CCTV footage: whose property is it anyway?

Dr Pratap Reddy, Executive Chairman of Apollo Hospitals, has stated that Apollo Hospital turned off the CCTV cameras placed in the ICU while the late Tamil Nadu Chief Minister J. Jayalalitha was undergoing treatment. (Refer report here).

In the light of a strong suspicion that Ms Jayalalitha could have been murdered through a political conspiracy, the deliberate switching off of the CCTV cameras by Apollo Hospital raises the question whether Apollo Hospital and Dr Pratap Reddy should face criminal charges of abetting a murder. If a CCTV facility existed in the hospital, there must have been a reason for it. Dr Pratap Reddy should explain why the CCTV ran for every ordinary patient, without regard to their privacy, and was switched off only when Ms Jayalalitha was in the hospital.

Similar issues came to the fore in the suspected murder of Sunanda Pushkar, where the CCTV footage at Hotel Leela Palace went missing. There are many other instances where either the Police seized the CCTV device and later said that they did not find anything in the DVD, or the private establishment which maintained the CCTV itself said that the CCTV was not functioning when a VVIP crime took place right under its nose.

As a result, the ubiquitous CCTV is produced as evidence when it suits those who control it, and is claimed to have been unavailable whenever there is VVIP pressure to suppress the truth.

This incident highlights an important policy issue for the country: the privacy implications of installing CCTVs in public and semi-public places. The Srikrishna Committee working on the new Data Protection law needs to take this into consideration and make a specific provision: if CCTV, with or without face recognition or gait recognition capability, is a security tool for the community and is permitted in public (and semi-public) places without being treated as a “Privacy Breach”, then there has to be accountability for the footage captured.

We should not allow CCTV footage to be selectively used as evidence in some cases and selectively ignored in others, without the owner being prima facie suspected of having erased evidence when he claims that the footage in a particular instance is not available. At the very least he should be made liable, under the “Due Diligence” concept, to provide a proper explanation of why the device was not functioning in that specific instance.

If any person provides “Consent” (express or deemed) to being monitored in a given situation, then the data collected about him and his behaviour should be treated as the property of the data subject. He should have the right to ask for a copy if required. Privacy laws such as the GDPR provide a right to erasure, a right to rectification and a right to portability of personal data, and CCTV footage must be treated as “personal data” of the data subject. The CCTV data collector cannot be allowed to state arbitrarily that in some cases the data is available and in others it is not.

This principle should be tested now by subjecting Apollo Hospital to a rigorous criminal investigation in respect of the suspected murder of J. Jayalalitha. Simultaneously, I draw the attention of the Justice Srikrishna Committee to the need to incorporate provisions in the new Data Protection Act that make CCTV managers accountable for what they collect as data while claiming exemption from general privacy principles, whether for “National Security” reasons or under the cover of “Consent”.

Naavi


Cambridge Analytica and Indian Cyber Laws

The news report that the personal profiles of 50 million Facebook users were collected and used without authorization to help Trump win an election has opened a new debate on Privacy and Data Protection in India. The BJP and Congress parties are fighting on TV, each blaming the other for indulging in a similar misuse of personal data, while the local subsidiary of Cambridge Analytica (CA), the firm accused of the misuse, claims to have served both BJP and Congress in different elections.

Much of the debate that is happening in this connection appears to be dishonest and hypocritical and the bluff has to be called.

We must first recognize that CA is supposed to have collected the data through an app which users voluntarily downloaded, giving consent for access to their personal information. The person who collected the information on the basis of that consent used it as data for some kind of research for targeted advertising. The research was bought by Trump’s campaign managers and presumably he benefited from it.

Just as in India anything done by Modi is objected to, the anti-Trump brigade is alleging that the US election was tampered with because of the profiling done by a consumer research company and the targeted advertising for which it was used. Even if the firm had done “Psychological Profiling” from the data available, as long as the data was in the public domain or obtained through informed consent, there is no breach of Privacy. There are FinTech companies who do data analytics for fixing credit limits, and if data analytics is used to create innovative advertising, it is neither a surprise nor something to be scoffed at.

