Supreme Court on use of Aadhaar for Age determination

In the DPDPA implementation, we have been discussing the requirement of determining the “Age” of a data principal to identify whether he is a minor or not. Without identification of the age, the obligations of DPDPA towards a “Minor” cannot be fulfilled.

At the same time, there is a need to develop a mechanism by which one can identify the class of data principals to which Section 9 of DPDPA is applicable (Minors and Disabled Persons). In the case of a minor, the consent has to be provided by the guardian, who may be either a natural guardian or a legal guardian. In the case of disabled persons, it is the legal guardian who has to provide the consent.

The “Legal Guardian” is always a product of the decision of a Court and, unless the Courts create a system of publishing a database of “Legal Guardians” approved by different Courts, there is no way for a Data Fiduciary to know if a person is disabled or not. A request for this has been sent by FDPPI to the CJI and sometime in the future it may see the light of day.

As regards the Natural Guardian, the law has its own uncertainty, since there may be many single parents and divorced parents where the natural guardian cannot be determined by just identifying the father or mother.

It is the duty of the Government and the Judiciary to find a proper mechanism to identify the age of a data principal if they are serious about protecting the privacy of a minor. At present, Data Fiduciaries simply accept a “Self Declaration” from the data principal that he/she is not a minor and proceed to provide services meant for adults. Without verification of the declaration, this is not an effective system for protection of the privacy of minors. We therefore need a mechanism for such verification.

At DGPSI, we need to identify a suitable mechanism for organizations to identify the age of a data principal. We have in the past discussed this in these columns and recommended the use of Aadhaar as an instrument not only for creating an “Age Pass” but also for verifying the “Guardian of a minor”. (Refer to the article titled “Is there no solution for Age Gating?”)

In this context we need to discuss the recent Supreme Court judgement in the case Saroj & Ors vs IFFCO-TOKIO General Insurance Co & Ors.

An article titled “Aadhaar Card Not Suitable as proof of date of Birth: Supreme Court” was published in Live Law yesterday explaining this judgement.

We would however like to point out that the article with the above headline may not reflect the issue in the right context of “Age-Gating” for Privacy regulation and needs to be read in the given context.

The context in which the Supreme Court decided this appeal was that the insurance company had sought a reduction of compensation based on the age of the deceased in the Aadhaar Card vs the age of the deceased as per a school leaving certificate. There were two age documents available and there was a conflict. The choice of the reference document would have materially altered the compensation payable to a victim of an accident which had taken away the life of a breadwinner in the family.

We trust that the decision of the Court has to be viewed in this context.

It is also true that as observed by the Court, the purpose of Aadhaar was to establish the identity of the individual and the noting of the Date of Birth is only incidental.

However, it is to be noted that Aadhaar is still the best Government document that can establish the identity of a person. The Aadhaar card issued to a minor also records the name of the guardian. Short of a Court order, this is therefore the best document of proof of the age of a minor and the name of the guardian.

The documents which are collected for Aadhaar enrolment are available here and indicate the documents which are used for age verification.

The enrolment documents include the Birth Certificate, Passport, Certificate issued by an Orphanage, School Leaving Certificate, Service Identity Card, Pensioner’s Card, Transgender certificate.

The Aadhaar document therefore is not an ad hoc self declaration of date of birth and is based on documentation. The subject Supreme Court judgement was a case where there were conflicting dates in different authentic documents and the Court had to prioritize one over the other. In that context, they chose the school leaving certificate ahead of the Aadhaar.

DGPSI, which is defining the Jurisprudence related to the DPDPA, therefore does not suggest dropping the Aadhaar based age determining process for determination of a minor for the purpose of obtaining consent from the parent.

We remember that when the Supreme Court in the Afzal Guru case had held that the Section 65B certificate for digital evidence was “Not Mandatory”, Naavi had disagreed with the Court and held to his view that the Section 65B Certificate for admissibility of digital evidence was mandatory. It took several more years and the Judgement of PV Anwar Vs P K Basheer to correct the decision. Even subsequently, when the Shafi Mohammed judgement appeared to disagree with our view, we held onto the view until it was validated in the Arjun Pandit Rao case. Now the IEA has been replaced with the Bharatiya Nyaaya Samhita and the jurisprudence that “Section 63 Certificate is mandatory for admissibility of digital evidence” holds, though the form of Certification has changed a little.

Similarly, we hold onto our view on Age Verification for DPDPA purposes that an Aadhaar based system is acceptable as a “Reasonable Measure” for the Data Fiduciary to verify the Age. It is not feasible for a Data Fiduciary to be a Court in every case and ask for multiple age proof documents and verify the same. Probably a Consent Manager can do it, and the case for a specialized consent manager for minors is made out.

