Is the Media guilty of tampering with the voters’ minds?

One section of the media commenting on the Cambridge Analytica incident is strongly critical of the development that digital marketing agencies are manipulating public opinion through campaigns designed by profiling the voters. In the context of the forthcoming election in Karnataka, it is being stated that some digital marketing companies are engaged in the unethical activity of trying to change the mindset of the voters.

In these discussions the media has been completely hypocritical, and its bluff needs to be called. Every marketing activity in the world aims to change the decision of the target audience so that it takes a favourable decision about a product. Marketing per se is therefore a legitimate activity. In marketing or advertising, however, we make a distinction between “Ethical” and “Unethical” communication.

If the advertiser is making false propositions through his advertisement, it is unethical and fraudulent and needs to be condemned. But if the advertiser is using creative communication to make the target audience believe that the product being marketed is beneficial to them because it has some features X, Y, Z, then it is perfectly legitimate.

Similarly, in election advertising, what we the citizens as well as the Election Commission have to see is whether the message used in the advertisement is true, false, or utterly false and misleading.

As regards profiling, it is for the marketing agencies to use their own analysis of the data available to them to decide what communication is good for a given audience. If this is called “Profiling”, it is nothing but “Market Segmentation”.

Hence the objection to the profiling activities of digital marketing companies is misplaced, since the same objection can be raised against every other advertisement, including the advertisement for a chocolate or for the IPL.

Another major objection I have to the media talking about “trying to manipulate the voter’s mind” through advertising by digital media marketers is to ask these media gurus whether journalism itself is anything other than creating “opinions” and “changing opinions”.

Every media article is written with the objective of conveying an opinion. The days of “Factual Reporting”, which used to happen on the Government-controlled AIR and DD, are gone.

Most TV news today is about “Debates” in which different political parties speak to support their own political agenda, and the anchors provide opportunities for spokespersons to speak lie after lie in the interest of “Balancing” the debate. Depending on the anchor’s own prejudice, they add to the lies. The entire debate is therefore directed only towards forming a public opinion, and there is no ethics in TV journalism today.

In the Karnataka election, Rahul Gandhi speaks of “Being against Corruption” and “Being Religious”. Is there a greater joke than such statements? Journalists of all hues talk as if these statements deserve to be publicised on TV and not censored straight away by the anchor at the debate table.

If journalists want to complain about digital marketing and “tampering with the voter’s mind”, then they should first stop the false campaigns they run on TV debates in the hope that some of the audience will get converted.

But what these journalists do not understand is that the public are intelligent and can see through the statements of the politicians immediately. Most debates are therefore a waste of time, and the audience either are not listening or listen selectively.

I therefore urge that the media should think of changing their debate style, eliminate all political spokespersons from the debate, and stick to discussion of issues by professionals who can comment on the issue irrespective of whether it is advantageous to one political party or the other.

The Election Commission should see how it can regulate these debates in which false statements are made deliberately and maliciously. These are worse than advertisements and should be stopped on grounds of “Ethics” as well as “Fraud” on the voters.

Will the Election Commission be fair? Will the journalists be honest in this respect?

Naavi

Posted in Cyber Law

Workshop on Information Security at Jaipur

Workshop on “Information & Cyber Security for Industry Leaders”

0900 hrs : 27 April 2018 : Hotel Clarks Amer,Jaipur

Confederation of Indian Industry-Rajasthan is organising the One Day Workshop on Information & Cyber Security for Industry Leaders on Friday, 27 April 2018 at Hotel Clarks Amer, JLN Marg, Jaipur.

Overview

As you are aware, managing an industry no longer ends with the marketing, technical, financial and managerial aspects. There is an important ingredient of Information Technology in everything we do.

Along with the convenience that comes with the use of Information Technology come the risks of Cyber Crimes, Cyber Terrorism and Cyber Wars. Viruses, Trojans and Ransomware disturb our sleep; Hacking and Phishing can cause nightmares. Denial of Access can bring down our dream projects when we most want our systems to be in good shape.

In this scenario of disruptive changes all around us, it has become necessary for the leaders of organisations to understand the risks we encounter when we use Information Technology to drive our business, and how we manage the information risks that arise out of the emerging digital industry scenario.

Objective

This workshop aims to address the need of organisations to understand “Information Security Risks” and how CEOs need to brace themselves to meet these risks as part of their responsibilities, from the managerial perspective of Information Security.