This sort of data collection from public resources or through informed consent cannot be objected to just because we do not like Mr Trump winning.

If there is any real objection, one has to go into whether the “Informed Consent” was actually obtained through a fraud, and if so the data collector, namely the British academic Aleksandr Kogan, has to be brought to book.

Presently all Privacy laws place faith in such consents. But if the Data Collector breaches the agreement and sells the data to another person who uses it for a purpose other than the one for which it was provided, it has to be objected to on grounds of “Breach of Contract”, “Breach of Trust” and the like.

As regards the third party who bought the data, data protection acts need to impose a “Due Diligence” obligation to disclose the intended use and obtain confirmation from the data vendor that the purchased data can be used for that specific purpose. Since “Advertising” is a legitimate purpose, if the data collector offers data for advertising to an advertiser, the advertiser may buy it on the premise that the data subject must have provided the necessary consent.

Whether the secondary data user is expected to check if the original consent provided to the data collector permits such use is a matter yet to be clearly defined in law, though it could be an ethical and moral issue. Also, in many cases even the buyer may not know exactly how he is going to use the data and how he can benefit from it. He may be buying it speculatively, to discover some value-added derivatives which he may trade.

It is therefore hypocritical for us to express surprise that FB data could be used for profiling, that profiled information could be used for advertising, and that such advertising could be for political campaigns. All this is to be expected in the era of Big Data analytics and Artificial Intelligence.

While privacy laws so far have missed the need to impose “Due Diligence” on the secondary user of personal data, and this can be taken note of and included in the Indian Data Protection law, we can draw attention to Section 66B of ITA 2008, which offers a possibility of “stretching the legislative intent indicated in the section” to cover the misuse of data. Section 66B is actually meant for punishing the use of stolen computers and mobiles and uses the words “dishonestly receives or retains any stolen computer resource”. If we consider data as a computer resource, and the use of data for a purpose other than the one it was meant for as “stealing”, then Section 66B can be stretched to the data-misuse scenario, though this is not recommended.

Maybe the Justice Srikrishna panel could include a clause that

“Any user of personal data shall exercise due diligence to ensure that the purpose for which it may be used is consistent with the consent provided”

Perhaps this is the lesson we can take from this incident, apart from what we have already discussed regarding the need for an intermediary called a “Data Trust” in the Data Protection environment.

Naavi


Can Maharashtra Government Amend IT Act?

A news report from UNI states that the Minister of State for Home (Urban) in Maharashtra, Mr Ranjit Patil, has told the Legislative Council of Maharashtra that “Maharashtra Government will amend Information Technology Act to regulate illegal online betting and curb debit and credit card frauds”.

The Minister's intention to control a crime committed through the Internet is well appreciated. However, it is necessary to explore:

a) Is the amendment of ITA 2000/8 required to take action against an online betting website?

b) Is the State Government empowered to amend ITA 2000?

If “Betting” is illegal, it is so whether it is done with paper or electronic documents or using digital communication. Prosecution of “Illegal betting” can always be launched under the ordinary penal law, using electronic evidence presented properly under Section 65B of the Indian Evidence Act. Hence there is no need to amend ITA 2000/8, and the Government need not waste its time on this matter.

Further the powers of State Government are defined under Section 90 of ITA 2000 which states as under:

Section 90 Power of State Government to make rules

(1)The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.
(2)In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely –
(a)the electronic form in which filing, issue, grant receipt or payment shall be effected under sub-section (1) of section 6;

(b)for matters specified in sub-section (2) of section 6;

(3)Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

These powers are limited to “making rules” to carry out the provisions of the Act and do not extend to “making new law”.

If any amendment is required, it has to be proposed in Parliament and passed as central legislation. Examples of the State's rule-making power would be carrying out the requirements of Sections 6, 6A, 7, 7A, 8 or 9 of ITA 2000/8, which relate to E-Governance. Some powers under Section 69 may also require rules to be made under local laws.

