Naavi.org

The above face is a familiar face to many on the You Tube. This person has been posting many interesting videos particularly of ancient archaeological sites in India, Cambodia and many other places focussing on many interesting points which no body else seems to observe.

He has a very discernible eye to spot indications of some peculiarities in the construction of ancient temples many of whom like the Hampi and Mahabalipuram are well known to many tourists. But no body else has found certain points such as the possibility of ancient builders having used technology for rock processing, using of lathe type machines long time back, possibility of aliens being depicted in the sculptures etc.

There is no doubt that some of his findings are very significant and the scientific community could very well do a research of their own either to prove or disprove his views.

It is also an observation that when he talks of many ancient Shiva temples and interprets the Shiva Lingam and the Gopuram of temples  as a depiction of energy transmitters or communicators to the alien world, he speaks of Hindu tradition. Possibly thousands of years back only Hinduism was prevalent in these countries and hence only references to Hindu culture can be seen in these ancient temples.

I have viewed many of his videos and have not found any racist or communal thoughts in his publications.

But very recently, he published a video which he has called probably his last video a link for which is presently available here.

In this video he has pointed out that many of his videos have been subjected to moderation and some have even been removed by You Tube for no discernible reason.

We have seen Twitter always supporting Pakistani and Anti Modi subscribers and allowing fake news to be promoted against India. Now a suspicion arises whether Mr Praveen Mohan is being black listed because he takes the name of Shiva in many of his recent postings. One of the recent postings highlighted a structure in Mahabalipuram which he has called the structure as a “Olakkaneshwara temple” and discussed how it could be a light house built to guide ships approaching the coast.

He has indicated that this video was taken off by Youtube. It appears that it has been restored but it is not clear if other videos which he has referred to in his disclosure have also been restored.

But the incident indicates that there could be an anti India bias in the action of You Tube and perhaps they donot want thoughts which could re-write some of the historical concepts ignore the developments in countries like India in the ancient times and consider that all scientific developments originated only from the west.

It is time we Indians bring it to the notice of You Tube that its actions are being watched. If it thinks that it can misuse its popularity to prevent content that supports Indian culture and heritage, then its credentials as a company from US which champions free speech will be severely dented.

The Indian Government has to take note of this development and seek an explanation from You Tube as to their commitment to free speech.

A similar question has to be also raised on GMail which continues to hide the “Originating IP address of email senders” in e-mails received by g-mail account holders ignoring the right of an e-mail account holder to know from which IP address he has received an e-mail. The e-mail is a transaction between the sender and the receiver, GMail is only an intermediary under ITA 2000.

If this status of an intermediary has to be retained, GMAIL should not interfere with the communication that emanates from the sender’s computer and reaches the receiver’s computer. By changing the header information that starts its journey from the sender’s personal computing device, GMAIL is processing the information and not acting purely like an Intermediary. Hence it should lose whatever protection law normally provides to intermediaries.

Unfortunately in India our CERT-IN or the MeitY does not pull up companies when they behave illegally and irrationally and we tend to accept their actions as unquestionable.

Hope MeitY takes note of Mr Praveen Mohan’s complaint and also just as they reacted to Zoom with a project to develop an Indian counterpart, they should look for an Indian counterpart of You Tube.

Naavi

As the country has moved into the digital way of doing Business, Governance and conducting personal life, the threats of various kinds arising from the use of computers, mobiles and other devices that work on “Data” have only increased.

Technology persons often pursue their creative goal unmindful of the impact they cause on the society. Hence they often talk of “Disruption”. We as corporate managers and as users of technology therefore often confront the so called “Zero day vulnerabilities” that are exploited by hackers around the world to make money and commit all sorts of offences.

As a result today, we often find it difficult to trust content on the website, message that comes in WhatsApp or Twitter or even an email that lands directly with us. Now a days, if I get a phone call which says I am calling from Bank, instead of listening to it, we are more concerned in ending the call because we donot know if even picking up a call will let some virus in.

The biggest threat that we face today is therefore “Lack of trust” in anything that comes to us as “Data”. So, it may not be “Data which is on the run”. Some times we have to run away from data.

