Aadhaar Judgement is welcome

The much awaited Aadhaar judgement has finally been delivered. It was feared that there was a genuine possibility of Aadhaar being declared unconstitutional. Going by the way the Court reacted to Section 66A of ITA 2008, and the harsh views which Justice Chandrachud has been expressing in other cases, it was not unthinkable that the Court could have come to the drastic decision of scrapping the Aadhaar Act instead of “Reading Down” the portions that needed modification.

It is welcome that the Court has tried to work along with the Government in addressing the concerns of the Privacy activists by providing its suggestions through reading down of specific provisions, which should be the way the Court works in all cases rather than taking a confrontationist attitude. I therefore welcome the judgement.

The Privacy activists should be disappointed that they were not able to get the Aadhaar struck down, though the political opponents and others are now taking a face-saving position that they are happy that private companies cannot use the Aadhaar number.

The Government has already brought in regulation by which use of Aadhaar had already been blocked for most of the Private sector by introducing what is called the “Virtual Aadhaar ID”, which is not technically the Aadhaar ID but works for most of the requirements of the Private sector. Maybe, to avoid the confusion, this Virtual Aadhaar ID can be called by a different name from now on, such as “Temporary Identification Card”.

On the other hand, the Government should be happy that PAN cards, at least at the time of filing of tax returns, will have a link to the Aadhaar. The Government is also happy that it can use the Aadhaar ID for its social benefit schemes (perhaps with a rider that the scheme should be funded from the Consolidated Fund of India).

More on this can be commented only when the detailed judgement is available.

Naavi

The Aadhaar judgement (1448 pages) is here


Cyber Security & Privacy – Technical and Legal Compliance: Seminar at Mysore on 27th Sept

CII Mysore has organized a one day seminar on “Cyber Security & Privacy – Technical and Legal Compliance”.

Venue: ILI Building, at the Infosys Campus (Entry through Gate 2)

Sri Shailendra Kumar Tyagi, Director, STPI, Dr Subramanyewara Rao, IPS, Commissioner of Police and several prominent industrialists from Mysore are expected to participate.

Naavi will be speaking on the “Indian Privacy Law” in the event.

Contact Mr T.U. Augistine, CII Mysore for more information.

Naavi


Privacy laws forcing “Blind Advertising” instead of Targeted advertising

The Privacy laws as they are emerging led by GDPR are conspicuous by the huge penalties that may be imposed as “Administrative Fines” even when the data subjects have not suffered measurable financial losses.

These laws in general prescribe that personal data of target subjects should be collected only on the basis of an informed consent, where the data collector has disclosed all the purposes for which the data may be used along with other information, which may include the details of downstream processing that may occur.

One of the uses of personal data collected is for the purpose of marketing products online. Since advertising, whether online or offline, is a communication exercise in which the advertiser uses his communication skills to design creative messages that will have the maximum impact, market segmentation based on the likely profile of the audience is an age-old practice.

The advertising industry cannot do an effective job if it does not know the audience. If a chocolate advertisement is directed at an audience of senior citizens and diabetics, the advertiser would be wasting his client’s advertising spend. If a Banker tries to advertise his products meant for high net worth individuals to an audience which may consist of farmers and villagers, obviously he would be considered a fool.

But the Privacy laws are driving the advertisers to resort to “Blind Advertising” rather than “Targeted Advertising”.

The law makers will immediately say that if you want to collect personal data and use it for advertising, then say so in the consent form and it will be fine with the law. This would mean that every time any “Personal Data” is collected, the collector should be aware of all situations in which the data could be used in future and take an omnibus consent. Such consent has to also have legal validity as a “Written Consent”, and in countries where “Click Wrap” contracts are nothing more than an “Implied and Standard Form of Contract”, the consent will always be deficient.

The recent news report that the first notice under the UK Data Protection Law has been issued on a Canadian analytics firm named Aggregate IQ (AIQ), which worked for the “Vote Leave” campaign, has brought into focus the plight of the advertising industry in this regard.

It is reported that, though the firm had collected the data before 25th May 2018 when the GDPR came into existence, the UK’s Information Commissioner was concerned with the continued retention and processing of the data after the said date.

The firm was used for a “Pro Brexit” campaign successfully, and therefore the political reasons behind the complaint are clearly visible.

Leaving the technicalities aside, there is a need for the public to debate whether the Privacy laws are being used unfairly to target genuine business needs; this has to be stopped forthwith for the industry to survive.

If the advertising industry is not allowed to be creative with targeted advertising campaigns, the damage is to the “marketing” activity and indirectly to the productivity of the industry.

It is time for the Marketing and Advertising industry to justify their existence and relevance if the Privacy Laws are not to destroy each of the marketing and advertising firms one by one with litigation by all and sundry.

Naavi


Admissions open for Cyber Law Course from National Law School, Bangalore

National Law School University of India (NLSUI) has released the admission notice for admission to the PG Diploma Course in Cyber Law and Cyber Forensics (PGDCLCF).

This is a distance learning course with contact classes which will be held in Bangalore.

Details are available here:

The last date for admission is September 30, 2018. Extended date with late fee of Rs 500/- is October 15, 2018.

As a premier law education entity in the country, the course attracts senior IT professionals, Lawyers, Administrators and Law Enforcement persons each year.