Topics to be Covered

- Development of a Framework for Digital Security for SMEs on a collaborative model
- Managing the challenge of motivating employees towards building a better Information Security culture
- Overview of the emerging Industry 4.0 scenario
- Overview of the Cyber Crimes, Cyber Terrorism and Cyber Wars that affect industrial management
- Frauds in Banking
- Export-Import
- Phishing
- Virtual Impersonation
- Overview of the management of digital properties like Domain Names and Intellectual Property Rights in digital properties
- Concept of Cyber Security in the industrial environment and the multiple dimensions of information security, namely the Technical, Legal and Behavioural aspects
- Cyber Laws as applicable in India and the need for ITA 2008 compliance as part of Corporate Governance
- Concept of Digital Signatures, Encryption and Cyber Insurance as tools of Information Security
- Any other matter of relevance to Information Security in the managerial context

Topics will be supported by case study presentations, group activity, video presentations and PowerPoint presentations.

Faculty

The workshop will be conducted by Na Vijayashankar (Naavi), Information Assurance Expert from Bengaluru and a pioneer in Cyber Laws in India.

 [Contact Mr Tushar Shroff, CII, Jaipur for more information]

Naavi

Posted in Cyber Law

Will emerging Privacy Laws be a threat to the society?

The “Privacy laws” as they are emerging in the world are intended more to protect the community of those who want to hide their identity and commit crimes against society than to protect honest citizens from Governmental surveillance or spamming by commercial advertisers.

The risk in Government surveillance is not so much that the Government of the day knows too much about its citizens in a privacy-unprotected world, but that some political elements would misuse the information for personal gain and for harassing honest citizens.

If in the US I am against Donald Trump, I would not like the US Government to know my political affiliation and what underground work I am doing to ensure that Mr Trump does not win the next election. In India, if I am a black money holder, I would like to do everything to ensure that Aadhaar is not linked to my bank accounts, and argue that such an attempt is a privacy invasion. If Congress were in power, I would be comfortable, since I could hold any amount of black money as long as I take care of the politicians.

Most privacy activists may take a public stand as if they are the guardians of democracy, but beneath their desire for absolute privacy protection there is an ulterior motive: to be able to continue activities which society may not like.

We need to give up this hypocrisy and admit that what we need is protection against misuse of information by politicians, for which checks and balances should be built, rather than preventing Big Data processing for the profiling of certain activities.

Now, with the advent of the “Right To Erasure”, GDPR holds out a great threat to society by erasing vital information that is actually intelligence about potential terrorist activities.

I do not foresee any possibility of a terrorist giving consent in any form to let his activities be monitored, whether by Google or Facebook or law enforcement. Whether a terrorist has made a recce trip to survey his target, or is trying to campaign for the radicalization of innocent friends on Facebook etc., becomes unavailable for intelligence gathering. Terror sleeper cells will therefore consider 25th May 2018 as a day of “Freedom from Oppression by Counter-terrorist Activities”.

It is to be expected that terror organizations operating from the EU zone will have an umbrella of protection from surveillance. Some of their activities may be directed towards non-EU countries, and hence the EU may become a haven for terrorists from which global terror activities would be planned and executed.

However, in due course, as terrorists take shelter in the EU, it would be the EU countries themselves which would be affected most, and in the coming two decades we may see EU countries being radicalized one by one.

I am not sure that EU regulators have taken adequate precautions in the direction of making GDPR immune from being misused by terrorists. Though National Security is a ground under which security agencies can cut free from GDPR regulations, in practice the restrictions would severely affect the capability of security agencies to identify potential threats.

This sentiment has also been expressed by US Homeland Security officials. I hope Indian authorities also flag this issue and ensure that Indian interests are fully protected in the context of EU countries becoming too rigid in the implementation of GDPR.

Indian Context

In case any citizen of the EU is acting in a manner which could be detrimental to the interests of India, we need to assert that ITA 2008 provides the legal power to ensure that “Data Retention” norms and the powers of “Interception”, “Right to demand Traffic Data” etc. may be exercised by the Indian authorities.

I therefore urge the Indian Government to issue an advisory that all companies having an establishment in India, or engaged in the monitoring of any activities in India, are required to be compliant with ITA 2000/8 whether or not they are compliant with other regulations.

