Quantum Computing takes a step further

We have earlier discussed certain concepts of “Quantum Computing” at this site and its impact on Cyber Laws of Evidence, Encryption security and Data Protection. I give below the links to those articles for a quick review:

Quantum computing and Emerging Cyber Law Challenges… Are we ready? : March 10, 2018

Section 65B in the Quantum Computing Scenario: March 16, 2018

Theory of Dynamic Personal Data: March 31, 2018

In the wonderland of Quantum Cyber Law, Physics is part of the Law specialization: April 3, 2018

The Vast and Far Reaching Applications of Quantum Computing- June 20, 2018

China working on achieving Quantum Supremacy: July 5, 2018

China may be developing its own unbreakable encryption system through Quantum Computing: July 5, 2018

Is it the beginning of the Chinese domination of the Globe?…Mr Modi to take note: July 5, 2018

10000 years=200 seconds in Sycamore Processor: October 24, 2019

Now I was delighted to see that one of my classmates in MSc, Physics at Manasa Gangotri, Mysore (1973 batch) has achieved a significant breakthrough in the research field of Quantum Physics, working at MIT, USA. I want to share his story with the audience here as a tribute to his achievements.

I am reproducing below the article which appeared in the “Star of Mysore” on May 4:

He is the second of my old friends who appears to have achieved global recognition for contribution in his field. The other proud classmate from my High School days was Colonel Gopal Kaushik who had a key role in the Indian nuclear test at Pokhran in May 1998.

I am proud to have the association of these two gentlemen and salute them for their achievements.


New Discovery By Kodagu-Born Dr. Jagadeesh Moodera And Team At MIT

It boggles the mind when told that a subatomic particle exists simultaneously at two different spots. One location could be on your table and the other on the surface of Jupiter!

English physicist Paul Dirac theoretically proved way back in the 1930s that fundamental particles known as fermions should have a counterpart somewhere in the universe with an opposite charge – known as an anti-particle.

Complicated. Difficult to fathom. I fail to comprehend. Based on this theory, it is theoretically possible to have the ‘teleportation’ that is portrayed in science fiction movies and books.

Coorg-born Physicist Dr. Jagadeesh S. Moodera has been a scientist at Massachusetts Institute of Technology (MIT) since 1981. He has several path-breaking research papers to his credit. My wife and I had the good fortune of a guided tour of his laboratory at MIT during our visit to Boston to attend the Kodava Convention-2019, in September last year.

Dr. Jagadeesh explained the intricacies of the experiments that he and his team were involved in. It was fascinating to see a huge setup with myriad tubes, probes, cables and instruments in order to create a 100% vacuum in a space of about 2 cubic centimetres.

Part of the experiment was conducted in this small space, which was absolutely contamination free. There was another, equally complicated setup where a space was created for the experiment which was free of any kind of vibration – not even that created by the traffic in the streets some distance away, or the footsteps of students in the nearby corridors. In addition, this space is cooled to -273 degrees centigrade (that’s as close as one could get to -273.15 degrees centigrade, which is absolute zero). The experiments were conducted under these ideal conditions and usually between 10 pm and 6 am, when the chances of vibration were the least.

The experiment Dr. Jagadeesh and his colleagues have been working on since 2012 was to discover what Italian theoretical physicist Ettore Majorana, extending Paul Dirac’s theory, had postulated in 1937: that there should be some subatomic particles that are indistinguishable from their anti-particles.

Scientists have been looking for these particles, named Majorana fermions. Many theories have emerged over the years. Theoretical physicists at MIT and elsewhere predicted that Majorana fermions may exist on solids such as gold under certain conditions. Dr. Jagadeesh and his team were on a mission to discover the existence of the elusive Majorana fermion.

The experiment, extremely complicated, needed many long hours in the laboratory. Dr. Jagadeesh explained how the delicate research was carried out at the nano-particle level and observed through a Scanning Tunneling Microscope (STM). An STM is capable of ‘feeling’ the presence of atoms and molecules. 3 mm x 3 mm was the size of the surface on which the experiment was carried out, consisting of nano-wires of gold grown on a superconducting material: vanadium.

MIT News dated 10th April 2020 announced the successful sighting of the mysterious Majorana fermion by Dr. Jagadeesh Moodera and team. This is a major breakthrough. In Dr. Jagadeesh’s words, ‘We have shown they are there, and stable, and easily scalable.’ Please visit the webpage: http://news.mit.edu/2020/first-majorana-fermion-metal-quantum-computing-0410

The finding that Majorana fermions are scalable and could be made into qubits (individual computational units) is spectacular. These qubits could be used to build the most powerful and error-free quantum computers. This will be a step closer to the phenomenon known as Singularity, which predicts that by the year 2042 AD there will be computers that will have the computing power of all the human brains put together!

Once Singularity is achieved, humans need not invent anything further. Solutions to the most complex problems will be arrived at within seconds. If we had these computers today, a remedy for the current Covid-19 would have been found in a jiffy!

Dr. Jagadeesh’s wife Dr. Geetha Berera is a senior lecturer at MIT, and we had an opportunity to visit her laboratory as well. The couple are totally dedicated to academics and research. Every year they visit Coorg and conduct a quiz programme for school students. They are in the process of starting a school in Coorg under their organisation – CREATE Gurukula Trust – focusing on encouraging young minds in research activities. Meritorious students at Coorg Institute of Technology (CIT) are recipients of annual scholarships and awards instituted by Dr. Jagadeesh and Dr. Geetha. Dr. Jagadeesh and Dr. Geetha are eminent role models for young Kodavas to emulate.


Spreading Awareness of PDPA-India

After FDPPI completed the two certification programs for Data Protection Professionals (CDPP-I), with a programme of 18 hours of online teaching, Cyber Law College of Naavi has completed one more crash course of 12 hours for about 45 participants, mainly from the Elite CISO group of Delhi.

Presently another batch of around 40 persons from Elite CISO is undergoing a further 12-hour crash course program.

While Naavi is conducting these sessions and Cyber Law College is providing the participation certificates, these participants are also eligible to go further and take up the certification examination of FDPPI and get certified, if they are interested in the certifications.

Naavi/Cyber Law College/FDPPI acknowledge the enthusiasm of the members of the Delhi chapter of Elite CISOs, and more particularly Mr Vikas Arora, in making this spread of knowledge possible.

Creating wide awareness of the Personal Data Protection legislation, as it is emerging in India now, is essential to ensure early adoption of the Act when it finally becomes law.

Naavi


Is Aarogya Setu a Privacy threat or a Security shield?

Critics are endangering the silent majority

There is a class of critics in India who do not spare any opportunity to take a dig at the Government for every decision, and who also take the issue to the Courts to challenge the day-to-day operations of the Government. This happened earlier in respect of the ITA notification on Section 69 and Section 79, when the Government wanted to make some amendments to the notification and the critics cried foul and went to Court to stall the Government’s move. This frequent invocation of Court intervention by publicity-hungry PIL lawyers, supported by a section of the media which always highlights such opposition, has posed many avoidable challenges to governance.

However, as a part of the democratic tradition of our country, it is necessary for us to accept such challenges.

At the same time, it is necessary for that section of the population which agrees with the Government’s move and is opposed to the critics not to hesitate to come out with its own opinion countering the objections, even though it may look like swimming against the tide. It is always the silence of the majority that enables the minority to create disproportionate noise, and if we need to prevent misconceptions from spreading in the community, it is necessary to be vocal in expressing what we believe to be true and to face the backlash, if any.

Naavi.org has been following this tradition since 1998, when it started its activity first under naavi.com and naavi.org (until naavi.com was squatted by somebody else and had to be dropped).

Currently we have an occasion to express our views on Aarogya Setu, the app which the Government of India is promoting as a measure towards mitigating the risk of Covid19 spreading.

After the COVID lockdown, there have been discussions on the strategy for lifting the lockdown and allowing the movement of people and the restarting of business activities in a manner that does not ignore the possibility of a spurt in infection cases. One of the arguments has been that the economy cannot forever be kept under lockdown and we need to restart immediately.

If, however, there is an increased incidence of infections, while we keep the medical defence ready, we also need to improve our ability to track the movement of an infected person over the immediately preceding 14-30 days, to alert all those who came in contact with that person. Such persons can undertake a test and be assessed. If they are infected, they need to be treated. If not, they can continue their activities with confidence.

In view of this requirement, Governments the world over started introducing mobile-based “contact tracing apps”. These apps could use Bluetooth and GPS tracking of the mobile and, based on other mobiles with similar apps, could generate alerts when an infected person came near a non-infected person. Such GPS-based tracking has been regularly used by the advertising industry to provide information on services available around you (including Uber and Ola), and also for identifying your social media contacts if they are around.

The “critics”, who have so far been tolerant of GPS-based apps which bought location information mostly from Google through its licensed mapping solution, have suddenly turned aggressive when the Indian Government wanted to introduce an app which could track the movement of the device holder in the immediate past. Along with this, the app provides some useful Covid information.

But the most important reason why this app is needed is to enable a healthy individual to avoid interaction with another person who may either have been positively diagnosed with COVID or be suspected to be a carrier.

There have been two types of objections to this app. One is that it violates the privacy of an individual because it tracks his physical location. The second is that the information gathered may be misused for surveillance. One is a professional Privacy and Information Security argument and the other is purely political.

We shall restrict our discussion to the objections from the professionals and leave out the objections raised by Rahul Gandhi or Shashi Tharoor, which are political comments. These politicians are known to pursue their agenda irrespective of the damage they may cause to the nation, and it is their privilege to do so. But many professionals are unable to keep their discussions free from political considerations, and hence some of the criticisms from Privacy and Security professionals become coloured with prejudice and confuse an ordinary person.

The app, which was launched on April 2, was first pushed by the PM on 14th April 2020 and got critical attention when, on April 29, the Government issued a circular making it compulsory for all Government employees returning to work to download the app and keep it in operating condition. This raised the bar, since the Government was making it partly mandatory. In the private sector, employers were made responsible for a similar compulsion if they wanted to re-open their business and allow employees back to the offices.

The order of May 1st by the Government is said to have pointed to Section 188 of the IPC, which provides for imprisonment of up to 1 month for disobeying a lawful order of a Government servant.

Privacy activists now have a serious objection to the mandatory nature of the requirement to download the app and to keep Bluetooth and GPS tracking on at all times, because they consider it their right to privacy to hide their physical location at any point of time. Some security specialists, like the French citizen “Robert Baptiste” who uses the Twitter handle “Edward Elliot” (information from Wikipedia), also pointed out what they called bugs in the app which could be considered a security risk.

Many of these critics are advising the public on how to cheat the app, and such advice can only be termed a lack of concern for national safety.

In Noida, a group of residents has started a legal battle against the local administration. They have now filed a police complaint and intend to take it up further with none other than the Supreme Court. In Kerala, a Congress leader has already moved the High Court against the usage of the app and got notices issued to the Government.

While the Government fights Covid19 at the medical level, it has been dragged into other side battles that divert its attention. We need to wait and see whether the Courts will be able to see beyond technicalities and political prejudice and come up with decisions in the larger interest of the community, since most of the persons who oppose the petitions may not be able to represent themselves in Court, while the supporters of the petition can engage the services of advocates who can argue that a mango is an orange if they are suitably paid, and do it convincingly enough for the Judges to appreciate.

The Privacy Concerns

Some of the privacy concerns that have been expressed are that:

  1. Aarogya Setu collects personal information of an individual without his or her consent
  2. The use of the app is made mandatory for all citizens
  3. The app tracks the location of the mobile continuously
  4. The app collects personal information such as name, phone number, age, sex, profession, countries visited in the last 30 days, whether a person is a smoker or a non-smoker, and his or her medical condition
  5. Use of the app raises the risk of “institutionalization of mass surveillance”
  6. Use of the app urges people to pre-emptively take tests and overwhelm the public health systems prematurely
  7. Use of the app inadvertently discriminates against regions which have lower concentrations of smartphones

The Internet Freedom Foundation (IFF), which is spearheading the legal action in Noida, has raised its objections through a letter written to Members of Parliament and will soon approach the Supreme Court for relief against its concerns, some of which are common with the case filed in the Kerala High Court.

The main argument against the app is the “mandatory nature” of the order for employees. Otherwise, consent is provided by the people who download it, and the privacy policy indicates the use of the information, which may pass the test of reasonableness given the present public health emergency we are in. The security objections raised by Edward Elliot have been found to be only peripheral issues, not serious enough to be worried about. The objections of IFF on overwhelming the public health system etc. are gap fillers in the petition and do not need attention.

The Government has also clarified that the data collected is stored on the user’s device and will be deleted in 30/45 days. Hence most of the privacy concerns are being addressed.

No Need to Put the Source code in the open

There is one demand that the Aarogya Setu source code should be released as open source. This is not recommended, since hackers are waiting to subvert the system and, whether they call themselves “ethical” or not, they cannot be trusted.

“Obfuscation” of the code is an information security strategy, and the Government should secure its source code to prevent motivated attacks.

Circular should be Re-worded

We therefore need to come back to the “mandate” and the reference to Section 188 of the IPC.

The Government, as usual, did not anticipate the possibility of the opposition mounting this attack through legal challenges and perhaps thought that we are in the era of “Dharma Yuddha”, where in times of crisis certain norms of opposition would be followed. But for the Duryodhana clan, everything is fair in politics, and pulling the rug from under the Government even at the time of this crisis is only fair game.

As a result of this, the Government failed to put its circular in the proper perspective and has given the opposition a handle to beat it with. The only saving grace for the country is that we have a PM who is not allowing himself to be distracted from his goal and is doing his best to take steps towards mitigating the Covid19 risk in the manner he thinks is best. The critics are not able to provide any alternatives but are only happy to criticize. They deserve to be ignored.

I however suggest that the Government should re-issue the circular of May 1 with a cover note stating as follows:

“Lockdown continues until further notice and nobody should move out of their houses unless they have the necessary pass issued by a Government authority.

However, an exception would be granted to those individuals who voluntarily submit themselves to a discipline which includes social distancing, wearing of masks and keeping an active Aarogya Setu enabled smart phone.”

If people realize that it is in their own interest to know whether the person next to them has recently returned from a vulnerable foreign country or was assessed as infected less than 45 days back, they would gladly agree to use the app.

Organizations and the Government have every right to secure their working areas by mandating that employees will continue to work from home unless they start using the Aarogya Setu app, in the interest of other employees with whom they may come into closer contact if they attend the office.

It is the right of other employees, who have downloaded the app in their own health interest, to insist that no dilution of this order should be permitted.

Courts, whether the Supreme Court or the Kerala High Court, should not take any decision without considering the rights of this silent majority of people who are concerned about colleagues who may be carriers of the infection and may join employment after disabling the Aarogya Setu app or the Bluetooth/GPS functionality because of a false sense of being Privacy warriors. If the Courts ignore the safety of this section of people, who number 9.5 crores at present, it will only display a judicial impropriety that is avoidable.

Digital Rights Survive if we survive COVID-19

For activists, I would request them to check their own suggestion on storing the information on the device etc., as provided on their website, and accept the Government clarification in this regard. If they shed their anti-Government attitude, they will agree that this app has a purpose and that we don’t gain anything by killing it.

Activists should also spend their energy more fruitfully and look at the Net Neutrality concept being adversely affected by the Alphabet & Apple agreement on sharing of GPS data, the Bois Locker Room issue, the INS attack on WhatsApp admins, the banning of TikTok, the banning of cryptocurrencies etc., which are all representations of misuse of Internet freedom, rather than focusing only on anti-Government issues.

Activists should realize that Digital Rights will survive only if we survive COVID-19. Let us fight COVID-19 first and then focus on digital rights.

Pass Personal Data Protection Bill 2019 immediately

The petitioners who have approached the Courts will be pointing out that the lack of a privacy protection law is allowing the Government to indulge in this excess.

I wish that the Government takes the cue and, based on whatever public comments are already with it, immediately passes the Personal Data Protection Bill 2019 after conducting virtual meetings of the Parliamentary committee.

The PDPA has the exceptions under which Aarogya Setu could operate as a sandboxed scheme.

Naavi

(Views expressed here and in other articles on this blog are entirely the personal views of Naavi)


When Zoom Got Bombed

(P.S. This article was first published in India Legal Magazine)

One business that has thrived during the lockdown in various parts of the world is video-conferencing, virtual meetings and virtual collaboration solutions. Many large corporations had already installed virtual meeting infrastructure across their branch offices and were quickly able to adapt to this form of doing business by adding more individual users logging in from different locations.

A large number of SMEs and individual businesses, however, had to search for affordable and easy-to-use solutions to establish face-to-face contact with their workers scattered in different locations. Educational institutions also had a requirement to conduct classes in the virtual environment to meet their teaching deadlines. Such users found that the Zoom communications platform was convenient and affordable. As a result, its business spurted from around 10 million users to 200 million.

Companies, which had competing products and were big names in the industry, felt their egos bruised by the phenomenal success of this relatively small company. They launched a well planned attack on Zoom and the fact that it was promoted by a Chinese entrepreneur. They tried to bring down its popularity partly to get some business themselves and partly to satisfy their hurt egos.

The campaign against Zoom revolves around security issues. One issue is that uninvited persons can log into running sessions where no password has been set for the meeting, or where the password is weak and predictable. As the meeting password is not considered as important as bank account passwords or those of similar access environments, users tended to set weak passwords. These intrusions were highlighted as “Zoom bombings” and the possibility of corporate espionage was stressed.

Secondly, data used during corporate meetings had to move between different users and to ensure that this moved without much latency, the company maintained servers in different countries, including China. Rivals highlighted this and showed the possibility of Chinese espionage.

A third complaint raised was that Zoom claimed to have “end-to-end encryption”, whereas it was, strictly speaking, only encryption from the sender’s computer to the receiver’s. It was quite like an “https” connection and did not extend to the processes within the sender’s and receiver’s systems at the application level. This was suggested to be a deliberate misrepresentation. There was also an allegation that Zoom shared some data with Facebook without the knowledge of the user, and that some log-in IDs and passwords were on sale on the dark web.

As a result of these allegations, a campaign was launched to show that Zoom video-conferencing solutions were unsafe. Media, which did not understand the depth of the problem, also painted a picture of Zoom being the only software where all security flaws were found and hence its use should be discontinued. Neither the media nor others presented any better alternative. Its Chinese ownership was also a reason for some to switch to other solutions.

It was unfortunate that the home ministry became a pawn in this game of one-upmanship. As usual, a section of the media claimed that the home ministry had evaluated the Zoom application and was not in favour of its use from the security point of view. While the ministry’s concern about the use of Zoom for meetings of government officials was perhaps genuine, the unusual action of it coming up with a press release, including a set of “secure configuration guidelines”, was strange. Though this notification was meant only for government departments, the media implied that it was a national security advisory. Normally, any such guidance should be the responsibility of the Ministry of Electronics and Information Technology (MeitY), and there was no need for the home ministry to step into its shoes and come up with operating guidelines on a subject in which it has no direct knowledge or expertise.

By the time this notification was released, Zoom had already attended to most of the concerns. It changed the default settings of the meetings to a higher security level and left it to the choice of the user to downgrade the security features. It also provided an option to the user to avoid servers in specific countries such as China.

Zoom bombings were due to the user’s negligence. Instructions were released to set a strong password, use the waiting room facility and to lock the meeting if needed. This could avoid unauthorised entries into the meetings. Zoom also clarified that personal data sharing with Facebook occurred because its software development kit (SDK) for log-in authentication collected information beyond the permissions required and granted. It appears to be a deliberate violation of privacy by Facebook, though there could be some negligence on the part of Zoom too.

The controversy regarding end-to-end encryption was more about semantics than anything else. Security experts say that if the encryption is not done at the application level and decrypted only at the destination, it cannot be considered “end-to-end”. It is possible that the marketing personnel at Zoom called their encryption “end-to-end encryption” without recognising the difference.

However, most messaging services, including popular email ones, use only transport-level encryption and not the real end-to-end encryption. Even banks in India may not be using real end-to-end security. Hence, singling out Zoom for such a mistake is unfair.
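To make the distinction the article draws concrete, here is a small Python model added for this page; it is not Zoom's code or design. A relay server sits between two participants: with transport-level encryption each hop is protected but the relay must decrypt to forward, whereas with application-level end-to-end encryption the relay only ever handles ciphertext. The keystream cipher (HMAC-SHA256 XORed with the data, no authentication tag) and the relay are constructed for the demonstration only.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed demonstration cipher: a PRF-based keystream, no integrity protection.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    return nonce, bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Relay:
    """The service in the middle (the 'https'-style hop). It holds a transport key per client."""

    def __init__(self):
        self.transport_keys = {}
        self.observed = []  # everything the relay was able to see after stripping its hop

    def register(self, name: str) -> bytes:
        self.transport_keys[name] = os.urandom(32)
        return self.transport_keys[name]

    def forward(self, sender: str, recipient: str, nonce: bytes, ct: bytes):
        inner = decrypt(self.transport_keys[sender], nonce, ct)  # strip the sender's hop
        self.observed.append(inner)                               # this is what the relay can read
        return encrypt(self.transport_keys[recipient], inner)     # re-wrap for the recipient's hop


def transport_only(message: bytes):
    """Transport-level encryption only: the relay decrypts and re-encrypts, so it sees the message."""
    relay = Relay()
    ka, kb = relay.register("alice"), relay.register("bob")
    delivered = decrypt(kb, *relay.forward("alice", "bob", *encrypt(ka, message)))
    return delivered, relay.observed


def end_to_end(message: bytes):
    """End-to-end: a key shared only by the two parties is applied before the transport hop."""
    relay = Relay()
    ka, kb = relay.register("alice"), relay.register("bob")
    kab = os.urandom(32)  # held by alice and bob only; the relay never receives it
    e2e_nonce, e2e_ct = encrypt(kab, message)
    inner = e2e_nonce + e2e_ct  # application-layer ciphertext travels inside the transport hop
    hop_nonce, hop_ct = relay.forward("alice", "bob", *encrypt(ka, inner))
    received = decrypt(kb, hop_nonce, hop_ct)
    delivered = decrypt(kab, received[:16], received[16:])
    return delivered, relay.observed


def relay_can_read(session, message: bytes) -> bool:
    """True if the relay saw the plaintext during a session that still delivered it correctly."""
    delivered, observed = session(message)
    assert delivered == message, "message must arrive intact in both modes"
    return message in observed


if __name__ == "__main__":
    sample = b"board meeting: Q2 numbers are confidential"  # constructed sample message
    print("transport-only, relay can read:", relay_can_read(transport_only, sample))
    print("end-to-end,     relay can read:", relay_can_read(end_to_end, sample))
```

In both modes the message is encrypted on the wire; only the end-to-end mode keeps it unreadable at the relay, which is the difference the term is meant to capture.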

Before the home ministry jumped into the fray, it should have realised that the problem with Zoom was one of both technical interpretation and user awareness. It was not an issue of fraudulent intention. The ministry was not capable of understanding the nuances of the technology and should have refrained from giving the impression that it was issuing a technical advisory on Zoom.

Criticising Zoom without criticising Facebook for misusing the consent shows prejudice. Perhaps this should be investigated as the Facebook log-in SDK of the type used by Zoom may also be in wide use in India by others. In all such cases, there could be a siphoning off of personal data beyond what has been consented to by the user. The home ministry has not revealed that email providers also use only VPN security and not end-to-end security. If so, it would have placed the issues observed in Zoom usage in the right perspective.

If Zoom had installed any malware like some Chinese applications do, then the home ministry would have had a reason to issue such advisories. But it did not consider TikTok and UC Browser type applications for a ban. This could be due to their ignorance or pressure from certain business lobbies. It is also to be recognised that Zoom has been promoted by a person of Chinese origin but is not a Chinese company. It is a US company and the promoter is perhaps now a US citizen settled there.

The ministry should also have realised that Zoom as a company is not like telecom equipment suppliers like Huawei or Chinese mobile companies. Some of these companies have allegedly preinstalled malicious applications to bring users under surveillance of the Chinese government. Even point of sale systems used for card authentication at shops and biometric devices used for Aadhaar authentication are being imported from China and the ministry should worry if these have any hidden backdoors.

The ministry appears not to have heard about Deepfake and Deepnude applications which threaten society and could create huge problems. If it was watching the web world, it would have moved to block such apps along with voice-changing apps, Blue Whale or other gaming apps which require urgent attention. It has also remained silent when larger security issues arose when Bitcoin exchanges were allowed to resume their operations, unmindful of their use in possible terror funding.

By not coming out with advisories in such cases and over-reacting to the Zoom controversy, the ministry appears to have been used by industry in a commercial war between companies. In comparison, MeitY has responded positively to the incident by trying to encourage an indigenous replacement for the Zoom software. It has announced a prize of Rs 1 crore for this.

Naavi

(Link to the article in the magazine is here)


Google and Apple set up a new Nation A & A and opt to Govern it themselves

A few days back, Google and Apple, the owners of the Android and iOS systems and considered business rivals, came together in a surprise joint collaboration arrangement.

The collaboration appeared to be an attempt to regulate the use of contact tracing apps, but it has a long-term implication for the way the world governance system functions.

If the UN does not wake up, we will have a new nation state that will be under the control of Alphabet and Apple (A&A) Incorporated. Facebook-WhatsApp has already created its own nation state with its own currency, Libra. If A&A opts for a currency of its own, they will disrupt the current global system more than the North Korea-China combined regime can do together.

Soon we may have a constitutional crisis of companies incorporated under the laws of a sovereign State trying to create their own constitutional islands. This idea was effectively used by Swami Nityananda, who purchased an island and declared it a nation, “Kailaasa”, with his own governance system.

Naavi


Alphabet and Apple create a separate legal zone for Mobizens

According to this report in the Economic Times:

“Apple Inc and Alphabet Inc (Google) would ban the use of location tracking in apps that use a new contact tracing system the two are building to slow the spread of the novel coronavirus”.

The companies plan to allow “only” public health authorities to use the technology. At the same time, they also said that they would prevent Governments from using the system to compile data on citizens, and that this was the primary goal of the joint exercise.

Though this appears to directly reflect on the Aarogya Setu app in India and its intended operations, on which a team of “Highly Concerned Privacy Activists” is working to prevent the Government of India from misusing the app for public surveillance, the issue is more universal. Several states in the USA as well as other countries, including the UK, have started using mobiles as an instrument for locating an individual and thereby tracing the movements that could lead to tracing the contacts of people with others who may be infected. If a person is detected as having been infected, it is considered useful to know his movements in the last few weeks and the persons with whom he came into contact, so that the potential risks can be identified and acted upon to reduce the spread of Covid 19.

The new system prevents the use of GPS location data for tracing and requires the contact tracing apps to use Bluetooth, in a manner that Apple and Google dictate, for tracing, a method which is considered less reliable.

Google and Apple also said that they will allow only one app per country to use the new contact tracing system. They will allow different States in the US to use the system independently, but in other countries they may or may not allow the regions to use the system independently of the federal Government.

By these moves, Google and Apple are projecting themselves as the saviours of the privacy of people across the globe and dictating terms to sovereign Governments. They have thereby thrown a challenge to the global governance system and are creating a “Nation State” governed by the users of Android and iOS driven mobiles.

In this new suggested order, the Android and iOS mobile holders are “Mobizens” of the Alphabet & Apple (A&A) state, and the responsibility for protecting the fundamental right of privacy in this nation lies primarily with A&A.

A&A opt out of protection under Section 79 of ITA 2000/8

Under the current laws prevailing in India, the activities of any organization dealing with “Electronic Documents” are regulated by several measures. The sale of mobiles is regulated by business licence, and a mobile is a system of hardware, the OS, the default OEM apps and the apps downloaded and installed by the owner of the device.

Alphabet and Apple control their own App Stores and are considered responsible for ensuring that only malware-free apps are allowed to be listed there, a responsibility they have not been successful in meeting.

Under ITA 2000/8, the mobile is a computer and the OS and apps are accessories. Owners of these accessories are “Intermediaries” with their own responsibilities. Under Section 79 of the Act, intermediaries are liable for any contravention committed by a user unless “Due Diligence” is exercised and the intermediary is not in complicity. For an entity to use this safe harbour clause, it is necessary that it fulfils the definition of an “Intermediary” and the conditions for availing the protection under Section 79.

The definition of Intermediaries under Section 2(w) of ITA 2000/8 is:

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

Under Section 79 (2):

Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him.

But the above provision would be applicable (besides due diligence and lack of complicity) only if:

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or

(b) the intermediary does not-

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission.

By virtue of the above provision, the moment Alphabet and Apple take on the responsibility for how the GPS or Bluetooth system works on their platforms, they lose their status as an “Intermediary”.

Hence CERT-In should issue a notice to both companies, Alphabet and Apple, asking whether they are opting out of the Section 79 protection, if any, available to them under Indian law.

A&A are Data Fiduciaries/Data Controllers

Now, looking at the forthcoming data protection act that is envisaged in India, any data handler who determines the purpose and means by which personal data will be processed will be considered the “Data Fiduciary”. Elsewhere the entity may be called the “Data Controller”.

The data fiduciary/data controller does not have an independent legal power to determine how the personal data may be handled. Either the data principal/subject should provide a consent under which the personal data has to be processed as per the choice of the data principal/subject, or the law should provide certain exemptions and derogations.

While Governments may use the powers of exemption because they have a duty for public safety and health, it is not clear on what legal grounds the A&A state can claim immunity from giving the owner of the system a choice to grant permissions for the use of his personal data.

Indian law has a provision by which Alphabet Inc or Apple Inc may register themselves as “Consent Managers”, who will also be data fiduciaries and have the authority to determine how consents can be given on behalf of the data principal for the personal data to be used by other third party data fiduciaries, including Governments. GDPR and other laws may not have similar provisions.

Since the DPA in India under PDPA is not yet in place, it may not be possible to check the intention of the companies under the provisions of PDPA.

However, a notice can be issued under ITA 2000 itself asking whether Apple and Alphabet would like to register themselves under Section 67C as “Digi Locker” service providers. Avoiding an available legal provision to get the permission of the lawful authority is a clear violation of the law of the land and cannot be attributed to ignorance.

A&A should come under the Scrutiny of the Competition Commission

Looking from another angle, if Alphabet and Apple have a monopoly of 99% of the use of “Mobiles” and the activities of “Mobizens”, then all their activities, including the current joint venture, should be examined for compliance with Competition law.

Today A&A are taking the excuse that they want to be the sole distributors of GPS access because they want to protect privacy. Tomorrow they will make it an instrument for making money and become the sole suppliers of GPS data for all application owners. This is a dangerous monopoly situation.

The Competition Commission should therefore issue a notice to both the companies to explain their stand.

Elliot Anderson should provide guidance for a public cause

I also need to add here that there is one highly concerned French citizen who writes under the pseudonym Elliot Anderson and has published “Aarogya Setu: The story of a failure”.

This person may very well be a direct contact of some Indian politician and could even be a person sitting in Delhi, since he is the first to react to Indian developments even before other Indian security professionals get a scent of something happening here.

It is to be appreciated that he identified some bugs in Aarogya Setu and gave a notice to the Government to “respond …or else….”. He has explained his analysis of the app after decompiling the source code. Probably what he has pointed out is correct.

But many technical experts consider that the bugs pointed out are not significant weaknesses that can compromise the data, which lies inside the user’s device itself in an encrypted state. Accessing it would amount to hacking individual device owners, whose privacy Mr Elliot Anderson is so concerned about. (P.S.: This is based on the Government’s announcement that the personal data is not transferred to a data server and is stored within the device.)

According to an expert:

“For apps of this scale that handle sensitive data, sophisticated code hardening and app security tools like DexGuard or Arxan need to be used. These tools modify the app at build time to add code and also have features like root detection and Frida detection built in”.

The Copyright Issue

However, we need to reflect:

If I just call myself an “Ethical hacker”, does that give me the license to overlook Indian Copyright Act or DMCA or any French Copyright Act?

…to the extent of de-compiling the source code and publishing it?

If I am good enough to find the flaws, should I not give a reasonable time to the app developer to make corrections? Or, even better,

Should I not myself suggest to the App developer what corrections can be made?…particularly when we are talking of a non-commercial public safety app of a sovereign Government fighting the pandemic?

Declaring an App as a Protected System

Had the Government declared that the App is a “Protected System”, even an attempt to access the source code without authorization would have qualified for imprisonment of 7 years. It is good for these so-called ethical hackers that the Government did not remember Section 70 of ITA 2000 and how it could have been used against such motivated hackers.

The Government, which acknowledged the report of Mr Elliot and made some corrections which it thought were necessary, should have thrown back a challenge to Mr Elliot to suggest how the code should be modified to prevent the bug he points out. Then we could have found out whether Mr Elliot was willing to help in the public cause or only trying to strengthen the hands of the Indian opposition and our own indigenous privacy activists who, along with their friendly media, keep criticizing all Government moves without suggesting any alternatives and call themselves the “Internet Azadi Brigade”.

If the Government does declare Aarogya Setu a “protected system” now, it will of course face the charge of “shooting the messenger”, and hence it may not have the courage to do it.

Need for better articulation

If, however, the privacy policy provides some warranties, such as storing of data within the device, deletion after a specified time, etc., and declares the purpose, then the only issue that remains for criticizing the app is the “Mandate that it has to be installed by all workers returning to work”.

The Government could have articulated its measure by stating that “Lockdown continues in public interest, but relaxations are provided only for those who have installed the App”. This would have appeared like a favour, rather than saying “All can return to work but they have to install the App”, which looks like a punishment.

Naavi

(Comments invited)

Posted in Cyber Law | 2 Comments

Naavi is conducting another online Crash Course on PDPA. This will be a 12 hour course spread over two weekends. There will be two sessions of 75-90 minutes each day between 4.00 pm and 7.00 pm.

Participants of this program would be eligible to take the Certification program from FDPPI for “Certified Data Protection Professional-Module I” with a further payment of Rs 5000/- towards membership (if they are not already members) and an examination fee of Rs 5000/- (total additional amount payable Rs 10000/-). Contact for more information.

The coverage would be as follows:

1. Evolution of Privacy Law in India (ITA 2000, ITA 2008, Puttaswamy Judgement, etc.) and Understanding the Concept of Privacy and its relation with Data Protection, Applicability, Exemptions, Data Protection Obligations and Data Principal’s Rights

2. Grounds of Processing without Consent, Restrictions on Transfer of Personal Data outside India

3. DPA, Adjudication and Appellate Tribunal, Penalties and Offences and Grievance Redressal mechanism

4. Compliance Obligations (Transparency and Accountability Measures), Data Audits and DPO

6. Data Protection Challenges under New Technologies, Data Governance Framework, Interactive discussion and Review

The participation fee would be Rs 3000/- per participant. Registration can be done by making the payment below:

Posted in Cyber Law | Leave a comment