Snooping and Section 69 of ITA 2000: Beyond Politics, Distrust and Passion..The second awakening

[This is a continuation of the previous article]

Yesterday was a day when ignorance and politics took over the debate on the new MHA guidelines under Section 69 of ITA 2000. As expected, the Congress politicians opened the debate in Parliament, with the expert of “Jupiter Escape Velocity” fame commenting that “India is being converted into a Police State”. Several other politicians such as Sitaram Yechury, Asaduddin Owaisi and Omar Abdulla joined the line of political experts who declared that the Supreme Court needs to take a hard look. Towards the end of the day the Congress appeared to pull back when it realized that Section 69 in its present form was actually passed into law by the Congress Government itself.

Though some sane voices did emerge from the Cyber Law experts later in the day, the media as usual continued to bombard the sensational angle, as if India had overnight become a Police State. Young anchors talking like experts in Cyber Law referred to the Puttaswamy judgement and declared that Privacy is under threat.

In the professional arena, some sense prevailed, except that a few passionate Privacy enthusiasts expressed their anguish that the law can be misused.

Behind the criticisms that prevailed all across the media, it was evident that many of the commentators were realizing for the first time that there was a section called Section 69 in ITA 2008 and that it provided certain powers for interception and the like.

The situation was similar to the moment in 2011 when, after the passage of the rules under Section 43A, IT professionals suddenly came to realize the existence of ITA 2000/8, which became law on 17th October 2000, with the important amendments of 2008 becoming effective from 27th October 2009.

Perhaps this second awakening is good for society, since we need to understand and appreciate the nature of ITA 2000/8, which is an important legislation of the “Digital Society”. So far everybody was talking of “Digital India”, “Digital Disruption”, “Innovation” etc. with no awareness of the background law.

This debate on “Snooping”, however absurd it is, will perhaps result in at least some politicians and professionals developing a better understanding.

In the discussions that ensued yesterday, the following points were raised.

  1. Timing: Why did the Government come up with this notification? Does it have anything to do with the forthcoming elections?
  2. Privacy: Does this notification affect the principles of Privacy as a Fundamental Right?
  3. Surveillance: Does this notification mean that the named 10 agencies will start snooping on 1 billion people from tomorrow?
  4. Oversight: Do such powers require judicial oversight?
  5. Prior Debate: Was a public debate required before this notification was released?

Naavi had highlighted the sweeping powers that Sections 69, 69A and 69B provided to the state when the amendments were passed in 2008. Unfortunately, at that time nobody took notice.

Then on 27th October 2009, the notification called “Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009” was published. These Rules had some ambiguities. The present MHA notification has in fact clarified some aspects of those Rules which were difficult to interpret because of the inherent ambiguities, and has therefore come as a relief, as it sets some doubts to rest.

I anticipate that the controversy on Section 69 would not die down. The next level of action would be when people like Prashant Bhushan, Indira Jaiswal and others would raise the issue in the Supreme Court.

The Supreme Court is known to succumb to media hype, as it did in the case of the Section 66A judgement and partially in the case of the Aadhaar judgement, and arrive at incorrect interpretations. Hence we need to place our views on record so that the false propagandists do not hijack the debate.

We shall therefore explain Section 69 and the notification of October 27, 2009, and also answer some of the questions raised above, in a series of articles that will follow.

We hope this will clarify the uncertainty that may prevail in the minds of the public. This is only an academic explanation of what ITA 2000/8 provides, for those who want to debate the law.

This may not however satisfy the politicians who want to blame the Government anyway, because they feel that they have a friendly media which will make any lie uttered 1000 times look like truth. We have to leave them to revel in their imaginary world.

...To Be continued

Naavi

Reference:

The Second Awakening… What is there in Rules of Oct 27, 2009 on Section 69?
The Second Awakening… What is Section 69?
Snooping and Section 69 of ITA 2000: Beyond Politics, Distrust and Passion..The second awakening
Agencies empowered under Sec 69. No Need to raise a false alarm

The MHA Notification
Section 69
Section 69 Rules of 2009

Articles on ITA 2008 written in 2008/9

Some media reports: The Wire; Arun Jaitley; Rahul Gandhi; Owaisi; Experts


Agencies empowered under Sec 69. No Need to raise a false alarm

The uninformed media has been at work since morning commenting on the MHA Order notifying additional agencies empowered to use the powers under Section 69 of ITA 2000/8.

Refer to the notification here.

According to the notification, 10 agencies such as the IB, ED and CBI are notified as authorized agencies.

Until now, according to the earlier notification G.S.R. 780 (E) dated 27th October 2009, the competent authority for such orders was the “Secretary of the Ministry of Home Affairs” in the Central and State Governments. No other agency had been named for execution of the action envisaged.

The Competent Authority was empowered to authorize an agency of the Government for the purpose, and the process for authorization was detailed in the notification. What the MHA has now done is to exercise these powers to notify the agencies which can exercise the powers.

The powers are subject to the restrictions inherent in Section 69(1) and are well within the constitutional provisions.

For immediate reference we quote Section 69(1):

“Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource”

It is prudent for responsible citizens to recognize that the powers are to be exercised under a process and are well within the provisions of the Constitution, and to refrain from making a hue and cry about a routine notification.

Such powers have existed in India for long under the Telegraph Act itself and are also present the world over, including in the USA and the UK. The powers are essential for governance and do not preclude action against those who misuse them.

Section 69 itself contains an inbuilt provision for preventing misuse which may be invoked if concerned citizens have any issues.

Under Section 69(2), the law provides that the

“Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out shall be such as may be prescribed”.

In the event the procedures and safeguards are not followed, even by a Government official, it would amount to “Unauthorized Access” and could be considered an offence under Section 66 of ITA 2000/8, which carries a punishment of up to 3 years.

Those who are today throwing tantrums on the TV and those members of the media who are raising the bogey of Privacy, Constitutional rights etc are either not adequately informed or are as usual raising a bogey to criticize the Government.

I will not be surprised if politicians raise a ruckus in Parliament and some activists also go to the Supreme Court against the order.

Let’s understand the law as it is and respond without raising a needless false alarm.

Naavi


Securing the world against Rogue Robos

Several movies have captured the ugly face of technology. Most of the time this is because technologists intoxicated with the power of technology often create monsters without knowing the consequences. With the growth of Artificial Intelligence and humanoid robots, the dangers are increasing every day and we need to respond to this alarming situation.

A scary incident has now been reported from a lab in Japan. The incident reportedly occurred in August 2017 and a whistle-blower has revealed it now. In this incident 29 humans were killed in a lab producing autonomous war robots. The four soldier robots went rogue and started shooting the humans. Three of these were physically disassembled by the workers, while the fourth was smarter and was searching the satellite database on how to re-arm itself.

Ultimately this one might also have been dismantled, but the fact remains that the dangerous phase of AI is now before us, and if we continue to act intoxicated and do not learn from our mistakes, we are creating robot monsters which will destroy humanity.

Some of the videos in the link Six scary things about AI, in which robots are shown thinking on their own and even expressing views about conflict with the human race, make everyone sit up and take notice of the possibility that the movie kind of situation may become a reality too soon for comfort. We may not be able to find a Rajnikant in real life to save us from the damage that rogue robots may create.

It is time that the international community takes some corrective action to ensure that Artificial Intelligence does not override the “Isaac Asimov Principles of Ethical Robotics”.

Japan was instrumental in the first atomic bomb being dropped, and now it appears that it can be the source of the next great tragedy on the planet.

Imagine what the consequences could be of terrorists either acquiring these “Autonomous Military Robots” or hacking into some of them. If we do not have a security solution for such incidents, it is better we do not create these monsters.

Earlier Incidents

From January 25, 1979, when an accident at the Ford factory claimed the first human life taken by a robot, to the reported death of 29 persons in a Japanese lab at the hands of a “Rogue Robot Soldier” being manufactured, there have been several accidents where robots have claimed human lives.

Some of them are captured here.

  1. 25th January 1979: Robert Williams was killed in the Ford factory at Flat Rock, Michigan. This was dubbed an accident since the worker ignored a safety measure and accidentally switched on the machine while trying to repair it. (Refer here).
  2. May 7, 2016: Joshua Brown was killed in a self-driving car accident when his Tesla failed to distinguish a tractor trailer in front from the surrounding bright sky, drove under the 18-wheel trailer and crashed. This was clearly a failure of the software, caused by the negligence of the developer and deficiency of testing.
  3. 2007: Nine South African soldiers were killed and another 14 wounded after an anti-aircraft weapon (Oerlikon GDF-005) started shooting by itself. It could be termed a techno-mechanical failure where the gun jammed and exploded before going berserk and firing 250 rounds. Software failure was not ruled out.
  4. July 7, 2016: Police in Dallas used a robot to kill a dangerous killer who had killed several persons and was hiding in a building, by attaching a grenade to a robot, sending it to the garage where he was hiding and exploding it. The person killed was Micah Johnson, and the use of the “Bomb Detecting Robot” to execute the human was perhaps a justified action of the police under the circumstances. (P.S.: It would be interesting to know how the pseudo human rights activists and the Indian Judiciary would react if such action were taken in Kashmir by the Military.)
  5. 9th December 1981: An accident at Kawasaki Heavy Industries killed Kenji Urada, a 37-year-old man who was trapped by the working arm of the robot while it was being repaired. (Refer here). This also can be identified as an accident caused by the negligence of the worker.
  6. 2015: A man was reportedly killed in Baunatal, Germany, in the Volkswagen plant when he was grabbed by a robot and pinned against some metal sheets, causing injuries to which he succumbed later. It was again classified as an accident caused by human error.
  7. March 2017: A 57-year-old lady, Wanda Holbrook, was killed by a robot at the Ventra Ionia Mains Plant in Michigan, where she worked as a maintenance specialist. In this incident a robot picked up a trailer part and dropped it on her skull. (Refer here). This could be a planned murder, because there were multiple unexplained faulty maneuvers it carried out resulting in the death.
  8. 2009: 40-year-old Anna Vital was killed by a robot at Golden State Foods in California, when a robot grabbed the worker like a box it was supposed to handle and crushed her to death while she went near it to correct an error... another accident caused by human negligence.
  9. 2015: 24-year-old Ramji Lal, working in an SKH Metals factory in Manesar, India, was stabbed to death by a robot. He had tried to correct the position of a metal piece which had been lifted by the robot when the moving arm hit him. The case was wrongly recorded as a case of electrocution and not as a “Death caused by a robot”, perhaps to avoid the payment of compensation. (Refer here)
  10. June 2016: Regina Elsea, a 20-year-old, was killed by a robot at Ajin USA, a South Korean owned plant in Alabama, while trying to repair a faulty robot. Several safety violations by the unit to maximize profits were revealed during the enquiry.
  11. July 2017: There was also an incident of a robot “suicide” (Refer here) when a security robot in Washington drowned itself in a pond, but the incident could be considered an accidental fall.
  12. May 2018: The Uber car accident (Refer here) can also be added to the above list. In this incident Uber had deactivated the emergency braking system and relied on the human driver to act. The obstruction was detected 6 seconds before the accident and the emergency brakes could have been deployed about 1.3 seconds before the crash had they been active. But in this case the human driver was not alerted in time to act. (Refer here). This was both a technical error and human negligence.

It is estimated that prior to the current incident, over 61 deaths and injuries had been caused by industrial robots (Refer here).

Isaac Asimov laws

The legendary science fiction writer Isaac Asimov had, in 1942 itself, laid out three laws of robotics as guidance to be followed by all programmers. While some of the cases referred to above are clearly accidents, it is clear that in many of these cases there are errors caused by faulty programming.

The three laws which he wrote were as follows:

  1. First Law – A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. Second Law – A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
  3. Third Law – A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

When Asimov wrote his fiction, I am not sure if he could visualize the full impact of “Artificial Intelligence” as we find it today and the nature of a society that abounds in financial greed and religious fanaticism. The current scenario appears far more dangerous than what Asimov could have envisioned.

It is time therefore for the Information Security Community to start thinking of the safeguards that we need to build to ensure that AI is not used indiscriminately by unethical and negligent software workers.

Naavi

Also Refer: Six scary things about AI


Is Rs 1 Crore fine on Indian Bank a sufficient deterrent?

The Reserve Bank of India, in a press release dated December 11, 2018, imposed a monetary penalty of Rs 1 crore on Indian Bank for non-compliance with its directions under the Cyber Security Framework of 2016 and the Master Directions on Frauds reporting.

RBI has in the process clarified that

“This action is based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers.”

Considering that in the past RBI has been content with fines of Rs 5 lakhs and Rs 10 lakhs for failures in KYC, the imposition of a penalty of Rs 1 crore appears eye-popping.

It is certainly a departure from the past in that the fine is relatively significant and it is for “Non Compliance” with an order related to “Cyber Security”.

One of the complaints we have always had about Banks is that they do not take RBI’s instructions seriously, and RBI is content with just sending circulars rather than enforcing its decisions on the Banks. We have often pointed out that Banks like ICICI Bank and SBI are so powerful when it comes to policy making by RBI that, through the combined strength of the Banks in the IBA, it is often the Banks which dictate terms to RBI rather than the other way round.

It is therefore refreshing to note that this time RBI appears to be serious about its directions being taken seriously.

Many of the Banks openly declare that they would provide only such security as is “Commercially Feasible”, making security a trade-off against their own profits. This fine therefore does raise the bar a little higher than it was earlier.

However, will this be a sufficient deterrent?... In our opinion, not necessarily, for the large Banks. After all, this fine of Rs 1 crore will be an indirect burden on the public, since the Bank will factor it into its service charges or simply let it be borne by the shareholders.

When ATM security was in public discussion a few years back, Banks started charging extra money per transaction to cover the security guard’s cost etc., but soon the charges remained while the services promised never materialized. The same thing will happen now: Banks will pay off the monetary fine from their profits and, except for a small ripple, continue to function the way they do now.

If real improvements are to be brought into the service of the Banks, a part of such burden should be imposed on the officials who were negligent in implementing the security guidelines. Such responsibility needs to be imposed even on the Board of Directors, the CMD as well as the CISO. The fine can be in the form of a percentage of their salary, recovered for say about a year, so that every month they are reminded of their dereliction of duty. Even the Board of Directors should face a penalty in the form of an individual fine out of their sitting fees or remuneration.

I hope the RBI will take note of this suggestion for the future.

Naavi


“Tweets are not Facts”….” WhatsApp” is not “Whats up”

Speaking in the context of the Rafale deal, the French Ambassador has reportedly commented: “Look at Facts... not the Tweets”. This was as much advice to the traditional media, which is sensationalizing the social media posts of the Congress, whose political ambitions have made Tweets a tool for spreading disinformation. The obliging media picks up anything and everything thrown at it and converts it into a political narrative.

It could be Rafale or the RBI Board meeting, the CBI’s internal politics or even the quality of currency notes. The media is capable of converting it into an anti-Modi narrative and keeps shouting.

In this unfortunate situation, innovative technical tools such as Twitter or WhatsApp have become tools for creating false narratives and defaming people. The politicians should be credited with the successful corruption of an innocent tool created by the Internet to give “Voice to the Ordinary People”.

Today, even the owners of these businesses are carried away by the increased usage that these false posts create and think they are generating more revenue, like the TV media that goes after TRP at any cost. But in the long run this trend is eroding the credibility of the system, and as soon as the election fever is over, the backlash will hurt these services to the extent that in due course they will become extinct.

In the interest of the survival of these social media vehicles, it is necessary that they do not misinterpret “Free Speech” as “Freedom to spread falsehood”. If they do, they will be digging their own grave.

It is therefore time for society to think about and implement such measures as would enhance “Trust” in the use of these social media.

Though it looks ridiculous to many, there is a valid argument for the creation of “KYC based identified accounts in Twitter and WhatsApp, and an ethical declaration to be open to being banished for deliberate false postings”.

Twitter has the system of “Verified” accounts, but it is not being implemented properly. Twitter’s approvals are biased and genuine accounts are often denied the “Verified Tag” without any reason. There is a need for introducing a new system of “Identified Social Media Postings”. Facebook and WhatsApp should join this consortium.

Probably these business entities will not see the value of such “Identified Accounts”. I therefore call for a new Start Up business in India which runs an “Identity Service” to issue “Verified Tokens” to users of social media, so that there is more responsibility among social media users.

Of course this is not a solution for the Political parties posting false narratives for political gain but still, it would go a long way in establishing a “Responsible use of technology”.

Naavi


UK DPA strikes at Uber: Delivers a lesson in Password construction

Uber has been fined by the UK DPA GBP 385,000 (approx. Rs 3.5 crores) for failing to protect its customers’ data during a breach.

Refer to the report here.

The breach occurred in November 2016, when GDPR notification was in place and the UK was part of the EU. It involved a cyber attack on a US server of Uber maintained on the Amazon cloud service, which was compromised; about 2.7 million accounts of UK citizens, with names, email addresses and cell phone numbers of the users, were potentially accessed.

In the US, Uber had reached an agreement with all 50 states to pay compensation of $140 million (approx. Rs 1017 crores) for the same breach.

The ICO’s notice indicates that the attackers acquired the credentials for access to the cloud server by accessing a private repository of code on GitHub through a trial-and-error based method akin to a brute force attack on user name and password combinations (Credential Stuffing).

Uber paid a ransom to the attackers amounting to US $100,000, which it treated as a “Bug Bounty” payment, and then introduced additional security to change the keys.

From the incident it appears that the usernames and passwords of 12 Uber employees, which were available in plain text in code on GitHub, were first accessed and the combinations tried on the Amazon cloud server. Since the same username-password combinations were used by the employees on the Amazon account, the attackers were able to access the cloud server.

The decision may appear erudite, but it must be debated whether this incident indicated “Negligence” on the part of Uber and, if so, the extent of such “Negligence”. Was the security otherwise in use “Reasonable”?

Once a breach has happened, any amount of security appears inadequate. The regulator has to ideally put itself in the shoes of the Company and evaluate whether, under the circumstances in which the storage was designed, the security was adequate. The regulator should avoid penalizing the business entity with the benefit of hindsight merely to demonstrate its power to penalize.

Further, taking objection to how Uber treated the payment to the attackers, whether as “Bug Bounty” or “Ransom”, was perhaps beyond the scope of the authority of the ICO. It could have avoided treading into this domain, which could have been an accounting necessity or dictated by insurance coverage needs. The procedure for bug bounty not having been adopted is a matter of no concern to the ICO.

It appears that the ICO exceeded its boundaries in this respect, which may be indicative of a bias with which the decision on the penalty could have been arrived at.

It is also strange to observe that the ICO has placed a disincentive on the Company’s right to appeal (by offering a discount if an appeal is not resorted to), which may not be entirely legal.

This was a case fit for a nominal fine, meant to flag a kind of attack against which companies need to guard.

The lesson to be drawn from the incident is that “Users should not use the same user ID-Password combination” across different services.

This will now become a new paragraph in the Password policy of every organization.
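As an added illustration (not Uber’s, GitHub’s or the ICO’s code), the following Python scanner flags the two failures the incident turned on: credentials committed in plain text and the same login reused across services. The file contents, names and credential patterns are constructed for this example.

```python
"""Flag plain-text credentials in committed code and their reuse across services.
Added example; not Uber's, GitHub's or the ICO's code. File contents below are
constructed samples and the credential patterns are this example's assumptions."""
import re
from collections import defaultdict

# Assignment-style secrets in code or config: password = "...", SECRET: '...'
ASSIGNMENT_RE = re.compile(
    r"""(?P<key>user(?:name)?|pass(?:word|wd)?|secret|token|api[_-]?key|"""
    r"""aws_secret_access_key)\s*[:=]\s*["'](?P<value>[^"']{4,})["']""",
    re.IGNORECASE,
)
# AWS-style access key id: "AKIA" plus 16 upper-case alphanumerics (assumed format)
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A quoted value that only names an environment variable is not a hard-coded secret
ENV_REF_RE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


def redact(value):
    """Keep only a two-character prefix so a report does not leak the secret again."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "***"


def scan_text(path, text):
    """Return one finding per credential hard-coded in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "key": "aws_access_key_id", "value": m.group(1)})
        for m in ASSIGNMENT_RE.finditer(line):
            if ENV_REF_RE.match(m.group("value")):
                continue  # password: "${DB_PASSWORD}" only references the environment
            findings.append({"file": path, "line": lineno,
                             "key": m.group("key").lower(), "value": m.group("value")})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. every text file of a repository."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def find_reused_credentials(findings):
    """Map each (username, password) pair seen in more than one file to those
    files: the same login reused across services, as in the incident above."""
    per_file = defaultdict(lambda: {"user": [], "pass": []})
    for f in findings:
        if f["key"].startswith("user"):
            per_file[f["file"]]["user"].append(f["value"])
        elif f["key"].startswith("pass"):
            per_file[f["file"]]["pass"].append(f["value"])
    where = defaultdict(set)
    for path, creds in per_file.items():
        for pair in zip(creds["user"], creds["pass"]):  # pair in order of appearance
            where[pair].add(path)
    return {pair: sorted(paths) for pair, paths in where.items() if len(paths) > 1}


SAMPLE_FILES = {
    # Constructed: deployment script with the cloud account's login in plain text
    "deploy/aws_config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"\n'
        'aws_secret_access_key = "ExampleSecretKey/NotReal+000000000000000"\n'
        'username = "ops-deployer"\n'
        'password = "Summer2016!"\n'
    ),
    # Constructed: an unrelated internal service that reuses exactly the same login
    "tools/db_backup.sh": 'DB_HOST="backup.internal"\nUSERNAME="ops-deployer"\nPASSWORD="Summer2016!"\n',
    # Constructed: config whose password is an environment reference, so it is skipped
    "config/app.yml": 'database:\n  username: "ops-deployer"\n  password: "${DEPLOY_PASSWORD}"\n',
    # Constructed: the hardened form of the deployment script, secrets from the environment
    "deploy/aws_config_fixed.py": (
        'import os\naws_secret_access_key = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
        'password = os.getenv("DEPLOY_PASSWORD")\n'
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f['file']}:{f['line']} {f['key']} = {redact(f['value'])}")
    for (user, _pw), paths in find_reused_credentials(found).items():
        print(f"login {user!r} reused across: {', '.join(paths)}")
```

Run as a pre-commit or CI check over a repository tree, the first report stops the plain-text commit and the second shows where one login would open more than one service.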

Naavi
