Draft Law on Health Care Security released for public comments

Posted on March 28, 2018 by Vijayashankar Na

In the midst of the discussions on Privacy and Data Protection following the Cambridge Analytica controversy, the Ministry of Health and Family Welfare, Government of India has released the long pending draft of the Health Care sector law on Privacy and Information Security.

Earlier, a discussion on this had been started at Naavi.org under the title of Health Care Data Privacy and Security Act (HDPSA). Now the Act has been renamed as Digital Information Security in Health Care, Act (DISHA).

A copy of the draft is available here:

Public comments have been invited upto 21st April 2018 which may be sent to egov-mohfw@nic.in

Naavi.org will also provide its own comments in the next fortnight.

This law will be in addition to ITA 2008 and the proposed Privacy and Data Protection Act which the Srikrishna Committee is drafting. We also know that the TK Vishwanathan committee was also drafting an amendment to ITA 2008.

With the undue attention that Cambridge Analytica is getting, there is  complete chaos in the domain of Privacy and Data Protection and now this additional law will add further spice to the discussions.

Coinciding with this spur of activity GDPR is being implemented by many Indian companies for the deadline of 25th May 2018.

It is therefore a very active period for Privacy professionals in India. Hopefully we will be able to avoid overlapping legislations  and conflicts in different laws making the work of compliance difficult.

Naavi

Posted in Cyber Law | Leave a comment

BJP goes for Risk Mitigation and Congress goes for Risk Avoidance

Posted on March 27, 2018 by Vijayashankar Na

Suddenly politicians have become experts in data protection and how mobile apps may collect data without your consent. Mr Rahul Gandhi who once gave us the “Gyan” about “Jupiter Escape Velocity” is about to give us “Gyan” about “Privacy and Data Protection” and how consent should be obtained.

We have not forgotten the fact that his close aide Ms Ramya who manages RG’s twitter openly asked not long ago for Congress workers to open fake accounts and increase the social media foot print so that they could compete with Modi’s popularity on the social media. Congress also used some foreign Bots to post “Likes” and “retweets” so that the fake followers and fake re-tweets could create a “Fake News” in the social media so that every lie uttered gets magnified and is able to fool more number of dumb voters.

Unfortunately, in these efforts, RG forgets that it is his “Ivnarva” speech and “Vish….Vish…..” stumbling which is more popular in Karnataka in the social media than his more erudite utterances on Data Privacy.

Now Both Congress and BJP have started trading charges based on the privacy policies followed by both parties for their respective apps. It is funny that the spokespersons of political parties are suddenly talking like Privacy experts.

My sincere advice to them is to stop talking on this subject even if media tries to needle them. They should say that some experts are looking into whatever allegations are being made and corrective action would be taken as necessary.

The vulnerabilities of the Mobile Apps are known and even big companies have not addressed them adequately. I therefore donot expect political party apps to be more privacy compliant than the apps of the MNCs.

The Cambridge Analytica issue has become the focus of both the national and international media only because Donald Trump was connected to the incident as a beneficairy of the election campaign based on the profiling of people provided by Cambridge Analytica. The fact that the subsidiary of the same company could have been involved in managing the election campaigns of BJP, Congress and JDU in India brought the focus in India. Media would not have been interested if this was only an issue related to the privacy of the public.

What is actually disgusting is that some of the security professionals are joining hands with Rahul Gandhi and trying to spread disinformation. Some of them are even testifying against the Government in the Aadhaar issue. Perhaps they are doing it because they hate Mr Modi or because they have been bought by Congress and the Communists to defame Mr Modi.

It is disappointing to note that such professionals are also criticising the Namo App issue as if they agree with Mr Rahul Gandhi’s view that  Mr Modi is spying the Indian citizens through this App. Mr Rahul Gandhi’s intelligence level is known and no body is surprised at his utterances. But security professionals will come out as hypocrites if they donot understand that we cannot expect the PM to check the source code of the app or the privacy policy just because the App is named after him. He has to depend on technology specialists and if they have made a mistake, take suitable action.

These security professionals should also understand that the App is branded as “NaMo” because of the brand value atttached to the name of Mr Modi. It is not however the personal property of Mr Modi and must be considered as belonging to the Government. Government would have sub contracted the development and maintenance of the App and it is such an organization which is actually responsible for the Privacy policy being not followed etc.

Hence the talk of Mr Modi being responsible is incorrect and nothing different from celebrities being held accountable when the products they endorse fail.

In fact, when Congress lost power in 2014, it was guilty of deleting the Twitter handle of PMO before Mr Manmohan Singh demitted office as if he was personally the owner of the twitter handle and had to remove it when he demits office.