In order to ensure that the business interests of outsourced operations are not affected, a system of “Special Data Processing Zones”, on the lines of STPI, may be set up so that data entering such zones is insulated and adequate protection measures are available to ensure that there is no mix-up of “International Data Flow” with “Local Data Flow”.

The Government may consider a “Special EU Data Processing Zone” which is GDPR compliant, but ensure that data flow in and out happens through a special gateway which can be secured as per the provisions of GDPR while also protecting Indian interests.

Probably this concept needs further exploration, but there is a need for Privacy and Security professionals in India to sit together and find a proper means of working that does not allow the Privacy laws of the EU, US, Singapore or Australia to hurt Indian interests.

Naavi

Also Refer

Europe’s data protection law may have severe implications for India’s IT industry

Posted in Cyber Law

Last Date For submission of Public Comments on DISHA 2018

DISHA 2018 is the proposed law for India applicable to the Privacy and Data Protection related to the Health Care sector in India.

The IT industry is in the midst of discussions on GDPR and how it will impact Indian companies. At the same time, the Srikrishna Panel is also due to submit its recommendations on the general Data Protection law for India.

Behind all these developments there is already ITA 2000/8, which defines Personal Data and Sensitive Personal Data, the responsibilities for protecting the Confidentiality, Integrity and Availability of “Data”, “Personal Data” and “Sensitive Personal Data”, the penalties, the dispute resolution mechanism, etc.

Unfortunately each Ministry of the Government wants to have a separate law for itself addressing Data Protection in its own domain. This multiplicity of laws is unlikely to benefit the people and will increase the cost of administration enormously.

Today is the last day for submission of comments by the public on DISHA 2018, the “Digital Information Security in Health Care Act 2018”. Public comments are expected to be sent before April 21, 2018 to egov-mohfw@nic.in.

In order to enable stakeholders to form their views and forward them to the Ministry, Naavi has provided his own immediate views on the proposed 45-section draft legislation in the form of the following articles.

  1. DISHA 2018- Proposed Health Information Security Act in India
  2. Consequences of Health Data Breach under DISHA 2018
  3. Data is a Property owned by the Data subject under DISHA 2018
  4. New Regulatory Agencies under DISHA 2018

There are also some articles posted on www.privacy.ind.in on GDPR and the Srikrishna Panel.

Readers may peruse these articles and send their own comments on DISHA 2018 to the Health Ministry.

It is our firm belief that “Data Protection” requires a comprehensive regulation for multiple sectors and there has to be an “Umbrella Law” that is supported by “Sectoral Security Standards”. ITA 2000/8 already has the concept of “Reasonable Security Practice” with flexibility for sectoral regulators to define their own standards.

It is therefore redundant to have multiple Data Protection legislations leading to multiple Data Protection Authorities, Officers, Committees, Chairpersons, etc. Such sectoral laws will be unproductive and create conflicts.

If the Modi Government believes in minimal governance and the best use of technology, there is a need for a complete re-think of the approach to such sectoral laws, sectoral CERTs, etc. These suggestions are created by bureaucrats who think all legislation is for the benefit of creating new organizations and bloating up Government expenditure, and the law is only an excuse.

The public do not relish such an approach. These laws only increase the cost of administration and also create corruption centres in the country. They do not bring proportionate benefit to the public.

I look forward to the right-thinking persons in the Modi Government giving a thought to the above comment as they proceed with such duplicate legislation.

At a time when Mr Modi is considering the National Health Mission, which is a huge political and financial investment, having an efficient organization to back it up in terms of legislation and authorities is considered necessary. But what we need to consider is whether “Medical Data” is also “Data” which is already addressed by ITA 2000/8 and the Data Protection Act (Srikrishna Panel), and whether we can merge these proposed legislations into one existing legislation, which should ideally be the “Information Technology Act 2000, as amended in 2008 and to be further amended in 2018”.

We can then have one State-level Adjudication Authority, one Central-level Adjudication Authority for data in general, and one Data Protection Authority supported by sectoral standards committees and sectoral CERTs.

If this basic concept is accepted, we may have to rework DISHA 2018 and substitute it with one chapter on Health Data Security in ITA 2000/8 (with some changes in the Adjudication and Appellate Tribunal aspects of ITA 2008, which could be as suggested under DISHA 2018).

I hope a reasonable thought is given in this direction also.

