The new symbol of Privacy and Data Protection

FDPPI is an organization which represents the effort of the Data Protection Community to create a “Privacy and Data Protection Culture in India”.

In this endeavour to create the Data Protection Culture in India, PDPSI works on three dimensions, namely:

    1. The Data Protection Regulations
    2. The Data Protection Professionals
    3. The Data Processing organizations.

FDPPI is closely following the Privacy and Data Protection regulatory regime in the country and engaging with the policy makers to contribute towards the framing of a balanced legislation which achieves the objective of protecting the Privacy of Indian Citizens as a fundamental right under our constitution, without ignoring the requirements of the Government, which has the duty to protect the Citizens of the country, and the requirements of the Data Processing business, which cannot be killed in pursuit of Privacy.

FDPPI is also taking steps to empower the professionals who need to comply with the law in the Data Protection scenario and implement the vision of “Protecting Privacy through Personal Data Protection” and of providing a “right of self determination to the Data Principals on how the personal data about them can be collected, used and disclosed.” Towards this end, FDPPI has created and executed “Certification Programs” and created an army of “Certified Data Protection Professionals” who have attended at least 12 hours of training on the current Indian Privacy Laws, including the proposed law represented by PDPB 2019, followed by an evaluation through an online examination. Many of the professionals have been further empowered with at least another 16 hours of training on Global Privacy laws and a further 12 plus hours on Data Audit skills, making them among the best trained professionals globally. They are developing like the “Navy Seals” or “NSG Commandos” we have heard of in the security scenario.

Additionally, FDPPI has adopted the “Personal Data Protection Standard of India” or PDPSI as a “Unified” framework for compliance with multiple Personal Data Protection laws by an organization. The PDPSI consists of 12 standards and 50 implementation specifications that cover the entire gamut of PIMS as envisaged by other frameworks, and goes further to address the need to be simultaneously in compliance with multiple global laws, incorporating many futuristic thoughts on “Data Business”.

This PDPSI framework is not only a “Certifiable Audit Framework” like the ISO 27701 but also an Assessment framework for the Data Trust Score (DTS) system which is a representation of the Personal Data Protection maturity of an organization as assessed by an auditor using the 50 implementation specifications of the PDPSI framework.

PDPSI is also a framework which is available for organizations for self implementation as an instrument of internal audit.

FDPPI is also creating a set of professionals who are conversant with Indian Privacy Laws, Global Privacy Laws and a certain minimum of Data Audit skills through 3 certification exams which cover over 55 hours of online training, over 1000 pages of study material and 270 minutes of online examination.

We are humble enough to admit that FDPPI can only provide an opportunity for professionals to develop their knowledge and skills; ultimately it is the capacity of individual professionals to absorb the skills and apply them in the practical scenario.

However, the symbol shown alongside is emerging as the symbol of Personal Data Protection and is the goal of every Data Fiduciary and Data Processor.

This is a symbol of protection for the Data Principal in the context of protection of his Privacy.

It also represents a framework for enabling Privacy Protection through Data Protection.

The accompanying symbol in future will represent an organization which has undergone an assessment of its DTS by a PDPSI accredited auditor.

This could be disclosed by organizations as required under the Indian laws.

The auditors and consultants who have undergone the rigorous training and passed through the Certification exams have been certified by FDPPI and certificates like the following have been issued to them.

These are sample certificates, which have been issued only to the privileged professionals who have gone through the rigorous evaluation process.

The “Certified Global Privacy & Data Protection Consultant” is a person with a reasonable knowledge of the Privacy laws and a reasonable skill to conduct data protection audits and provide consultancy to organizations in their Privacy Compliance program.

The “Certified Global Privacy & Data Protection Auditor” is a person accredited to conduct Audits and DTS assessments, who will be registered with FDPPI and will issue the necessary “Certificate of Privacy and Data Protection Compliance” under the PDPSI framework.

FDPPI congratulates the 21 professionals who have achieved this recognition in the first batch and hopes that in future we will have many more such professionals.

Naavi

Posted in Cyber Law | Leave a comment

Election Commission and IIT-Madras working on E-Voting on a wrong platform

According to news reports in circulation, the Chief Election Commissioner Mr Sunil Arora, in an interaction with IPS probationers at the SVP National Police Academy, Hyderabad, stated that

“Election Commission is working with IIT-Madras on using Blockchain Technology for remote voting”.

This statement raises doubts on what exactly the EC has in mind and how IIT-Madras scientists are suggesting Block Chain technology for this purpose.

Block Chain technology per se is a technology for the “Authentication” of a transaction which is published to a large number of authentication agents, with the majority acknowledgement of the transaction taken as a “Deemed Authentication”.

We do not know whether the EC is referring to Block Chain technology in this sense or is just referring to a “Secure Network” based transaction and wrongly labelling it as Block Chain technology.

In a connected statement, Mr Sandeep Saxena, Deputy Election Commissioner, has stated that they will be using a “Controlled Environment”, “White listed IP devices”, “Dedicated Internet lines”, “Biometric devices and web camera”, etc.

It is clear that Mr Saxena is speaking of a secure network and this is not the classical “Block Chain Technology”.

Instead of running behind a fad called “Block Chain Technology”, the Election Commission should consider the use of “Digital Signature” and “E Sign” to let voters vote by remote log in, which is acceptable in Indian law as of now. This can be supplemented with data pseudonymization to achieve the objective.

If the secured network technology suggested by Mr Saxena is to be used, the process will have to be Section 65B (IEA) certified; otherwise it would not be legally admissible.

Further, remote voting based on “Block Chain” technology, if attempted, would be an invitation to disaster similar to what happened in the US elections this year, where unaccounted postal ballots caused a disruption to the election system.

If Block Chain technology is used, say, even for validation of a voter, it has to be based on a confirmation received from a majority of the owners of the block chain nodes, whether public or private. This network can be easily manipulated to create false IDs and fake votes.

Hence “Block Chain” technology, as we understand it now, cannot be used in the E Voting system. If the EC and IIT Madras have some other technology in mind, they should stop referring to it as “Block Chain Technology” as if that would increase the TRP of the statement.

I look forward to a clarification from the EC and IIT Madras on what exactly they plan to do, why they do not want to use the existing digital signature and E Sign framework and why they are using the terminology of “Block Chain” in this context.

Additional Information Received

As per additional information available, the EC has clarified as follows:

“When the vote is cast, the ballot will be securely encrypted and a blockchain hashtag generated. This hashtag notification will be sent to various stakeholders, in this case the candidates and political parties,” the official said.

The encrypted remote votes so cast will once again be validated at the pre-counting stage to ensure that they have neither been decrypted nor tampered with or replaced.

“Suppose there is a Lok Sabha election and a Chennai voter is in Delhi, instead of returning to vote in his or her constituency or missing out on voting, the voter can reach a pre-designated spot set up by the EC, say in Connaught Place, in a particular time window and can cast his vote,” Saxena had said.

EC has said such voters may have to apply in advance to their returning officers to exercise the option.

With this clarification, what the EC’s remote voting system means is that a copy of the “Vote” would be hashed and the hash value would be sent to the stakeholders and the EC. Hash tags of votes for a given candidate will all be identical, and therefore such votes can be segregated into votes for different candidates. This is like the physical ballot paper being put in different boxes. (In case the vote is encrypted before hashing, confidentiality may be maintained. But the need for keeping the political parties informed is not clear.)

The name “Block Chain Technology” for this is not very appropriate.

Also, since votes are cast in specific voting booths, the booth master has to conduct a KYC and the booth agents of all the political parties will be present in the booth. The system only means that instead of one EVM per constituency, the voter can use a virtual copy of the EVM of any constituency in the booth and exercise his vote.

The block chain concept is involved only in the fact that if there are 5 political parties in the election, then all remote votes would be communicated to all five political parties as and when each vote is cast. If it is sent as soon as the vote is cast, as indicated by the EC, the political parties would come to know the vote cast immediately.

Though the parties may not know who has cast the vote, the number of votes polled for a political party will be known. This would amount to advance information on the polling trend. In case the votes are stored and forwarded only on the counting day, then it would be similar to the current practice of counting postal ballots before the counting of other votes.

A question however arises: if it is possible to send the postal vote immediately in hash form to the parties, then why not introduce the same system for the normal EVM votes also, which print out the VVPAT slips? At the same time, the hash value could be sent to the parties.

However this would create a law and order situation as the losing party would immediately disturb the election process.

If such advance information can harm the normal voting system, then it is obvious that the suggested system is also wrong.

On the other hand, I recall that I had suggested a system of “Cyber Law Compliant EVM system” through this website sometime around 2000. (Refer here). Even a prototype was suggested for development by BEL. However, at that time the technology of touch sensitive screens was expensive and the system was perhaps not commercially feasible. But now the VVPAT system is in place and it is working well enough.

What can be done:

The postal ballot system can be introduced in a different manner, as follows.

  1. Authentication of the voter has to be based on e-sign.
  2. Casting of the vote is done by a virtual EVM created on the fly based on the constituency to which the voter is attached.
  3. The Virtual EVM would be displayed on a touch screen and when the voting button is pressed, the system should create a voting symbol on the screen (as if a rubber stamp has been put on a printed ballot), capture the screen image, calculate the hash value and store the hash value in a printer.
  4. Just as a serial number present on the voter slip, which is entered in the physical election booth under a serial number, can be linked to the specified VVPAT, it may be possible to establish a link between the digital signature and the actual vote cast through a serial number. To ensure privacy there may be pseudonymization of the digital signature record, with the pseudonymization table being kept with an official other than the one who has control of the Virtual EVM.
  5. The Virtual EVM should be counted just like the other EVMs on the day of counting, but at one central place.
    1. At this time, the votes should be verified against the hash value once again to rule out any corruption or manipulation between the time of voting and the time of counting, and then sent to the respective counting booth of the constituency through a digitally signed communication from the central counting booth to the constituency counting booth.
    2. Then it can be merged with the counting at that booth.
    3. The Ujvala-Bellur e-document audit system can be used for the verification of the votes.
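To make concrete both the segregation problem noted earlier (identical ballots produce identical hash values, so a party receiving them can count its votes as they are cast) and the hash, re-verify and sign flow of the five steps above, here is an added Python sketch that is not part of the original post. It assumes e-sign authentication has already produced a voter id, replaces the captured screen image with a canonical byte string, and uses an HMAC as a stand-in for the digital signature on the central-to-constituency message.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample data: candidate symbols shown on the virtual EVM screen.
CANDIDATES = ("LOTUS", "HAND", "BROOM")

def ballot_image(constituency: str, candidate: str) -> bytes:
    """Stand-in for the captured screen image: a canonical byte string of the stamped ballot."""
    return f"{constituency}|{candidate}|STAMPED".encode()

def plain_hash(image: bytes) -> str:
    """Unsalted hash of the ballot, as a 'hashtag' forwarded to parties would be."""
    return hashlib.sha256(image).hexdigest()

def commitment(image: bytes, nonce: bytes) -> str:
    """Salted hash: two ballots for the same candidate no longer share a value."""
    return hashlib.sha256(nonce + image).hexdigest()

@dataclass
class StoredVote:
    serial: int
    image: bytes   # ballot record kept by the official controlling the Virtual EVM
    nonce: bytes
    digest: str    # the only value forwarded outside the EVM

@dataclass
class VirtualEVM:
    constituency: str
    votes: list = field(default_factory=list)
    # serial -> e-sign identity; assumed to be held by a different official than the EVM.
    pseudonym_table: dict = field(default_factory=dict)

    def cast(self, esign_voter_id: str, candidate: str) -> str:
        """Steps 1-4: voter already authenticated by e-sign; stamp, hash and record under a serial."""
        serial = len(self.votes) + 1
        image = ballot_image(self.constituency, candidate)
        nonce = os.urandom(16)
        vote = StoredVote(serial, image, nonce, commitment(image, nonce))
        self.votes.append(vote)
        self.pseudonym_table[serial] = esign_voter_id
        return vote.digest

def tally_leak(images) -> list:
    """What parties learn from unsalted hashes sent as votes are cast: counts per distinct digest."""
    groups = {}
    for img in images:
        groups[plain_hash(img)] = groups.get(plain_hash(img), 0) + 1
    return sorted(groups.values())

def count(evm: VirtualEVM, signing_key: bytes):
    """Step 5: re-verify every stored ballot against its commitment, then sign the totals.
    HMAC stands in here for the digital signature the post calls for (assumption)."""
    totals = {c: 0 for c in CANDIDATES}
    rejected = []
    for v in evm.votes:
        if not hmac.compare_digest(commitment(v.image, v.nonce), v.digest):
            rejected.append(v.serial)      # altered between voting and counting
            continue
        totals[v.image.decode().split("|")[1]] += 1
    message = evm.constituency + ":" + ",".join(f"{c}={totals[c]}" for c in CANDIDATES)
    tag = hmac.new(signing_key, message.encode(), hashlib.sha256).hexdigest()
    return totals, rejected, message, tag

def verify_result(message: str, tag: str, signing_key: bytes) -> bool:
    """Constituency counting booth checks the central booth's signed message."""
    expected = hmac.new(signing_key, message.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

Note that the salted commitment only hides the candidate from whoever receives the digest; the nonce and image must still stay with the EVM official so that the counting-day re-verification can be performed.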

I hope this system can be given effect to.

Naavi

Naavi on Cyberlaw

Is there a strategy behind the silence for Mr Modi and Shah not banning Bitcoins…yet?

Naavi has been singlehandedly fighting against the legalization of Bitcoins in India. Bitcoin is a poison that can corrupt anybody. Those who already have a stake in Bitcoins will always fight for legalization of the Crypto currency system. Some of them are tech experts and even industry giants. But that does not mean that their views are good for the country.

Rihanna may be a celebrity singer. But her views on farm laws do not deserve to be heard.

Similarly, the views of industry giants which the PR machinery of the Bitcoin industry is promoting need to be dumped with the contempt they deserve.

In the midst of planted articles in the media, including the Economic Times and Business Standard, it was refreshing to see an article today in the Financial Express titled “Is it smart to invest in Cryptocurrency right now?” by Mr Varun Malhotra, Director & Founder of Financial Services (EIFS).

Before Mr Nandan Nilekani joined the bandwagon of Bitcoin supporters, Elon Musk of Tesla was a vocal supporter. It is now reported that Mr Elon Musk invested $1.5 billion in Bitcoin recently, and therefore there is no surprise that he supports Bitcoin.

On the other hand, Mr Warren Buffett has taken the stand: “Cryptocurrencies basically have no value and they don’t produce anything…In terms of value: zero. I don’t have any cryptocurrency and I never will.”

It does not take rocket science to understand why Cryptos are being encouraged by people who want to hold digital black wealth. Bureaucrats, Politicians and even Judges in India or elsewhere may still favour Bitcoins, but we know why they may have a soft corner for the Crypto currency. It is the greatest technology tool for Cyber Criminals and anti social elements, including drug peddlers, illegal weapon dealers, cyber terrorists etc.

But why is it that the Indian Government is still hesitant to ban Crypto currencies? Why the Cabinet of Mr Narendra Modi has not passed the Bill is an enigma.

Has it got anything to do with the elections in West Bengal? Or Kerala? Are Modi and Shah not courageous enough to take on the digital black wealth holders before the elections? This is a question we should pose to the BJP as well as the RSS.

I have sent many requests even to the RSS and its known ideologues regarding the Bitcoin ban, and even they seem to keep tight lipped.

Corruption has a wide footprint. We never know how powerful it can be. Let us see if there is a strategy behind this silence.

Naavi

Support to Bitcoins is another challenge on the sovereignty of India

Recently, we have seen how Twitter challenged the sovereignty of India by refusing to abide by the lawful notices issued by the Government on removal of content which was false, some of it posted under fake accounts and attempting to promote violence and rioting in India. WhatsApp also has been resisting directions from the Government to assist it in law enforcement issues when the platform is used for promoting communal disharmony and riots.

The Government, after hesitating to take firm action for several years, finally came down with a firm hand with the Intermediary and Social Media Guidelines issued on February 25th, which address both the Twitter arrogance and the WhatsApp reluctance.

However, true to the nature of Indian democracy, the Supreme Court has now stepped in to take over the executive functions of the Government and determine whether the Gazette notifications should be first approved by the Court.

Now that Mr Ravi Shankar Prasad, joining hands with Mr Prakash Javadekar, has exhibited some courage which was missing from the Government for a long time, Mrs Nirmala Sitharaman on her own is still in the zone of hesitancy when it comes to the decision on Crypto Currencies. Mrs Sitharaman is presently concerned with the passage of her bill and perhaps has no energy to open another front of conflict on Bitcoins, particularly when many in the bureaucracy and political circles are themselves wedded to Bitcoins as the “Currency of the Corrupt”.

One of the first disappointments for the undersigned was when Mr Rajeev Chandrashekar met the Crypto lobby in Bangalore and gave it moral support. Now Mr Nandan Nilekani, the Executive Chairman of Infosys, has been roped in by the Bitcoin lobby to oppose the move of the Government to introduce a bill to ban Crypto Currencies.

Mr Nandan was once a blue eyed boy of the Sonia Congress and even stood for election on a Congress ticket in the constituency presently represented by Mr Tejasvi Surya. But his pet tech project, namely Aadhaar, was actually given life by the Narendra Modi Government and not the UPA Government which he supported.

After Mr Nandan went back to the corporate world he consciously avoided controversies. However, by entering a debate on Crypto Currencies, which the Government and the RBI have an inclination to ban, he seems to have strayed back into the domain of controversy.

I hereby call upon him to clarify the context in which he made the statement:

“We need to look at how it will help Indians, how MSMEs can access capital using Bitcoins.”

He was in a conversation with Balaji Srinivasan, an investor who appears to have expressed the view:

“India should champion decentralized cryptocurrencies like Bitcoin and Ethereum to safeguard national security, prevent de-platforming and hasten India’s development as a global power.”

According to the report in Money Control, which is part of the larger PR exercise with articles expressing similar sentiments in the Economic Times, Business Standard etc., there are 75 lakh investors from India and Rs 10000 to 15000 crore worth of Crypto currencies in the hands of Indians.

We would like to read this as 75 lakh tax evaders with Rs 10000 to 15000 crores of digital black money in their hands which needs to be brought into the main stream economy.

The Crypto exchange leaders are keeping up a bold face and are even stating that the rumour of a ban is actually increasing investments in crypto currencies. If we believe this statement, there is a scramble to move Indian official currency holdings to foreign destinations.

Mr Nandan and others are trying to cover their support for “Digital Money Laundering” by holding out “Block Chain” technology as a great innovation. Even if we accept that Block Chain is a good technology, it does not mean that it should be encouraged to host digital black money.

I would like Mr Nandan and Mr Balaji to clarify, with all their economic wisdom, how they consider that shifting the currency holdings of Indian Citizens to a decentralized form of currency, namely “Bitcoin”, would not starve the economy of legitimate currency holdings and not create a chaotic level of disruption that will destroy the country.

In order to preserve their vested business interests, Mr Nandan and Mr Balaji should not take a view that is inimical to national sovereignty over currency. We are today not under a “Nityananda regime in Kailash”, and if the world order is to remain intact, such support for Bitcoins by industry giants needs to be condemned.

We are aware that Mrs Nirmala Sitharaman is too soft to call a spade a spade and would like to beat around the bush and be apologetic. But the truth has to be called out.

Bitcoin is evil. All connected crypto currencies to which Bitcoin is convertible are, by association, also evil. They are a challenge to Indian sovereignty.

We must therefore be bold enough to say no to Bitcoin every time…

Naavi

Why is Privacybee.com email objectionable?

I refer to my previous articles related to an e-mail from a company with the domain name privacybee.com, registered at a Seattle P.O. Box address in the state of Washington.

The company is not a resident company in California nor in the EU region. But it quotes privacy laws such as

“Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation.”

to state that if its request to “Delete” certain personal information is not adhered to,

Privacy Bee are reserving the right to take legal action against ..and to lodge a complaint with the responsible supervisory authority.

For people who know the privacy laws, it is a threat that the GDPR supervisory authority may fine up to 4% of your turnover or the AG of California may impose a fine of at least $7500.

This is harassment of the mail recipient.

We can also note that the company quotes a “Power of attorney” which has no recognition, and uses an e-mail address and a name without any verification such as a digital certificate etc.

There are hyperlinks to be clicked for further information, which will install many cookies, and there is no guarantee that they are not malware in themselves.

Even if you visit their web page, several javascripts may become active, and whether they have any malicious effect is yet to be checked.

The Privacy policy of privacybee.com itself may not be fully compliant with either the CCPA or the GDPR, and certainly not with the laws of India as applicable now to such websites.

This company is using the cover of Privacy laws to scare Indian companies and encouraging Indians to part with their e-mail addresses for a “Scan”, which itself could be a way of collecting personal information without accountability.

There is a need for the Indian industry to study the business model of this company and prevent it from illegally collecting the personal data of Indians.

We may reiterate that PDPB 2019 expects such agencies to register themselves as a “Consent Manager” with the DPA and subject themselves to the discipline of a “Data Fiduciary”, which includes submission of a “Privacy By Design” policy with more details of the processes used by the company to handle the PII of Indians.

Further, there is a transfer of information out of India, and even under the current ITA 2000/8, without considering the due diligence of PDPB 2019, there are “Reasonable Security Practices” which the company may not be following.

I wish CERT-In would conduct an enquiry into such companies, which are like “Ambulance chasers” and discredit the Privacy Regulations meant to protect the genuine victims of identity theft and privacy infringement.

I request every professional to think about how they would respond if they received the kind of email referred to in my previous article.

Since compliance with the request would mean providing an assurance that

“We do not have the personal details of the data subject and/or we have deleted all copies of information related to this data subject from all the resources of our company and our sub contractors”

each of the professionals may also consider what would be the cost of attempting to address this speculative query, which is unverified and not backed by legal authority.

Naavi