Now many are also criticizing the fact that the Privacy policy of NaMo app was modified after the controversy. In fact this is a matter to be appreciated that when a vulnerability was brought to the notice of the App owner, he is trying to correct it. This is the “Risk Mitigation” effort expected out of the owner. On the other hand, Congress removed its app altogether. This is also fine since this is a “Risk Avoidance” strategy and since Congress did not consider the App successful any way, it was a wise move to withdraw it.

Public should also remember that certain technical information of any app user or internet user such as the browser/mobile used etc is always tracked because this is essential for presenting the content in a proper manner. Hence processing the behaviour and preferences of the users to a certain extent is perfectly legitimate. If this back end processing is done online by a company abroad, the data may have to be sent there. In most cases this would be de-identified information and hence there is no privacy stake here. This is not “Stashing away data of Indian citizens abroad” like people stash away their black money abroad.

RG cannot understand this and hence he may say some thing like “Spying”, “Recording audio or video” etc and this has to be ignored. Even if BJP tries to pursue a defamation case, they may fail since Court may come to the conclusion that no body takes RG seriously and hence no “Defamation” can be attributed to his utterings.

But security professionals should be more responsible and not make lose comments. If they have suggestions to improve the App they should provide those suggestions.

The summary of this discussion is that while we wish that political parties are more careful in drafting the Privacy policy and Terms of use of the Apps we also wish the public should check if they want to give their consent to the sharing of their personal data before any app is installed. Beyond this, it is not correct to use terms such as “Spying” unless to exhibit one’s ignorance. It is OK for Rahul Gandhi and Ramya and not for security professionals.

Naavi

Posted in Cyber Law | Tagged , , , | Leave a comment

Smart Cities in India and ITA 2008

Posted on March 25, 2018 by Vijayashankar Na

When ITA 2000 was drafted, the concept of “Smart Cities”, “Driver less cars” or “Artificial intelligence” or “Humanoid Robots” were not very much in the realm of the vision of the law makers. The main objective was to provide facilitation of E Commerce.

In 2008 ITA 2000 was extended to provide some additional security against Cyber Crimes. At this time, the focus was on “Intermediary Liability” but still the vision was restricted to liability arising out of crimes occurring on E Commerce platforms and to what extent the owner of the platform should be held liable for the offences committed by third party users.

In the context of the Smart Cities, where there is a huge dependence of the infrastructure on “Automated Sensors” which collect data and pass it on to a central processor and the Central processor is programmed to take automated decisions based on the data input and send back operational instructions to decision enforcement mechanisms, there is a debate on whether ITA 2008 can address the new challenges thrown by the Smart city eco system.

In this process, we have legal queries on whether we are violating “Privacy” while our sensors collect information and whether mistakes committed by our “Central Processors” armed with Big data analytic capabilities using Artificial intelligence are punishable as cyber crimes, etc.

The recent Uber autonomous car accident in Arizona has highlighted the consequence of failures by the sensors or the processing systems.

Also, Big Data Analysis which takes raw data from some source and adds intelligence to it to make it more useful information for third parties has raised issues of “Ethics” as we see in the Cambridge Analytica case.

It is interesting to note that without any inclination of such possibilities, ITA 2000 provided that “An action by an automated system is attributable to the person who caused it to behave automatically”. By this one section, all actions of automated systems have been brought under legal scrutiny just as if some human was sitting there and operating the system though he might have used an algorithm as a tool. Such person could be the owner of the system like Uber in the Arizona case.

It is open to Uber to hold the software developer or the sensor manufacturer for their part of failure of the warranty depending on the contractual obligations. Under Section 79 of ITA 2000/8, read with Section 85,  criminal punishments can also be imposed on the intermediaries and their executives for the adverse action by the automated systems.

If therefore in a smart city, automated systems cause any accident, Indian law has some body to be held accountable.

As regards the Big Data analytics, current practice is to depend on the “Consent” obtained by the “Data Collector” who collects the personal data.

If the data collector adds value to the information then the right over the value addition is claimed by the person who added the value. This is recognized under the IPR.

The value added information is different from the raw data handed over by the data subject and hence the contract of data collection has to specify if the data subject permits creation of value over the raw data provided by him and whether he is entitled to any benefits there of. Otherwise he may not be able to object to the value creation.

Naavi has recommended earlier that personal data should be treated as a property and could be made transferable for a consideration with a royalty payable to the data subject if value is encashed by the data collector. However a proper mechanism does not exist for this purpose and hence the value adder is free to make profit on the basis of the raw data supplied by the data subject.

