for India.

Additionally, all those parties who had a stake in scuttling the disinvestment plan should be considered as potential suspects.

The Air India breach should therefore be investigated by CBI to check if there is any involvement of the Toolkit gang or others.

Has it been a blessing in disguise?

It may be the expectation of the attackers that the reputation loss caused by this data breach may significantly reduce the value of the enterprise.

But it is obvious that during the valuation of the organization for the purpose of disinvestment, normally the accountants take the value of land, building, aircrafts and other equipment as the main assets. Probably they could take the net present value of future estimated profits, less accumulated losses etc.

However, it is highly unlikely that the valuers considered the availability of personal data asset including the 45 lakh data sets now revealed. Probably Air India must be having more than 45 lakh data sets in its custody.  This had been valued at Zero value so far.

But now suddenly it is a discovery that the company has 45 lakh data sets and there is a huge value attached to it.

What is the value of Data that has been breached?

It is interesting to observe that the PDPSI (Personal Data Protection Standard of India) adopted by FDPPI for PDP-CMS audits includes an implementation specification (IS 6) which states as follows.

6.Data Valuation and Accounting

The organization shall adopt a policy of assigning a financial value to the inventory of data and provide visibility to the data asset in the books of account.

The value of data may be brought into the books based on a scientific valuation method or on a provisional basis and reported as a special reserve or as a Contra entry (both an asset and liability separately)

The Visibility of the valuation of data as an asset shall be extended to both personal and non-personal data.

At present no organization provides for such valuation but it is time professionals start thinking in this direction.

The Institute of Chartered Accountants need to develop an appropriate valuation methodology for the purpose, though the PDPSI requirement would be satisfied by a contra entry and not dependent on specific valuation methodology.

The advantage of bringing the value of personal data to the books of account is to provide the visibility. Had Air India  adopted this process, then the management would have realized that they are sitting on a “Data Gold Mine” which could have increased the valuation of the organization.

Even now, there is  time for Air India to assign a value to the data which is in its possession which can be updated, and though it no longer remains confidential, it is worth at least its shared value.

The valuation may have to take into account

a) Number of data sets

b) Sensitivity of the data

c) Net Present Value of the data adjusted for time based erosion

d) Real or Opportunity cost of acquisition

Since each of the 45 lakh data sets which have been leaked (and discovered)  contains some credit card data also, the value of each data set in the dark web may be estimated to be around $ 1000 each.(Refer Forbes Article)

This means that the value of the 45 lakh data sets is around Rs 31500 crores.

This valuation is a rough indication based on the following article in Forbes. We may debate how much of this data value is diluted since it is available to the hackers either in full or in part. But still the disinvestment value of Air India appears to have increased with this revelation.

But thanks to the discovery, Air India can now modify its valuation upwards.

Simultaneously, it may evaluate the cost of mitigation of the data breach risk and deduct it from its current profit.

Mitigation of the Data Breach Risk

In the meantime professionals can look at other aspects of how a “Data Breach Report” should be prepared by Air India, whether the individuals should be notified etc.

One point of  suggestion  towards mitigation is that  Air India should take a “Group Cyber Insurance Policy” covering liabilities that may arise from ” any loss that may occur to the affected data principals attributable to this leak for a period of say one year”. The cost of such a policy has to be separately negotiated and Air India can call for a tender from the Cyber Insurance agencies. These agencies may make their own assessment of the risk of claims arising in the next one year attributable to this particular data breach and underwrite the risk.

Speaking of the data leak itself, it is possible that  the data was unencrypted in storage or there was an insider assistance in the hack. If it is encrypted and the decryption key was not available to the hackers, the loss is not significant.

The data is supposed to have been collected over a period of around 10 years and many of the credit cards would have expired.

This would affect both the valuation of data, the valuation of the risk and the Cyber Insurance Premium.

I invite PDPSI professionals to come up with their views on this breach, the valuation of data and the impact on the disinvestment.

Naavi

Indian Constitution was framed with a purpose of guiding the legislature on how to Govern this country under certain principles. During the years of Congress rule especially under Mrs India Gandhi, constitution was toyed around with amendments many of them changing the basic structure of the constitution.

