Naavi’s Data Trust Score Model unleashed in the New year

At the dawn of the new year, India is on the threshold of a new “Data Protection Regime”. While the critics will continue to debate the Data Localization and the RTI related objections, the Government is likely to quietly go about its Governance duties by pushing through the bill currently titled “Personal Data Protection Act 2018”.

When the law eventually comes into operation, there will be a Data Protection Authority (DPA) which needs to provide several guidelines and rules of practice.

In the meantime, “We the Professionals shall adopt our own Data Protection Constitution of India” to protect the Data Sovereignty of our country, provide adequate “Data Security” for the e-Citizens of India and provide a Citizen’s model of Data Protection Regime that can make the work of the DPA easy. In order to ensure that the regulations eventually made by the DPA are complied voluntarily and without pain, there has to be a synchronization between what the Citizens perceive to be a reasonable self regulation and what the regulator eventually imposes.

Since it may take at least one more year for the DPA’s own regulations to be out with the public, Naavi.org with its associate activities such as Cyber Law College would try to put up its own methodologies which could be the thought starters.

In this journey towards a Responsible Data Protection Regime in India, Naavi presents the Data Trust Score model that he would be adopting for Data Audits conducted by him through Ujvala Consultants Pvt Ltd. This may be considered as a thought under development and would evolve over a period of time. Presently it is referred to as the “Naavi’s 5×5 Data Trust Score Model” (5×5 DTS)

What is Data Trust Score

Data Trust Score is a suggestion of the draft PDPA 2018 presented by Justice Sri Krishna Committee. Even if the concept is modified or even deleted when the draft becomes a law, the concept will always be relevant as a  rating of different organizations against how they adopt and implement the recommendations of PDPA 2018.

According to PDPA 2018, an annual “Data Audit” is mandatory for all organizations processing personal data and the data auditor may assign a rating in the form of “Data Trust Score” to the Data Fiduciary pursuant to such audit.

According to the Act, the DPA will specify the criteria for assigning a rating in the form of a Data Trust Score having regard to various factors such as

a) Clarity and Effectiveness of Notices under Section 8 (Collection of data)

b) Effectiveness of the measures adopted under Section 29 (Privacy by Design)

c) Transparency in relation to processing activities under Section 30(Transparency)

d) Security Safeguards adopted pursuant to Section 31 (Security Safeguards)

e) Instances of personal data Breach and response of the data fiduciary

Naavi’s Approach

Naavi has developed an approach to assigning a Data Score based on an assessment of  the requirements of compliance under 5 different base Foundation criteria on a scale of 5 namely A, B,C,D and E with A being at the top and E being at the bottom. C will be the minimum acceptable criteria for considering an organization compliant.

Naavi recognizes that “Compliance is a journey” over time and it is unfair to judge an organization as a snap shot. This is the fundamental weakness in many of the current rating mechanisms.

Naavi therefore considers rating of DTS over two levels. The first level is the snapshot at a particular point of time. The second level is the change over time with a minimum period of 3 years.

Just as in the financial analysis we use the Balance Sheet as a snap shot of the financial health of an organization and the Funds flow statement as a barometer of managerial prudence in funds management, the Level I and Level II DTS rating would capture the inherent strength of an organization in Data protection compliance.

For the Second level DTS to be evaluated, there has to be a minimum time span with annual data audits of atleast 3 consecutive periods to be available. It will therefore be a rating which can be released after next 3-5 years.

Level I DTS can however be a reality even now and continue when the DPA announces a formal criteria.

Five Foundation Domains

Naavi has clubbed all the requirements of PDPA into Five basic domains namely

  1. Commitment of the management
  2. Knowledge  of the Organizational manpower
  3. Controls for implementation
  4. Review mechanism for improvement
  5. Redressal mechanism for grievances for the Data Principals

On the vertical coordinates, the assessment on each of these principals is assessed on the scale of E to A from the bottom.

To reduce the DTS Score for a single parameter, a weightage of the evaluation on this 5×5 grid would be adopted. The weightage can be equal (20%) for all five domains and the vertical scale moving from 0-20, 21-40, 41-60, 61-80,and 81-100.