However, when the value addition processing of personal data leads to creation of any “Profile Data” which is used in such a manner as to defame the data subject it may be considered punishable whether or not there was a consent or whether the data was collected from the data subject or from a third party.

The “permission to transfer” and the “Conditionalities of such transfer” inherent in the consent determine whether the Data analytics becomes a “privacy issue” or not.

The damage created by an aggregator or processor of data to the data subject is not much different from the damage that may be created by a malicious person who may hack into CCTVs or other devices of another owner and use it for unauthorized surveillance or DDOS attacks. With Smart cities using CCTV and other monitoring devices in plenty, it is a fertile ground for misuse by hackers if the security is weak.  The legal implication of such damages (eg Dyn Attack) is determined under Section 43A of ITA 2008 which imposes “Reasonable Security Practices” on the owner of a device.

The data aggregators or value processors are however in the nature of “Intermediaries” and their liabilities will be determined with the application of the “Due Diligence” principles.

One Due Diligence aspect that can be considered when personal data is transferred to another person is to transfer the data along with the consent so that the down stream data processor is aware of the consent restrictions. But this again is not an established practice but can be considered.

Hence “Self imposed Ethical Standard” as due diligence is the only available means through which the down stream user of data can be expected to protect the privacy of a data subject with whom he does not have direct contractual contact.

Also, when data is transferred from one data collector to another data processor, if the data is pseudonomized, then the obligations of both the data collector as well as the down stream processor would be either absent or substantially reduced. This can happen in many instances of research but not when the processing intended to be used for marketing. But “Marketing” is almost always a category of use that is prohibited in any consent and hence can be considered as a “Presumption” unless the contrary is proved by an “Explicit Consent”.

When “Artificial Intelligence” is used in a Smart City scenario, the sensors (Including CCTVs equipped with face recognition or Gait recognition) are “machines” which collect the personal data. The “Privacy Breach” therefore is not evident unless the data is disclosed to a human being. As long as the data is being processed within the system, it is difficult to say if the “Privacy has been breached” though it could be a step towards eventual breach of privacy.

Again this is a grey area for law and we need to consider that just as we say “Privacy” is a right available only for “identifiable, living individuals”, we can define that a “Breach of Privacy” is recognized only when a “Living individual” accesses “identifiable personal data” without the consent of the data subject.

With such a definition, the Smart City processing can be largely relieved of the privacy obligations as any data which is collected can be filtered into “Suspect person’s personal Data” and “Non Suspect person’s personal data” with the non suspect person’s personal data being de-identified by the machine itself.

Only the “Suspect person’s personal data” may be escalated to human intervention and as long as the machine (or the person who owns its actions) can justify “Reasonable Doubt” as to why the data subject should be considered as a “Suspect”, Privacy breach may not be considered to have occurred.

Presently, these thoughts are being presented as an extension of the present laws. If this is universally accepted, then we may not need a separate Cyber law for Smart cities. If not, we may consider some amendments to ITA 2008 to add clarifications necessary to expand some of its provisions as may be required.

Naavi

 

 

Posted in Cyber Law | Leave a comment

CCTV footages.. Whose property is it any way?

Posted on March 23, 2018 by Vijayashankar Na

Dr Pratap Reddy, Executive Chairman of Apollo Hosiptal has stated that  Apollo Hospital had turned off CCTV cameras placed in the ICU when the late Tamil Nadu Chief Minister J.Jayalalitha was undergoing treatment. (Refer report here).

In the light of a strong suspicion that Ms Jayalalitha could have been murdered by a political conspiracy, the action of Apollo Hospital in deliberately switching off the CCTV footage raises a question if Apollo Hospital and Dr Pratap Reddy should face criminal charges of abetting a murder? If there was a facility of CCTV in a hospital, there must be a reason. Mr Pratap Reddy should explain why CCTV was being run when every other ordinary patient was there without regard to their Privacy but only when Ms Jayalalitha was in the hospital, it was switched off.

Similar issues have come to the fore in the case of Sunanda Pushkar suspected murder case where CCTV footages at Hotel Leela Palace went missing. There are many other instances where either the Police have seized the CCTV device and later said that they did not find anything in the DVD or the private establishment which maintained the CCTV  itself said that the CCTV was not functioning when a VVIP crime took place right under its nose.

As a result, the ubiquotous CCTV they want and claim that it was not available when there is a VVIP pressure to suppress truth.