Recently we came to know that “Data” of one big company were attacked by a hacker group who first of all encrypted the data and made it unusable and further threatened to release confidential data to the public. They wanted payment of a big sum of ransom that too to be paid in the currency of the criminals called Bitcoins.

“Phishing” continues to affect us particularly importers and exporters who face impersonated messages such as we have changed our Bank account..please remit the invoice payment instead of the regular account to another account. In one such case a big company in Saudi Arabia paid out rs 190 crores to the fraudsters instead of to ONGC. We are also aware that many times money has been taken out of the Banks through the SWIFT messaging systems.

Every day we also hear about the losses common people face through GPay or other mobile payment systems

These kinds of frauds appear simplistic and not as sophisticated as the Stuxnet attack on the Iranian nuclear system or North Korean attack on Sony corporate network, or DDOS attacks launched from CCTV cameras, robots made to drop material on shop floor to murder workers, Automated Cars being hacked causing accidents or Drones trying to hack into your systems by hovering around your wifi devices.

While we are struggling to tackle such technology related attacks, the advent of a new law in India called Personal Data Protection law  is making the life of Corporate manager more complicated because the law is expecting you to take pro-active steps to prevent frauds failing which even when there is no attack, the corporate may be  imposed hefty fines.

This new development is coming in the form of “Personal Data” which is a subset of the “Data” and is like the “Hazardous inventory” you may have in your godown.  It may look small in quantity but the drums of those explosive chemicals require greater attention than the tonnes of steel which you can leave in the open space without much of a security risk.

The cyber threats like ransomware have moved from “Encryption” to “Threat to release the information” because release of personal information could be more damaging to a company than not being able to decrypt the information that is locked up.

The threats are therefore changing their nature and companies have to ensure that apart from protecting data from being unauthorizedly accessed, modified or denied access, threats such as “Non Availiability of Consent”, “Use of data for purposes other than for which they were collected”, “Retention of personal data beyond the expirty date”  etc can become more damaging.

Hence organizations need to change their outlook on defining what is a “Cyber Incident” and how they have to respond to a Cyber incident involving potential personal data loss.

The advent of the new law means also new responsibility centers in the organization along with the conflicts between the senior executives whose area of influence is getting disrupted.

The CEOs therefore have both the challenges of shielding against the known cyber threats but also bring about a transition of the organization to recognize the need to change the focus of security from “Protecting Data” to “Protecting the so called privacy rights of an individual”, which may require a complete overhaul of the business architecture.

The days for business managers is therefore challenging and exciting.

Naavi

www.liveibc.com/mmalive

www.facebook.com/mmachennai
www.youtube.com/madrasmanagementassociationchennai

In case you need any further assistance contact MMA Chennai:

The PIL filed against the Kerala Government and Sprinklr in the Covid patient data processing contract has brought before the Kerala high Court one of the first real tests of the Privacy Protection principle in India

The Court has in its preliminary hearing passed several injunctions against the US company Sprinklr raising questions on the privacy protection of the patients. The Court has set the next hearing by 18th May 2020.

We need to note that India is in the threshold of passing its own Privacy protection law and soon thereafter there will be discussions with the GDPR and other international regulators about the “Adequacy” of the Indian privacy protection regime. For this consideration, apart from the law as passed, the attitude of the Courts will be an important factor. Hence the way Kerala High Court decides in this case will determine if the Indian judicial system respects privacy adequately or not.

The order therefore requires to be studied on some of the academic points that it raises.

Copy of the order

This case has arisen because Kerala Government entered into a contract with Sprinklr, an online data processing company to process the Covid patient’s data. It has been challenged on several grounds and what we are interested is the privacy issues that have come up for discussion.

The issue here is that the data sought to be processed by Sprinklr is “Sensitive Personal Data” and there is an issue of  “Reasonable Security Practice” and “Due Diligence” under ITA 2000 (Section 43A) . Since the Personal Data Protection Bill 2019 (PDPB 2019) is sought to be a direct replacement of Section 43A, the reasonable security practice may be currently considered as the compliance requirements as stated in the PDPB 2019. Hence we need to evaluate the arguments on whether Privacy Protection is adversely affected or not by the contractual arrangement with reference to PDPB 2019.