Naavi

Posted in Cyber Law

New Regulatory Agencies under DISHA 2018

DISHA 2018 is the proposed law for India applicable to Privacy and Data Protection in the Health Care sector. At a time when there is discussion on GDPR all around the industry and anticipation of the Justice Srikrishna Committee’s recommendations on a general Data Protection Act for India, DISHA 2018 has been proposed by the Health Ministry in draft form for public comments. The Act is likely to be named the “Digital Information Security in Health Care Act 2018”. Public comments are expected to be sent before April 21, 2018 to egov-mohfw@nic.in.

In order to enable stakeholders to form their views and forward them to the Ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.

…..Naavi

This is a continuation of the earlier article on this subject.

Any new legislation brings with it a proposal for creating new regulatory authorities and new executive positions for influential Delhi bureaucrats, often unmindful of the costs involved and the inefficiency which the multiplicity of regulatory authorities breeds. DISHA 2018 is no exception. In the light of the action taken in the last budget to abolish some Tribunals, such as the Cyber Appellate Tribunal, at some point of time the authorities created by one law may get abolished for some reason or the other. Sometimes authorities get created but there is no activity. We have seen this happen with the Adjudicating Authorities under ITA 2000.

Despite this experience, DISHA 2018 also tries to create many authorities for regulation under the proposed Act.

The first such authority is the National Electronic Health Authority of India (NeHA). A Chairman assisted by a board of representatives from different ministries and some ex-officio members would constitute NeHA.

NeHA will be assisted by a “National Executive Committee” with more members from the bureaucracy.

These regulatory bodies will be supported by a “State Electronic Health Authority” and a “State Executive Committee”, creating more jobs for bureaucrats in all the States and Union Territories.

These bodies will then appoint their own staff and invest in buildings, cars, hefty salaries and pensions, all at the expense of the taxpayer’s money, increasing the cost of living.

Whether these regulatory bodies are aware of IT, IT Security, Data Protection, etc. will be the last consideration.

Adjudicators

Similarly, for dispute resolution, State and Central Adjudicating Authorities have been proposed.

For a breach of digital health data by a clinical establishment or any entity, an aggrieved person or owner may complain to the State Adjudicatory Authority.

For a breach of digital health data by a Health Information Exchange, a State Electronic Health Authority or the National Electronic Health Authority of India, an aggrieved person or owner may complain to the Central Adjudicatory Authority.

The Adjudicating Authorities will be multi-member bodies consisting of a Chairperson and two other members, which is welcome since our experience with the Adjudicating Authorities under ITA 2000 has shown the need for such a multi-member body. The Central Adjudicating Authority will also be the appellate authority against the orders of the State Adjudicating Authorities.

Appeals from the Central Adjudicating Authority will go to the High Court.

Otherwise the Adjudicating Authorities will be, as in the case of ITA 2000, authorities which are not bound by the Civil Procedure Code.

No specific compensation limit is indicated in the proposed Act either.

However, no civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which the Central Adjudicatory Authority or the State Adjudicatory Authority is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

We need to await the detailed procedural notification at a later stage for more details on the functioning of the Adjudicating Authorities and the appointment of people to the different positions in them.

If two successive Governments at the Centre were unable to find a Chairperson for the Cyber Appellate Tribunal since 2011, and the Ministry of Mr Arun Jaitley decided to merge the tribunal with another Tribunal as a solution, unmindful of the consequences for society, we need to observe how the proposed Adjudicating Authorities under this Act would be set up.

If there was a lack of work for the Cyber Appellate Tribunal under ITA 2000, will there be sufficient work for these tribunals? Or can these tribunals also handle ITA 2000 complaints? These are questions to which answers may be expected from the Government.

Naavi

Posted in Cyber Law

Data is a Property owned by the Data subject under DISHA 2018

DISHA 2018 is the proposed law for India applicable to Privacy and Data Protection in the Health Care sector. At a time when there is discussion on GDPR all around the industry and anticipation of the Justice Srikrishna Committee’s recommendations on a general Data Protection Act for India, DISHA 2018 has been proposed by the Health Ministry in draft form for public comments. The Act is likely to be named the “Digital Information Security in Health Care Act 2018”. Public comments are expected to be sent before April 21, 2018 to egov-mohfw@nic.in.

In order to enable stakeholders to form their views and forward them to the Ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.

…..Naavi

This is a continuation of the earlier article on this subject.

DISHA 2018 brings an important concept into Data Protection legislation for the first time by declaring that “Data is the Property of the Data Subject”.

