Is Adjudication up for Sale in India Mart

Today I stumbled upon a very interesting product/service for sale on India Mart which raised some concerns about the judiciary in India.

We do sometimes talk of “Corruption in the Judiciary”, but for a moment I wondered whether it has reached such a level that a Judicial Officer puts up an advertisement offering a judicial order and is prepared to provide the best quote.

The product or service is titled “Adjudication matters with the Adjudicator”, for which the public is invited to contact the “Seller” and “Get the Latest Price”.

The product description and the image indicate that “Adjudication” is available for sale at a price.

The listing is derogatory for the Adjudication system in general and for the Adjudicator of Maharashtra specifically.

I trust that the listing is the result of India Mart not understanding the product or service, and of the supplier not taking sufficient care in correcting the misrepresentation.

In the interest of protecting the reputation of Adjudicators all over India, and particularly in Mumbai, it is the duty of Naavi.org to flag this, in the hope that it will be corrected instantly.

Naavi

Posted in Cyber Law | 2 Comments

VVPAT Issue is related to Cyber Laws

Naavi was the first person in India to have raised the need for making EVMs cyber law compliant.

It was way back in 2001 that Naavi first flagged the possibility of hacking in Indian elections. It was pointed out at that time itself that the EC should recognize that under ITA 2000, any election malpractice could be called hacking, and imprisonment of up to 3 years could be invoked against those who indulge in booth capturing and related offences.

Again in 2003, when an incident was observed in Tamil Nadu where the sticker of one party was fixed in front of a candidate of another party to mislead the voters, a more detailed analysis of what makes EVMs cyber law compliant was discussed. (Refer here)

The essence of the problem was that the EVM was a system in which a paper ballot is pasted on the face of the machine over buttons that are internally connected to a counter. It was therefore possible for the paper ballot to be manipulated so that a vote given for one person as per the printed ballot paper actually went to another candidate inside the machine. Linking a paper document to an electronic database in this manner was considered legally inappropriate.

A solution was also suggested, which was:

a) Replace the front of the machine containing the ballot paper with a touch-sensitive screen, display the candidates list along with the symbol (now a photo can be included), and let the voter press anywhere on the candidate's row.

b) Once the vote is thus cast, display the ballot with the vote mark, as a marked paper ballot used to look, along with a time stamp.

c) Calculate the hash value of the displayed document and print the hash value with the time stamp on a roll of paper sealed inside the EVM.
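To make the three steps concrete, here is an added illustration in Python (not code from the original article or from the EC). It assumes a constructed candidate list, SHA-256 as the hash function, and ISO-8601 time stamps; the hash is computed over exactly the text the voter is shown, printed with the time stamp on the sealed roll, and the `audit` function later recomputes every hash from the machine's electronic vote store to check that the roll and the store still agree. The point the paper-over-buttons design lacked, and which this shows, is that what the voter saw and what the machine stored are bound together by the hash:

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample candidate list (hypothetical names and symbols).
CANDIDATES = [
    {"serial": 1, "name": "Candidate A", "symbol": "Lamp"},
    {"serial": 2, "name": "Candidate B", "symbol": "Kite"},
    {"serial": 3, "name": "Candidate C", "symbol": "Tree"},
]


def render_ballot(serial: int, cast_at: datetime) -> str:
    """Step (b): render the cast vote as a marked paper ballot with a time stamp.
    The hash is taken over exactly this text, so rendering must be deterministic."""
    lines = [f"BALLOT cast at {cast_at.isoformat()}"]
    for c in CANDIDATES:
        mark = "[X]" if c["serial"] == serial else "[ ]"
        lines.append(f"{mark} {c['serial']}. {c['name']} ({c['symbol']})")
    return "\n".join(lines)


def hash_document(doc: str) -> str:
    """Step (c): SHA-256 hex digest of the displayed document."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


class EVM:
    """Touch-screen EVM with an electronic vote store and a sealed paper roll."""

    def __init__(self):
        self.votes = []  # electronic record: (serial, cast_at)
        self.roll = []   # sealed paper roll: "<timestamp> <hash>" per vote

    def cast_vote(self, serial: int, cast_at: datetime) -> str:
        """Step (a)+(b)+(c): record the press, show the ballot, print hash + time."""
        if serial not in {c["serial"] for c in CANDIDATES}:
            raise ValueError("invalid candidate serial")
        doc = render_ballot(serial, cast_at)          # what the voter sees
        self.votes.append((serial, cast_at))          # what the machine stores
        self.roll.append(f"{cast_at.isoformat()} {hash_document(doc)}")
        return doc

    def count(self) -> dict:
        """Electronic count from the vote store."""
        tally = {c["serial"]: 0 for c in CANDIDATES}
        for serial, _ in self.votes:
            tally[serial] += 1
        return tally


def audit(votes, roll) -> list:
    """Recompute every hash from the electronic record and compare with the roll.
    Returns the roll positions that do not match; an empty list means consistent."""
    mismatches = []
    if len(votes) != len(roll):
        mismatches.append(("length", len(votes), len(roll)))
    for i, ((serial, cast_at), line) in enumerate(zip(votes, roll)):
        ts, digest = line.split(" ")
        expected = hash_document(render_ballot(serial, cast_at))
        if ts != cast_at.isoformat() or digest != expected:
            mismatches.append(i)
    return mismatches


def demo():
    """Cast five constructed votes, audit the clean store, then audit a store in
    which one vote has been altered after the fact (the mis-mapping problem)."""
    evm = EVM()
    base = datetime(2019, 4, 23, 9, 0, 0, tzinfo=timezone.utc)
    for i, serial in enumerate([1, 2, 2, 3, 1]):
        evm.cast_vote(serial, base.replace(minute=i))
    clean = audit(evm.votes, evm.roll)
    tampered = list(evm.votes)
    _, ts = tampered[1]
    tampered[1] = (3, ts)  # the voter saw candidate 2; the store now says 3
    return evm.count(), clean, audit(tampered, evm.roll)


if __name__ == "__main__":
    tally, clean, bad = demo()
    print("count:", tally, "clean audit:", clean, "tampered audit:", bad)
```

Two caveats a practitioner would raise. First, the roll only proves that the store matches what the display code hashed; it does not protect against display code that shows one candidate and hashes another, so that code still has to be certified. Second, with only a handful of candidates and a printed time stamp, anyone holding the roll can recompute the hash for each candidate and recover every vote in sequence, so the sealed roll must be protected for secrecy as carefully as the vote store itself.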

I can boldly say that the EC did not understand the benefit of such a system and even now may not be able to appreciate why this system was suggested.

At that time, the only issue was the cost of a touch screen of the size required for the EVM and the need to replace the available units.

Now, after 15 years, we are back to discussing how to make EVMs more reliable. The EC has adopted the VVPAT system, which involves a second unit that prints on a roll inside the unit and captures the vote slip in a box.

The cost of EVMs today is much higher, and the addition of the VVPAT as a separate unit, along with the need to transport and secure it, perhaps makes the system more expensive than the earlier proposal. Touch screens have also become much more economical now, and I have a hunch that the solution suggested by me would be far more cost effective.

I therefore urge the Government to even now consider this suggestion seriously.

In the meantime, the Supreme Court is expected to hear the PIL filed by the opposition parties, who have demanded that 50% of the VVPATs be manually counted. This is after their earlier request for 100% counting was rejected.

Mr Chandrababu Naidu is personally attending the hearing in the Supreme Court to add a political touch to the hearing. The CJI himself is under great pressure, as the lobby against him is creating personal pressure through the harassment case.

The Supreme Court may therefore be under great pressure to oblige the opposition demand and take India back to the days of the manual ballot paper system.

However, I would like the Supreme Court to keep in mind that “Counting VVPAT Slips” is not the same as “Counting of paper ballots”.

ITA 2000 renders the VVPAT slip an “Electronic Document”. It is not a paper document. Hence the provisions of ITA 2000/8 apply, along with Section 65B of the IEA, as to the recognition and admissibility of VVPAT slips in court proceedings.

Once the Court agrees to VVPATs being counted, a question arises as to what will happen if even an insignificant difference arises between the electronic count and the manual count of the electronic documents called VVPAT slips.

Firstly, the legality of manually counting an electronic document is questionable. It is like manually counting the rows of a table as displayed on a computer screen and using that to override the electronic count which the computer displays as “Number of Rows”.

Just as the physical paper pasted on the face of the electronic device should not be linked to the button through an electronic circuit inside, the electronic document that is the VVPAT slip, if counted manually, will not be legally valid.

Secondly, the intention of the voter is expressed when he presses the button on the EVM (Unit 1). That unit has captured the “Button Press” in its database, which gets counted electronically. The VVPAT, on the other hand, is a secondary tool provided to enable the voter to satisfy himself that his vote has gone to the right party. What the VVPAT unit displays is only a secondary confirmation and not the primary vote. If the voter sees any discrepancy, he has the right to object immediately. If not, it is presumed that the secondary confirmation is acceptable. The secondary confirmation is displayed in the VVPAT on an instruction sent by the EVM. Though this follows the initial pressing of the voting button, the VVPAT instruction goes out after the vote is registered. Hence it is a transaction which occurs after the voting process is over.

The VVPAT slip therefore does not have any legal validity as a “Vote”.

If, therefore, a discrepancy arises between the EVM and the VVPAT, the EVM count has legal validity and the VVPAT count only creates confusion and controversy. Having accepted manual counting of VVPATs, tomorrow we may not be able to ignore it even if the vote difference is just one or two, as in principle it may mean that the electronic count was not correct and therefore has to be cancelled.

If the Supreme Court is naive enough to accept this politically motivated PIL, it will give room for a complete disruption of our election system, which has been hailed the world over.

I therefore urge that the Supreme Court take a proper decision that protects the integrity of the elections and does not give room to the anti-national opposition parties to disrupt the democratic system in the country by discrediting our system of EVMs.

If necessary in future, EC can adopt the Naavi model of EVMs suggested above and strengthen the system further both technically and legally.

These opposition parties have proved, both in West Bengal and in Amethi, that even EVM-based voting can be rigged through booth capturing. It is unfortunate that the EC and the Supreme Court do not take suo motu action in such cases but are serious about the mischievous litigation of the opposition parties.

What is again under test in this case is the ability of the Supreme Court to understand techno-legal issues, and also its ability to steer clear of the politicization of litigation in the Supreme Court.

Let’s keep our fingers crossed.

Naavi

(P.S: Report has come that SC has rejected the PIL. We welcome the decision)

Some of the earlier articles:

Hacking and Indian Elections

Cyber Law Compliance and Electronic Voting

Clarifications on Cyber Law Compliance of EVMs

Hacking and Indian Elections …Naavi.org

Cyber Law Compliancy and Electronic Voting…Naavi.org

PIL Filed on EVMs in Supreme Court..Naavi.org

Order Passed on PIL on EVMs..Naavi.org

EVM Controversy

Posted in Cyber Law

NSE Co-location Fraud : Is it a Rs 60,000 crore fraud attributable to UPA II ?

The NSE co-location case has been identified as a massive scam, and SEBI has taken the unprecedented step of penalizing NSE and some of its executives. (Refer ET article here)

We refer to our earlier article “Whistle Blower Reveals Information Security Breach and Fraud at NSE”, in which the NSE co-location scam was discussed.

Now SEBI has conducted an enquiry and come to the conclusion that NSE failed in its “Due Diligence”, which allowed some brokers an unfair advantage in trading that could have enabled them to make enormous unfair gains.

A Copy of the SEBI order is available here. (Copy also here)

The incident is an eye opener for information security professionals, as it throws up the deficiencies in managing a critical array of systems where the server to which a user logged in, and the relative time of logging in, had a profound impact on the receipt of trading data. Those who had knowledge of the system were able to develop an algorithmic trading pattern which enabled them to make unfair gains.

The scam also exposed the weaknesses of the audit system, in which reputed information security auditors were involved.

The enquiry has also highlighted that there were no laid-down policies and procedures for the allocation/mapping of IPs, and no SOPs to deal with requests for a change of servers.

The report of SEBI contains complete details which will make delicious reading for information security specialists.

In conclusion, SEBI has stated that though sufficient evidence was not available to conclude that NSE had itself committed a fraud, lack of due diligence was proved, and the penal action is based on this.

As a penalty, NSE has been disgorged (asked to repay all the unfair profits made) of Rs 624.89 crores, which was the profit made from co-location services in the period 2010-11 to 2013-14.

SEBI has also barred NSE from securities trade for 6 months from the date of the order.

Also, two of the former MDs of NSE have been disgorged of 25% of their salaries in the relevant period.

The amount so recovered would be credited to the Investor Protection Fund.

We congratulate SEBI on successfully concluding this complicated investigation and taking penal action.

This incident should be an eye opener to all information security managers of critical systems.

Political Fall out

In India, every major scam in recent times has inevitably been linked with politics. So is this scam.

I would like to draw the attention of readers to the article here.

This article traces the beneficiaries of the fraud to none other than Mr P Chidambaram and Karti Chidambaram. It suggests that the total earnings made unfairly by all the persons involved could be of the order of Rs 60,000 crores. It is difficult for any of us to evaluate the allegations made in this article against Mr P Chidambaram and Karti Chidambaram. But the allegation cannot be ignored and needs further investigation at a different level.

It is not a coincidence that this fraud occurred during the UPA II regime, and it involved very sophisticated financial and technical knowledge in its execution.

It is possible to believe that the MDs of NSE were perhaps victims caught in the crossfire and were not directly involved in the fraud. In fact the fraud was highly sophisticated, and it is reasonable to expect that it was beyond their comprehension.

While SEBI could not go beyond the current investigation, it may be necessary for the Government to now continue the investigation from where SEBI has left off, with a CBI investigation to find the real beneficiaries. CBI may also take the assistance of experts, perhaps from the FBI, who have experience in investigating complicated techno-frauds such as Bitcoin cases and other frauds.

Coming as it does during election time, there should be no attempt to bury this fraud as a simple cyber crime. It deserves to be classified as one more scam of the UPA II era in which the money of the Indian public was looted.

Once again, considering the political implications, we need to appreciate SEBI for the action taken.

Naavi

Posted in Cyber Law | 3 Comments

Social Media Shut Down in Sri Lanka

The security measures that the Sri Lankan Government has initiated in the aftermath of the terrorist attack on 21st April 2019 include a total shutdown of social media in Sri Lanka.

India has also adopted social media shutdowns from time to time in Kashmir, though India will never be able to replicate the strong will of Sri Lanka in such national security matters. Though we have strong expectations of Mr Modi to take care of national security, we still have the Congress, which supports Pakistan, terrorism and the Tukde Tukde Gang as part of its election manifesto.

We also have a Supreme Court which obliges the Congress advocates and is prepared to defer cases against Congress interests indefinitely to suit the political convenience of the party. In these circumstances, the likelihood of a total social media shutdown in India may not be high.

However, in the aftermath of the Sri Lankan incident, and given the possibility that the strong measures they are initiating to curb terrorism could push the sleeper cells from there to Kerala, which is a fertile ground for terrorism to grow in India, the next Government is likely to push the stalled amendments to the Intermediary Guidelines.

This will require more self-regulation by the social media companies, and if they do not oblige, we may have stringent action against individual social media companies such as WhatsApp or Facebook.

To pre-empt Government action, I wish that these social media companies would start tweaking their services to ensure that their platforms cannot be misused.

I strongly advocate that all these social media companies introduce an option for flagging users with “Identity Verification”. As we gradually create an “Identified Social Media Network”, the “Anonymous Social Media Network” will shrink in size and can be subjected to stronger controls.

Facebook started this trend during the elections, to ensure that “Political Advertising” is restricted to identified/verified accounts only. This should be extended even after the elections, so that we reduce the size of the “Anonymous Social Media Network”.

Naavi

Posted in Cyber Law

Book on Personal Data Protection Act of India to be released

Naavi was the author of the first book on Cyber Laws in India, “Cyber Laws For Netizens”, released on December 9, 2000, the day the Information Technology Bill 1999 was introduced in Parliament.

Now the proposed draft Bill titled “Personal Data Protection Act 2018” had been introduced in the last Parliament on the recommendations of the Justice Srikrishna Committee. This would have been the first dedicated data protection legislation in India, and will be so when it is ultimately passed into law.

At present the Bill has lapsed due to the dissolution of Parliament and will have to be re-introduced in the next Parliament.

There is no reason to think that the Bill will not be re-introduced immediately after the new Parliament comes into existence and become law, perhaps renamed as the “Personal Data Protection Act 2019”.

After the developments in the election scenario over the last two days, it appears that the BJP Government led by Mr Modi is likely to come back. We can therefore expect that the PDPA 2018 Bill will be reintroduced shortly without many changes and will be passed during the current year.

Naavi has already taken the initiative to create an online training program on PDPA 2018.in as it exists now.

As part of the curriculum support, Naavi is now preparing a book titled “Personal Data Protection Act”, which will be released shortly.

Initially the book will be used as course material for the PDPA training program and will be placed in the E-book section thereafter.

Naavi

Posted in Cyber Law

Pentagon Model of Personal Data Protection

We have been discussing the different aspects of the Personal Data Protection Standard of India (PDPSI). Over several articles, we have discussed the philosophy behind PDPSI and some of the controls which require special mention.

In continuation of our exploration of PDPSI, I would like to present the “Pentagon Model of Personal Data Protection”, which provides a quick overview of the PDPSI approach.

The model is presented in the picture above. Naavi has earlier adopted the Pyramid Model for Information Security Implementation and a Pentagon Model for Information Security Motivation.

The pyramid model was appropriate for prioritization, but the closed polygon model was found more suitable for representing Information Security Motivation. A similar model appears appropriate for representing the requirements of Personal Data Protection as well.

The difference between the hierarchical model of the pyramid and the closed model of the polygon is that the hierarchical model is meant to be built level by level, while the polygon model requires all sides to be in place simultaneously to close the polygon.

Since the “Pentagon” represents security in general, we have adopted the pentagon model and put all the requirements identified under PDPSI into five categories, which form the five sides of the Personal Data Protection pentagon.

To understand the five elements of the pentagon, let us analyze each of them with reference to our earlier detailed articles.

Element 1: Classification

As we have discussed in detail (Article 1, Article 2), “Data Classification” is the starting point of the exercise and the foundation of a proper construction of Privacy by Design. Data classification also defines the scope of the compliance exercise, since it maps each class of data to the data protection law against which compliance needs to be benchmarked.

Element 2: Responsibilities

The responsibilities under PDPSI do not start and end with the DPO. The DPO remains the pivot around whom responsibility is shared across the organization, starting from the Board and the Data Protection Committee at the top down to “Internal Data Controllers” spread across the organization handling different functional responsibilities. This system of diversified responsibility recognizes the practical problems a DPO would face in an organization, particularly one spread across different functions and geographical locations. Once the functional management of data and its security are in proximity, implementing any policy becomes easier.

Element 3: Tech Controls

Technical controls for information security are well researched, and there is a great deal of knowledge and skill in organizations around the world. These controls, in the form of different hardware and software devices/applications, provide solutions for meeting the CIA aspects of information security and the extended concept of accountability, which includes authentication and non-repudiation. Firewalls, IDS, antivirus, access control, encryption, digital signatures, version control, data leak prevention systems, multi-factor authentication systems, DRP/BCP systems, forensic devices, etc. all form the control tools under this head.

Element 4: Policies

The Policies side of the pentagon represents all the different policy and procedure documents required under the data protection laws. The Information Security Policy, Privacy Policy, the Notification, Business Associate Policy, Whistle Blower Policy, Legitimate Interest Policy, Incident Management Policy, Data Disclosure cum Breach Notification Policy, Business Agreement Control Policy, HR recruitment, termination and sanction policies, BYOD and hardware/software purchase policies, web and email usage policies, documentation policies, etc. are all part of this segment of compliance.

Element 5: Culture

Apart from the technical and legal aspects of compliance addressed by the two preceding elements, the “people” aspect, and in particular the “behavioural aspects of people” that affect compliance, is an important issue in itself. This includes awareness building and motivating people to be compliant, along with the incentives and disincentives needed to ensure that a proper “Data Protection Culture” is built in the organization.

While Classification and Responsibility assignment are essentially one-time exercises (except for changes that need to be accommodated from time to time), the other three segments require continuous monitoring and may also require different skills and knowledge. In large organizations, three different experts may be required to address these three issues separately, or the DPO should have the multi-dimensional expertise.

This model breaks PDPSI down into 5 elements for easy management. I believe this Pentagon Model of Personal Data Protection will provide some clarity in organizing the data protection compliance exercise in an organization.

Naavi

 

Posted in Cyber Law