Today Indian Constitution does not place “Equality” as the cardinal principle. There is the concept of “Privileges” for one reason or the other, some times in the guise of correcting the long time discrimination, real or imaginary. Many of these privileges outlived their necessity and became the tools of “Voter appeasement”. Even the basic of the basic structure was changed with the introduction of the “Secular” concept which was not in the Constitution earlier.

The reservations and religious appeasements were born out of this disrespect to the cardinal principles of our constitution.

After the famous Kesavananda Bharti case, a principle was introduced that the Parliament can make any amendment but not change the basic structure of the constitution. But the interpretation of whether some thing affects the basic structure or not remained with the Supreme Court. In other words, the wisdom of the constitutional bench of the Supreme Court was more powerful than the Constitution.

For some time people thought that Indian democracy had legislature as one part and Judiciary as another part. The Executive and Press were considered other pillars of democracy.

However, at present, Supreme Court has become the ultimate interpreter of the constitution and even of 75% of the elected parliamentarians decide on a change, the Supreme Court can shoot it down. The elected representatives themselves can get into the legislature because they would have a consolidated voter base of one religion or caste.

The Press has long abdicated its role as a pillar of democracy. Executive is more comfortable with a corrupt political system since they can wield reflected power and enrich themselves.

Indian Democracy today runs on just one pillar and that is Supreme Court. The cabinet, the Ministries or the Loksabha or the Rajyasabha are only subordinate institutions who can propose but it is only the Supreme Court which disposes. This is not a healthy situation for any democracy as it upsets the delicate balance that needs to be maintained.

Quite often we feel that Supreme Court itself is over reaching itself with the executive decisions and has been swayed by political and financial corruption.

A time has therefore come to review the way Supreme Court interacts with the Executive and the Legislature.

Advocate Mathew Nedumpara has been the only person in the country who has the courage and the conviction as well as the expertise to question the Judiciary and make them think in the right direction.

Though the Judiciary has treated him with disdain, he has gone about his duty to the nation with undiminished commitment.

Presently the National Lawyer’s Campaign for Judicial transparency and Reforms, which is led by him has filed a petition at the High Court of Bombay questioning several practices that the Courts have adopted in the yester years particularly with respect to the selection of Judges.

(Copy of the draft petition is available here)

Today there is a petition with the Supreme Court questioning the constitution of the Election Commission. There are State Governments where Chief Ministers do a Dharna in front of the Governor’s office or CBI. The law and order has been broken by people holding the office of the Chief Minister despite having been defeated in the elections. But all this seems to be within the constitution of India.

“We the People” cannot understand how a State CM who is challenging the Union Government’s law enforcement authority or the main opposition which is instigating international conspiracy to defame India, cannot be booked for anti national activities.

The Constitution that does not prevent an irrational anti national activity of a political party is not a robust constitution. The PILs that question every executive action and the alacrity with which the Supreme Court jumps in to admit any petition against the Government weaken the constitution further.

It may be observed that during the Privacy Judgement, Justice Chelmeshwar made a statement to the following effect as part of his judgement.

“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled cannons of constitutional interpretation.”

What this meant was that the Supreme Court had the powers not only to interpret what is written in the constitution but also imply what is not found in the text of the constitution.

With this view he justified the right of the Supreme Court to re-write the constitution and interpret it in any manner it prefers.

 I wish that the current petition of Mr Nedumpara’s team would make the Supreme Court impose some restrictions on itself . Otherwise there will be no difference between a dictator politician and a dictator Supreme Court.

Supreme Court has the powers of Contempt but even this is exercised with an interpretation full of hypocrisy. An advocate who tears of an evidentiary document in the Court or shouts “Shame” when a judgement is pronounced is not booked for contempt, but a person who files a PIL which the Judge does not like gets fined. There is no consistency in the judicial pronouncements and public are aware of such inefficiencies in the system

The demand for open broadcast of the court proceedings have been resisted for too long a time because parts of the Judiciary were not confident of making themselves available for public scrutiny despite the powers of the Contempt being available to him.

If the current CJI breaks this self protective measure of the Court, it will bring a revolutionary change to the quality of our Judicial systems.

If at the same time, Mumbai High Court and there after the Supreme Court also ensures that Executive and  Legislature can function with reasonable freedom, then democracy in India will be on the right tracks.

Naavi