In the past some States passed laws for Cyber Cafes under their local Police Acts, but now there is a separate Cyber Cafe regulation under ITA 2000/8 itself. Some State Governments have used their powers to designate “Protected Systems” under Section 70, though it is considered prudent that the notification under Section 70 should come from the Central Government.

I hope that the Maharashtra Government takes note of the limitations on State powers under ITA 2000/8 and does not pass any legislation which may not stand the test of law if challenged. Even if not challenged immediately, such “Ultra Vires” legislation creates problems in future when convictions are challenged on the ground that the law is unconstitutional.

What Maharashtra Government can do

If the State Government of Maharashtra has to take steps in strengthening the Cyber Crime system in the State, they need to focus on improving their Cyber Crime Policing system which requires urgent attention.

I have brought to the attention of the Maharashtra Police, through these columns, one instance where the Cyber Crime Police Station in BKC, Mumbai failed to investigate a simple complaint made by a multinational company which required urgent action to trace the IP address from which some offending e-mails were being sent. Neither the officials in charge of the Cyber Crime Police Station nor the Police in the jurisdictional police station to which the case was transferred took any action to resolve the case. The top officials of the State Police also failed to respond to the request from the undersigned, and the case went dead.

There is no use in trying to amend the laws and introduce unnecessary new provisions just to claim that the Government is taking some action. There is a need to ensure that the Police in the Cyber Crime police stations and the jurisdictional police stations are properly trained, both in the skills required for resolving Cyber Crimes and in the attitude required to help victims of Cyber Crimes without corruption. This will at least ensure that the current laws are properly implemented.

I have made some suggestions in my earlier article titled How to Relieve Cyber Police in India of needless burden and make them more focused, to improve Cyber Crime investigation at the base level of IP address resolution. If the Maharashtra Government is interested in improving Cyber Crime handling in the State, I request them to consider the suggestions made there, to ensure that Cyber Crime complaints are resolved more efficiently than at present. This is well within the powers of the State Government.

I appeal to the CM of Maharashtra, besides the Minister of State Mr Ranjit Patil, to consider the suggestions made.

Naavi


Autonomous Car Accident opens debate on legal responsibility

An unfortunate but historic event occurred in Arizona on 19th March 2018 when a self-driving Uber car hit and killed a woman crossing the street. (Refer Reuters article here).

The pedestrian who lost her life was a 49-year-old woman named Elaine Herzberg. It appears that there were no passengers in the vehicle, but a safety driver was behind the wheel while the car was in autonomous mode. The vehicle is said to have been travelling at about 40 mph at the time of the accident (Refer abcnews.com).

This may not be the first accident involving a driverless car, but it is considered the first such accident resulting in a fatality. Uber has rendered its apology (Refer Guardian), and statistics are being cited to say that accidents happen in manually driven cars too. Uber has also suspended operation of its autonomous cars across the USA and sent a team to investigate the cause.

According to one statement, the driver could technically have overridden the autonomous mode. This raises several legal issues in fixing responsibility for the accident. Was it the inability of the human driver behind the wheel that caused the accident, or was it the AI driving the vehicle? If the latter, is Uber responsible for the accident? If Uber bought the software from a software company, is that company responsible?

There has to be a forensic investigation of what went wrong, since there could be several independent components of the car, such as navigation, brakes and the sensors, which had to act in coordination, and the failure could have occurred in any of these parts. The functionality of each of these parts could be the responsibility of different companies who were sub-contractors of Uber.

Will the current Cyber Laws be able to meet such requirements? That is the first question that crosses our mind. In India, an “automated” activity is attributed to the person who “caused” the system to behave automatically.

In this case, the car malfunctioned because the sensor failed to detect the obstacle and instruct the brake system, and/or the brake system failed to react in time. The persons responsible for the sensor, the internal communication and the brake systems, as well as the aggregate owner, namely Uber, have direct and vicarious liabilities. Each will declare its “Due Diligence” and try to shift the blame to another. There may be a need for a Section 65B certificate of evidence, countered by a Section 79A accredited Digital Evidence Examiner, before a Court can consider the liability.

