Naavi.org

The gory incident of a boy in Belgaum, Karnataka, beheading his father for not allowing him to play PubG Mobile has shocked all sane persons and brought the  focus back on the ill effects of Mobile Game Addiction on the youth of the country.

While participating in a TV discussion today, I was surprised at the number of calls received from different parts of Karnataka pleading the channel to do some thing to get PubG banned to save the youngsters who have become addicted to the game.

In the past, we have discussed the adverse effect of BlueWhale  and urged the Government to take suitable action including identification and removal of dangerous games like the Bluewhale. It appears that PubG (Player Unknown’s Battle Grounds) is far more dangerous than Blue Whale.

Blue Whale used a process of cyber hypnotizing the player and leading him to commit suicide. But it required a mentor to carry out its design and appears to have petered out after the arrest of the founder.

In the Belgaum incident, the boy has planned out the murder of his father in a gory manner and locked up his mother first before assaulting the father and chopping off his head and hands. The anger that he has displayed is surprising and indicates the profound impact the  Game has created on the boy.

Some of the other incidents reported include the following:

1. 1. A 20-year old boy from Jagitial, Telangana died after playing PUBG Mobile for 45 days. After suffering intense neck pain, she was taken to the hospital where the doctors found the nerves in the neck were damaged. The boy died while undergoing treatment.
   2. In a recent report, a boy from Chhindwara in Madhya Pradesh accidentally drank acid mistaking it for water while playing PUBG. He was rushed to the hospital and doctors have now said that his condition is now out of danger.
   3. Two persons who were busy playing PUBG on train tracks were knocked down by a train. The incident happened in Hingoli district in Maharashtra. They were run over by a Hyderabad-Ajmer train. An accidental death report was filed.
   4. A fitness trainer from Jammu allegedly started hitting himself after losing at PUBG. He was reportedly playing the battle royale game for 10 days. Doctors state that although he is recognising people, he is still not very conscious and still under the influence of the PUBG game.
   5. In another incident, a boy died of Cardiac Arrest after playing the game continuously for 6 hours.

There have been many more incidents reported where the adolescents have shown violent reactions when asked to stop playing the game. Many have dropped out of their colleges out of the addiction.

As the clamour for the game being banned grows, PUBG is preparing to release Mobile Season 9 on September 13. Before launching of this new version certain challenges have been thrown up to offer some freebies to the players and this may be the cause for a rush in completing the assignments leading to the violent behaviours we have seen.

The National Child Rights Commission has stated that the game should be banned because of its violent nature.

In some of the States, PUBG has already been banned. There have been as many as 10 arrests for people accused of playing an online game despite the ban being enforced.

However, the ban has not been effective partly because the game is a downloadable game and once downloaded, it stays in the mobile even if further downloads are prevented.

Time has come for the MeiTy to recognize that this game deserves to be banned completely to protect the youth.

Some may wonder, what is the use of banning a game when many more similar games may sprout up. Some want to blame the parents of these players (most of them are boys in the 17-19 years of age) for their failure to stop the addiction without understanding that parents are not expert psychological counsellors and if they attempt to correct the behaviour of these addicted kids, more violent backlashes will happen.

In the case of Bluewhale the affected kids were of lesser age and some corrective action could be taken by schools. But PubG addiction appears to be more on young adults who are out of school and therefore it is difficult to counsel them in the schools or colleges through an effort can be made.

One of the features of the game reported by a person was that the game gives an option to name the enemies with real world persons before killing them in the battles. This feature of the game makes it possible for the gamer to name the characters after people around him like their parents or friends or teachers and go about to kill them in the virtual game to derive a satisfaction. The problem however is that this may incite them as in the case of the Belgaum incident to commit the killing in the real world instead of the Cyber world.

This feature of the game may therefore be considered as “Inciting Violence against living persons” and could be a valid reason to ban the game.

It is reported that the Jordan Government has already banned the game in their country.

We urge the ministry to immediately issue an order under Section 79 of ITA 2000 to declare this game as harmful to the society and bring it down from the playstore. Simultaneously, all  MSPs should be ordered to kill the game in any of the mobiles where they have been already downloaded. This of course needs to be through an order of the Government in the interest of the community.

We therefore appeal to Mr Ravi Shankar Prasad, the honourable minister of IT in the Central Government to take immediate action in this regard to get the game banned.

To prevent sprouting of similar games, the Government should set up a “Controller of Online Games” and monitor such dangerous games and take immediate action to get them removed.

We also urge the responsible people in the community like the parents , teachers, and child right activists to approach their respective MPs to take up the request with Mr R S Prasad and push for action.

We also urge the media to take up a sustained campaign on an all India level to ensure that the issue gets the attention of the Government of India immediately.