At FDPPI, we can state that the data principal can provide any one of the following documents as proof of age, namely:

  1. Birth Certificate
  2. Passport
  3. School Leaving Certificate
  4. Service Identity Card
  5. Pensioner’s Card

We would also like to add the PAN Card and Driving License to the above list. Obviously, a court order would also have to be accommodated in this accepted document list. However, these documents may not be as easily verifiable as the Aadhaar data and hence Aadhaar remains the preferred reference tool.

As we have discussed earlier, the verification of age is not only a requirement for a person who has already declared himself as a minor; we also do not want anonymous malicious adults in the minor community. For this purpose, we need to apply age verification to all data principals as a general rule of entry. Verification of who the guardian is, is a more complicated exercise, and at present Aadhaar is the only document (other than a court order) that has this data. The PAN card of a minor may also have this information, but there may not be as many minor PAN cards as there are minor Aadhaar cards.

To summarize, we may say that the Supreme Court judgement cited above is not a bar on the use of Aadhaar for the purpose of age verification in DPDPA compliance, and it can be one of the several ways by which the data fiduciary may satisfy himself about the status of a data principal as a minor or not a minor.

Naavi


Naavi Academy to start a Video Blog

Naavi.org has been in existence since 1998 (initially as Naavi.com) and has been providing knowledge inputs on Cyber Laws, ITA 2000 and now DPDPA etc. Over these 25 years, a lot of content has been accumulated on the website, though it might not have been organized properly.

Now it is intended that Naavi.org will be converted into a Video Blog so that the content of Naavi.org will slowly be described in short videos.

The videos will be accessible through a mobile app.

The objective of this exercise is to bring educative content on DPDPA, Data Protection and Cyber Laws in video form. So far, I have been more comfortable with the written articles on naavi.org, though several videos are present in the YouTube channel youtube.com/naavi9. Naavi Academy will be a direct interaction of Naavi with the students of Cyber Law and Data Protection.

Naavi Academy videos would be available through a mobile App for easy access.

This activity will mainly support the Cyber Law College and FDPPI activities of conducting Courses on Cyber Law and Data Protection.

If found feasible, some of these videos may also be grouped separately into a structured presentation for privileged access.

This is the beginning of a new phase of Naavi.org and its mission to spread knowledge. Watch out for more information…

Naavi


DGPSI Compliant Software and Incentivisation

DGPSI as a framework targets compliance with DPDPA. It can be used by Data Auditors to audit the compliance of an organization and certify them for adequate compliance. DGPSI can also be used to make an assessment of compliance maturity through the Data Trust Score or DTS, which can be used for monitoring the compliance and building assurance for the Data Principals.

At the same time, DGPSI also has another use for those who build Privacy Compliance technical tools, such as those for “Data Discovery”, “Data Classification”, “Consent Management” etc. This is for creating “DPDPA Compliance Software Tools” for compliance.

Since DGPSI is a reflection of DPDPA, DPDPA Compliance in a technology situation is better addressed by DGPSI Compliance.

Hence Privacy Enhancement Tool (PET) developers can target DGPSI Compliance to be built into their tools and thereby become DPDPA Compliant. Such tools can also be audited by DGPSI auditors and certified as “DGPSI Compliant”. They can even be assigned DTS scores to indicate the level of assurance.

Naavi invites technologists to come forward and tweak their current tools to meet DPDPA compliance by becoming DGPSI Compliant through appropriate DGPSI Consultants and obtain a DTS Score for their tools.

The Data Auditors of FDPPI are being trained to make such assessments and provide assurance certificates for tools with a DTS score which fairly represents the ability of the tool user to meet compliance of DPDPA while he processes personal data using the tool.

This is a unique process and will take time to develop. The Data Auditors need to be specially trained for this purpose. But a beginning has been made and this should usher in a new era in PET development in India.

Need for Incentivisation

During the early days of HITECH Act implementation in USA, there was an incentive scheme by the US Government to promote use of HIPAA Compliant technology by the Health Care industry. This included a system for certification of “HIPAA Compliant Software” the use of which would make a covered entity eligible for subsidy. A total of $17.2 billion was distributed under this scheme over 5 years from 2009-2014 and is believed to have contributed significantly to the adoption of technology by the health care professionals. This was more relevant for individual doctors and small pharmacies where the lack of funds could have delayed the adoption of compliance technology.

It is time for India to consider a similar system to promote use of DPDPA Compliant technology and introduce some incentives to the Data Fiduciaries particularly in MSME sector to promote use of “DPDPA Compliant Software systems” for processing personal data.

It is our desire that, before the Government introduces a system for such a purpose, we have a system of evaluation of software to be certified for DPDPA Compliance. Once such a scheme is introduced, there will be many players who would introduce their own DPDPA Compliance systems and promote them with aggressive marketing efforts. Naavi and FDPPI would however endeavour to make “DGPSI Compliance” the hallmark that should have its unique value.