Whatever the law may say, if this accident had occurred in India the first attempt of anyone who might be held responsible would be to ensure that the evidence is tampered with. The Police, as they do in other cases where CCTV footage is seized, would try to take control of the car with its internal data, and the fate of the case would depend on whether they faithfully preserve and produce the data to the Court. In all probability the politicians would try to intervene and ensure that the reputation of their favoured people is not damaged. They may somehow prove that all the forensic data was corrupted and is not available, or produce selected data to prove that the person behind the wheel had manual control at the time of the accident and was responsible, and not the “Car Company”.

I am sure that the Arizona Police will be more objective, try to scientifically analyze the causes of the accident, and contribute to the development of the science behind the creation of driverless cars. In that context, we can consider this as an “Accident”, look at the statistics, and proceed to learn from it.

But one important requirement in such cases is to ensure that the “Evidence” does not get destroyed and is not left to the whims and fancies of any one agency, even the Police. Also, in a more violent accident, physical damage to the vehicle can itself destroy the evidence.

Hence there has to be a “Black Box” that cannot be tampered with, capturing encrypted data which can be decrypted only by a reliable authority. Also, a good part of the data should be transferred in real time to a remote location outside the control of the car owner, to be opened only under judicial intervention.

Securing the evidence in such cases is very important for the development of secure driverless cars for the future.

Naavi

Also Read:

Self Driving Cars attacked in California

NewYork Times Report

USA Today Report

Heavy.com report

No Signs of slowing..says Police


Where do I start my GDPR compliance?

Many organizations in India are now concerned about the need to be compliant with GDPR before the deadline of 25th May 2018. They must be receiving many e-mails from their business partners abroad with the query “Are you GDPR compliant?”. There is therefore a scramble in industry circles about how to become GDPR compliant in quick time.

Any compliance program is a “Journey”. It is not completed in a day. In any compliance journey the beginning is always the toughest part; once begun, the task is half done. The same applies to GDPR compliance. Start your GDPR compliance and you would at least be able to say “I am in the process of achieving GDPR Compliance”.

The first milestone to achieve is “We are GDPR Ready”. This GDPR readiness is important for all data processors who are now negotiating a data processing contract with an EU, GDPR-sensitive business partner who is constrained to ask about your GDPR readiness before starting a business dialogue with you. Until GDPR-sensitive data comes into the systems and is operated under a compliance regime for some time, it is not possible to test the real GDPR compliance of any organization.

Hence, before the actual processing of GDPR-sensitive data commences and is observed for a certain period, it is difficult to conclude that any organization is “GDPR Compliant”. If they have instituted all the measures required for compliance, the organization may however declare itself to be “GDPR Compliance Ready”, and nothing more.

Indian companies who are Data Processors need to understand that their main obligation is to the Data Controller who hands over the “Personal Data” falling within the material scope of the GDPR (Article 2(1)) under a “Processing Contract”. The main liability for GDPR compliance lies with the Data Controller and not with the Indian business associate (unless the Indian company is more than a mere business associate for data processing and indulges in direct collection of the relevant data).

The first question which any Indian company has to ask a controller is therefore:

Do you have a GDPR Compliance Check list for a non EU data processor? If so, please share it with us and we will make necessary arrangements. Otherwise, we are “Ready” to understand what could be your requirements and how it can be met at our end.

I will not be surprised if many Data Controllers think that the EU GDPR applies as such in extra-territorial jurisdictions like India, and that India does not have any local laws which may be in conflict. They may therefore presume that you are as aware of GDPR as they are, and that there is no need for them to tell you how to be GDPR compliant.

If you have such a client, then you can tell them,

“Yes, we are aware of GDPR and if you want, we can think on your behalf and implement GDPR for you. But this will be a GDPR consultancy contract and different from the Data Processing contract and will be charged separately”

Do Indian companies have the negotiating strength to say this? Each company needs to ask itself.

