Agencies empowered under Sec 69. No Need to raise a false alarm

The uninformed media has been at work since morning commenting on the MHA order notifying additional agencies empowered to use the powers under Section 69 of ITA 2000/8.

Refer notification here:

According to the notification, 10 agencies such as the IB, ED, CBI etc. are notified as authorized agencies.

Until now, according to the earlier notification G.S.R. 780 (E) dated 27th October 2009, the competent authority for such orders was the “Secretary of Ministry of Home Affairs” in the Central and State Governments. No other agency had been named for execution of the action envisaged.

The competent authority was empowered to authorize an agency of the Government for the purpose, and the process for authorization was detailed in the notification. What the MHA has now done is to exercise these powers to notify the agencies which can exercise the powers.

The powers are as per restrictions inherent in Section 69 (1) and are well within the constitutional provisions.

For immediate reference we quote Section 69(1):

“Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource”

It is prudent for responsible citizens to recognize that the powers are to be exercised under a process, are well within the provisions of the Constitution, and to refrain from making a hue and cry about a routine notification.

Such powers have long existed in India under the Telegraph Act itself and are also present the world over, including in the USA and the UK. The powers are essential for governance and do not preclude action against those who misuse them.

Section 69 itself contains an inbuilt provision for preventing misuse which may be invoked if concerned citizens have any issues.

Under Section 69(2), the law provides that the:

“Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out shall be such as may be prescribed”.

In the event the procedures and safeguards are not followed, even by a Government official, it would amount to “Unauthorized Access” and could be considered an offence under Section 66 of ITA 2000/8, which carries a punishment of up to 3 years.

Those who are today throwing tantrums on TV, and those members of the media who are raising the bogey of privacy, constitutional rights etc., are either not adequately informed or are, as usual, raising a bogey to criticize the Government.

I will not be surprised if politicians raise a ruckus in Parliament and some activists also go to the Supreme Court against the order.

Let’s understand the law as it is and respond without raising a needless false alarm.

Naavi

Related posts:
  1. The Second Awakening… What is there in Rules of Oct 27, 2009 on Section 69?
  2. The Second Awakening… What is Section 69?
  3. Snooping and Section 69 of ITA 2000: Beyond Politics, Distrust and Passion.. The second awakening

References:
  1. The MHA Notification
  2. Section 69
  3. Section 69 Rules of 2009
  4. Articles on ITA 2008 written in 2008/9


Securing the world against Rogue Robos

Several movies have captured the ugly face of technology. Most of the time this is because technologists, intoxicated with the power of technology, create monsters without knowing the consequences. With the growth of Artificial Intelligence and humanoid robots, the dangers are increasing every day and we need to respond to this alarming situation.

A scary incident has now been reported from a lab in Japan. The incident reportedly occurred in August 2017 and a whistle blower has revealed it now. In this incident 29 humans were killed in a lab producing autonomous war robots. The four soldier robots went rogue and started shooting the humans. Three of these were physically disassembled by the workers, while the fourth was smarter and was searching the satellite database on how to re-arm itself.

Ultimately this one too might have been dismantled, but the fact remains that the dangerous phase of AI is now before us, and if we continue to act intoxicated and do not learn from our mistakes, we are creating robot monsters which will destroy humanity.

Some of the videos in the link “Six scary things about AI”, which raise concern about the capacity of robots to think on their own and to express views about conflict with the human race, make everyone sit up and take notice of the possibility that the movie kind of situation may become reality too soon for comfort. We may not be able to find a Rajnikant in real life to save us from the damage that rogue robots may create.

It is time that the international community takes some corrective action to ensure that Artificial Intelligence does not override the “Isaac Asimov Principles of Ethical Robotics”.

Japan was instrumental to the first atomic bomb being dropped and now it appears that it can be the source of the next great tragedy on the planet.

Imagine what the consequences could be of terrorists either acquiring these “Autonomous Military Robots” or hacking into some of them. If we do not have a security solution for such incidents, it is better that we do not create these monsters.

Earlier Incidents

From January 25, 1979, when an accident at the Ford factory claimed the first human life taken by a robot, to the reported death of 29 persons in a Japanese lab at the hands of a “Rogue Robot Soldier” being manufactured, there have been several accidents where robots have claimed human lives.

Some of them are captured here.

  1. 25th January 1979: Robert Williams was killed in the Ford factory at Flat Rock, Michigan. This was dubbed an accident since the worker ignored a safety measure and accidentally switched on the machine while trying to repair it. (Refer here).
  2. May 7, 2016: Joshua Brown was killed in a self-driving car accident when his Tesla failed to distinguish a tractor trailer in front from the surrounding bright sky, drove under the 18-wheel trailer and crashed. This was clearly a failure of the software, caused by the negligence of the developer and deficient testing.
  3. 2007: Nine South African soldiers were killed and another 14 wounded after an anti-aircraft weapon (Oerlikon GDF-005) started shooting by itself. It could be termed a techno-mechanical failure where the gun jammed and exploded before going berserk and firing 250 rounds. Software failure was not ruled out.
  4. July 7, 2016: Police in Dallas used a robot to kill a dangerous killer who had killed several persons and was hiding in a building, by attaching a grenade to a robot, sending it to the garage where he was hiding and exploding it. The person killed was Micah Johnson, but the use of the “Bomb Detecting Robot” to execute the human was perhaps a justified action of the police under the circumstances. (P.S: It would be interesting to know how the pseudo human rights activists and the Indian Judiciary would react if such action were taken in Kashmir by the Military.)
  5. 9th December 1981: An accident at Kawasaki Heavy Industries killed Kenji Urada, a 37-year-old man who was trapped by the working arm of the robot while it was being repaired. (Refer here). This also can be identified as an accident caused by the negligence of the worker.
  6. 2015: A man was reportedly killed in Baunatal, Germany, in the Volkswagen plant when he was grabbed by a robot and pinned against some metal sheets, causing injuries to which he later succumbed. It was again classified as an accident caused by human error.
  7. March 2017: Wanda Holbrook, a 57-year-old lady, was killed by a robot at the Ventra Ionia Mains plant in Michigan, where she worked as a maintenance specialist. In this incident a robot picked up a trailer part and dropped it on her skull. (Refer here). This could be a planned murder because there were unexplained multiple faulty manoeuvres it carried out resulting in the death.
  8. 2009: 40-year-old Anna Vital was killed by a robot at Golden State Foods in California, when a robot grabbed the worker like a box it was supposed to handle and crushed her to death while she went near it to correct an error… another accident by human negligence.
  9. 2015: 24-year-old Ramji Lal, working in an SKH Metals factory in Manesar, India, was stabbed to death by a robot. He had tried to correct the position of a metal piece which had been lifted by the robot when the moving arm hit him. The case was wrongly recorded as a case of electrocution and not as a “Death caused by a robot”, perhaps to avoid the payment of compensation. (Refer here)
  10. June 2016: Regina Elsea, 20 years old, was killed by a robot at Ajin USA, a South Korean owned plant in Alabama, while trying to repair a faulty robot. Several safety violations by the unit to maximize profits were revealed during the enquiry.
  11. July 2017: There was also an incident of a robot suicide (Refer here) when a security robot in Washington drowned itself in a pond, but the incident could be considered an “accidental fall”.
  12. May 2018: The Uber car accident (Refer here) can also be added to the above list. In this incident Uber had deactivated the emergency braking system and relied on the human driver to act. The obstruction was detected 6 seconds before the accident, and the emergency brakes could have been deployed about 1.3 seconds before the crash had they been active. But in this case the human driver was not alerted in time to act. (Refer here). This was both a technical error and human negligence.

It is estimated that, prior to the current incident, over 61 deaths and injuries have been caused by industrial robots (Refer here).

Isaac Asimov laws

The legendary science fiction writer Isaac Asimov had, in 1942 itself, laid out three laws of robotics which were guidance to be followed by all programmers. While some of the cases referred to above are clearly accidents, it is clear that in many of these cases the errors were caused by faulty programming.

The three laws which he wrote were as follows:

  1. First Law – A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. Second Law – A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
  3. Third Law – A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

When Asimov wrote his fiction, I am not sure if he could visualize the full impact of “Artificial Intelligence” as we find it today, or the nature of a society that abounds in financial greed and religious fanaticism. The current scenario appears far more dangerous than what Asimov could have envisioned.

It is time therefore for the Information Security Community to start thinking of the safeguards that we need to build to ensure that AI is not used indiscriminately by unethical and negligent software workers.

Naavi

Also Refer: Six scary things about AI


Is Rs 1 Crore fine on Indian Bank a sufficient deterrent?

The Reserve Bank of India, in a press release dated December 11, 2018, imposed a monetary penalty of Rs 1 crore on Indian Bank for non-compliance with its directions under the Cyber Security Framework of 2016 and the Master Directions on Frauds reporting.

RBI has in the process clarified that

“This action is based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers.”

Considering that in the past RBI has been content with fines of Rs 5 lakhs and Rs 10 lakhs for failures in KYC, the imposition of a penalty of Rs 1 crore appears eye-popping.

It is certainly a departure from the past in that the fine is relatively significant and it is for “Non Compliance” with an order related to “Cyber Security”.

One of the complaints we have always had about banks is that they do not take RBI’s instructions seriously, and RBI is content with just sending circulars rather than enforcing its decisions on the banks. We have often pointed out that banks like ICICI Bank and SBI are so powerful when it comes to policy making by RBI that, through their combined strength in the IBA, it is often the banks which dictate terms to RBI rather than the other way round.

It is therefore refreshing to note that this time RBI appears serious about having its directions taken seriously.

Many of the banks openly declare that they would provide only such security as is “Commercially Feasible”, making security a trade-off against their own profits. This fine therefore does raise the bar a little higher than it was earlier.

However, will this be a sufficient deterrent?… In our opinion, not necessarily… for the large banks. After all, this fine of Rs 1 crore will be an indirect burden on the public, since the bank will factor it into its service charges or simply let it be borne by the shareholders.

When ATM security was in public discussion a few years back, banks started charging extra money per transaction to cover the security guard’s cost etc., but soon the charges remained while the services promised never materialized. The same thing will happen now: banks will pay the monetary fine out of their profits and, except for a small ripple, continue to function the way they do now.

If real improvements are to be brought into the service of the banks, a part of such burden should be imposed on the officials who were negligent in implementing the security guidelines. Such responsibility needs to be imposed even on the Board of Directors, the CMD as well as the CISO. The fine can be in the form of a percentage of their salary, recovered over, say, about a year, so that every month they are reminded of their dereliction of duties. Even the Board of Directors should be subject to a penalty in the form of an individual fine out of their sitting fees or remuneration.

I hope the RBI will take note of this suggestion for the future.

Naavi

 


“Tweets are not Facts”….” WhatsApp” is not “Whats up”

Speaking in the context of the Rafale deal, the French Ambassador has reportedly made the comment “Look at Facts… not the Tweets”. This was as much an advice to the traditional media, which is sensationalizing the social media posts of the Congress, whose political ambitions have made tweets a tool of spreading disinformation. The obliging media picks up anything and everything thrown at it and converts it into a political narrative.

It could be Rafale or the RBI Board meeting, the CBI internal politics or even the quality of currency notes. The media is capable of converting it into an anti-Modi narrative and keeps shouting.

In this unfortunate situation, innovative technical tools such as Twitter or WhatsApp have become tools for creating false narratives and defaming people. The politicians should be credited with the successful corruption of an innocent tool created by the Internet to give “Voice to the Ordinary people”.

Today, even the owners of these businesses are carried away by the increased usage that these false posts create and think they are generating more revenue, like the TV media that goes after TRP at any cost. But in the long run this trend is eroding the credibility of the system, and as soon as the election fever is over, the backlash will hurt these services to the extent that in due course they will be extinct.

In the interest of the survival of these social media vehicles, it is necessary that they do not misinterpret “Free Speech” as “Freedom to spread falsehood”. If they do, they will be digging their own grave.

It is therefore time for society to think of and implement measures that would enhance “Trust” in the use of these social media.

Though it looks ridiculous to many, there is a valid argument for the creation of “KYC based identified accounts in Twitter and WhatsApp and an Ethical declaration to be open to being banished for deliberate false postings”.

Twitter has the system of “Verified” accounts, but it is not being implemented properly. Twitter’s approvals are biased and genuine accounts are often denied the “Verified Tag” without any reason. There is a need for introducing a new system of “Identified Social Media Postings”. Facebook and WhatsApp should join this consortium.

Probably these business entities will not see the value of such “Identified Accounts”. I therefore call for a new start-up business in India which runs an “Identity Service” to issue “Verified Tokens” to users of social media, so that there is more responsibility among social media users.

Of course this is not a solution for political parties posting false narratives for political gain, but still, it would go a long way in establishing a “Responsible use of technology”.

Naavi


UK DPA strikes at Uber: Delivers a lesson in Password construction

Uber has been fined by the UK DPA £385,000 (approx Rs 3.5 crores) for failing to protect its customers’ data during a breach.

Refer report here

The breach occurred in November 2016, when the GDPR notification was in place and the UK was part of the EU. It involved a cyber attack on a US server of Uber, maintained on Amazon’s cloud service, which was compromised; about 2.7 million accounts of UK citizens, with the names, email addresses and cell phone numbers of the users, were potentially accessed.

In the US, Uber had reached an agreement with all 50 states to pay compensation of $140 million (approx Rs 1017 crores) for the same breach.

The ICO’s notice indicates that the attackers acquired the credentials for access to the cloud server by accessing a private code repository on GitHub, using a trial-and-error method akin to a brute force attack on combinations of user name and password (credential stuffing).

Uber paid a ransom to the attackers amounting to US $100,000, which it treated as a “Bug Bounty” payment, and then introduced additional security and changed the keys.

From the incident it appears that the user names and passwords used by 12 Uber employees on GitHub, which were available in plain text in code, were first accessed and the combinations then tried on the Amazon cloud server. Since the employees used the same username-password combination on the Amazon account, the attackers were able to access the cloud server.

The decision may appear erudite, but it must be debated whether this incident indicated “Negligence” on the part of Uber and, if so, the extent of such “Negligence”. Was the security otherwise in use “Reasonable”?

Once a breach has happened, any amount of security appears inadequate. The regulator ideally has to put itself in the shoes of the company and evaluate whether, under the circumstances in which the storage was designed, the security was adequate. The regulator should avoid penalizing the business entity with the benefit of hindsight merely to demonstrate its power to penalize.

Further, to take objection to how Uber treated the payment to the attackers, whether as a “Bug Bounty” or a “Ransom”, was perhaps beyond the scope of ICO’s authority. It could have avoided treading into this domain, which could have been an accounting necessity or dictated by insurance coverage needs. That the bug bounty procedure was not followed is a matter of no concern to ICO.

It appears that ICO exceeded its boundaries in this respect, which may be indicative of a bias with which the decision on the penalty could have been arrived at.

It is also strange to observe that ICO has placed a disincentive on the Company’s right to appeal (by offering a discount if appeal is not resorted to) which may not be entirely legal.

This was a case fit for a nominal fine meant to flag a kind of attack against which companies need to guard.

The lesson to be drawn from the incident is that “Users should not use the same user ID-password combination” across different services.

This will now become a new paragraph in the Password policy of every organization.

Naavi
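The two weaknesses the post describes, credentials sitting in plain text in a code repository and the same username-password pair reused on a second service, are both checkable before an attacker finds them. The following script is an added illustration of such checks, not code from Uber, GitHub or the ICO; the patterns, the organization key and the sample source and credential records are constructed for the example. It assumes the password policy is enforced at the point where a credential is registered, so that the pair can be fingerprinted with a keyed hash rather than stored in plain text.

```python
"""Two defensive checks suggested by the GitHub-to-cloud credential incident:
(1) scan source text for credentials committed in plain text, and
(2) flag username/password pairs registered with more than one service.
Constructed example; names, patterns and sample data are assumptions."""
import hashlib
import hmac
import re
from collections import defaultdict

# Heuristic patterns that commonly indicate a credential committed in plain text.
# The AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) is
# publicly documented; the assignment pattern is a generic heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}


def scan_text(text):
    """Return a list of (line_number, pattern_name, matched_text) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, name, match.group(0)))
    return hits


def fingerprint(username, password, org_key):
    """Keyed hash of the pair, so reuse can be checked without keeping plaintext.
    The key must be a secret held by the organization, not derived from the data."""
    message = (username + "\x00" + password).encode("utf-8")
    return hmac.new(org_key, message, hashlib.sha256).hexdigest()


def find_reused_credentials(records, org_key):
    """records: iterable of (service, username, password) as seen at registration.
    Returns a sorted list of (username, [services]) where the exact same
    username/password pair was registered with more than one service."""
    services_by_pair = defaultdict(set)
    for service, username, password in records:
        services_by_pair[(username, fingerprint(username, password, org_key))].add(service)
    return sorted((user, sorted(services))
                  for (user, _fp), services in services_by_pair.items()
                  if len(services) > 1)


# Constructed sample source, standing in for a file in a code repository.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
db_password = "CorrectHorseBattery"
retry_count = 5
"""

# Constructed credential records: dev1 reuses one pair on both services.
SAMPLE_RECORDS = [
    ("github", "dev1", "CorrectHorseBattery"),
    ("aws", "dev1", "CorrectHorseBattery"),
    ("github", "dev2", "hunter2hunter2"),
    ("aws", "dev2", "another-pass-entirely"),
]
ORG_KEY = b"constructed-demo-key-replace-in-practice"

if __name__ == "__main__":
    for lineno, name, text in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {text}")
    for user, services in find_reused_credentials(SAMPLE_RECORDS, ORG_KEY):
        print(f"{user} reuses one password across {', '.join(services)}")
```

The scanner is the kind of check that belongs in a pre-commit hook or a repository scan, and the reuse check is what a password policy paragraph like the one the post anticipates would need in order to be enforceable rather than merely stated.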


EY flags Crypto Currency as a threat. Will Supreme Court take note? or Ignore?

Ernst and Young recently published a survey on “Responding to Cyber Crime Incidents in India”. Some interesting insights are reported in the survey.

One of the insights, which is important from the point of view of the Supreme Court hearing on the legalization of Bitcoins, requires to be taken note of.

The survey, speaking of “Crypto Currency” as an emerging area of risk, states:

“The challenges in using virtual currency is that these systems are capable of facilitating tax evasion or illegal activities because of the anonymity factor which is built into the system. As a result, Bitcoin is a preferred mode by hackers for ransomware. …. The rise in usage can lead to a surge in cyber-attacks, raids and fraud. “

The Government of India and the Supreme Court which are under tremendous pressure from the Bitcoin industry and the supporting media should take note that “If Bitcoin is legalized in India, the country’s economy would be doomed”.

Bitcoin being the “Currency of the Criminals” and “Currency of the Terrorists”, the easy movement of crime money across the entire economy and across borders would provide an easy channel for rewards to be distributed for different forms of crime. Once the tracking of crime money becomes fuzzy, financial crimes will become difficult to prosecute, since Courts would demand “Evidence of Money Trail”, which will go dark with the use of Bitcoins.

The Supreme Court has to ask itself the question:

Is the Court able to understand the adverse impact of Bitcoin on the country, and be honest and bold enough to ban Bitcoins? Or

will the Court hide behind technicalities and try to give breathing space to Bitcoins… which all the corrupt elements of our society worship…

Citizens of this country will draw their own conclusions on who is on the side of corruption and who is not, based on the arguments that will follow in the Supreme Court.

At present it appears that Naavi is a lone warrior in the social media fighting against Bitcoins.

Traditional media, including CNBC TV, Bloomberg, Business Standard, Economic Times, Republic TV and Times Now, are all either in direct support of Bitcoin or exercising restraint in passing any adverse comment on Bitcoins.

There is an organized PR team working at planting favourable stories in the media to influence the Government to come up with a favourable view under which the Supreme Court can pass a favourable decision.

Mr Modi appears to be too distracted by the politics around him to be able to respond decisively. I am reminded of the Mahabharata war, where Arjuna is dragged out of the main battle scene when the Kauravas planned a Chakra Vyuha which consumed Abhimanyu. Similarly, election politics is dragging Mr Modi out of the Bitcoin scenario, leaving the decision entirely to Mr Arun Jaitley.

Will Mr Arun Jaitley be able to stand up to a commitment of eliminating the digital black money called Bitcoin?… So far he has not shown any indication of it. I hope this time it will be different.

However, I hope there are many silent supporters who may not be vocal, but whose silent voices would reach the Supreme Court.

Naavi
