PDPA principle recommended for adoption in US also in the new Federal Privacy Bill, COPRA

The Personal Data Protection Act of India, drafted by Justice Sri B N Srikrishna, is now under consideration by Parliament to be passed into an Act.

In the meantime, in a big boost to the Indian version of the privacy law, a bill has been proposed in the US for a Federal Privacy Law which has taken one of the most defining provisions of the Indian law into its recommendations.

This law is titled COPRA (Consumer Online Privacy Rights Act).

Today I came across an article titled “A New US Federal Privacy Bill-Is it GDPR/CCPA -like?”

I however felt that it should have also added “Is it PDPA (India) like?” because of one of the significant new “Rights” that it proposes to provide to the data subjects.

For example, COPRA suggests recognition of a Right that imposes

“A Duty of loyalty by covered entities and specifically a duty to avoid deceptive practices”

This is exactly the same as what the Indian PDPA proposes under Section 4, which states:

DATA PROTECTION OBLIGATIONS

4. Fair and reasonable processing.—

Any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.

PDPA further fortifies its intentions by calling the Data Subject the “Data Principal” and the Data Controller the “Data Fiduciary”, making the Data Fiduciary take on a trusteeship role which automatically incorporates the “No Deception” requirement proposed in the US law.

In a way this removes a huge perception hurdle for Indian privacy and data protection analysts in accepting the new concept that the “Data Fiduciary is a Trustee”, because it is not only Justice Srikrishna who is saying so, and not only Naavi who is evangelizing this interpretation, but now the US is saying it too!

Naavi


Homomorphic Encryption could be the new tool in Privacy Protection

In all information security problems, “Security at the Data Level”, implemented through “Encryption”, is considered a very important tool.

When data is at rest, it is possible to store it in encrypted form so that even if access is compromised, the intruder cannot make use of the data. If the encryption is strong enough, the data can be practically considered immune to any adverse impact. Laws such as HIPAA, as well as other laws, treat the loss of encrypted data as not constituting a data breach.

Similarly, when data is under transmission, it is encrypted so that any eavesdropper would be prevented from taking advantage of the interception.

“Encryption” is essentially a mathematical operation that works on “Data” which is a “Number expressed in Binary” and processes it as a variable in an encryption algorithm to produce a new number which is the encrypted data stream. The “Decryption” is a reverse mathematical operation that generates the original binary stream that can be read back as the original data.

Though “Symmetric Encryption”, which uses the same key for encryption and decryption, is used in most instances, asymmetric encryption, which uses different encryption and decryption keys, is preferred in some applications. In this system there is no need to transmit a secret key to the intended recipient of an encrypted message, which avoids the risk of compromise during the transmission of keys. This system can also be used for encrypting data at rest and is considered the legally approved method for the electronic signature system in India.

If the encryption algorithm is strong and there is a good key management system to prevent compromise of the keys and to avoid being locked out of the data through loss of keys, the two-key system is a good solution to many security problems. Since its resource utilization could create some usability issues, in some instances a combination of symmetric and asymmetric encryption may be used.

However, Data Processors who are concerned about “Privacy” have often wondered how to cover the risk of data breach while the data is “Under Processing”. Since hackers often get into the network of the data processors, and many data breaches occur with the involvement of the employees themselves, the breach of data in its unencrypted state during the processing phase has been a matter of concern to data security professionals.

With the increasing use of cloud storage and processing over the cloud, the risk of unencrypted data being handed over to the cloud operator was always a concern.

Technology now appears to be developing a solution to this difficulty in the form of “Homomorphic Encryption”.

Homomorphic encryption is a form of encryption that allows specific types of computation to be carried out on ciphertexts, producing an encrypted result, itself in ciphertext form, which when decrypted matches the result of performing the same computation on the plaintext.

The detailed technology needs to be discussed separately. But the possibility of processing encrypted information without decryption will be extremely interesting from the data protection viewpoint.

At the same time, attackers may use the same property to corrupt the encrypted data, so we need to develop security against attacks in which homomorphic encryption is used as a hacker’s tool.

More views are welcome.

Naavi


Certificate in Personal Data Protection Act (CPDPA).. Batch 1 to commence from December 7, 2019

Certificate in Personal Data Protection Act (CPDPA) by Cyber Law College

In Association with

Foundation of Data Protection Professionals in India (FDPPI)

Introduction

This course is meant to introduce the present and upcoming data protection law in India. The course is structured as a 12 session web based course and tentatively covers the following topics.