GDPR imposes liability mainly on the Data Controller and expects them to build the compliance requirements in at the design stage of the process. It is only the Data Controller who knows for what purpose the data is being collected and how it needs to be processed. It is only the Data Controller who has a hand in drafting the “Informed Consent” and obtaining it from the Data Subject. The Data Processor is not directly involved in determining the purpose of collection or the processing requirements.

There may be an exceptional case where the Data Controller has the right to determine how the data is to be collected but engages a sub-contractor to create and manage a website or a system through which the data is collected after the necessary disclosures are made and consent is obtained. In such a case, the Data Processor is himself the “Data Collector”. But it is still the responsibility of the Data Controller to specify in the service contract how the Data Collector cum Data Processor collects and processes the data.

Hence the “Data Processing Engagement Contract” becomes the key to GDPR compliance and will be the starting point for compliance in India. Either the Data Controller has to come up with such a document, or say: we do not have a detailed agreement on how the GDPR compliance is required to be done, but please consider the GDPR text as part of this agreement; interpret it in your context and be compliant.

An Indian company keen on the business may jump at such an opportunity, with or without charging extra fees for consultancy. However, in such cases the responsibility to interpret the GDPR clauses shifts to the Indian company. We all know that legal interpretations are always dicey. There may be differences in interpretation, and the Indian company’s interpretation may not be accepted by the EU company when a dispute actually arises.

Hence in such cases it is necessary for the local company to conduct a GDPR impact analysis in the context of what is envisaged in the contract and develop a written document that is sent to the principal for his information and confirmation. In this document, the obligations that the local company takes on, and the obligations it does not want to take or cannot take because of conflict with local laws, can be specified.

Once this “GDPR Impact Assessment and Implementation Plan” is documented in a contractually agreeable manner, the Indian company can go ahead and implement the requirements from the technical perspective, test them to the extent possible, and if everything goes well, call itself “GDPR Compliant”.

The principal has the right to inspect the implementation plan, run his own tests and satisfy himself beyond the claims of the local company, at any time either before the processing contract starts or later.

Since there is a cost to “Getting GDPR Ready”, if the Data Controller imposes a condition that “You should be GDPR ready before … and I will inspect and have the right to reject”, the local company should either treat the cost of getting GDPR ready as a cost of business promotion or collect it separately as an additional preparatory cost.

I presume that wise Indian companies have already adopted these measures.

Naavi


If India was in EU, Aadhaar would have been exempted from GDPR.. Supreme Court needs to ponder..

Currently GDPR and Aadhaar are both hot subjects for discussion among professionals, whether they are Privacy activists, Information Security professionals or Lawyers.

GDPR is at one end of the spectrum, often looked upon by Privacy activists as the ultimate in Privacy protection legislation. Aadhaar, on the other hand, is at the other end of the spectrum, often looked upon as the greatest villain of Privacy breach in India.

The Supreme Court of India continues to hear the petitions of Privacy activists who are more concerned about the political damage they can cause the Government by attacking Aadhaar than about any public good.

There appear to be some foreign technical persons calling themselves “Ethical Hackers” who are camping in India to hack into Aadhaar data and prove that Aadhaar is the epitome of Privacy invasion in India. It is not clear where these persons draw their motivation from, and whether they are motivated by a commitment to the Privacy of the Indian citizen or by the political advantages that can accrue to black money owners in India if the Government's present intention to link Aadhaar to mobile numbers and bank accounts is frustrated through intervention by the Supreme Court.

We Indians are aware that even the Supreme Court has its own agenda and many times takes decisions which are “TRP oriented”. The Privacy judgement and the scrapping of Section 66A are examples of decisions where the Court has shown its inclination to reach conclusions based on the public perception that can be created about the “Progressive Views of the Judiciary”.

In this context it is essential for us to examine how GDPR tries to address the issues of Privacy in the context of public interest, national security and journalistic freedom.

Chapter IX of GDPR, “Provisions Relating to Specific Processing Situations”, sets out the rules regarding processing of personal data in the context of the right to freedom of expression and other situations, including “Processing of the national identification number”.