In due course, a view would be taken on whether the domain weightage can be changed from an equal 0.2 for each domain to a differential rating where say Commitment could be 25%, Knowledge could be 15%, Controls could be 30%, Review would be 10% and redressal 20% etc.

In the beginning years, weightage has to be more on Commitment and Knowledge. In later years Commitment would be a hygiene factor, Knowledge would be high. Controls need to be modified from time to time because technology would change and hence greater attention would be required. Review would be a managerial discretion supported by the mandatory requirements and hence would also be a hygiene factor. Redressal will be the distinguishing factor between organizations which would be protecting data because of regulatory compulsion vs its own belief systems and hence may require to have a high weightage along with Controls.

The Second level weightage would depend on the trend of the score whether it is improving or declining or is being maintained.

A typical representation of how the assessment may look for two different organizations is shown in the accompanying picture above.

Certified Data Auditor

The suggested system above will be part of the “Certified Data Auditor” training that Cyber Law College would be undertaking in the coming days.

Comments are invited from the readers on the above concept.

I urge entities like the Foundation of Data Protection Professionals of India (FDPPI) to take this idea further and develop.

Naavi

P.S:  The word “Hygiene”has been used here as some thing which would become a mandatory need which has low positive value if it is there but will have negative value if it is not there. It is a term used in the motivational theory of Professor Herzberg.

Some additional clarifications based on comments received have been posted as a follow up.

2nd January 2019

 

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , | 3 Comments

Shreya Singhal back again!

The last time Ms Sherya Singhal approached the honourable Supreme Court with a PIL to squash Section 66A of ITA 2000/8, she was successful. The Supreme Court obliged her petition and scrapped Section 66A of the Act.

In the process, she exposed the vulnerabilities of the Court in its inability to understand certain aspects of technology particularly when the Attorney General was also not interested in making a fair argument.

It was interesting that the then CJI himself commented at the time of the admission of the case “We were wondering why no body had challenged this so far”, indicating that the Court had pre-determined to a certain extent on what to do.

She also exposed the vulnerability of the system that if a Police Constable makes a wrong interpretation of law, instead of challenging his mistake, the law itself may be removed. The only requirement was to some how link the mistake to Fundamental Rights in the Constitution so that the highest court of the land starts seeing the issue with blinkered vision.

Just to clarify, Section 66A addressed the harmful effect of an electronic message sent through a communication device (Say an E Mail or SMS or even the WhatsApp Message) which could cause annoyance to the recipient. But the Court got convinced that any “Publishing” such as Face Book, Twitter or even a website also came within the purview of the Section though ITA 2000/8 had provided different sections such as Sections 67/67A/67B to address the adverse effects of “Publishing” of obscene information and left out the Defamation issues through electronic documents to be handled by IPC.

The Police in Palghar Facebook case as well as other instances such as Karti Chidambaram’s Twitter related complaint and some cartoonist’s cases involving websites, had booked the FIRs under Section 66A by mistake and this mistaken inclusion of Section 66A became the reason for the litigation that Section 66A violated the Constitutional right of Freedom of speech which reached all the way to the Supreme Court .

In a bid to exhibit its commitment to “Freedom of Expression”, the Court  interpreted the provisions of the section as causing a “Chilling Effect” and struck it down. The Court refused to read down the section and insisted that the section has to be removed though a large part of the section also addressed spamming, phishing, cyber bullying and cyber stalking.

Though later other benches of the same Court agreed that Section 66A should be re-introduced with changes, the Government did not make the move since it did not like to open up another debate on curbing of freedom of expression.

In the bargain, “Freedom to Abuse” became “Freedom of Expression”. This will in my opinion remain as one of the dark moments of Cyber Jurisprudence in India.

Now it is reported that Ms Shreya Singhal is likely to approach the Supreme Court this time with an objection to the recent Section 69 related order of the MHA and the Amendments to the Intermediary rules under Section 79.

Refer report here

It would be interesting to note that already two PILs have already been filed on the MHA order and this will be the third PIL. Considering that the last Section 66A Case started with the bench remarking that “We were waiting…” the comments that will come up now at the time of admission are worth watching.