  1. Evolution of Privacy Law in India. (ITA 2000-ITA 2008-Puttaswamy Judgement.etc.)
  2. Understanding the Concept of Privacy and its relation with Data Protection
  3. Applicability, Exemptions, Transitional Provisions
  4. Data Principal’s Rights and Data Protection Obligations
  5. Grounds of Processing
  6. Transfer of Personal data outside India.
  7. DPA and DPO
  8. Compliance Obligations
  9. Penalties and Offences and Grievance Redressal mechanism
  10. Data Protection Challenges under New Technologies
  11. Data Governance Framework
  12. Interactive discussion

During the course of the discussion, provisions of the Information Technology Act 2000 (ITA 2000), as well as international data protection laws such as GDPR and CCPA, will also be discussed, though the focus would be on the Personal Data Protection Act 2018 (Draft law proposed by the Justice Srikrishna Committee).

The Course recognizes that the law is now developing and proposes to provide a free follow up session whenever the final version of the law is passed.

The course will be conducted through online sessions on one of the platforms such as Zoom, and connectivity links will be sent to the registered students before the session/s through the registered e-mail.

The First Batch is scheduled to commence from December 7, 2019 with the first session from 11.00 am.

All registered students have been informed over the registered e-mail address about the commencement.

Any person who needs further information may contact Naavi.

Details of Cyber Law College are  available here

Details of FDPPI  are available here

Naavi


The Airbus data breach-Don’t allow hackers to benefit Regulatory Authorities

The essence of corruption is that it takes root in the principle that “One who financially benefits from an act turns soft on the legitimacy of such an act”.

It is therefore understandable that if one financially benefits from a crime, one would turn soft on that crime. Most ISPs today are soft on pornography or spamming because they benefit from the traffic.

Privacy is preferred by many businesses because criminals thrive in an anonymous world. Hence Apple wants to protect the encryption of even the ISIS customers and ICANN wants to protect the identity of website owners who openly indulge in frauds.

Google does not want to disclose the identity of its customers who send fraudulent e-mails except when pushed to the wall by the law enforcement. Proton mail, anonymization service providers and the bullet proof hosting services exist because criminals are their valued customers.

Similarly, if the regulators benefit from these crimes, through an opportunity to levy a hefty fine, criminals may consider it better for them, because then there is a possibility, however small, that the regulator would start nursing a soft corner for them.

This tendency must be identified and resisted.

When looking at some of the recent GDPR fines on Airbus and Marriott hotels a thought occurs whether the regulatory authorities are silently gloating over the opportunity to collect hefty fines when the companies are already wilting under reputation loss, business loss and perhaps individual law suits.

In the Airbus data breach incident, the ICO has levied a fine of Euro 200 million which is said to be a record. This is at 1.5% of the global turnover of the company though the ICO had the discretion to fine up to the upper limit of 4% if it wished.

According to Airbus the data breach occurred due to a sophisticated, malicious criminal attack which compromised customer names, email addresses, payment card information, credit card numbers, expiry dates and credit card security codes. (British Airways says that CVV numbers were not stored by them).

The Marriott issue was slightly different. In this incident, for which the ICO fined Sterling 99 million, Marriott acquired Starwood in 2016, whose systems were not adequately secured. The data breach occurred in the period between 2014 and 2018, and the ICO felt that sufficient due diligence was not exercised during the acquisition process.

In both cases, as in many other instances of data breach, hackers targeted specific assets and were able to penetrate them with sophisticated attacks. Of course this also indicates that the security was insufficient and was compromised.

However, when levying the fines, the regulatory authorities need to remember that the organizations might have taken steps which might have failed in the given circumstances. Hence the authorities need to consider whether the organization was “Negligent”, “Reckless” or was outsmarted by the hackers before deciding on the fine.

After all, fines are supposed to be a deterrent and not a means of revenue generation by the regulatory agencies. But this thought is likely to be corrupted in due course as the colour of money in the hands of the regulators will change their perception.

Even if the initial crop of regulators may be honestly levying the fines only with an intention that it will be a deterrent for others, in due course, the earnings on fine collection gets into the balance sheets of the regulators and it will soon become a significant revenue item.

At this stage, the financial managers of these agencies will start checking the “Growth” of “Earnings through collection of fines”  and start measuring the efficiency of the regulator from the amount of fines collected.

When the volume of fines collected determines the promotion of the officers of the supervisory authority, they will start enjoying the power to impose large fines, to the extent that the expenditure budget of their organization will be balanced with the levy of the fines. The fines will then be decided not as a “Percentage of the global turnover of the company where the data breach occurred”, but as a “Percentage of the annual expenditure of the regulatory agency”.

This is not an allegation but a reflection of how things may turn out in future based on an understanding of human tendencies.

To prevent this trend developing and taking root and to emphasize that the role of the regulatory agency is to improve data security and not collection of fines, these agencies need to deploy their own policies where the officials do not become tyrants.