In this connection , the Data Protection obligations, the Rights of the Data Principal, the mandatory explicit consent, the restrictions on transfer of personal data outside India, the security requirements etc become relevant.

At the outset we need to identify that the information on Covid is “Sensitive Personal Information” and hence it requires “Explicit Consent” for processing  and transfer out of India.

The Court has spoken of the need for “Confidentiality” and “Anonymization” that also need to be discussed.

According to the defense of Sprinklr,

a) The confidentiality of the data of the citizens is guaranteed as per the terms of the contract.

b) The State Government has undertaken to take full responsibility for its protection

c) Available protection systems on the Amazon cloud service makes it impossible for Spinklr or anyone else to breach confidentiality or to deal with the data surreptitiously or maliciously.

d) Sprinlkr at present does not hold any data at present and has transferred all such data back to the Kerala Government.

e) Data resides in India and hence any breach of its confidentiality will expose Splinklr to action in India and hence the standard form clause of jurisdiction in USA should not be objected to.

The MeitY has argued that Sensitive personal data should always remain in India and also that the data should be anonymized before it is handed over to the processors. It has also rightly insisted that the data which was transferred earlier should be confirmed as having been purged by the company.

Considering the current status where the Court does not want to adversely affect the Government’s efforts in controlling Covid, the Court has decided to take an interim view only on ensuring the confidentiality of the data and take up a detailed hearing later on.

The injunctive relief granted by the Court is therefore under this consideration that Confidentiality of the data has to be maintained.

The approach of the Court is to be appreciated that they have tried to take a balanced view and rejected most of the contentions of Sprinklr without taking any drastic step that could adversely affect the Covid prevention efforts of the Government.

But when the case is heard in detail the defense provided by Sprinklr will come for a detailed scrutiny. In this regard, its Privacy Policy, the Terms and conditions, the Data Protection Addendum, the GDPR privacy by Design policy will all come for scrutiny.

There is a possibility that between now and the next hearing, Sprinklr may make changes in its website policies which will amount to tampering with the evidence. Hence all these documents have been archived by CEAC  and any changes  if attempted will be provable as tampering of evidence. 

From a first glance of these documents, it appears that the defense of the company that it follows international standards of data protection and hence nothing can go wrong may not be a tenable argument. There is enough indication that the documents are only statements of intent which does not seem to be reflected in the actual implementation.  The information so far available on the news reports is sketchy and if the company is subjected to intense cross examination, it may be possible to bring out more inconsistencies to prove that they donot have any credible evidence to substantiate their defense.

It will be interesting to observe how both sides take the case from here. We would refrain from more discussions at this stage for reasons of propriety. If however a need arises in the coming days, more points may be taken up for discussion.

What we are interested is in observing if the Court will impose a heavy penalty as envisaged in PDPB 2019 which is also consistent with the GDPR which the Company swears by. The penalty to be imposed has no relation to the fact that the sensitive personal data has now been returned or that the Company has deferred the receipt of remuneration by 6 months. We know that “Data” has value and just as Crude oil can be sold at -37$ per barrel, it is not impossible to think that “Data” can be bought at “Zero” value for the hidden benefit it represents.

Also the attempt to justify the jurisdiction clause which requires Kerala Government to raise its disputes if any in New York is laughable to say the least. If a dispute arises, the company would definitely raise the jurisdiction clause and stall any proceedings in India.

I wish the company was more straightforward than to claim that the jurisdiction clause does not matter. If so, it will be a great precedent to all other customers of Sprinklr and other service providers to simply ignore the jurisdiction clause and proceed in India.

It is open the Court however to accept the admission of the company that since data is stored in India, the company can be sued here. The Court can  confirm that since the Contract is a standard form contract, and it is not supported by authentication by digital/electronic signature, it has only the status of an implied dotted line contract and hence the jurisdiction clause deserves to be rejected as an Unconscionable clause”.

This will help many others and also provide a new reason for imposing data localization in the PDPB 2019 since it helps in overcoming the inconvenient jurisdiction clause. If the company retracts on this argument as they are likely to do, then the current argument will be considered as an attempt to mislead the Court.

It is also strange that the Company is arguing that the State Government is indemnifying the Company by taking “full responsibility”. If so, it is another point that proves that the contract is unfair to the Kerala Government.