In the upcoming training for Data Auditors in Mumbai scheduled for January 24, 25 and 26, this aspect would be discussed in greater detail. Before that training, this may also be discussed at IDPS 2024 on November 30 and December 1 at Bangalore. Watch out for details of both programs on the FDPPI website (www.fdppi.in).

Naavi


Fake Bomb Threats are an Act of Terrorism

The recent spate of fake bomb threats to different airline companies and an open advisory from a Khalistani terrorist not to travel in Air India are acts of terrorism that fit well into the definition of Cyber Terrorism under Section 66F of ITA 2000.

It is surprising that the Ministry of Aviation seems to be searching for ways to strengthen the aviation laws to make such threats punishable. I request the Civil Aviation Minister Ram Mohan Naidu Kinjarapu to take note that there is already a law in India under Section 66F of ITA 2000 which states inter alia as follows:

“Whoever, “with an intention to strike terror in any section of the people”, accesses a computer resource exceeding authorised access and by means of such conduct is likely to cause disruption of services essential to the life of the community, shall be punishable with life imprisonment”

Hence there is no need for a separate law or tweaking of Airlines Rules to file a case of terrorism against those who send the fake emails with bomb threats, either to airlines or to schools etc. Once such cases are filed, they are recognized across the globe and can be taken to Interpol for investigation if required.

The reason why these threats are proliferating and will continue to proliferate is that it is child’s play to get an email account in Proton Mail or similar email services which provide an anonymous e-mail account from which such threats can be sent. There are also proxy servers which provide services to hide the IP addresses. It is therefore near impossible for the investigating agencies to quickly decipher the identity of the sender.

While it costs almost nothing for the attacker to send an email, it costs in the range of Rs 25 lakhs for airlines to divert flights in mid air for security reasons and conduct a security drill before the aircraft is released once again. In view of the ease and economy of such cyber attacks, these will continue, and a solution has to be found by the Government, as otherwise the asymmetric attack will cause huge damage to the country.

The solution to this lies in getting the cooperation of the service providers like Proton Mail or the VPN service providers to get the identity of those who use the facilities for committing international terrorism. The contracts of such providers always indicate that the services shall not be used for terrorism.

For example the terms of service of Proton Mail indicate as follows:

Any Account found to be committing the listed unauthorized activities will be immediately suspended.

2. Authorized use of the Services

You agree not to use your Account or the Services for any illegal or prohibited activities. Unauthorized activities include, but are not limited to:

  1. Disrupting the Company’s networks and Servers in your use of the Services;
  2. Accessing/sharing/downloading/uploading illegal content, including but not limited to Child Sexual Abuse Material (CSAM) or content related to CSAM;
  3. Infringing upon or violating the intellectual property rights of the Company or a third party;
  4. Harassing, abusing, insulting, harming, defaming, slandering, disparaging, intimidating or discriminating against someone based on gender, sexual orientation, religion, ethnicity, race, age, nationality or disability;
  5. Trading, selling or otherwise transferring the ownership of an Account to a third party (with the exception of Lifetime Accounts, which can be sold or traded exclusively through the Company);
  6. Promoting illegal activities or providing instructional information to other parties to commit illegal activities;
  7. Having multiple free Accounts (e.g. creating bulk signups, creating and/or operating a large number of free Accounts for a single organization or individual);
  8. Paying for your subscription with fraudulent payment means, such as a stolen credit card;
  9. Engaging in spam activities, which are defined as the practice of sending irrelevant or unsolicited messages or content over the internet, typically to a large number of recipients, notably for the purposes of advertising, phishing, or spreading malware or viruses;
  10. Sending junk mail, bulk emails, or mailing list emails that contain persons that have not specifically agreed to be included on that list. You agree not to use the Services to store or share content that violates the law or the rights of a third party;
  11. Abusive registrations of email aliases for third-party services;
  12. Attempting to access, probe, or connect to computing devices without proper authorization (i.e. any form of unauthorized “hacking”);
  13. Referring yourself or another one of your accounts to unduly benefit from our referral program’s benefits (see section 9 for discretionary benefits of the program).

Similar conditions will be available in all VPN services as well as all domain name services.

The first requirement for our law enforcement is therefore to quote these terms and demand that the service provider disclose the identity details of the account holder who is committing a terror activity. This can be supported with a Court order.

In case these service providers refuse to abide by the request, it can be escalated into a notice alleging an attempt to shield the perpetrator of the crime and making the service provider a co-accused for conspiracy. This will provide power for the law enforcement to take direct action against the service provider in an Indian Court and later enforce it in the relevant country in which the service provider is registered. They will not be eligible for protection under Section 79 of ITA 2000 if they do not cooperate with the information sought through a due process of law.

