Unfinished Agenda of Modi 1.0

There is a big relief for people like us that Mr Modi is back. The relief is more because the alternative was a sure recipe for disaster.

But we the people of India are not content with the relief. We look forward to accelerated positive developments that can take our country forward. During the last few months of Modi 1.0, it appeared that Mr Modi was getting exhausted. After all, the vicious campaign of the opposition was taking its toll on his self-confidence. As a result the Government slowed down on many fronts during the last quarter of 2018 and up to now.

The Tukde Tukde Gang led by advocates who were only interested in disrupting the society was well supported by the highest Court of the land and led the country into a “Temporary Policy Paralysis”.

This created a fear that if Mr Modi did not come back, the country would be destroyed by the opposition politicians supported by PIL advocates who could make the Supreme Court dance to their tune. Now with the renewed support of 353+1 members of the Lok Sabha, Modi 2.0 is stronger than ever before and hence there is a temporary feeling of relief that the worst is over.

But whether Mr Modi himself has recovered from his exhaustion and retained his vigour for an immediate return to fighting the anti-national forces, or has been softened by the bombardment of the opposition over the last year, needs to be watched.

During the last few months, I am aware that my professional image was a little dented by my open expression of support for Mr Modi, to the extent that on social media I was branded by trolls as a Modi Bhakt.

But in the interest of the nation, it was felt necessary for professionals like me to take a position openly and oppose the pseudo-seculars spread all over, unmindful of the criticism that might follow. It is possible that this could also have adversely affected some of my professional work.

Now it appears that the difficult period is over and the Indian electorate has silently brought Mr Modi back to power with a higher majority than before. Presently, we are waiting for the next step of cabinet formation and subsequently the roll-out of the Modi 2.0 promise.

Like Justice Srikrishna's concept of a “Data Fiduciary”, where we can expect the Data Controller to do more than what is contained in the consent because he is a trustee, Mr Modi is the “Citizen's Aspiration Fiduciary”. What this means is that irrespective of what is stated in the manifesto etc., we the citizens expect that Mr Modi will act in such a manner that the Indian citizen benefits from his governance in every aspect. The world is dynamic and hence the aspirations of people may also undergo a change.

As a Citizen’s Aspiration Fiduciary, we expect Mr Modi to keep doing things that are good for the citizens of India as we go forward. Hence we need to keep presenting our thoughts and ideas to the Government and Naavi.org will continue to do this in the domain of Data Protection, Cyber Laws, Information Security and related areas.

I thought I should wait to comment on the agenda for Modi 2.0 until the cabinet formation is over, but some media elements appear to have already got their act together and started their campaign. In the Cyber Crime domain we know that whenever technology moves, it is the criminals who first make use of the new developments and the security professionals need to catch up.

Similarly, those who were opposed to many of the policies of Mr Modi in the earlier regime are the first off the blocks to start lobbying in the new regime even before it is formally in place. I already see planted stories and comments in the media and social media on certain policy aspects as well as on who should be in the cabinet and what the portfolio allocations should be.

Therefore we also need to jump in and not allow the narrative to be one-sided. As followers of this blog will have recognized from my last post on the EVM, I have a tendency sometimes to express my views in advance to pre-empt the counter viewpoint gaining ground. Maybe some of my apprehensions are therefore considered speculations, but I feel it is better to err on the safer side and start the counter-discussion before it is too late.

I have been drawn into political discussions since around the days of the Emergency in 1975. Though these were suppressed during my career as a banker in the public sector, they naturally came back when I was free from employment obligations.

People who have followed my other site www.aifon.org.in are aware that I have followed electoral politics from time to time and expressed support for Modi and his predecessors in the BJP. Though I consider that Mr Modi is the best thing to happen to Indian politics, as predicted by Nostradamus, I will continue to be the Chowkidar whether or not the prefix is still on my Twitter handle.

In pursuance of this national responsibility within my chosen professional domain, I will try to highlight some of the policy decisions that I consider as needing the special attention of the Modi 2.0 government. In this series we will discuss the need for a Bitcoin ban, the PDPA Bill, the Intermediary Guidelines etc., though it may be slightly uncomfortable for some professionals.

This is a disclosure before I publish some of my view points on the unfinished agenda.

Naavi

 

Posted in Cyber Law

Dark Web… The Need to Regulate

The dark web is an aberration in the world of technology. It is a tragedy that the Dark Web has spoiled the beauty of a concept called the Internet. Most security people talk of the impossibility of regulating the dark web. But just because a bad thing is difficult to remove, civil society cannot remain a mute spectator.

Naavi discusses the world of Dark Web for the India Legal magazine in this article.

Read the article, titled “Mafioso of the wired world”, there.

Naavi

Posted in Cyber Law

First Anniversary of GDPR. What is the task ahead for the second year?

Today is 25th May 2019, a year after the GDPR came into effect. During this one year, Indian companies and the professionals in the Data Protection domain have discussed the impact of GDPR in great detail.

When we started the year, GDPR had in principle been known for two years, but the companies had not taken any action towards its implementation. There was an expectation that the date could be extended. But when it dawned on the industry that no extension of the date was in the offing, there was panic all round.

Indian companies were pushed to a higher level of panic by their US vendors who, because of their general concern arising out of the huge stakes involved, demanded compliance from the Indian data processing contractors without fulfilling their own responsibilities as the Data Controllers.

It has taken a full year for this panic to subside. Now Indian companies are aware that in most cases they are not Data Controllers. They are Data Processors, and from a different legal jurisdiction. Their liabilities are therefore largely defined by the contract with the vendors from the US or EU who are the Data Controllers, and it is those controllers who have to clearly indicate what “Privacy by Design” means in the specific context of the data processing contract between the two.

Indian companies have also now realized that the EU does not have direct jurisdiction over Indian companies that do not have offices in EU countries, so long as their own processing is not directed at offering goods or services to, or monitoring the behaviour of, individuals in the EU (the extra-territorial reach of Article 3(2) applies to processors as well as controllers). Outside that case, their liabilities arise out of the processing contracts and indemnities they might have signed.

In many cases, Indian companies had engaged sub-contractors who were actually discharging the functions of a “Data Controller”, whereas the Indian company which was the principal in the contract was itself only a Data Processor to another Data Controller who appeared to be merely a customer of the Indian Data Processor.

I suppose some of this role clarification has occurred by this time and people are aware who is the Data Controller, who is a Joint Data Controller, who is the Data Processor, who is a sub-contractor and who is a Data Recipient.

Secondly, there was initially also confusion on what data is subject to GDPR. Many of the companies did not have a mechanism to identify data relating to individuals in the EU (GDPR attaches to data subjects in the Union, not to EU citizenship as such) in respect of their activities in the EU, or to identify the activity in the EU region that they were profiling. The classification of in-scope data was therefore a difficult hurdle to pass.

I hope companies have made some progress in this direction by now.

Once the roles are clarified and the in-scope data is identified, the companies have the technical wherewithal to implement compliance measures such as “Pseudonymization”, “Encryption”, “Access Control” and other measures that would be required for compliance. One caveat on the first of these: under GDPR Article 4(5), data counts as pseudonymised only if the additional information needed to re-identify it (the key or lookup table) is kept separately and protected by its own technical and organizational measures; a hash or token whose key sits next to the data set does not qualify.

This part of the compliance was perhaps the easier aspect since some tools were available and more could be acquired and created.
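The following Python is an added example, not code from the original post and not Naavi's own patented pseudonymisation scheme. It shows one way a processor can pseudonymise direct identifiers with a keyed HMAC so that records stay linkable, keep the re-identification key and lookup table apart from the working data set, and why an unkeyed hash of an enumerable identifier (an e-mail address or phone number) is trivially reversed. The records, field names and keys are constructed for the example.

```python
"""Keyed pseudonymisation with the re-identification key held apart (added example)."""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("email", "phone")

# Constructed sample of a processor's working data set (not real people).
RECORDS = [
    {"email": "alice@example.eu", "phone": "+4915112345678", "order": "A-100", "amount": 42.0},
    {"email": "bob@example.eu", "phone": "+4915187654321", "order": "B-200", "amount": 17.5},
    {"email": "alice@example.eu", "phone": "+4915112345678", "order": "A-101", "amount": 5.0},
]


def new_key() -> bytes:
    """The 'additional information' of GDPR Art. 4(5): generated once and stored
    apart from the pseudonymised data, under its own access control."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: equal inputs give equal tokens under one key, so
    records stay linkable, but a token cannot be recomputed from a guessed
    identifier without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Return (pseudonymised copy of the records, token -> original lookup table)."""
    lookup, out = {}, []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in rec:
                token = pseudonym(rec[field], key)
                lookup[token] = rec[field]
                new[field] = token
        out.append(new)
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Only whoever holds the separately stored lookup table can reverse the tokens."""
    return [{k: (lookup.get(v, v) if k in DIRECT_IDENTIFIERS else v) for k, v in rec.items()}
            for rec in pseudo_records]


def crack_unkeyed_hash(target_hex, candidates):
    """Why a bare SHA-256 of the identifier is not useful pseudonymisation: e-mail
    addresses and phone numbers are enumerable, so an attacker hashes candidates
    until one matches."""
    for c in candidates:
        if hashlib.sha256(c.encode("utf-8")).hexdigest() == target_hex:
            return c
    return None


def crack_keyed_pseudonym(target, candidates, guessed_keys):
    """The same attack against the keyed token fails unless the attacker also
    holds the key, which is exactly what separate storage denies them."""
    for key in guessed_keys:
        for c in candidates:
            if pseudonym(c, key) == target:
                return c
    return None


def demo():
    """Run the whole flow on the constructed records and report the outcomes."""
    key = new_key()
    pseudo, lookup = pseudonymize(RECORDS, key)
    naive = hashlib.sha256(b"alice@example.eu").hexdigest()
    return {
        "no_raw_identifiers": all("@" not in r["email"] for r in pseudo),
        "alice_orders_linked": pseudo[0]["email"] == pseudo[2]["email"],
        "restored": reidentify(pseudo, lookup) == RECORDS,
        "unkeyed_cracked": crack_unkeyed_hash(naive, ["carol@example.eu", "alice@example.eu"]),
        "keyed_cracked": crack_keyed_pseudonym(pseudo[0]["email"], ["alice@example.eu"],
                                               [secrets.token_bytes(32) for _ in range(100)]),
    }
```

In a real deployment the lookup table and key would live in a different system from the pseudonymised records (a key vault or a controller-side service), and the processor's staff working on the data set would have no read access to them; `demo()` returns the checks a reviewer would want to see: no raw identifiers remain, linkage survives, re-identification works only with the lookup, and the unkeyed hash is the one that gets cracked.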

The last hurdle was the creation of an organizational culture that is conducive to compliance. Typically, in the initial days, the hype was sufficient to make every employee aware that GDPR is big, there will be huge penalties, etc.

But this awareness does not automatically convert itself into a compliance culture. Further the enthusiasm is likely to wane as the days go by.

Hence at the end of the first year, what Indian companies need to review is whether the employees are sufficiently tuned to the compliance culture.

This should be the task before every Indian Company exposed to the GDPR risk in this coming year.

As regards Indian companies, the coming year would be even more complicated from the point of view of privacy compliance. With the return of Mr Modi as the PM, the unfinished jobs of the previous regime will move forward without much hurdle. One of the tasks that remained unfinished in the previous regime was the passage of the Personal Data Protection Act.

We can now expect that the Bill will be reintroduced, and perhaps taken up by a Standing Committee for finalization, in the very first session of Parliament; the probability of this is very high. I expect that the Data Protection Authority will be set up in the next 6 months and things will start rolling fast.

Indian companies therefore need to incorporate Indian PDPA compliance into their GDPR compliance plan at the earliest. Otherwise they will have to face a restructuring exercise a little later.

Naavi’s initiatives for the coming year

Naavi has tried to make the industry realize that the time for action is now…before the PDPA becomes the law.

The FDPPI (Foundation of Data Protection Professionals in India) was formed by Naavi and his friends to address this issue of spreading the relevant knowledge and creating a knowledgeable, skilled and ethical ecosystem for data protection in India.

Now in 2019, FDPPI is likely to develop as the main representative of the Data Protection industry in India and undertake activities that will enable the smooth implementation of PDPA, of which GDPR compliance would be a part.

Naavi on his own is in the process of developing the PDPSI (Personal Data Protection Standard of India), which will incorporate the best global industry standards within the framework of the Indian Data Protection compliance requirements.

Further, Cyber Law College, which is the education wing of Naavi will start operating a new division on Data Protection education and training.

Ujvala Consultants Pvt Ltd, which is the consultancy wing of Naavi will focus on developing the Data Protection related consultancy with greater vigour.

During 2018, Naavi was working on a system of pseudonymization and anonymization for which a provisional patent had also been applied for. Now Naavi intends to integrate it as a part of the PDPSI implementation structure and throw the idea open for implementation.

In the meantime, Naavi.org along with the Privacy Education Center (www.privacy.ind.in) and other associate websites will continue to spread knowledge through the web.

Coming months are therefore appearing to be exciting as we look forward to a new Government, new initiatives and a new hope.

Naavi

Posted in Cyber Law

What the Opposition may do tomorrow in the EVM controversy

We have time and again stated what we think is the correct legal position as regards the controversy raised by the opposition regarding the VVPATs.

The Supreme Court could have avoided the current problem by ruling in the first place that the VVPAT is only an acknowledgement and it has no legal significance or precedence over the electronic click made by the voter. However, the Supreme Court did not factor in the nefarious motive of the opposition to disrupt the counting process using the VVPAT as an excuse.

Now the opposition has raked up an issue that VVPATs should first be counted and tallied before the counting of the electronic votes recorded in the EVM is undertaken. Mr Chandrababu Naidu has also revealed their intention that if there is any mismatch, the counting should be stopped. It is therefore clear that the objective of the opposition is to stop counting and create a constitutional crisis.

Under the circumstances, as an observer of the Cyber Crime and related scenario, I anticipate the following developments tomorrow, all of which will be aimed at confusing the Election Commission and harassing it into yielding to the demands of the opposition.

  1. At the time VVPATs are taken up for counting, there will first be a call for tallying the machine number, the number of votes etc. against what is recorded in the form given to the polling agents by the polling booth officials.
  2. When this is done, there could be one or more booth agents who will have changed the form that has been in their hands for some time now and claim that the information given to them at the booth and what is now being shown do not tally. Hence there will be a claim that the machines have been switched or the votes have been tampered with.
  3. If the discussion goes past this and counting is done, then the polling agents who will be present at the counting of the physical slips will say that some slips were wrongly dropped into the BJP box and it has to be recounted again and again. They may also ensure that one or two slips are stolen and destroyed. They may even hide them inside their inner clothes like drug peddlers, or even eat up one or two of the slips. The EC would not be able to forcibly check the agents physically like the ED or the Police, and a ruckus will be created that there is a difference in the count and hence the counting should be stopped forthwith.
  4. There may be demonstrations and physical violence outside.
  5. There will be an urgent mention at the Supreme Court for a stay.

I therefore request the EC and the governments of the day responsible for law enforcement at each counting centre, including those under the control of opposition-ruled states like West Bengal and Andhra Pradesh, to ensure that the counting process is not interrupted.

It may be necessary for the Central Forces to be in charge of all counting centers to manage the law and order situation.

At the back of all this, I reiterate that the VVPATs are only acknowledgement slips: the vote of the voter is recorded electronically in the EVM, and if there is any discrepancy, the EVM count should be considered as valid. Further litigation, if any, should be after the candidate is declared elected and an election petition is filed.

Any other approach will be unfair and also illegal.

Naavi

[PS: Happy that the above concern did not materialize. The EC's refusal to agree to the VVPATs being counted first was helpful. Also Mr Chandrababu Naidu losing badly in AP and Mamata being jolted in WB further defused the opposition. Overall, we are relieved that the Tukde Tukde gang was defeated and nationalist forces marched to a grand victory……Naavi, 23rd May 2019]

Posted in Cyber Law

Mismatch of EVM and VVPAT

The opposition parties aggrieved by the exit poll results are raking up an issue with the EC regarding what needs to be done when there is a mismatch between the VVPAT counting and the EVM records.

The Supreme Court, which did not have the appropriate vision to take a view on this when the matter was before it, just ruled that the VVPAT slips of 5 polling booths in every assembly segment have to be counted. This means that about 8000 VVPAT slips may have to be counted for every segment. If there is a counting error then there could be a difference of one or two votes from the EVM count. This may be insignificant but is enough for the political parties to cry that there is something wrong with the EVMs and the election should be repeated with ballots.

The EC has internal dissensions which may actually complicate the issue.

I therefore provide here what I think is a legal position to be taken into account.

The Indian elections have adopted the EVM system, for which there is sufficient legal backing. As per this, the election is conducted by the voter expressing his choice by pressing the button on the EVM. The process of voting is therefore completed when the button is pressed. The count of this is in the EVM. There ends the election process.

The VVPAT is a system that provides an acknowledgement to the voter. The acknowledgements are preserved as evidence for verification in case of large-scale malpractice. But the VVPAT slips are not votes. They are a secondary confirmation of the electronic signal generated by the depression of the voting button.

The VVPAT is generated not by a voter’s action but by the action of the EVM after the vote is recorded. Hence it is a subsequent event.

Hence if there is a mismatch between the EVM count and the VVPAT count, the EVM count should prevail. In case there appears to be large-scale malfunctioning where the difference is statistically significant, then the matter becomes an issue for a post-poll legal challenge. What is a “significant” difference for a booth of 1600 or so votes is something a statistician can determine. In my view it could be somewhere around 2%, or about 30 votes.

I hope the EC and the Courts will consider this view when they have to consider the objections.

Naavi

Posted in Cyber Law

4-D Secure protocol for Online security… Attention NPCI

Naavi.org has been at the forefront of discussions on Cyber Crimes, Data Security, Compliance requirements etc. The objective of all this is to ensure that “Digital India” does not suffer from the lack of security that is in the DNA of online transactions.

In this journey towards a “Secure Digital India”, we need to ensure that the digital payment systems are properly secured. Internationally there have been several initiatives in this direction, such as ISO 27001, PCI DSS, the SET protocol for card processing, and 3-D Secure with its adaptations by Visa, Mastercard, Amex etc.

In India we have the RuPay scheme, conceived to provide a domestic system enabling Indian banks and financial institutions to participate in the electronic payments market. The RuPay e-commerce architecture takes into account the three domains of the issuer, NPCI and the acquirer. NPCI operates the PaySecure system and the NPCI switch, and enables the authentication of transactions.

The RuPay system has the potential to be a popular global brand like Visa and Mastercard. Similarly, the authentication system that RuPay adopts also has the potential to be a global system.

India has an advantage that is not available to other countries in the form of the Aadhaar identification system. Though the Supreme Court has placed some curbs on the innovative use of Aadhaar for authentication by private players, there are acceptable work-arounds and even the possibility of convincing the Supreme Court on specific national security projects for the use of Aadhaar.

If we can use both the Aadhaar network and the NPCI together, it may be possible to enhance the security of online payment systems to a level which could be better than other existing systems.

While the 3-D Secure system has three domains, namely the acquirer domain, the issuer domain and the interoperability domain (the "D" stands for domain), which have also been used in the PaySecure architecture of NPCI, it may be possible to look at a four-domain system (4-D Secure) based on the following constituents.

    1. Consumer
    2. Merchant
    3. Banking/Financial institutions
    4. Technology

In this model there are four responsibility centres. The Technology is the “Interoperability domain”, managed by, say, NPCI. The Banking is the domain of all card issuers and payment system managers. The Consumer and the Merchant are the originator and destination of the underlying transactions.

This model recognizes that “Technology” is the interface between the different legal responsibility centres. In the first leg of the transaction, the transaction originated by the Merchant has to be authenticated by the Customer, or vice versa.

In the second leg, the financial part of the transaction originated by the card owner or the Merchant has to be authenticated by the card-issuing bank or its agent.

If the origination of the financial part is a “Pull Transaction”, the Merchant sends his request to the acquiring Bank. If it is a “Push” transaction, the customer sends his request to the card issuing Bank.

The Technology Provider can act as an agent of the card-issuing bank or the acquiring bank. It can use the UIDAI authentication service in any permitted form. In the case of high-value transactions, the full e-KYC formality can be invoked. In other cases a simple random multi-factor parameter check can be used. If the identity parameter is taken in the form of a Virtual Aadhaar ID at the merchant's website, it may be within the current directions of the Supreme Court.

Other options, including collection of the identity parameter by the banking system instead of the merchant, or by UIDAI itself, or by NPCI as an agent of UIDAI, can be considered and brought into the protocol. Whichever party collects it, the authentication response should be bound to the specific transaction (merchant, order and amount) and to a fresh challenge, so that a response captured for one transaction cannot be replayed against another.
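The following Python simulation is an added example of the four-domain flow as this editor reads the proposal; it is not NPCI, RuPay or PaySecure code. The parties (Consumer, Merchant, IdentityService, Switch), the message fields, the keys, the hypothetical HIGH_VALUE threshold for the e-KYC step-up, and the IdentityService (a stand-in for a UIDAI-style authenticator addressed by a virtual ID) are all this example's own assumptions. It goes one step beyond the text in binding the consumer's consent to the exact order and the identity check to a fresh challenge, which is what stops a merchant altering the amount after consent or replaying a captured response.

```python
"""Four-domain authorisation flow, simulated end to end (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

HIGH_VALUE = 10_000  # hypothetical threshold above which a full e-KYC match is demanded


def canonical(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True).encode("utf-8")


def tag(key: bytes, msg: dict) -> str:
    """Integrity tag over a message; each leg is checked against its own key."""
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


@dataclass
class Consumer:
    virtual_id: str     # token shown to the merchant; the real identifier stays with the authenticator
    device_key: bytes   # shared with the identity service (random-factor check)
    account_key: bytes  # shared with the issuing bank (authorises the debit)
    account: str
    profile: dict       # what a full e-KYC match is compared against


class IdentityService:
    """Stand-in for a UIDAI-style third-party authenticator, keyed by virtual ID."""

    def __init__(self, consumers):
        self.keys = {c.virtual_id: c.device_key for c in consumers}
        self.profiles = {c.virtual_id: c.profile for c in consumers}

    @staticmethod
    def respond(device_key: bytes, nonce: str) -> str:
        # OTP-style response the consumer's device computes for a fresh challenge
        return hmac.new(device_key, nonce.encode(), hashlib.sha256).hexdigest()[:6]

    def verify(self, virtual_id, nonce, response, amount, profile=None) -> bool:
        key = self.keys.get(virtual_id)
        if key is None or not hmac.compare_digest(self.respond(key, nonce), response):
            return False
        # step-up: above the threshold the full profile must also match what is on record
        return amount < HIGH_VALUE or profile == self.profiles[virtual_id]


class Switch:
    """Technology / interoperability domain, acting as agent of both banks."""

    def __init__(self, identity, issuer_keys, acquirer_keys):
        self.identity, self.issuer_keys, self.acquirer_keys = identity, issuer_keys, acquirer_keys

    def merchant_leg(self, order, merchant_tag):
        key = self.acquirer_keys.get(order["merchant_id"])
        return key is not None and hmac.compare_digest(tag(key, order), merchant_tag)

    def consumer_leg(self, order, consent, consent_tag):
        key = self.issuer_keys.get(consent["account"])
        return (key is not None
                and consent["order_hash"] == hashlib.sha256(canonical(order)).hexdigest()
                and hmac.compare_digest(tag(key, consent), consent_tag))

    def authorise(self, order, merchant_tag, consent, consent_tag, ident, mode):
        # A pull enters from the merchant side, a push from the consumer side: the
        # originating leg is checked first, but both legs must verify either way.
        legs = [("merchant", lambda: self.merchant_leg(order, merchant_tag)),
                ("consumer", lambda: self.consumer_leg(order, consent, consent_tag))]
        for name, ok in (reversed(legs) if mode == "push" else legs):
            if not ok():
                return {"status": "declined", "reason": f"{name} leg failed"}
        if not self.identity.verify(consent["virtual_id"], ident["nonce"], ident["response"],
                                    order["amount"], ident.get("profile")):
            return {"status": "declined", "reason": "identity check failed"}
        return {"status": "approved", "mode": mode}


def run_transaction(amount, mode="pull", supply_profile=True, tamper_after_consent=False):
    """One constructed transaction through the switch; returns its decision."""
    consumer = Consumer("VID-7731", b"device-secret", b"account-secret", "ACC-1",
                        {"name": "A. Example", "yob": 1980})
    merchant_id, merchant_key = "M-42", b"merchant-secret"  # key shared with the acquirer
    identity = IdentityService([consumer])
    switch = Switch(identity, {consumer.account: consumer.account_key}, {merchant_id: merchant_key})
    order = {"merchant_id": merchant_id, "order_id": "ORD-1", "amount": amount, "currency": "INR"}
    merchant_tag = tag(merchant_key, order)
    # Consent is bound to this exact order (its hash) and to the paying account.
    consent = {"order_hash": hashlib.sha256(canonical(order)).hexdigest(),
               "account": consumer.account, "virtual_id": consumer.virtual_id}
    consent_tag = tag(consumer.account_key, consent)
    nonce = secrets.token_hex(8)  # challenge issued by the identity service
    ident = {"nonce": nonce, "response": identity.respond(consumer.device_key, nonce)}
    if supply_profile:
        ident["profile"] = consumer.profile
    if tamper_after_consent:  # merchant changes the amount after the consumer consented
        order["amount"] = amount * 10
        merchant_tag = tag(merchant_key, order)
    return switch.authorise(order, merchant_tag, consent, consent_tag, ident, mode)
```

Running `run_transaction(500, "push")` approves a low-value push with only the random-factor check, `run_transaction(25_000, "pull")` approves a high-value pull only because the profile is supplied for the e-KYC step-up, and the tampered variant is declined at the consumer leg in either mode because the consent no longer matches the order the merchant submitted.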

The above is a thought which may be refined by technology experts. However, the essence of this suggestion is that we can develop an online payment architecture unique to India and, if it gets traction, develop similar standard models elsewhere, where the UIDAI type of authentication is substituted by some other trusted third-party authentication acceptable to the banking system or the card issuer consortium.

I invite technology specialists to improve upon this model if possible and take it forward. I urge NPCI to take the lead in this direction by forming an expert committee along with the UIDAI authorities and MeitY to examine the possibilities.

Naavi

 

Reference Articles

Principle of Secure Technology Adoption…creating a secure ecosystem for cyber transactions

Will Rupay challenge VISA/Master and be a global brand?

Aadhaar adds another security layer to frustrate “Benami”s

It is Y2K moment again in India, with Virtual Aadhaar ID

Posted in Cyber Law