Bitcoin is Digital Black Money… Is Fake news being promoted by Cogencis?

In the last few days, Economic Times has been carrying on a campaign for the legalization of Bitcoin. The article “U-turn on bitcoin? Government panel may allow cryptos with riders”, which does not carry the name of the reporter, suggests:

“A panel formed by the government to look into crypto-currency does not seem to be in favour of banning it. Instead, it may suggest allowing crypto-currency with riders, ETNow reported quoting Cogencis.”

It is not clear why ET Now is spreading this news, which could be fake news planted by some interested Bitcoin holders.

ET bases its story on “Cogencis”, a company co-founded by one Mr Kalyanram Kodakalla, with directors such as Paurush Roy, Vimal Agarwal and Deepak Ghaisas. The company professes to be a “Trusted” global provider of financial data and analytics. It has offices in Mumbai, Bangalore, Hyderabad, New Delhi, etc. (Refer www.cogencis.com)

I would like to request Cogencis to disclose the source of their information, which should have been the Ministry of Finance.

To an ordinary observer, it appears to be fake news planted to promote Bitcoin. It is unfortunate that Economic Times is trying to legitimize this fake news.

I request the Government of India to conduct an enquiry into how this news has been manufactured. In case there is any involvement of the officials of the Finance Ministry, they should be punished.

Let us remember that Bitcoin is Digital Black Money and that the people who are supporting it include those who converted their black money into Bitcoins during the demonetization period. Additionally, there are criminals and terrorists who have built up Bitcoin wealth and want a legitimate channel to bring it into the legacy currency system so that they can destabilize the economic progress of India.

There is no way any official who is himself not corrupt would support any move to legitimize Bitcoin. RBI has been opposing this move, though it appears that some of the officials in the Arun Jaitley Ministry are in favour.

It is now left to Mr Modi and Mr Amit Shah to show their commitment to black money eradication by sticking to the policy of “Banning of Bitcoin”.

Let us hope that even if the Ministry of Finance has been corrupted, the PMO still remains uncorrupted. The proof of the pudding will be how Mr Modi reacts to the news doing the rounds now.

If Mr Arun Jaitley is honest, he should clarify whether the news report is correct or fake.

Naavi


Fraud and Breach Prevention Summit of ISMG at Bengaluru

Information Security Media Group, a global organization managing several media assets (Refer: www.ismg.io), organized a two-day event at Taj Vivanta, Bengaluru, titled Fraud and Breach Prevention Summit, starting today, the 12th June 2018. It will conclude tomorrow.

In a widely attended conference, several eminent information security professionals shared their valuable thoughts on different subjects relevant to information security practitioners in sessions throughout the day. The undersigned also participated in a discussion on the “Aadhaar Security Conundrum”.

One of the interesting sessions during the day was “Detecting and Fighting Fraud with Cognitive and Behavioural Biometrics”, presented by Mr Tamaghna Basu, CTO, neoEyed. Mr Basu shared some interesting thoughts on using behavioural biometrics such as keyboard strokes, gait recognition, signature analysis, etc. Mr Basu showed how the way a person enters a PIN, signature or password can be analyzed to develop a distinct pattern that can be used as an additional form of authentication, significantly reducing the forging of key strokes.

The solution briefly demonstrated by Mr Basu appears to have good potential for use by banks and financial institutions and deserves a serious trial.
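The keystroke-rhythm idea described above, worked out as an added example that is not neoEyed's product or anything Mr Basu showed: a few genuine entries of a PIN are enrolled into a timing profile built from key dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), and a new attempt is scored as its average distance from that profile in standard deviations. The PIN, the millisecond timings and the acceptance threshold are all constructed for the illustration.

```python
"""Illustrative keystroke-dynamics check for a fixed PIN (constructed data).

An attempt is a list of (key, press_ms, release_ms) tuples, one per key,
as a client could record them from key-down / key-up events.
"""
from statistics import mean, pstdev

PIN = "2580"  # constructed sample PIN, not a real credential


def make_attempt(pin, dwells, flights):
    """Build an attempt from per-key dwell times and between-key flight times (ms)."""
    t, out = 0, []
    for i, key in enumerate(pin):
        press, release = t, t + dwells[i]
        out.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return out


def features(attempt):
    """Timing vector: dwell time of each key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in attempt]
    flight = [attempt[i + 1][1] - attempt[i][2] for i in range(len(attempt) - 1)]
    return dwell + flight


def enroll(pin, attempts):
    """Per-feature mean and spread from several genuine entries of the same PIN."""
    cols = list(zip(*(features(a) for a in attempts)))
    return {
        "keys": list(pin),
        "mean": [mean(c) for c in cols],
        # floor the spread at 1 ms so a feature with near-zero variance cannot dominate the score
        "std": [max(pstdev(c), 1.0) for c in cols],
    }


def score(profile, attempt):
    """Mean absolute z-score of the attempt's timings against the profile (0 = identical)."""
    return mean(abs(x - m) / s
                for x, m, s in zip(features(attempt), profile["mean"], profile["std"]))


def verify(profile, attempt, threshold=2.0):
    """Accept only if the typed keys match AND the rhythm is, on average, within
    `threshold` standard deviations of the enrolled profile. The threshold is a
    tunable trade-off between rejecting the genuine user and accepting a forger."""
    if [k for k, _, _ in attempt] != profile["keys"]:
        return False
    return score(profile, attempt) < threshold


# Constructed enrollment sessions: same PIN, small natural variation in rhythm.
GENUINE_SESSIONS = [
    make_attempt(PIN, [90, 85, 95, 80], [150, 120, 140]),
    make_attempt(PIN, [95, 80, 100, 85], [160, 115, 135]),
    make_attempt(PIN, [85, 90, 90, 80], [145, 125, 150]),
    make_attempt(PIN, [92, 87, 97, 78], [155, 120, 140]),
    make_attempt(PIN, [88, 83, 93, 82], [150, 118, 145]),
]
PROFILE = enroll(PIN, GENUINE_SESSIONS)

# Constructed probes: the real user, the right PIN typed with an alien rhythm, and a wrong PIN.
GENUINE_PROBE = make_attempt(PIN, [91, 84, 94, 81], [152, 121, 141])
FORGED_PROBE = make_attempt(PIN, [180, 170, 190, 175], [350, 300, 330])
WRONG_PIN_PROBE = make_attempt("2581", [91, 84, 94, 81], [152, 121, 141])

if __name__ == "__main__":
    for name, probe in [("genuine", GENUINE_PROBE), ("forged", FORGED_PROBE),
                        ("wrong pin", WRONG_PIN_PROBE)]:
        print(f"{name:10s} score={score(PROFILE, probe):6.2f} accepted={verify(PROFILE, probe)}")
```

Run stand-alone, it prints the score and decision for each probe: the genuine probe lands well under the threshold, the forged entry of the correct PIN scores tens of standard deviations away and is refused, and the wrong PIN is refused before the rhythm is even considered. The behavioural score is only an additional factor layered on the normal credential check, and a deployed system would calibrate the threshold on real sessions and keep refreshing the profile as a user's typing drifts over time.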

Mr Vishal Salvi of Infosys delivered the keynote address, in which he presented a useful perspective on the changing threat landscape: how different aspects of cyber security, such as regulation, controls, etc., are out of sync with the pace at which the threat scenario changes, and why it is necessary to achieve a resonance between the different aspects of cyber security so that controls can be quickly adapted to changing threat scenarios. Mr Bharat Panchal of NPCI gave a thoughtful presentation on the status of payment systems in the digital economy. There were also discussions on blockchain technology for security and other subjects of interest, which were widely appreciated by the audience.

The discussions will continue tomorrow.

Naavi

ITA 2000/8 will remain the supreme Data Protection Law of India

One of the confusions prevailing in the domain of privacy and data protection is whether the two terms “Privacy Protection” and “Data Protection” are the same.

The time has come to distinguish the two concepts, since this confusion should not percolate into the Indian Data Protection legislation as and when the Justice Srikrishna Committee comes up with its recommendations.

Let’s put things in the right perspective. “Privacy” is a right that is recognized as a fundamental right of an Indian citizen. This is a concept that arises from the human rights domain. It has nothing to do with data or computers, though data can be a means of privacy breach and is therefore relevant to Privacy Protection.

India at present does not have any specific Privacy Protection legislation. In 2006 a draft bill was presented in the Lok Sabha and it subsequently lapsed. On the other hand, ITA 2000 has been in force since 17th October 2000, was strengthened by the amendments of 2008 (effective from 27th October 2009), and inter alia protects “Data that is related to Privacy Protection”.

Despite the Puttaswamy judgement, “Privacy Protection” remains an elusive concept since “Privacy is a mental state of a person to experience the feeling of being left alone as he desires” and this cannot be identified and protected by external agencies who handle the “Information Privacy”.

It is for this reason that an individual feels happy to voluntarily share his intimate personal information on his Facebook timeline with his friends without feeling a loss of privacy, but objects to it being viewed by somebody else whom he has not authorized.

In such cases it is the “Unauthorized access to personal data” that is considered as Privacy Breach and not the fact that it was first shared with one set of persons.

Data Protection, on the other hand, relates to efforts to protect data from unauthorized access and modification, and must be considered different from Privacy Protection irrespective of what kind of data it is. What the Puttaswamy judgment called “Information Privacy” is within the scope of Data Protection.

“Data” is information in binary form which is generated, processed, stored and transmitted using devices which we call “Computers”, a term which includes similar devices such as mobiles and, as per the definition in ITA 2000/8, also peripherals attached to a computer. There are specific provisions in ITA 2000/8 which protect data. This is the current “Data Protection Law of India”.

ITA 2000/8 distinguishes “Personal Data” and “Sensitive Personal Data” but does not restrict itself to protecting only such “Personal Data”. Protection of data under ITA 2000/8 extends to “Any Data” and penalizes any action in which data is used maliciously to cause wrongful loss to some person. For example, when some non-personal data is deleted without the permission of the owner of the data or the owner of the system holding the data, it is recognized as an offence. If this data had been “personal” or “sensitive personal”, the same law (Sections 43 and 66) would still be available as protection for the data.

Thus the Data Protection under ITA 2000/8 is at a level higher than the protection which the data protection laws now being drafted are designed to provide.

We can still debate whether we need to augment the “Adjudication” system of dispute resolution with a “Data Commissioner”, whether the “Director CERT-IN” has to be augmented with a “Supervisory Authority”, whether the compensation under Section 43 (which is unlimited) has to be quantified at some terrifying level such as Rs 1000 crores, etc…

…but we cannot say that ITA 2000/8 does not provide data protection.

The compliance officers under ITA 2000/8 work with the Information Security Managers on ITA 2008 compliance, to ensure the practice of “Reasonable Security Practice” under Section 43A or “Due Diligence” under Section 79. They are the current “Data Protection Officers” in India.

Compared to this role of an “ITA 2008 compliance officer”, the role of a “Privacy Officer” could be considered restricted to being a “Watchdog for Privacy Protection of Customer Data processed by a Company”. Under GDPR, the role of a DPO is restricted to this aspect, where the Data Subject’s rights are protected in the data processing environment.

The proposed Indian Data Protection Act should therefore recognize that what it needs to protect is a subset of the data already being protected under ITA 2000/8, and cannot be in conflict with the provisions of ITA 2000/8. Similarly, the role of Data Protection Officers under the (proposed) Indian Data Protection Act is a subset of the responsibilities of ITA 2008 compliance officials and cannot be in conflict.

Further, ITA 2000/8 does not exclude the data of citizens of other countries from its jurisdiction when it is processed in India. Hence any adverse impact on such data is also within the provisions of ITA 2000/8, and the role of ITA 2008 compliance officers encompasses the roles of DPOs as envisaged in the EU GDPR, the UK DPA or the German DPA.

The industry should therefore realize that an “ITA Compliance Official” has a larger role than the DPOs under the data protection laws, both existing and forthcoming, including laws such as GDPR or the UK DPA.

ITA 2000/8 will therefore remain the supreme Data Protection law in India, at least for the time being.

Naavi


Data Protection Professionals.. Don’t Get Sandwiched between the regulator and the boss

The Data Protection industry is closely related to the information security industry on the one hand and the legal compliance industry on the other.

This industry includes Data Controllers and Data Processors as envisaged in data protection laws such as GDPR, but is not limited to this segment alone. Data Protection is required not only for protecting the privacy of citizens under the Privacy Protection objective, but also because data is an essential raw material of business. Hence we protect data both to prevent privacy breaches and cyber crimes and to protect business interests.

Different laws are made for the prevention of cyber crimes and for the protection of the privacy rights of individuals, and therefore “Compliance” applies to both segments of activity. Cyber crime prevention laws have been in existence for some time and have not been in conflict with business requirements. Hence compliance did not create any conflict either for a company or for its compliance managers.

Privacy Protection laws, on the other hand, ignore the needs of business, not only for business data protection but also for the interests of business development itself, except within narrow boundaries. In many cases the law inhibits business development and justifies it in the larger interest of protecting the right of privacy. Cyber security is also a secondary objective for most of the data protection laws.

Cyber crime prevention laws do not ignore privacy rights, but address the protection of both business data and personal data to the extent that there is a measurable “Loss” suffered by a citizen.

Data protection laws cannot completely overrule cyber security requirements, and hence “Legitimate Interest of the Business”, “Law Enforcement Requirements”, “Legal Defense Requirements”, “Vital Interests of Other Individuals” and “Public Interest” are provided as exceptions in the law.

However, recognizing the availability of these “Exceptions” and applying them in a given scenario where multiple interpretations exist is a difficult proposition for operating Data Protection Professionals. The business would like to err on the safer side, and that “Safe” option is often a business hurdle.

Conflicts will therefore arise when a Data Protection Professional (DPP) tries to balance the Privacy Protection requirements of a data subject with the legitimate interests of the data processing industry. Managing this conflict will require the utmost skill from DPPs: skill in managing not only the technical aspects, but also the legal issues and the managerial concerns involved.

Under GDPR it is envisaged that the DPO is answerable to the Supervisory Authority while working under the salary/financial consideration of the Data Controller/Data Processor. This sort of relationship, with its inherent conflict, is new to IT professionals. It is the kind of relationship which Chartered Accountants and Company Secretaries try to manage, but not always with success.

It is with a recognition of this difficulty, and so that DPPs are not left sandwiched between their responsibilities to their bosses and their responsibilities to the regulator, that Naavi has promoted the idea that there is a need for an Indian Association of Data Protection Professionals (IADPP), and along with like-minded individuals is finalizing the formation of a suitable organization.

Explore this idea and contribute by becoming a member of this community today.

Naavi

IADPP, a proposed organization for Data Protection Professionals

The concept of “Data Protection” has gained a larger-than-life importance in India in recent days with the advent of GDPR, the impending advent of the Indian Data Protection Act and DISHA 2018. Though GDPR is not directly applicable in India, being a country with a large stake in data processing, most IT companies in India have been working towards GDPR compliance as if it were directly applicable to them. A few of these companies have already designated Data Protection Officers (DPO) under GDPR, though they had earlier ignored the creation of an “ITA 2008 compliance officer”, which was mandatory under ITA 2000/8, the current Data Protection Law in India.

If we observe the developments around the world, each country seems to be drafting a law called a “Data Protection Law” or “Privacy Protection Law”, supplementing the “Computer Abuse Act” or “Computer Crime Act” and other legislation which was earlier meant to address the issue of “Cyber Crime”.

Now, if “Breach of Privacy” were declared an “Offence” under the current cyber crime legislation, it would be sufficient to address the issue of preventing breach of privacy through information misuse. However, the current tendency is to draft data protection laws which are elaborate, completely eclipse the current cyber crime laws, and create a multitude of regulatory authorities.

Since a data processing company in India would deal with business from multiple countries, it needs to grapple with the data protection laws of multiple countries, and this creates a complex business management issue.

In the midst of these complexities, professionals who are designated as DPOs or otherwise handle compliance responsibilities will shoulder fiduciary responsibilities and are expected to protect the privacy of individuals while working within business organizations which have a legitimate interest in harnessing the personal data of those same individuals.

Hence all DPOs will have an inherent conflict of interest in balancing the human rights aspect of the individual with the commercial interests of the organization.

Wading through the maze of these laws requires continuous self-education. In the process of such self-education, nothing works better than “Peer to Peer exchange of thoughts”.

Recognizing the need for such a P2P platform for Data Protection Professionals, Naavi has proposed the creation of “Indian Association of Data Protection Professionals” (IADPP) as a body of Data Protection Professionals, by Data Protection Professionals and for Data Protection Professionals.

The concept is in its preliminary stage and is being expressed in detail through www.iadpp.in.

It is envisaged that Naavi will be a catalyst in the process of creation of this organization and it will be democratically managed by the members. There will be no commercial interest of Naavi in the management of this organization.

I invite all professionals who are directly or indirectly involved in “Data Protection” to participate in the creation of this body.

Kindly peruse www.iadpp.in for more information, which will be updated there. Since Naavi is located in Bangalore, initial activities will be centered in Bangalore, but it is desired that this will soon extend across India.

Please provide your honest feedback and contribute to take this idea forward.

Naavi


GDPR should not be a license for “Masked Cyber Stone Pelters” to disturb global peace

The recent fight between ICANN and the German judiciary on what the “legitimate interest” is in ICANN collecting domain name registration details and making them available to the public is an indication of the war that is going on between the EU and the US for economic supremacy on the global platform. The EU wants to snatch away the advantage that the US enjoys as a global IT player. In this war, the EU is trying to use GDPR as an instrument to make US business bow before the EU authorities. In this fight, the EU administrators and courts will stand with the interpretation of GDPR which favours the EU. This bias is visible in the ICANN issue.

We must understand that ICANN already has a contract under which the registrars have obtained their license and are running the commercial activity. Now GDPR is being interpreted as a superimposing law that invalidates the earlier contract. If GDPR has to be brought into domain name contracts, then the existing contracts will have to be revised, or ICANN should cancel the registrar licenses of all those who fail to adhere to the contractual terms.

Already, domain name registrations are often done under unverified e-mail addresses and are used for committing many crimes, including phishing and fake news distribution. There is an urgent need to build a trustworthy internet and prevent the misuse of the liberties that enable easy registration of domain names under fake e-mail addresses, or e-mails registered with service providers who are dark web constituents untouchable by international law. Now GDPR is giving legitimacy to such dark web activities and reducing the law enforcement powers of global authorities.

If an EU citizen books a domain name and hosts a website which delivers content to people outside the EU, then it is an activity outside the EU's law-making jurisdiction. There is no reason the world should accept an anonymous registration of a website from an EU registrar.

The objective of GDPR is protecting the privacy right of an EU citizen. It cannot be an instrument for launching a cyber war on non-EU citizens through websites registered by EU registrars. If the EU wants to have a system of domain name registration allowing secrecy of the registrant, it is welcome to create a closed internet system in which no information goes out of EU borders. It can be a dark web within the current dark web, which non-EU countries should be able to block off.

The provision of registrant details and their preservation by registrars is an essential aspect of cyber security, and the EU authorities have displayed a blind faith in privacy and ignored the adverse effect of the legislation if it is interpreted as it is now sought to be interpreted.

Currently, the disputing registrar in the EU is taking the stand that it will not collect the admin contact and technical contact details, and that no registrant details are to be made available under WhoIs search, because such details are not required for delivering the service.

Domain Name Registration is a Commercial Activity

Registering a domain name is not a fundamental right of a person in which the privacy right is embedded. It is a commercial decision that a person takes so that the content of the website can be used for some benefit, either directly, as in an E-Commerce website, or indirectly, through advertisement generation or brand building.

Hence, when an individual books a domain name, there is no fundamental right of privacy under which the domain name registrant should be allowed to hide himself and use the services. If this argument were extended, no Government should collect details of the promoters and directors of a company, because the personal details of the promoters and directors get recorded and made available, for a number of reasons, to a number of authorities.

Hence the decision of the German Court was incorrect, and there is no reason why GDPR should impinge on activities such as IP address display in e-mails and WhoIs data in the case of domain names.

In fact, providing the contact details and ownership particulars of a website is a necessary disclosure under law in India. The hiding of the sender's IP address in e-mails by e-mail service providers such as Google is open assistance to criminal activities. Present remedies, such as the Police contacting a relationship manager through a notice, are causing delays in investigations and impeding cyber crime prevention.

The demand of GDPR on ICANN's activities is a symptom of a larger malaise, where criminals who want to hide are taking over the current transparent systems of administration and in the long run will seriously damage law enforcement. As a result, cyber crimes will increase and cyber terrorists will use the EU as their base to launch attacks on the world.

Hence we should oppose the move of the German Court and demand from ICANN that all domain name registrations from EU registrars be immediately transferred to other registrars, for which a new “Domain Name Transfer Auction” can be arranged by ICANN to redistribute the domain names presently under the control of EU registrars to other registrars.

The EU registrars may exit from the business and develop an internal EU-only internet system where they can introduce anonymous domain name registrations similar to the numbered Swiss bank system. Just as the Swiss authorities benefited from global black money, now the EU can benefit from the dark web activities which can effectively run as an EU-Internet.

If we do not take a firm stand on this, gradually EU registrars may take over the business from the registrars of the rest of the world, since there is a majority community who would like to hide and throw stones at others. If these masked stone pelters keep working alongside the genuine domain name registrants, then there will be no value for honest web operators.

Remedy in India

While there is an economic fight going on between the US and the EU, which is using GDPR as a weapon, India is being caught in the crossfire, since a good part of Indian IT business provides services to US companies who in turn provide services to the EU. Indian companies also have a part of their business with the EU directly. Under both categories, GDPR is trying to impose itself as if it were the law applicable in India.

There is also the impending Indian Data Protection Act (IDPA) and the pressure of the Aadhaar-related demands on privacy protection, which are clouding the judgement of many experts.

Media as usual does not understand the real issues and is only interested in TRP based reporting.

If, therefore, IDPA becomes a replica of GDPR, as the UK has shamelessly done in drafting the UK DPA, there will be many in the media patting Justice Srikrishna and his team on the back and saying “Wow, India is as great as the EU in drafting privacy law”.

But the law makers should put the interest of the country ahead of the temporary headlines in newspapers that may praise them while drafting the Indian DPA.

Some time back there was discussion in India that websites would have to be registered with the Government. Now, to move into the GDPR-suggested regime of “anonymously registered domain names” would be a significant departure from the earlier thinking.

The Ministry of Home Affairs in the Central Government is responsible for the maintenance of law and order in the country, along with the State Governments. It is clear that cyber crime is a matter of increasing concern to the MHA, not only because of the increasing digital push to commercial activities but also because of the misapplication of certain laws such as privacy laws.

I urge the MHA to be aggressive and take up with the Justice Srikrishna Committee that under no circumstances should cyber security be compromised in drafting the Privacy Law. The Supreme Court should also take a stand in the interest of the security of the country rather than placing a misplaced importance on anonymous cyber transactions for protecting privacy.

I am sure there are enough experts in India who are so committed to privacy that they would not mind “Masked cyber stone pelters” being protected in the garb of human rights, while those who get hit are not considered to have any human rights. They would all hail GDPR and push Indian authorities to adopt a “Cyber Criminal Friendly Indian Data Protection Act”.

But I fondly hope that Justice Srikrishna would resist such pressure and suggest a law that is fair to honest people and does not err on the unsafe side.

Naavi