Persons interested may avail the opportunity.

Naavi


Data is the New Oil, Attempt to create Economic Colonies using Data Mining is a reality

I draw the attention of readers to an interesting article titled “American Data Miners are modern avatars of British East India Company”.

This article also has relevance to the lobbying that many international companies are presently attempting in order to change some of the provisions of the PDPA 2018 (Proposed Personal Data Protection Act). Many vested interests have even been organizing seminars with the ulterior intention of mobilizing public opinion against the move of the Government, which only says “One Serving Copy of personal data collected from India should be held in India”.

It is however noted that there are many experts who are vocally opposing the moves of these companies, and we see heated debates in the seminar halls and WhatsApp groups supporting the Government’s move.

Naavi.org considers that the provisions of PDPA 2018 have taken into consideration the views of the industry and accommodated the international players sufficiently. At the same time, it has tried to safeguard the Indian interests both from the national security perspective as well as the need to give a boost to the Indian data storage eco system.

Just as Y2K gave a boost to the Indian IT industry, the move of the Government has substantial economic significance and hence has to be pursued. It has the potential to create more data centers in India with associated activities, including development of a professional work force with specialization in Data Protection.

Referring to the “East India Company” reference made in the article on mynation.com, we need to highlight that Naavi.org has several times in the past, during discussions on Copyright and IPR, indicated that the IPR regulatory regime is being used to create economic powers to ride over India. Now we see a similar attempt through the International Data Protection Regulations.

In our earlier article “Data Processors in India should avoid entering into unenforceable contracts which may be termed “Fraudulent””, we had highlighted how the “Standard Contractual Clauses” used in EU recommendations are an attempt to override Indian law. Sensing such attempts, we had recommended during the deliberations of the Srikrishna Committee that Indian companies should be protected from international assault through data protection laws by creating an “Umbrella of Protection”, so that no penal action can be launched against Indian companies under GDPR or similar laws except through the Indian Data Protection Authority. (Refer: “Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights”).

It is unfortunate that even during the East India Company days, India was exploited by foreign agencies through obliging locals who could be bribed by various means to support the long term exploitation goals of the foreign interests, ignoring the interests of the nation.

Even today, the same threat continues to haunt us and is also reflected in the commercial aspects related to data localization or data protection in general.

Recognizing the need for Indian Data Protection Professionals to keep the interests of the nation on top of their minds, the Foundation of Data Protection Professionals in India (FDPPI) has adopted as its objective the building of an empowered community of Data Protection Professionals who contribute to the development of a Secure Information Society in India, taking the national interests into consideration.

I hope the long term benefit of having an organization that focuses on Data Protection without neglecting the national interests would be appreciated by the community and translate into active participation in the activities of the Foundation.

Naavi

Also refer:

India: The Debate – Data Localization And Its Efficacy

How localization of data will affect firms, consumers


Controller of Certifying Authorities can improve security of Digital Signatures

Digital Signatures are the legally recognized means of authentication of electronic documents in India. Though many companies, including Banks, ignore the fact that a Password is not the legally acceptable authentication, it is being widely used for many authentications, including financial transactions. While some Banks have started offering digital signing options for Banking transactions, most of them are banking only on the OTP system to secure the authentication.

The e-KYC system used by Banks is also dependent completely on the security of the OTP system, and even though e-KYC can be used for e-Signing, which is legally equivalent to a digital signature, it is still not secure beyond what OTP provides.

Most Banks use OTP only on mobiles, and the OTP message is sent through an unencrypted SMS message. In such cases, if there is a compromise of the mobile through SMS reading apps, or when the customer is subjected to voice based phishing, the OTP will be compromised and could lead to frauds.

While it is necessary that Banks anticipate such risks of compromise at the user device level and initiate security measures which overcome OTP compromise risks, or else bear the responsibility for the fraud losses, we can independently look at one measure which the Controller of Certifying Authorities (CCA) can initiate to improve the reliability of the Digital Signature system.

The CCA should take a leaf out of UIDAI’s book in this regard, where some measures have been initiated which appear to be good for the CCA to introduce as well.

Firstly, just as UIDAI uses a system of biometric lock, CCA can through the Certifying Authorities provide an option to the digital signature user to lock and unlock his digital signature through the repository maintained by the parent Certifying Authority (CA).

Secondly, every digital signing incident where a verification call is made on the repository could be logged with useful metadata and made available to the digital certificate subscriber. This also has been done by UIDAI, though the information logged is sketchy and could be improved.

If such a facility is available, the application developers may also use a “Verification Call” as a mandatory requirement before a digital signature is applied in any usage scenario.

Probably in the case of offline digital signing there could be an issue, but such situations can still be logged with a post-signing verification whenever the digital signatory is connected to the internet.

When such verification calls are made, there could be practical issues, including privacy issues, to be considered, but the concerns can be handled since we are verifying through a secure connection between the digital signer and the CA.

I hope the CCA would consider some of these measures as part of its rule making power until such time as ITA 2008 itself can incorporate such measures as part of the law.

I look forward to suggestions from security experts in this regard. The request has already been made to the CCA and I am awaiting the response.

P.S.: This suggestion arose due to a query from Mr Uday Gupta, one of the readers of an article on this site on digital signatures, and I thank him for raising this issue.

Naavi