In the meantime, the law enforcement can also take action to block the domain such as “Protonmail.com” from India along with the associated VPN services ignoring the cries of the digital andolan jeevies.

I request the MHA and MeitY to immediately initiate action to co-operate with the Ministry of Civil Aviation in initiating an action in the above direction.

Naavi


DGPSI will be the “Jurisprudence” for DPDPA 2023

In a recent meeting of the officials of MeitY with the industry, it is reported that the officials suggested that the industry get cracking on the implementation of DPDPA 2023 without waiting for publication of the rules.

This suggests that the MeitY is still not clear on some of the aspects of the law and how it has to be implemented.

In this context, DGPSI, which was developed as a “Framework for Implementation” of DPDPA 2023, assumes a much bigger role as a document that would be the codification of the interpretation of DPDPA 2023 for implementation by the industry.

DGPSI is therefore the “Jurisprudence” for DPDPA 2023. It indicates how the DPDPA 2023 can be interpreted and implemented. The legal basis is implementation as “Due Diligence” under ITA 2000.

Watch out for more in a series of posts here.


Digital Jungle Raj in Digital India

Yesterday we had a very useful discussion on whether there is a need to regulate the Dark Web, and whether it is desirable and feasible.

As expected, one school of thought was of the firm view that the “Dark Web” cannot be regulated and that if you try to bring down one Tor site, another will come up, and so on. There are no two opinions that hackers who function in the Dark Web are confident that the law enforcement cannot catch them. There are law enforcement persons as well as security professionals who are simply happy observing the dark web. In fact, many security professionals make a living out of monitoring the dark web.

The fact that the dark web is thriving because of the presence and availability of crypto currencies like Bitcoin and Monero is well known.

One common view of the professionals was that even politicians have a cut in cyber crime proceeds, in Crypto form, and hence they are not interested in taking any action against them. It was however noted that regulation of Crypto currencies in India has been effective and Indians are using Dubai as the center for exchange of their black wealth to Crypto currencies and back. Hawala operations are also in place between India and Dubai so that ransom money payments demanded in crypto currencies can be carried out.

At the end of the discussions, it was clear that regulation of the Dark Web and Crypto Currency is very much needed, unless we want a “Digital Jungle Raj” in Digital India.

However, there is no consensus on whether any regulation of the Dark Web is feasible in India. Many are obviously against such regulation since their livelihood could be affected. They belong to the school of thought that says: let there be crimes, let there be victims of cyber crimes; we shall make our money through legitimate business surrounding the dark web.

At Naavi.org we believe that the “Impossibility of regulating the Dark Web” is only an excuse not to try.

In fact, we have not prevented road accidents, but we have laws for traffic management. We similarly have laws on drug abuse, gun selling or terrorism, but we are not able to eliminate them. What we as a society need to do is to take a position and declare that we would not support the Dark Web and the Dark Currency, come what may.

It does not matter if we shrink our Web space by creating an “Iron Curtain” and restrict use of the Internet, ban domains such as Proton Mail and continue to ban any substitutes that may come up.

If we cannot ban the Tor browser because it is required for any reason, then make its possession subject to registration of a person as a “Registered Ethical Hacker” and bring accountability to the use of the Tor browser.

Under Section 67B of ITA 2000, any person who creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in an obscene or indecent or sexually explicit manner is punishable.

A similar law should be considered for restricting the use of the Dark Web.

Under Section 84C of ITA 2000, whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed is also punishable.

The Dark Web, which is an instrument of crime, along with the Tor browser, Proton Mail (and other similar services) as well as the Bitcoin type of Private Crypto Currency, are all therefore classified as instruments which “Causes such offences… defined under ITA 2000”. Hence there is already a law that can be used against the use of Criminal Instruments.

Any person in possession of dangerous weapons in the physical world is looked upon as a potential threat to society, and the Police maintain a register of such persons as “Rowdy Sheeters”. At the same time, we allow police, security agencies and celebrities, including people like actor Govinda, to possess revolvers for their own safety or for other purposes.

Similarly, we can mandate that any person who wants to use any of the dark web tools should be registered with the national security agency as a “Registered Ethical Hacker” and report his activities periodically in the form of an audit report. This will bring accountability to the use of the dark web by security persons and segregate them from “Unregistered ethical hackers”, who can be classified as “Black hat hackers”.

We advocate that the MHA bring in an explanation to the existing laws at appropriate places to state “Possession of dark web tools …as per a list to be published … will require mandatory registration, failing which the possession itself will be punishable.”

We agree that a section of society will ignore the law. It does not matter. Let us at least give an opportunity to the “Friends of the digital society” to declare their honesty in good faith by registering themselves as persons who possess the ability to wade into the criminal space but use it responsibly.

Naavi