Under the proposed Clause 31 of the Act, it is stated:

(1) The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised;
(2) A clinical establishment or Health Information Exchange shall hold such digital health care data referred to in sub-section (1) above in trust for the owner;
(3) Any other entity who is in custody of any digital health data shall remain the custodian of such data, and shall be duty bound to protect the privacy,confidentiality and security of such data;
(4) Notwithstanding anything stated in the above sub-sections (1) to (3), the medium of storage and transmission of digital health data shall be owned by the clinical establishment or health information exchange, as the case may be.

Under Section 3(e) Digital Health Data is defined as follows:

(e) ‘Digital Health Data’ means an electronic record of health related information about an individual and shall include the following:

(i) Information concerning the physical or mental health of the individual;
(ii) Information concerning any health service provided to the individual;
(iii) Information concerning the donation by the individual of any body part or any bodily substance;
(iv) Information derived from the testing or examination of a body part or bodily substance of the individual;
(v) Information that is collected in the course of providing health services to the individual; or
(vi) Information relating to details of the clinical establishment accessed by the individual.

It is interesting to note that the “Ownership” is limited to Digital Health Data and may not extend to “Personal Data” in general.

The implication of this provision is that a patient can demand that any health data collected about him is his property and must be handed over to him. Being “Property”, the legal heirs will also have a right to it if the patient is not alive.

This definition should have an effect on cases such as J. Jayalalitha’s health records, which would now become the property of her legal heirs. Hospitals cannot hide the data under the non-existent “privacy” considerations of a deceased individual.

The rights of the owner of digital health data are defined under Section 28 as under:

(1) An owner shall have the right to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act.

(2) An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of this Act.

(3) An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data.

(4) An owner shall have the right to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed, subject to the exceptions provided in Section 33 of the Act.

(5) An owner of the digital health data shall have the right that the digital health data collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;

(6) An owner of the digital health data shall have the right to know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed;

(7) The owner of the digital health data shall have a right to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;

(8) The owner of the digital health data shall have, subject to sub-section (1) to (3) above:

(a) The right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;

(b) The right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;

(c) The right to be notified every time their digital health data is accessed by any clinical establishment within the meaning of Section 34 of the Act;

(d) The right to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;

(e) The right to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;

(f) The right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data;

(g) The right to seek compensation for damages caused by a breach of digital health data.

There is a streak of GDPR in the above provisions. What attracts notice is Section 28(8)(f), which states that a person has the right not to be refused health service if they refuse to consent to the generation, collection, storage, transmission or disclosure of their health data.

How a health establishment can provide a health service without, say, conducting a blood examination if consent is refused is a matter that will be intriguing for hospitals.

In order to protect the rights of the Digital Health Data Subject, the principles of purposeful collection (Section 29), lawful collection (Section 30), secured storage (Section 32), secured transmission (Section 33), access provision (Section 34), rectification option (Section 36) etc. are also laid down.

Section 35 imposes all the liabilities of Information Security Management, because it states:

35. Duty to maintain privacy and confidentiality of digital health data

(1) A clinical establishment, health information exchange, State Electronic Health Authority and the National Electronic Health Authority, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner;

(2) Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

(3) The privacy, confidentiality and security of digital health data shall be ensured by taking all necessary physical, administrative and technical measures, that may be prescribed or specified, to ensure that the digital health data, collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to the above provisions, a clinical establishment or health information exchange shall ensure through regular training and oversight that their personnel comply with the security protocols and procedures as may be prescribed or specified under this act.
(5) A clinical establishment, or a health information exchange, shall provide notice immediately, and in all circumstances not later than three working days to the owner, in such manner as may be prescribed under this Act, in case of any breach or serious breach of such digital health data.

It is clear from the above that clinical establishments will have a tough time complying with DISHA 2018, almost on the lines of GDPR.

Since DISHA is applicable to “Clinical Establishments”, whose definition [Section 3(i)] includes

- a hospital, maternity home, nursing home,

- a dispensary, clinic, sanatorium or an institution by whatever name called that offers services or facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine, or

- a place established in connection with diagnosis where pathological, bacteriological, genetic, radiological, chemical, biological investigations or other diagnostic or investigative services with the aid of laboratory or other medical equipment are usually carried on,

the impact of what it proposes as security is far-reaching.

(Discussions will continue)

Naavi

Posted in Cyber Law