Another point which the Company seems to  forget  is that in “Personal Data Protection”, ensuring “Confidentiality” is only one aspect. It is an information security issue and is a necessary but not sufficient condition of data protection obligation.

What is more relevant in data protection is that beyond securing the confidentiality, integrity and availability of personal data there are other aspects of consent, rights, the lawfulness of the processing etc.

Hence just because the data is protected (we are not aware if the Amazon cloud data was actually encrypted), it does not mean that all obligations of data protection are fulfilled. Also just because no data breach has occurred now, we cannot say that the contravention of the privacy right cannot be recognized.

Hence the last word has not been said in this case. We hope that the High Court stands upto the principles and come to a good conclusion without succumbing to the defense of “urgency” etc.

Naavi

Also Read

It is reported today that the Kerala High Court has ordered that Kerala Government was wrong in getting the personal data of Covid patients processed with Sprinklr, without de-identifying the personal data. It has also ordered that the patients are to be notified by the Government .

The Kerala Government had appointed the  US based service provider for analysis of Covid patient’s data which ran into a political debate of nepotism as well as a debate on the infringement of privacy of citizens. We can leave the political controversy aside and focus only the issue related to the Privacy of the patients.

In this case, Kerala Government was a customer of Sprinklr and used the Software as a Service (SaaS). Data was provided to Sprinklr initially directly on their website and later by the Kerala Government from is website. Processing was done by the Sprinklr engine which must have worked from US and then the processed information was stored either in US or other servers.

The service involved sharing of the Covid patient’s data which is “Sensitive personal data” under ITA 2000 (amended in 2008) as well as any norms that can be traced to the forthcoming Personal Data Protection Act in India or the prevailing global norms of GDPR.

Though the Company is a US company is bound to follow the principles of “Reasonable Security Practices” under Section 43A of ITA 2000/8. The Company is also expected to follow “Due Diligence” which is “following such practices as a prudent person would follow under similar circumstances”.

As of 25th April 2020, a prudent organization in India dealing with “Sensitive personal information” would consider the provisions of the Personal Data Protection Bill 2019 as the guidelines of privacy to be followed as due diligence.

The Kerala Government is also obliged to consider the Justice Puttaswamy judgement declaring Protection of Privacy to be a fundamental right of an Indian citizen.

More importantly, the Kerala High Court itself in the Oomen Chandy Case  (WP(c) No 40775 of 2017),5  has  said

“The newly recognized fundamental right to privacy, which takes within its fold the right to protect ones reputation as well, would merit classification as a fundamental right that protects an individual,  not (only) against the arbitrary State action, but also from the actions of other private citizens, such as the press or media,”..

Hence both the Kerala Government and Sprinklr were bound to recognize the Privacy protection guaranteed under the Puttaswamy judgement and initiated Privacy protection measures in the collection, processing, storing and disposal of the sensitive personal information.

In the Indian context, the Privacy law may be new to the Kerala Government but Sprinklr is claiming that its services are “GDPR Compliant”. Hence Sprinklr was fully aware to the sensitivity of the information being processed and even if the Kerala Government was not conversant with the privacy laws in general, should have cautioned the Government on how to address the issue.

The first thing that comes to everyone’s mind is the “Consent” from the patients. There is also the question of possible transfer of data out of India either for storing or for processing for which  an “Explicit Consent” was required to be called for by Sprinklr even if Kerala Government was not aware.

Further though the Government can claim exemption for “Medical Emergency”, the exception under PDPA applies only to an entity such as a hospital transferring the patient data for the purpose of medical treatment etc and not for Big Data analytics which can be done by many Indian companies.

Further, Indian PDPA goes beyond the “Consent” related constraints and holds the person who collects and processes the personal data in a capacity of a “Data Fiduciary” meaning a “Trustee” who has to protect the privacy of the data principal as per the Puttaswamy judgement principle. Hence no implied consent with concessions for transfer of data to a US entity can be presumed as “Due Diligence”.