Naavi

PIMS (Personal Information Management System) is the next buzzword in the Information Security domain that will be discussed by the Data Protection professionals.

Presently, two international frameworks namely the BS 10012 and ISO27701 are available for us to follow. The undersigned has however developed a separate framework titled the Personal Data Protection Standard of India (PDPSI) which has been developed with the exclusive idea of assisting Indian Organizations and more particularly the SMEs and MSMEs.

It is our belief that Information Security Framework is developed by experts in order to guide the community for adopting it as a business practice that benefits the organization. When multiple organizations adopt a food framework of information security, the community would benefit.

Such a framework should be “Open Source” and not looked upon as a Cash Cow by charging exorbitant fees for the community members to know what is the best practice to follow.

Whether it is BS 10012 or ISO 27701, it costs around Rs 13000/- each to acquire and read. ISO 27701 makes normative reference to four other standards namely ISO 27000,ISO 27001,ISO 27002,ISO 29100. To understand ISO 27701 we therefore need to acquire and study all these collateral documents. Fortunately BS10012 does not have any normative references.

Those organizations which are considering the PIMS now and donot have earlier ISO implementations, need to therefore spend a significant money just to acquire a document that lists out the suggested practices. The interpretation and implementation through a consultant is the additional expenses.

Basically these frameworks list out the broad outlines of compliance requirements as follows:

1.Leadership
2.Planning
3. Support
4.Operation
5.Performance evaluation
6.Improvement.

ISO 27001 continues with specific guidance related to ISO27001 and ISO 27002 as also guidance directed to Controllers and Processors.

The PDPSI incorporates all these principles though the document is under development. In principle, PDPSI focuses on five foundation principles represented by the following diagram.

This model compresses the normal technical controls into one segment and all policy controls into a second segment. The need to manage the human elements is packed into the third segment. The Leadership, commitment etc is clubbed under Responsibilities. The classification of data is considered a separate foundation requirement which defines also the scope of the implementation. 

PDPSI recommends a “Distributed Implementation Leadership with a Top level policy leadership along with a designated person for accountability”.

For those who are accustomed to a specific format of the ISO/BS, PDPSI appears as a raw document. Salient features of PDPSI is explained under www.pdpsi.in

The normative references (to keep to the familiar term) are made to IISF 309 (Indian Information Security Framework), Theory of Information Security Motivation, Naavi’s pyramid model of Prioritization of Information security objectives.

The Classification model is depicted in the following diagram.

The classification of the data incorporates the “Subject Laws” so that PI-GDPR is classified differently from PI-PDPA.

The measurability aspect will point to a “Data Trust Score” for which one of the recommended approaches is the Naavi’s 5X5 DTS system indicated below.

The distributed model of responsibility sharing is reflected in the Governance model indicated below. (Explained in greater detail on www.pdpsi.in) 

Overall, PDPSI attempts to cover the principles inherent in both ISO27701 and BS10012 and provides a greater focus for an Indian organization with a few innovations thrown in between.

Once PDPSI is fully developed with the assistance of other professionals who are well versed in ISO/BS but are free mentally to pursue a more “Made in India” framework, it could be adopted widely.

In the meantime, some of the principles enunciated in PDPSI is expected to become part of the ISO/BS in their revised versions. Also the Data Protection Authority of India which is likely to come up in 2020 may adopt most of the principles under PDPSI as suggested framework under PDPA.

In the meantime, Naavi.org will continue to develop this concept which is already being applied by Naavi where ever it is relevant.

Naavi

Many times disputes that arise with service providers of various agencies are resolved easily when we are able to reach out to the right persons in the organization.

ITA 2000/8 mandates that every online service organization (who is an intermediary) needs to mandatorily provide the name and contact details of the Grievance Redressal officer on their website.

Unfortunately, most websites not only hide their contacts for receiving complaints but also hide their physical address to which any notice can be sent by a consumer.

Though this is a violation in itself that can be penalized by either an Adjudicator or perhaps by a criminal Court too, most organizations out of ignorance donot provide the contact details.

I am happy to provide a compilation of nodal officer’s contacts which have been compiled by one diligent law enforcement professional. While care has been taken to update the list, errors and omissions could be present. I hope the public will consider this useful.

List of Nodal Officers of different e commerce agencies in India.

I request these and other organizations to point out if any corrections are required. We welcome other intermediaries to share their contact addresses.

We may also bring to the attention  of readers 5t our Associate service center at ODRGLOBAL.IN provides online dispute resolution service which can be effectively used to resolve consumer disputes. We invite these agencies to use the services of ODR Global. It should be economical and also convenient.