The efficiency of the officers of the regulatory authorities should therefore be measured positively with the number of cases detected and fined but negatively with the increase in the quantum of fines.

In India where we are still in the process of finalizing the PDPA, we should consider if some checks and balances can be introduced in the regulation itself to ensure that the DPA does not become seduced with the possibility of levying large fines just because it is permitted under law. We must introduce a “Justification Statement” to be provided by the authority every time a fine is levied which should be available for review in a suitable manner.

If such a self-imposed restriction on the quantum of fines is not introduced, regulators may subconsciously feel happy whenever a hacker successfully publishes a data breach, since it becomes an opportunity for the regulatory agency to profit from.

If the law enforcement agency then asks for some assistance in the prevention of such crimes, the regulatory agency, even if capable of giving good advice, may refrain from doing so since a reduction in crime will reduce their revenue.

We should be conscious of a possibility of such a tendency developing in the market and debate the measures to prevent it.

Comments are welcome.

Naavi

More on Marriott breach

Where do the fines go?

Uber Fraud and Faulty App Design

I reported a fraud on Uber yesterday stating that when the driver cancelled a scheduled trip, I was still charged for the same.

Since yesterday I have been pursuing the complaint on twitter and though the complaint was acknowledged, there has been no resolution so far.

I also point out that the complaint mechanism is inefficient since my issue is not clearly listed in the standard complaints and there is no proper provision for sending an e-mail complaint. According to Indian law namely ITA 2000/8, Uber is an intermediary and has to provide a “Grievance Officer” as per the requirements of Section 79. The contact details of the Grievance officer should be available on the website but there is no such information.

I would like to present here the trip details

The first picture here was taken from the Uber website and indicates in the billing that I have travelled from one place in Bangalore 560050 to another place in Bangalore 560023.

The time of departure is 4.40 am and the time of reaching is 4.58.

But the map shows that the icon has not moved from near the South End circle and the trip time is 00.00.14.

The second picture below shows the bill sent to my email.

The incident points out that the Uber App is faulty and provides false information about the trips.

From the critical point of view of “Evidence”, the records give the mistaken impression that I was at two different places at the same time.

Secondly, despite the trip showing “Zero Time of Travel”, a charge was made for a trip showing a point of pick up and point of drop.

It is therefore evident on the basis of the data that a “Fraud” has been committed. The rewards have been shared between the driver and Uber. If and when I am provided a refund, the fraud may be downgraded to “Attempt to Commit a Fraud”.

From the technical view point, it is possible that the App may have a bug and if so, it is for Uber to come out and make the necessary confession that the App is faulty.

I have received information from other users with similar experiences, and some of them have felt that this is done deliberately by Uber in the hope that a certain number of customers would not challenge the wrong debit and the company would profit from those debits, even while those who complain are provided the refund.

At this point of time, this is a charge which needs to be investigated.

If Uber is honest as a technology company, it should conduct an audit of all incidents of billing where there is zero time of travel but a positive billing and identify the amount of wrongful gain they have made.

The information I have provided here is sufficient for the Bangalore Police to launch an enquiry for “Cheating” and also for the Adjudicator to take up suo motu an enquiry for wrongful gain. CERT-In should also undertake an audit of the Uber App and check if the charges made herein are correct.

Naavi


Uber Fraud or a bug in the App?

It was a personal observation today that an Uber driver cancelled my scheduled trip and still the amount was immediately debited to my Paytm account.

I later found out that this experience has been observed by many others who have reported it on Twitter.

I suppose Uber will refund the payment. But there appears to be a larger issue here.

It is observed that the Uber app shows the trip map where the vehicle has not moved out from its location and the time of debit was the time supposed to be at the start of the trip. Both these should have been recognized by the app to conclude that the trip did not take place and hence the debit should not have arisen.

Alternatively, it is suspected that this is not merely a bug in the App but could be a fraud indulged in by some drivers. If the app can be used to debit an amount X without the trip having been undertaken, it is possible that it can debit any other amount at any other time from the linked PayTm account. When there is an immediate debit after the driver’s cancellation, we may observe the debit and report it for a refund. But if the debit is made after some time, it is possible that the users may not observe the unauthorized debit.

Further if the app has a bug which can raise a debit for a trip which has not taken place, it can perhaps be also used for altering the amount of debit.

Hence this bug indicates the possibility of a serious fraud.

At the same time, I also point out that Paytm debit note did not have a provision for immediate indication of an unauthorized transaction as is required under the RBI rules.

PayTm should check and introduce the change in their SMS notification as required under the Limited Liability Guideline.

I am waiting for a response from Uber and Paytm in this regard and later would take it up with RBI.

Anybody else with a similar experience may kindly inform.

Naavi