In the instant case, both Kerala Government and Sprinklr are “Data Fiduciaries” since the purpose and means of processing is determined more by the SaaS company than the Kerala Government which is the user of the service under the terms and conditions under which the Sprinklr service is on offer. (Though the Data Protection Addendum on the website makes the Kerala Government the Controller and Sprinklr the Processor. In that case the data protection clause should have been directed by Kerala Government to Sprinklr which certainly is not the case here.)

As per the statement of one of the advocates representing the Kerala Government, it is claimed that the Company has a privacy policy and follows international data protection norms ensuring a high level of confidentiality of data. It is stated that the data was stored in an encrypted form in Amazon cloud in Mumbai.  If this contention is proved by evidence, it can prove that one copy of the data was perhaps stored in India. While the security of the information might have been secured against further breach because of encryption, the disclosure of the data to the service provider is still outside the consent mechanism.

The High Court has taken note of this in its order and come to an opinion that it was wrong for the Kerala Government to have shared the information with the SaaS provider without “Anonymization”. (We presume the Court was referring here to Pseudonymization or de-identification).

A quick glance at the Website of Sprinklr.com indicates that it uses several sub processors for processing work, and makes a mention of GDPR  and CCPA. However it does not mention compliance of ITA 2000/8 nor any Indian privacy laws.

Whether the policies which are declared on the website are operative or not can only be tested if data principals in India send requests for personal data processed and seeking portability of the data or right to forget. The company will most probably  reject any such requests under some excuse.

As regards the cross border transfer, the policy does not even recognize that it is in operation in India and hence the possibility of its compliance to Indian laws is clearly absent. It clearly says that it offers its clients the option to host the data in USA and Europe and there is no mention of the storage in Mumbai.

Without going too deep into an analysis it can be considered that Sprinklr is not in compliance with Section 43A ITA 2000/8 and it has rushed to the processing because the business opportunity fell on its laps.

Now that the Kerala High Court has caught the privacy related short comings in the process, it is necessary for Sprinklr to immediately stop receiving identified personal data of the patients which is any way not required for the purpose for which the data is being shared with them. The analytics that they may do has no relation to the identity of the person by name and hence it should immediately agree to an intermediary like NIC conducting “De-identification” process before the data is handed over to Sprinklr.

Simultaneously Sprinklr should transfer the processed data up to date to a custodian like NIC and purge all related data in all its servers and provide appropriate evidence of the erasure.

There is therefore no logic for the Kerala Government or Sprinklr to take any  excuse to process the identified data. They need to immediately engage the services of another intermediary, trusted in the Indian environment such as NIC or CDAC to put together a de-identification-re-identification framework  to continue further processing.

NIC should be more than capable of this exercise and if not there would be a number of software companies in India who can do it.

It would be interesting to see how the case develops further and whether the Court takes any cognizance of the principles of privacy protection that has been included in the upcoming privacy act.

In the next hearing we hope that the Court will place a substantial fine both on the Kerala Government and Sprinklr on the lines suggested in the PDPA Bill 2019 which is Rs 5 crores for the Kerala Government and upto 4% of the global turnover of Sprinklr. This will be in addition to the personal relief that can be claimed collectively by the data principals.

Naavi

(P.S: This is a quick comment based on the news reports that have just appeared. More may follow)

Also Read

It has been an observation that Cyber Criminals try to target  such destinations where the possibility of reward would be high.  The recent attack on Cognizant through a ransomware called Maze indicates that despite the Company being well informed about Cyber threats and probably well equipped with experts to guide the Information Security aspects in the Company, it could be successfully compromised by the attackers. It could be due to the persistent attacks on a large number of employees through phishing e-mails and probably using the Work From Home situation which could have diluted the security measures that this attack was made possible.

It is understood that the Maze users have a history of demanding ransom upto US $6 million (Rs 42 crores) and also disclose upto 700 MB of confidential data of a company in the past.  So Cognizant would not escape easily if they chose to pay a ransom which could be of the order of US $10 million (Rs 70 crores). And this has to be paid in the form of Bitcoins which means that Cognizant has to invest in black money to the extent of Rs 70 crores. The share holders of Cognizant can object to the use of company resources for this purpose. It is possible that Cognizant may have some coverage of Cyber Insurance but whether it will apply to the payment of extortion arising due to the negligence of the company and if so to what extent is not known.