This incident highlights an important policy issue in the country about the Privacy implications of installing CCTVs in public and semi-public places. The Srikrishna Committee working on the new Data Protection law in the country needs to take this into consideration and make a specific provision to ensure that if CCTV with or without face recognition or Gait recognition capability is a tool of security for the community and is permitted to be installed in public places (and Semi-public places) without considering it as a “Privacy Breach”, then there has to be accountability for the footage captured.

We should not allow the CCTV footages to be selectively used  as evidence in some cases and selectively ignored in other cases without the owner being prima facie suspected of having erased evidence when he claims that the CCTV footage in a particular instance is not available. At least he should be made liable to provide proper explanation under the “Due Diligence” concept why in a specific instance the device was not functioning.

If any person provides a “Consent” (express or deemed) to be subjected to being monitored in a given situation, then the data collected about himself and his behaviour should be treated as the property of the data subject. He should have the right to ask for a copy if required. Privacy laws such as the GDPR provides a right to erasure, right to rectification and right for portability of personal data and the CCTV footage must be treated as “personal data” of the data subject. The CCTV data collector cannot be allowed arbitrarily to state that in some cases data is available and in some other cases it is not available.

This principle should be tested now by subjecting Apollo Hospital to a rigorous criminal investigation in respect of the suspected murder of J.Jayalalitha. Simultaneously, I draw the attention of the Justice Srikrishna committee to incorporate such provisions as necessary in the new Data protection act to make CCTV managers accountable to what they collect as data claiming exemption from general Privacy principles through either for  “National Security”  reasons or under the cover of a “Consent”.

Naavi

Posted in Cyber Law | Tagged , , , , | Leave a comment

Cambridge Analytica and Indian Cyber Laws

Posted on March 22, 2018 by Vijayashankar Na

The news report that Personal profiles of 50 million Face Book users was collected and unauthorizedly used to help Trump win an election has opened  a new debate on Privacy and Data Protection in India. BJP and Congress parties are fighting on TV to blame each other that they are also indulging in a similar misuse of personal data while the local subsidiary of Cambridge Analytica (CA) which is the firm accused of the misuse claims to have served both BJP and Congress in different elections.

Much of the debate that is happening in this connection appears to be dishonest and hypocritical and the bluff has to be called.

We must first recognize that the CA is supposed to have collected the data through an App which was voluntarily downloaded by users who gave a consent for the access of their personal information. The person who collected the information based on the consent provided used it as a data for some kind of research for targeted advertising. The research was bought by Trump’s campaign managers and hopefully he was benefited.

Just as in India anything done by Modi is objected to, the Anti Trump brigade is accusing as if US election was tampered because of the profiling of the consumer research company and the targeted advertising for which it was used. Even if the firm had done a “Psychological Profiling” from the data available, as long as the data was in the public domain or out of an informed consent, there is no breach of Privacy. There are FinTech companies who do data analytics for fixing credit limits and if data analytics is used to create innovative advertising, it is neither a surprise nor some thing to be scoffed at.

This sort of data collection from public resources or from informed consent cannot be objected to just because we donot like Mr Trump winning.

If there is any real objection, one has to go into the fact of whether the “Informed Consent” was actually through a fraud and if so the data collector namely the British academic “Aleksandr Kogan” has to be brought to book.

Presently all Privacy Laws place faith on such consents. But if the Data Collector breaches the agreement and sells the data to another person who uses it for a purpose other than the purpose for which it was provided, it has to be objected to only on grounds of “Breach of Contract, Breach of trust” etc.

As regards the third party who bought to the data, data protection acts need to impose a “Due Diligence” obligation to disclose and get consent from the data vendor that the purchased data can be used for a specific purpose. Since “Advertising” is a legitimate purpose, if the data collector offers a data for advertising to an advertiser and the advertiser may  buy it under the premise that the data subject must have provided the necessary consent.

Is the secondary data user expected to check if the original consent provided to the data collector permits  such use or not is a matter yet to be clearly defined in law though it could be an ethical and moral issue. Also in many cases, even the buyer may not be aware how exactly he is going to use the data and how he can benefit from it. He may be simply buying it speculatively and discover some value added derivatives out of it which he may trade.

It is therefore hypocritical for us to express surprise that FB data could be used for profiling and profiled information can be used for advertising and such advertising could be for political campaigns. All this has to be expected in the era of Big Data anaytics and Artificial Inteligence.