CDMAC (Cyber Disputes Mediation and Arbitration Center) is one ADR center whose services may be invoked if a more serious arbitration of a dispute is required. First level disputes can be mediated by Naavi. For the time being, in the interest of the e-Consumers, such mediation would be provided free of charge.

Any collaboration  in developing  the ODR platform  and CDMAC are welcome.

Any enquiries in this regard  may be sent to Naavi.

Naavi

P.S: The following address in the list was corrected on 8th September 2019:

Yahoo India Pvt Ltd, Unit No 304, A wing, 3rd Floor, Satellite Gazebo East Wing, Guru Hargobindji Marg, Andheri (East),Mumbai 400093.
E Mail: in-legalpoc@verizonmedia.com

Recently, Mr Amit Shah, the honourable Home Minister of India collected information from across the country on the amendments that are required to the law to effectively counter Cyber crimes. Information coming out of the ministry seems to suggest that a new “Cyber Crime Act” may be in the anvil to supplement and partially replace the provisions of Information Technology Act 2000 as amended in 2008 (ITA 2000/8).

According to this report in Times of India  the new approach would be to amend the ITA 2000/8 to keep most of the civil offences under the present act and create a new Cyber Crime Act to address the issue of Cyber Crimes.

One of the features being considered is to ensure that there will be no inter state jurisdictional barrier for Cyber Crime investigations. This would be a good move if it is extended to the full extent including the creation of the National Cyber Crime Police cadre which is a long term necessity in India.

Other than this provisions of Chapter XI of ITA2000/8 may be shifted into the new Act. In the earlier act there was no recognition of  “Cyber Squatting” as an offence and this is due. Section 66A which covered Cyber harassment was wrongly scrapped by the Supreme Court and requires to be reinstated in some form.

The Intermediary guidelines which were sought to be amended and were opposed by some activists may now find a place in the new Act.

Hopefully some of the evidentiary issues including Section 65B of IEA that affect prosecution may get tampered with.

Let us wait and watch what more changes are going to be proposed. We hope the law will be stringent and at the time fairly implemented with checks and balances to prevent misuse by the Police and clever criminals and harassment of honest Netizens.

We need to specially watch out for lobbyists specially from the Banking sector will try to influence the changes in their favour.

Hopefully the draft would be available for public comments during the winter session along with the revised Data Protection Bill.

Naavi

The Subhash Garg Committee’s report on Fintech has touched on several aspects of the industry. It has interalia recommended on two aspects which are immediately relevant for us as observers of ITA 2000 and PDPA.

Firstly it has recommended changes to ITA 2000, to bring in the documents kept out of ITA 2000 under Section 1(4).

The recommendation is as under

Para 2.4.6: Re-engineering Legal Processes for the Digital world

The Committee recommends review by Department of Legal Affairs of all such legal processes that have a bearing on financial services and consider amendments permitting digital alternatives in cases such as power-of-attorney, trust deeds, wills, negotiable instrument, other than a cheque, any other testamentary disposition, any contract for the sale or conveyance of immovable property or any interest in such property, etc., (where IT Act is not applicable), compatible with electronic service delivery by financial service providers.

These exemptions had come in due to some specific thoughts which were relevant in 1998-2000 when the law was drafted. There are certain changes that have occurred in technology that may warrant a rethink on some of the aspects. However, the steering committee was neither tasked to think about changes in ITA 2000 nor it had the necessary expertise.

Hence the suggestions can only be taken as nothing more than an indication to the Government and should be handled with care.

Secondly, the committee has also made suggestions regarding the powers of the proposed Data Protection Authority proposed under PDPA, as under.

Para 4.4.3: Coordination with Financial Regulators:

The Committee is of the view that in some cases, data privacy requirements in existing legislation may need to be reviewed in order to tailor them to the emerging data privacy legislation. The Committee also considers that given the fact that sectoral regulators are already taking steps to maintain the security and confidentiality of consumer data in their respective jurisdictions, some obligations the Data Protection Bill seeks to place on the DPA may be given to the sectoral regulators to discharge. Regulators must therefore carefully review their existing regulatory framework and identify any changes or modifications that may be required to the current regulatory framework.

It appears that the committee was apprehensive of the loss of power of some of the other authorities who may have to work as per the directions of the DPA. It is obvious that the DPA will respect the sectoral regulators and accommodate their views in the implementation of the Data Protection regulations. But there has been a tendency by different departments of the Government to come up with their own Privacy related regulations that could overlap with the PDPA and confuse the market players.

This should be avoided. Let the DPA come into existence as per law with suitable flexibility in defining the codes and practices in different sectors and then discussions can be had with individual sectoral regulators so that their views can be accommodated.

Naavi