Further if the data that has been lost relates to personal data of EU countries, the company has to also face the GDPR fines which could be also debilitating. If the personal data lost includes Indian citizens or Indian companies, there could be action against th company through local courts. The company is fortunate that the Personal Data Protection Act is still not in place and like the Breach Candy hospital, this major data breach will go unpunished under Indian law. Though CERT-In may send a notice, it is unlikely to take any action an the company may relatively face less trouble from Indian regulators than from the EU GDPR authorities from multiple countries.

It is regrettable that  large company like Cognizant should have fallen to the malware and it will take some time to understand what really went wrong.

For the time being we would like to look at another dimension of the fraud and in particular how the inaction from the Union Home Ministry under Mr Amit Shah has contributed to this attack and will continue to encourage more such attacks.

Recently the MHA stepped into the shoes of MeitY and gave a security advisory on the use of Zoom video conferencing software. Though the advisory was meant for Government department, it was released as a PIB press note giving an opportunity to the ignorant media persons shouting that “MHA had declared Zoom as Unsafe”. As a result many members in the public including companies might have dropped Zoom and moved to more vulnerable tools.

However, MHA has so far not opened its mouth on the issue of “Bitcoins” and when a strange Supreme Court judgement came out indicating restoring of Bitcoin Exchanges, neither the Finance Ministry under Mrs Nirmala Sitharaman, nor the Home Ministry under Mr Amit Shah nor the MeitY under Mr Ravishankar Prasad, took interest in filing a review of the faulty decision .

Every body seems to be happy that the Supreme Court has taken the responsibility to give a sense of approval to Bitcoins on its shoulders and the industry can make hay while the sun shines by converting the legitimate white money in the country to digital black wealth in the form of Bitcoins and other Crypto currencies.

So far we were considering that Mr Amit Shah could be relied upon when national security is at stake and since Bitcoin is the currency of the criminals and terrorists, he would take steps to ensure that its acceptability as a currency for settlement of financial transactions would be recognized as a national security risk. This hope has been belied. Unfortunately he and his department has displayed no urgency in this matter while they rushed to give a premature advisory in the case of Zoom.

It is well known that to prevent a crime, the ability of the criminals to benefit from the crime has to be stopped. So if crimes like Cognizant attacks have to be reduced, it should be made difficult for the criminals to benefit by collecting the ransom  in Bitcoins.

The first step for the MHA is therefore to take steps to bring out an ordinance to ban Crypto Currencies forthwith so that the Ransom ware distributors are choked of the reaping financial rewards arising out of their crime.

Secondly, MHA should issue a notice to Cognizant not to pay the ransom since it would encourage similar attacks on Indian companies and also result in a Black Money transaction of an amount equal to the ransom.

I hope Mr Amit Shah is able to understand the long term damage that is being made to the Indian national fabric by allowing Bitcoins to continue to exist.

I request Mr Shah not to accept any view from his department that suggests that “Supreme Court has held Bitcoin as Valid”. Supreme Court has actually not validated Bitcoin or Crypto Currency. On the other hands, the three judges have delivered a cleverly constructed judgement like a Bollywood story so that without telling that Crypto Currency is a valid currency in India, they have created a false impression to let the industry benefit fraudulently.

The RBI and  the Finance Ministry should have come up with an amended Circular to re introduce the ban on Crypto Exchanges and the MeitY should have come up with the law on banning Crypto currency which is already in draft stage. But all the three wings of administration have remained silent or have been silenced by the power of crypto currency corruption.

If Mr Amit Shah along with Mr Narendra Modi are the last repositories of honesty and lack of corruption in India, they should make moves to bring a ban on Crypto currencies immediately.

There is no need for the Government to wait for the current Covid 19 crisis to be over before taking action in this regard since this is the time when more such attacks will happen on other organizations since the “Work From Home” situation has exposed most companies to the risk of malware from the home environment jumping into corporate networks.

Stopping ransomware attacks is therefore a Covid priority. If Stopping Bitcoin circulation as a currency relied upon by the criminals is a step in this direction, this is also a Covid priority.

If the MHA, Meity, MOF and RBI are not collectively deaf, I suppose they will listen to this appeal for ban on Crypto currency.

Naavi