Supreme Court directs Government to find a solution for Aadhaar Linking to Social Media

The ongoing controversy of “Preventing Fake News” has now taken an interesting turn with the Supreme Court directing the Government to file an affidavit within 3 weeks on how it proposes to link Aadhaar to the social media accounts as being discussed in the Madras High Court in a petition. The Supreme Court has acknowledged the misuse of social media and the adverse impact it has on the society and National Security.

In the past, when the Government came out with guidelines on “Intermediary Guidelines”, as well as in any other case involving the key word “Aadhaar”, the Supreme Court came down heavily against the Government as if it were selling out the Privacy Right of the Indian Citizens. The Privacy activists who want to oppose anything the Government does, supported by the Congress advocates, took the cases to the Supreme Court and prevented any action from being taken by the Government. But for these negative strategies pursued by some activists and supported by the Supreme Court, there would have been strong “Intermediary Guidelines under Section 79 of ITA 2000” by this time.

Now the bench of the Supreme Court which has provided the current ruling appears to be very reasonable in acknowledging that neither the Supreme Court nor the High Courts are competent enough to take a final view on this techno-legal matter, and that the Government is perhaps in a relatively better position to come up with a suggested solution.

The problem with the Government is that it does not have an adequate mechanism to respond to such needs, since it has killed the “Cyber Advisory Committee” which was mandatory for such purposes according to ITA 2000, and is banking on an inadequate set of Delhi-based advisers to provide a solution which ultimately always falls short of expectations and meets the opposition of the Court.

I hope at least this time the Modi 2.0 Government finds a proper solution which should satisfy the Supreme Court.

Naavi has been advocating that within the provisions of the current ITA 2000 and the proposed structure of the Personal Data Privacy Act, there is a reasonably effective solution to this problem. Unfortunately the Government does not listen to innovative suggestions and the private sector is not sure of the revenue capability of such a solution. The so-called “Innovators” in the Start Up domain are more interested in re-inventing the wheel by taking up the same type of project again and again rather than taking up a truly innovative project.

In the current context of the Supreme Court putting a sort of a deadline on “Traceability” of social media transactions, Naavi proposes that there can be a “Public-Private Partnership” which can meet the needs of the Government and at the same time make the project self-sustaining and perhaps profitable.

I look forward to the Government coming up with a proposal to invite suggestions from the private sector and perhaps it may be possible to provide a good response to Supreme Court within the deadline.

Watch this space for more information on this topic.

Naavi

Posted in Cyber Law | 2 Comments

What is Community Privacy? and who has the right of disposal?

Yesterday, there was a conference titled “Communique19” at SITM (Symbiosis Institute of Telecom Management), Pune. (SITM is incidentally renaming itself, more appropriately, as Symbiosis Institute of Digital and Telecom Management or SIDTM). The conference, amongst other things, discussed the Personal Data Protection Bill and the above photograph shows the panel members.

The panel as seen above consisted of (From Left to Right) Mr Satish Dwibashi of Wibmo.com, Mr Neeral Arora, Advocate and Forensic Expert, Dr Sriram of DSCI, Mr Venkata Satish Guttula of Rediff, as well as me and Mr Sridhar Sidhu of Wells Fargo.

While discussing the issues, I highlighted the differences between GDPR and PDPB/PDPA. I have explained the differences many times on this website and hence I am not going to repeat them here, and will take up another point for discussion.

During the discussion, which also raised the issue of the “Data Governance Framework”, I highlighted the formation of the new Kris Gopalakrishna committee and the background in which the committee was formed.

I may recall my earlier article/s in which I had made a mention of “Community Privacy” as a concept which had been referred to by Justice Srikrishna in his report. I take this opportunity to explain what could be one instance of the “Community Privacy” which is reflected in the above photograph.

I, like the other participants in the panel, signed a permission to SITM that any photographs taken during the session could be used by SITM in social media etc. This is pretty much what happens in every conference, though ICO, UK started the practice of giving a notice that such photographs may be considered as not violating the privacy of the individual.

The above photograph however has been uploaded by me here because I was one of the participants in the panel. However, in the process, I might have violated the wishes of any of the other participants who might have liked to keep the photograph out of view of the visitors of Naavi.org. Though the panelists might have given the permission to SITM and SITM has placed it in public domain and I have also sought permission from these gentlemen, it is not clear if they have consented for this publication.

This is a classic example of how data of one person becomes the “Shared Data” of another person due to the context in which the personal data is generated and the decision of the other person to share it according to his wishes could be a point of contention.

This is what Justice Srikrishna indicated as the “Community Privacy Issue”, for which neither PDPB/A nor any other law like GDPR has provided an explanation. He suggested that the Government may consider a new regulation for this purpose.

If Kris Gopalakrishna Committee (KGC) takes a cue from the preamble in the circular indicating the formation of the Committee and interprets the terms of reference that such “Community Data” is “Non Personal Data”, it may include community data as part of its discussion and declare it as part of the “Big Data” or provide another intermediary status to such “Community Data”.

Is this therefore a case of “Community Privacy” that needs to be regulated?

If so, how do we regulate it?

Can the photograph per se, without the names, be considered as “Not identifiable” and hence “Anonymous”? Or

is the degree of “Anonymization” in this instance nothing more than “De-identification”, which does not constitute “Anonymization” as defined under PDPB?

These are some interesting thoughts that emerge out of this instance.

In the past, I had raised the issue of “Recording of Telephone Conversations” and expressed the opinion that the conversation belongs to both the “caller” and the “called” and recording is considered as the right of both persons. In the context of our discussions now, I see a clear explanation of my earlier view because this telephonic conversation belongs to the class of data now known as “Community Data” and hence all the members of the community (in this case the caller and the called) have joint and several rights to use the data as per their choice.

This “Joint and Several” right to dispose of the data will be the key to defining the regulation of community data. Once such data is considered the personal data of each of the individuals, the rest of the regulation may follow the lines of PDPB/A as the contextual risk assessment demands. While each member may have a right to refuse permission to consider the data as Community data by specific disclaimer, it may be considered that by default the data belongs to all persons in the community.

As regards the original photographer, his status would be like a “Data Fiduciary” who posts it in a social media or deals with the information in any other manner in the general interest of the data principals.

As regards the “Anonymization”, it may be considered that the photo without the names is actually “Anonymized”, but only to a basic level of obfuscation. The identity of the persons is known only to those who know them, either from their memory or by use of some identification tool.

Had we perhaps masked the faces, the anonymization could have gone to the next level and if all the others had been cut off from the picture, perhaps the anonymization would have been complete though it would have eroded the value of the data completely.

The person who assigns identity to the respective persons is required to take up the responsibility of “Re-identification” of the anonymized data (Which will be a criminal offence when PDPB/A becomes operational), unless he can provide a suitable defence of either “Prior Permission” or “Prior publication”.

If the identity is assigned by an AI algorithm and it commits a mistake, then there will be other issues such as whether it was a “Negligent Mistake” or “Recklessness/mischief” and accordingly the responsibility will have to be placed.

Consent is otherwise inherent in the participants allowing themselves to be photographed.

While these comments and opinions apply without much controversy in the case of a photograph of this nature on the stage where a panel discussion was held, during such conferences many “Candid” photographs are also clicked by the photographers, which may capture moments which the subject may or may not like to be made public.

How should such photographs be handled? Will they require “Explicit Consent”? These are points for a separate debate. The responsibility of the photographer and the first publisher of such photographs is high in such cases.

This discussion on “Community Privacy”, as well as the resolution through considering them as a “Joint and Several Right”, is raised, I believe, for the first time in India. Readers are welcome to contribute their thoughts. I hope the KGC takes note of these views and incorporates them in its deliberations.

I am also trying to convince a few experts in Bangalore to constitute a shadow committee to discuss and deliberate this issue of “Community Privacy” and publish a document. Let us see how this project proceeds.

Naavi



Data Productivity Vs Data Security

The concept of “Data” as a raw material on which a certain business can be built gives rise to a discussion on how “Data” can be made more productive and more useful for an organization.

In the context of Data Protection, we always look at one dimension of “Data”, namely how the Data may be compromised and how we can prevent such compromise. In defining “Compromise” we need a benchmark against which “Compromise” can be measured, and this includes certain measures of “Data Governance” such as

a) How Data can be classified

b) How to collect only such data as is required, so that every element of data collected has a specific purpose and use (Purpose limitation)

c) Who needs to access data (Need to know basis)

d) How to avoid unnecessary data lying around the company occupying resources (Storage limitation) etc.

We may observe that the above aspects of Data Governance are covered under the Data Security regime under the principles of Data collection and processing. Additionally, other aspects of security and destruction are part of Data Security.

The Data Security requirements are codified into a “Framework” under various approaches such as the ISO27701, BS 10012 or PDPSI.

If we look at “Data Governance Framework” as a different concept, it appears that the significant difference is that a “Data Governance Framework” should consider “Data” as a raw material for business and the Governance Framework should enable the Company to use “Data” productively.

“Productivity” therefore becomes the principal objective of Data Governance, while “Security” is the principal objective of Data Security.

This does not mean that Governance does not involve Security or Security does not have to factor in the “Context” of why Data is being used by an organization.

Data Governance and Data Security are therefore related and complementary to each other.

Productivity and Security, however, indicate that there could be some conflict. “Security”, in the framework of Privacy protection for example, restricts the use of available data only to the extent of the available “Consent”, which is “Purpose specific”. If a company is in possession of certain data which can be productively used for a purpose other than what the consent has permitted, then under the Data Security regime the data cannot be used for the alternate purpose unless the consent is modified. This delays the productive use and often prevents the alternate use altogether if the data subject refuses additional consent or is otherwise not available for a response.

Most companies which had a vast amount of personal data in their possession before the GDPR kicked in on 25th May 2018 had to simply discard the data, regardless of the cost at which it had earlier been acquired and the use it could have been put to subsequently. A similar situation will arise in India also when PDPA becomes effective from a specified date.

This is a case where “Security” shoots down productivity mercilessly.

As far as a “Collector” of personal data is concerned (eg a Digital Marketing Company), it would be more productive to collect a set of personal data once and distribute it to a number of data controllers. This is like re-usable software frameworks/components. But the Data Protection regulations prevent the collection of data for one purpose or controller/processor and its use for a different purpose or a different controller/processor. Here again productivity is sacrificed for the purpose of “Data Security”.

There could be many more such instances where Data Security prevents the productive use of Data.

One escape route that the Data Protection regulations provide to overcome the restrictions is when the personal data is “Anonymized”. “Anonymization” needs to be distinguished from “Pseudonymization or De-identification” which is referred to in GDPR.

Indian regulation (PDPA) provides a legal definition of “Anonymization” as an “Irreversible process” by which identifiable personal data is stripped of its identity parameters in such a manner that it cannot be re-identified.

As regards the “Data User” industry such as the “Big Data industry”, some of the requirements do not require the identity parameter, and hence “Anonymization” may release the identifiable personal data collected under a “Consent” for purposes outside the “Consent terms”.

The “Data Governance Framework” needs to explore the possibilities of how Data collected with a restrictive consent can be used more productively. Hence “Anonymization” would be one of the strategies that the Data Governance Framework needs to debate and for which it needs to establish standards.
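The three concepts the post has been contrasting (purpose-limited use of identifiable data, “De-identification”/pseudonymization which is reversible, and “Anonymization” which is irreversible and therefore an escape route from the consent terms) are easier to see in working code than in prose. The following is an added illustration written for this page, not code from Naavi, from PDPA or GDPR, or from ISO 27701, BS 10012 or PDPSI; every record, the purpose labels and the key are constructed sample values. It also covers the point made in the earlier “Community Privacy” post that obfuscation which an identification tool can undo is only de-identification, and that full anonymization erodes the value of the data.

```python
"""Purpose limitation, pseudonymisation and anonymisation on a small set of
personal data.  Added illustration, not code from Naavi, PDPA, GDPR or any
standard named in the article; every record below is constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records, each collected under a consent naming one purpose.
RECORDS = [
    {"name": "Asha",  "email": "asha@example.com",  "city": "Pune",      "age": 34, "purpose": "order_fulfilment"},
    {"name": "Ravi",  "email": "ravi@example.com",  "city": "Pune",      "age": 37, "purpose": "order_fulfilment"},
    {"name": "Meera", "email": "meera@example.com", "city": "Bengaluru", "age": 29, "purpose": "order_fulfilment"},
    {"name": "Kiran", "email": "kiran@example.com", "city": "Bengaluru", "age": 45, "purpose": "order_fulfilment"},
]
DIRECT_IDENTIFIERS = ("name", "email")
KEY = b"constructed-pseudonymisation-key"   # in practice held in a secrets store


def use_allowed(record, purpose):
    """Purpose limitation: identifiable data is usable only for the purpose
    named in the consent under which it was collected."""
    return record["purpose"] == purpose


def pseudonymize(record, key):
    """De-identification: direct identifiers are replaced by a keyed token.
    The token is stable per person, so the row is still linkable by anyone
    holding the key; it remains personal data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["token"] = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()
    return out


def relink(token, candidate_emails, key):
    """Re-identification by the key holder: recompute the token for each
    identity already known and compare.  Returns the matching e-mail or None."""
    for email in candidate_emails:
        cand = hmac.new(key, email.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(cand, token):
            return email
    return None


def anonymize(records, age_band=10, min_count=2):
    """Anonymisation by generalisation and aggregation: identifiers are
    dropped, age is coarsened into bands and only counts per (city, band)
    are kept.  Cells below min_count are suppressed, because a count of one
    singles out a person.  No per-person row survives, so there is nothing
    to relink; the price is the information lost in the suppressed cells."""
    counts = Counter()
    for r in records:
        low = (r["age"] // age_band) * age_band
        counts[f"{r['city']}/{low}-{low + age_band - 1}"] += 1
    return {cell: n for cell, n in counts.items() if n >= min_count}


def release_for(records, purpose):
    """Gatekeeper for a data user: rows whose consent covers `purpose` are
    released as pseudonymised rows; everything else is released only as the
    anonymised aggregate, which is outside the consent terms' reach."""
    covered = [pseudonymize(r, KEY) for r in records if use_allowed(r, purpose)]
    outside = [r for r in records if not use_allowed(r, purpose)]
    return {"pseudonymised_rows": covered, "anonymised_aggregate": anonymize(outside)}


if __name__ == "__main__":
    print(release_for(RECORDS, "order_fulfilment"))     # four pseudonymised rows
    print(release_for(RECORDS, "marketing_analytics"))  # only {'Pune/30-39': 2}
```

Two things stand out when this is run. The marketing request, which the consent does not cover, gets back a single aggregate cell; the two Bengaluru people fall out entirely because their cells would have a count of one. And the pseudonymised rows are only “de-identified”: `relink` recovers the e-mail address with nothing more than the key and a list of known customers, which is why such data stays inside the consent regime.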

The second aspect of “Data Governance” is “Productive processing of the identifiable data itself”. This would require precise classification of data, centralized storage, pseudonymization, efficient access systems etc.

Hence Data Governance Framework has a role for identifiable data as well as anonymized data.

The challenge in developing non-conflicting, mutually supporting frameworks for Data Governance and Data Security is to delicately balance “Productivity” with “Security”.

This would also provide an interesting battle in organizations in future between “Data Management Professionals” and “Data Security Professionals”. The IIMs of the future will have to therefore update their curriculum from a study of E Commerce to Study of “Governance of Data” which includes Data Security and how to manage the conflicts between Data Security and Data Productivity.

In developing standards we should work on whether we can combine Data Governance and Data Security into a single framework instead of proliferating the standards. The approach of ISO or BS would of course be to introduce new standards for Data Governance, but in India we need to work on how we can make PDPSI work as an integrated standard of Data Governance and Data Security. Further research is required in this direction.

(Invite comments for debate)

Naavi


How Banks Cheat in Limited Liability instances

At one time, Bankers were considered trusted individuals and respected in the community. But with the advent of technology, Bankers of the older generation receded into the background and technologists came into the Banking profession. Today Technologists have become Bankers and Traditional Bankers who still remain have become slaves of technology aware persons within the Bank.

The new generation Bankers are short on integrity and follow the Kaliyuga principle of “Self Benefit” and “Self Preservation” at the cost of anything. This generation would not hesitate to destroy their neighbor if it helps them.

I, as an ex-Banker, am making this statement after observing the behaviour of some of the Bankers in the current banking scenario.

People are aware how ICICI Bank, in the case of S.Umashankar who lost money through phishing, went about sharing the fraud proceeds with the fraudster, tried to shield the fraudster by erasing evidence, by refusing to file a Police complaint etc. There are several instances where insiders in Banks have themselves committed offences or otherwise assisted outsiders in committing frauds against innocent customers and then dragged the cases in Courts for years using money power.

Fortunately, both the RBI and the TDSAT, along with some of the cyber savvy adjudicators under ITA 2000 (IT Secretaries), have come to the assistance of the innocent Cyber Fraud victims in Banks and held the Banks liable to pay the fraud amount back to the victims. They have recognized that dilution of security through negligence or otherwise is an assistance to the commission of the fraud and hence the liability should be borne by the Banks.

The “Limited Liability System” introduced by the RBI was one of the greatest steps in this regard and accordingly, in any case of fraud involving internet banking or credit cards or debit cards, where the fraud has been committed by an outsider, the Customer would have Zero liability if he disputes the transaction when he receives the SMS alert. In such instances, the Bank has to restore the account by providing value dated credit to the customer without any delay.

In order to avoid this liability, Banks have started to play games which are exposing the malicious nature of current day Bankers in India.

Yesterday, I came across an incident involving HDFC Bank in which a credit card customer found that, during the period when his old credit card was being replaced with a new credit card, the old credit card had been swiped in a foreign location for over Rs 1.26 lakhs. The customer, when he received the call from the Bank to verify the transaction, stated that he had not carried out the transaction. However, the next day the Bank sent him an SMS that they were not able to reach him when they tried to inform him about the transaction.

If the Customer thinks that he has already replied and does not take further action to continue disputing the transaction, perhaps the Bank would later on say that he did not respond within 3 days or 7 days and try to hold him liable.

It therefore appears that the Bank is trying to create an evidence that it has tried to contact the customer and he was not available. This is a fraudulent action of the bank which should result in criminal action against the persons responsible.

In another incident, ICICI Bank has called a customer about a new card and the card fees. After the customer has indicated that he has no intention of using the card because it is not a free card as was marketed, he has still been billed and is being threatened with adverse effect on CIBIL rating. At the same time, the Bank has recorded a wrong e-mail address of the customer and keeps sending mobile SMS which cannot be replied back.

In both these incidents, Bankers of the current generation have come out as unreliable and fraudulent. The possibility of insider involvement in these instances is high.

I hope both HDFC Bank and ICICI Bank wake up and remember that they exist because of the customers and they need to respect genuine customers and not take any stand that will favour the fraudsters instead of the genuine customers.

Naavi


Has Rajeev Chandrashekar been compromised by the Bitcoin lobby?

A report has appeared in news.bitcoin.com under an article titled “Indian Parliament Member helping Crypto Community influence Regulation” that Mr Rajeev Chandrasekhar, BJP MP from Bangalore, has agreed to “help” and “Influence” the Crypto legislation in India. It is also stated that he met some of the leaders of the Bitcoin industry on the 16th instant.

The report also states that Rajeev has given “great guidance” on how to approach positive regulations, and this is hailed as a good step forward for the “India Wants Crypto” campaign of the Bitcoin lobby in India.

This comes as a surprise since Mr Rajeev Chandrashekar is a technocrat who can understand technology and the real intentions of the Bitcoin lobby which is to promote the “Digital Black Currency” so that all the corrupt members of the society can escape the scrutiny of law and enjoy their black wealth.

So far Mr Rajeev has been considered as an MP who could be relied upon for promoting good causes. Hence it is surprising if the report is true.

However, it is likely that what Mr Rajeev could have said was related to just the Block Chain technology and not Bitcoin as a currency of transactions in replacement of legit currency. It is likely that the Bitcoin community is misusing the courtesy extended by the MP to meet the members of the community who visited him.

I have today requested Mr Rajeev Chandrashekar to clarify if the report is true and will share his views if I get a reply from his office.

I will be the happiest person if I get clarified that Mr Rajeev Chandrashekar remains what I presumed he was... a knowledgeable and reliable politician who stood for the benefit of the society.

A Disturbing Observation

At the same time it is observed that whether with his knowledge or not, a “Bitcoin Miner” is being run from the website of www.rajeev.in, as indicated by the following report.

What this means is that whoever visits the website of BJP Rajyasabha member Mr Rajeev Chandrashekar, would perhaps be gifted with a “Bitcoin miner injection” into the visitor’s computer.

I would like to point out to Mr Rajeev Chandrashekar that this injection of the bitcoin miner is “Introduction of a computer contaminant” and is a contravention of ITA 2000/8 under Section 43(c) and is also a cognizable offence under Section 66.

I request Mr Rajeev Chandrashekar to clarify if the Bitcoin Miner has been included in his website code with his consent and knowledge. If not he can clarify how it got into his website.

At the same time Mr Rajeev Chandrashekar may clarify his stand on Bitcoin legislation and whether he has given his assurance to “Influence” the legislation ostensibly in favour of the Bitcoin community.

I also request Mr Rajeev Chandrashekar to make a public declaration of his “Bitcoin” and other “Private Crypto currency holding”.

I also request Mr Rajeev Chandrashekar to publicly disclose the entire discussions which he had with the Bitcoin industry representatives, which included Mr Satvik Vishwanathan, who had been recently arrested by Bangalore police on charges of attempted illegal transactions involving setting up of Bitcoin ATMs, and was therefore a target for investigation by the Enforcement Directorate.

Naavi

P.S: I have been an admirer of Mr Rajeev Chandrashekar, and it is with lot of pain in my heart and disillusionment that I have written this article. I pray to Lord Ayyappa of Shabarimalai (which Mr Rajeev has visited perhaps today) that let wisdom dawn on Mr Rajeev to clarify that he is not with the Digital Black Currency that Bitcoin represents.


Views of Kris Gopalakrishna…on Privacy…3

(This is in continuation of the previous article)

We shall now take a few other comments made by Mr Kris Gopalakrishna, as follows, and try to derive an inference out of them.

5.“I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.

6.“The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”

7.“Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”

I am not sure why Mr Kris says that “Establishing policies around data…is not codified today”. The PDPA does exactly address this issue (though it is in the process of being enacted). The Corporate responsibilities on what principles of collection and processing are to be followed, how the “Data Trust Score” has to be developed etc. have been addressed by PDPA. We have only to get the law passed without delay and get the implementation process into action.

As regards the concerns about disclosing the identity, the concept of the data collector being a “Data Fiduciary” and exercising the responsibility of a trustee can address the concern to a large extent, much more than what GDPR has addressed through the Data Controller’s responsibilities.

If therefore the KGC does not trample on the implementation process of PDPA, privacy governance in India through data protection would make substantial progress. If the DPA then takes control, the data protection regime can bring confidence to people concerned with their privacy.

Speaking on “Anonymity” Mr Kris has commented

8) “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”

This aspect has been addressed by PDPA both by declaring that Anonymization will make a personal data go out of the jurisdiction of PDPA and also criminalizing the re-identification where anonymized information may be re-identified.

The very definition of “Anonymization” is that it can never be re-identified, but under the concept of “Dynamic Data” and “Corporate restructuring”, as well as AI, nobody can be certain that an anonymization process will be 100% effective.

The failure of anonymization and consequential re-identification can be addressed under PDPA if properly implemented by hoisting vicarious liabilities on the inefficient anonymization as well as the re-identification.
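Whether an anonymization is “inefficient” in the sense used above is something a data fiduciary can measure before release rather than discover after a re-identification. The following is an added example for this page, not code from the article, from the committee or from PDPA; the “anonymised” health rows and the public register are constructed, and the quasi-identifier columns (`pincode`, `birth_year`, `sex`) are an assumption chosen for the illustration. It measures k-anonymity over the quasi-identifiers, shows that a release with k = 1 is re-identified by a plain join against a public list, and then applies generalization until the join no longer singles anyone out.

```python
"""Checking whether a 'de-identified' data set is really anonymous: a
k-anonymity measurement over quasi-identifiers, a linkage check against an
auxiliary data set, and generalisation as the mitigation.  Added illustration,
not code from the article, the committee or PDPA; all rows are constructed."""
from collections import Counter

# Assumed quasi-identifiers: columns that are not names but, combined,
# still narrow a row down to one person.
QUASI = ("pincode", "birth_year", "sex")

# Constructed "anonymised" release: names removed, quasi-identifiers kept.
RELEASE = [
    {"pincode": "411001", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"pincode": "411001", "birth_year": 1988, "sex": "F", "diagnosis": "diabetes"},
    {"pincode": "560001", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"pincode": "560001", "birth_year": 1990, "sex": "F", "diagnosis": "healthy"},
]

# Constructed public register carrying the same quasi-identifiers plus names.
PUBLIC = [
    {"name": "Asha",  "pincode": "411001", "birth_year": 1985, "sex": "F"},
    {"name": "Priya", "pincode": "411001", "birth_year": 1988, "sex": "F"},
    {"name": "Meera", "pincode": "560001", "birth_year": 1990, "sex": "F"},
    {"name": "Kiran", "pincode": "560001", "birth_year": 1990, "sex": "F"},
]


def qi(row, quasi=QUASI):
    """The quasi-identifier tuple of one row."""
    return tuple(row[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one row is unique and can be singled out."""
    return min(Counter(qi(r, quasi) for r in rows).values())


def linkage_exposure(release, public, quasi=QUASI):
    """Release rows whose quasi-identifiers match exactly one person in the
    public register, and which are themselves unique in the release, are
    re-identified by a simple join.  Returns {name: sensitive value}."""
    by_qi = {}
    for p in public:
        by_qi.setdefault(qi(p, quasi), []).append(p["name"])
    class_size = Counter(qi(r, quasi) for r in release)
    exposed = {}
    for r in release:
        names = by_qi.get(qi(r, quasi), [])
        if len(names) == 1 and class_size[qi(r, quasi)] == 1:
            exposed[names[0]] = r["diagnosis"]
    return exposed


def generalize(rows):
    """Mitigation: coarsen the pincode to its first three digits and the
    birth year to a decade, so that equivalence classes grow.  Works on both
    the release and the register so the check can be repeated afterwards."""
    out = []
    for r in rows:
        g = dict(r)
        g["pincode"] = r["pincode"][:3] + "xxx"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASE), linkage_exposure(RELEASE, PUBLIC))
    gr, gp = generalize(RELEASE), generalize(PUBLIC)
    print("k after: ", k_anonymity(gr), linkage_exposure(gr, gp))
```

The release looks anonymous (no names), yet k = 1 for the two Pune rows and the join hands back two names with their diagnoses. After generalization k rises to 2 and the join returns nothing. Two is only the floor that stops this particular register from singling people out; the threshold a fiduciary should demand depends on what other data it expects to exist, which is the article's point that nobody can be certain of a process being 100% effective.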

Lastly, Mr Kris has reflected

9. “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”

In this comment, Mr Kris has acknowledged the need for data sovereignty and the need for the country to consider aggregated personal data as an asset of the nation. It is precisely this concept which is in conflict with commercial exploitation, and the committee has to show how it will ensure that the national interests are not compromised.

Partially the PDPA will address this issue. KGC will however need to ensure that none of its recommendations provide loopholes for commercial establishments to take the benefits of Indian personal data out of the country. If they are allowed, this will be considered as “Data Laundering” or “Data havala”, similar to money laundering and havala.

If this committee can find a Data Governance framework that can prevent the TransUnion type of data heist, then it will be a great achievement. Let us hope the committee would be able to reach this goal.

(Comments welcome)

Naavi