Naavi

Refer Earlier Articles

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify violation..new intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

P.S: The last date for submission of comments extended upto 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted upto 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

Cyber Patrolling is the need of the hour

In the midst of the debate on Privacy as a fundamental Right, the Aadhaar usage by Private Sector etc., the MHA order on Section 69 of ITA 2000/8 designating 10 agencies as accredited agencies which the Competent authority may use for its requirement if any has raised a serious debate on the role of Law Enforcement in India.

We expect Police, the CBI and NIA etc to protect us from petty crimes to terrorist activities. We also expect our defense forces to protect us even in internal security such as in Kashmir.  As Citizens we say that we pay taxes and it is the duty of the Government to protect us. We donot hesitate to take the Police apart for their inability to solve Cyber Crimes as well as other crimes.

But have we ever wondered if we the people of India are also responsible for the inefficiency of our law enforcement also because we have an indequate understanding of the concept of Human Rights and the Constitution of India and mis-apply them frequently to tie up the efficiency of our law enforcement?

After the recent Terror module busting in Delhi, it is time for all of us to take a sincere hard look at what we are doing and take a New Year Resolution that “Cyber Security is our Paramount Fundamental Right” as a citizen of India.

Imagine the shock and damage that was caused when there were 13 explosions on March 12, 1993 or when hundreds were trapped, killed mercilessly on 26th November 2008 in 8 attacks resulting in death of atleast 166 people besides the terrorists themselves.  Now if more than 100 mobile phones were recovered with many pipe bombs, at least one rocket launcher, many suicide vests etc in Delhi just before the next Republic Day, we shudder to think what might have happened if NIA had not been able to stop this major act of war against the country.

We are yet not sure if this was the only module that was preparing for the attack now or there were any others who may either go underground now or even attempt their own attack. We therefore cannot relax our vigil.

With most of our opposition political parties being sympathetic to the terrorists because all of them want to eliminate the Modi threat to their political existence, the terrorism in India will continue for some more time and will peak during the next election time. Had this terror act succeeded, these same political parties would have shouted that Modi is inefficient and should resign etc.

Considering that some of the political parties earlier conspired with terrorists like Ishrat Jahan to assassinate Mr Modi in Gujarat and cried when the Batla encounter took place, went to Pakistan and sought help for winning election against Mr Modi and kill him if possible, there is a common sense need for the intelligence agencies to monitor every activity of these politicians. If it is not being done, I would consider that the NIA is not doing its duty properly.

The problem with “We the People” is that we donot want the military to shoot down the Stone Pelters in Kashmir nor empower our intelligence agencies to monitor criminal activities. We donot mind rushing to Supreme Court for every administrative order of the Government even remotely connected with the word “Monitor”.

Even the Supreme Court has shown it can be naive enough to consider that an organization like UIDAI trying to scan published media reports by floating a tender is actually indulging in “Snooping”.  Some of our senior advocates who are interested in destabilizing Governance in the country are intelligent enough to convince the Supreme Court to wrongly interpret media report scanning as “Snooping”. Because all of us respect the Supreme Court and donot want to point out its mistakes, errors of judgement continue to happen.

Even now, after the MHA issued a routine order on Section 69 of ITA 2000/8, a PIL has been lodged in the Supreme Court against the order. It is likely that the honourable Supreme Court will spend hours on discussing this proposal and arguments will be made that Mr Modi is an “Insecure dictator” and there is an “Undeclared emergency” etc. Whatever may be the final decision of the Court, the media will pick up these arguments and stray questions raised by judges during the trial and project as if the Supreme Court has agreed with the petitioners. The lie peddlers in the political dispensation will then keep repeating it hundred times and try to create a perception of a “Police State” being present in India all for winning the next elections so that the corruption can reign in the country once again.

Whatever else may happen or not, the law enforcement  would be so demoralized that they would start hesitating to continue their routine policing duties.

In the Physical world, “Patrolling” is part of the law enforcement. We want our police to beat the streets and if they find any suspicious movements, stop and question people. Except that we want then to be polite, we are not opposed to this night patrolling. We want Police to ensure that searches are conducted for Narcotics or other illegal activities whenever there is a reasonable suspicion even if this means questioning a seemingly innocent person.