Article 85 of GDPR leaves it to member states to reconcile by law the right to protection of personal data pursuant to GDPR with the right to freedom of expression and information, including processing for journalistic purposes and for the purposes of academic, artistic or literary expression.

Article 86 refers to personal data in official documents held by a public authority or a private body for the purpose of performing a task in the public interest, which may be disclosed under a Right to Information kind of law.

As one can appreciate, the canvas for defining exclusions under Articles 85 and 86 is fairly wide, and if we take this as a guide for the Indian context, where we are waiting for our own Data Protection law, there is enough scope to consider that our existing laws, including the Right to Information Act, can be treated as an automatic exclusion from GDPR-type restrictions.

Article 87 is interesting since it directly relates to a situation similar to Aadhaar. It states as under:

Article 87: Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

This article gives member states the right to determine their own conditions for the processing of a national identification number or any other identifier of general application; on this point GDPR steps back in favour of national law, subject only to the requirement that “appropriate safeguards” for the rights and freedoms of the data subject be prescribed.

This article also provides guidance to Indian companies, who often over-react to GDPR by imposing on themselves non-existent restrictions, on the extent to which local regulation may override GDPR and yet be considered “GDPR Compliance”.

If the member states of the EU themselves have the freedom to enact laws that may override the GDPR, it is obvious that in an independent sovereign country like India, where in most cases the GDPR applies through contracts between a Data Controller in the EU and a Data Processor in India, local laws such as the Information Technology Act 2000/8 will have paramount priority over GDPR.

I therefore caution Indian Companies that in their eagerness to be GDPR compliant, they should not ignore the need to be ITA 2008 compliant.

We need to build GDPR compliance within the parameters of ITA 2008 compliance. Fortunately, ITA 2008 is well designed for such a requirement, since Section 43A and its definition of “Reasonable Security Practices and Procedures” accommodate such contracts as defining the security requirements for compliance. The only difference would be that the remedy may have to be sought under ITA 2000/8, read along with the international treaties and laws applicable to international contracts. GDPR cannot be superimposed in derogation of these other remedial options.

The second aspect we need to note from Article 87 is that even the rigorous GDPR regulation on Privacy provides for an exception for the national identification number in the EU member countries. Hence the Indian Data Protection Act can also exempt the processing of Aadhaar data from its restrictions.

The Supreme Court should therefore take cognizance of this fact and not repeat, while ruling on Aadhaar, the mistake it committed in scrapping Section 66A of ITA 2008.

Linking Aadhaar to bank accounts and mobile numbers is a requirement of public interest to prevent black money, benami transactions, terrorism and crime, and the right of the Government to use a national identification number such as Aadhaar for such purposes cannot be curtailed by the Court without taking on the blame that the decision is meant to please the silent majority of anti-nationals who advocate that Aadhaar has to be scrapped.

The above support for Aadhaar is, however, not in derogation of the requirement that there have to be adequate safeguards to secure the usage of Aadhaar so that it cannot be misused to commit crimes. It is in this context that the “Virtual Aadhaar” becomes most important as a security measure, so that at least in future “Stored Biometric Attacks” through the Aadhaar user agencies do not occur.

My support for Aadhaar also does not mean that the Aadhaar authorities are taking all the steps necessary to secure the Aadhaar infrastructure, or that they are not arrogant and dismissive of the risks.

It is however considered that linking Aadhaar to financial information, and the identity of individuals to several activities, is essential to build a safe India, and no legal hurdle should be placed in the way of this honest effort of the Government. The security concerns are real but can be addressed if UIDAI makes full efforts in this regard.

The first thing UIDAI needs to check is the progress of the Virtual Aadhaar implementation. The system should be in trial operation by 1st April and in mandatory operation by 1st July.

While some data security organizations in India are busy conducting surveys on our GDPR preparedness, UIDAI itself, or other data security organizations, should also focus on conducting a survey on our preparedness for the implementation of Virtual Aadhaar as the identity used by banks and mobile operators in place of the Aadhaar number.

Naavi