In fact while the laws or privacy so far have missed the need to impose “Due Diligence” by the secondary user of personal data and this can be taken note of and included in the Indian Data Protection Laws, we can draw attention to Section 66B of the ITA 2008 which provides a possibility for “Stretching the legislative intent indicated in the section” to cover the misuse of data. Section 66B is actually meant for punishing the use of stolen computers and mobiles and uses the term “dishonestly receives and retains any stolen Computer Resources”. If we can consider data as a computer resource and the act of use of data for a purpose other than what it was meant as “Stealing”, then Section 66B can be stretched to the data misuse scenario though it is not recommended.

May be the Justice Srikrishna panel may include a clause that

“Any user of personal data shall exercise due diligence to ensure that the purpose for which it may be used is consistent with the consent provided”

Perhaps this is the lesson we can take out of this incident apart from what we have already discussed as to the need of an intermediary called “Data Trust” in the Data Protection environment.

Naavi

Posted in Cyber Law | Tagged , , , , , , , | Leave a comment

Can Maharashtra Government Amend IT Act?

Posted on March 20, 2018 by Vijayashankar Na

A news report from UNI states that the Minister of State for Home (Urban) in Maharashtra, Mr Ranjit Patil has made a statement in the legislative Council of Maharashtra that “Maharashtra Government will amend Information Technology Act to regulate illegal online betting and curb debit and credit card frauds”.

The intention of the Minister to control a Crime committed through Internet is well appreciated. However, it is necessary to explore

a) Is the amendment of ITA 2000/8 required to take action against an online betting website?

b) Is the State Government empowered to amend ITA 2000?

If “Betting” is illegal, it is so whether it is done with paper or electronic documents or using digital communication. Prosecution of “Illegal betting” can always be launched under IPC using electronic evidence presented properly under Section 65B of Indian Evidence Act. Hence there is no need to amend ITA 2000/8 and the Government need not waste its time on this matter.

Further the powers of State Government are defined under Section 90 of ITA 2000 which states as under:

Section 90 Power of State Government to make rules

(1)The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.
(2)In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely –
(a)the electronic form in which filing, issue, grant receipt or payment shall be effected under sub-section (1) of section 6;

(b)for matters specified in sub-section (2) of section 6;

(3)Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

These powers are limited to “Making Rules” to carry out the provisions of the Act and does not extend to “Making New Law”.

If it is required to make any amendments, the amendments have to be proposed in the Parliament and passed as a central legislation. One example of such powers would be to carry out the requirements of Sections 6,6A,7,7A,8 or 9 of ITA 2000/8 which relate to E-Governance. Some powers under Sections 69 also may require rules to be made under local laws.

In the past some States did pass laws for Cyber Cafes under the local Police Acts but now there is a separate Cyber Cafe regulation under ITA 2000/8 itself. Some State Governments have used its powers to designate “Protected Systems” under Section 70 though it is considered prudent that the notification under Section 70 should be from the Central Government.

I hope that the Maharashtra Government takes note of the limitations to State Powers under ITA 2000/8 and does not pass any legislation which may not stand the test of law if challenged. if not challenged, such “Ultra Vires” legislation create  problems in future when convictions are challenged under the unconstitutionality of the laws.

What Maharashtra Government can do

If the State Government of Maharashtra has to take steps in strengthening the Cyber Crime system in the State, they need to focus on improving their Cyber Crime Policing system which requires urgent attention.

I have brought to the attention of the Maharashtra Police through these columns one instance where  the Cyber Crime Police Station in BKC, Mumbai failed to undertake investigation of a simple complaint made by a multi national company which required urgent action to trace the IP address from which some offending e-mails were being sent. Neither the officials in charge of Cyber Crime Police Station nor the Police in the jurisdictional police station to which the case was transferred took any action to resolve the case. The top officials of the State police also failed to respond to the request from the undersigned and the case went dead.

There is no use in trying to amend the laws and introduce unnecessary new provisions just to claim that the Government is taking some action. There is need to ensure that Police in the Cyber Crime police stations and the Jurisdictional police stations are properly trained both in the skills required for resolving Cyber Crimes and also the attitude required to help victims of Cyber Crimes without corruption. This will atleast ensure that current laws would be properly implemented.

I have made some suggestion in my earlier article titled How to Relieve Cyber Police in India of needless burden and make them more focused  to improve the Cyber Crime investigation at the base level of IP address resolution. If  Maharashtra Government is interested in improving Cyber Crime handling in the State, I request them to consider the suggestion made here to ensure that Cyber Crime Complaints are resolved more efficiently than at present. This is well within the powers of the State Government.

I appeal  to the  CM of Maharashtra, besides the Minister of State, Mr Ranjit Patil to consider the suggestion made.

Naavi

Posted in Cyber Law | Leave a comment