But when it comes to watching for suspicious movements in Cyber Space, suddenly we raise bogies of “Privacy” and try to prevent any reasonable monitoring activities.

This is not to support a blanket surveillance of citizens though in exceptional circumstances like Kashmir, even this is justified. We must appreciate that Sri Lanka was able to eliminate the LTTE only because they had a strict approach to security which is absent in India. We need to learn lessons from the Sri Lankan experience and ensure that the Urban Naxalites and Terror sympathizers who keep debating in TV are mercilessly stopped from spreading lies. Many of these debates are promoting terrorism and sedition and it is not enough if we take action against one Zakir Naik but the many Zakir naik clones who appear daily on our TV debates.

If Cyber Patrolling is a necessity, then patrolling the e-mail communications, the Messaging etc becomes inevitable.

We must understand that there needs to be an empowerment for such patrolling which is what Section 69 of ITA 2000/8 does. The recent MHA order restricts the use of powers conferred under Section 69 to the competent authority to only 10 agencies with several safeguards to ensure that there is accountability. If any of the law enforcement agencies donot follow the safeguards there is provision to punish them also.

It is completely unacceptable that the MHA order is being interpreted as the agencies being asked to start monitoring from tomorrow every computer in the country. This is not intended and even these agencies must appreciate that their powers only flow through a written order from the competent authority and not otherwise.

We may need to re-iterate these limitations but other than such re-iteration, there is no reason to panic and create fear that every citizen will be monitored and black mailed into voting for the ruling party during the next elections.

Now that the PIL will be before the Supreme Court and the Supreme Court is aware of the kind of terrorist threats that emerge from our general population, I expect that the Court will not interfere in curtailing the powers of the law enforcement by passing any adverse remark on the MHA order. If this happens, we must regret that even the Supreme Court has lost its sense of balance between “Rights of Citizens” and “Duties of the Law Enforcement”.

I firmly believe that “Right to Security” both in physical space and Cyber space is also “Right to Liberty and Right to peaceful living” and hence it cannot be subordinated to the false sense of Privacy.

The honourable Supreme Court need to realize this and also firmly assert it in its rejection of the petition against the MHA order.

We the People of India therefore urge the honorable Supreme Court to dismiss the PIL of Advocate M L Sharma questioning the MHA order even at the stage of its admission.

Our constitution does not say that we have to provide Right to Privacy over dead bodies. If we have the Right to Privacy it is only because we are alive and secure. Hence Security supersedes other so called fundamental rights when there is a conflict. In trying to strike a balance, the Court cannot interpret that Right to Privacy of suspected criminals is to be kept over and above the right to security of we the people.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , , | Leave a comment

Busted Terror Module busts the Snooping Argument

With the NIA unearthing what appears to be one of the biggest terror plots which could have hit the country on January 26th, it appears that the arguments against the right of the Government to carry on Cyber Patrolling duties should fizzle out.

To bust such a module one can visualize that a vigilance had been mounted for a long time on social media such as WhatsApp and Telegram besides e-mail, mobile and other CCTV footage etc.

Hopefully the opposition to Section 69 and the MHA notification will now be relegated to the background.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

New Intermediary Guidelines… Legitimate and Well within the rights of the Government

[This is in continuation of the Previous Article]

Some times “Experts” also go wrong. Particularly when they look at every Government notification with the colored glasses borrowed from the Political opponents. Today’s Economic Times highlights  “Plan to tweak IT rules may widen rift between govt, social media companies” and quotes many experts to support the headline. The ET Bureau credits the article to two journalists Surabhi Agarwal, Megha Mandavia but makes extensive quotes from several experts to say that the recent draft Guidelines under Section 79 released for public comments by  MEITY will widen the rift between the Social Media Companies and the Government.

Probably, it is not the Social Media Companies themselves but the Indian media which is painting a scary picture whenever the Government wants to do something good for the society. The media has not come to terms with the Modi Government which unlike the non performing Government of UPA is rolling out one decision after another in quick succession unnerving the political opponents and the media which supports them for their own vested interests.

The same media cried from the roof tops that the draft bill on Personal Data Protection which advocated “Data Localization” will have negative effect on the industry. But today we find that Ctrls plans to invest Rs 2000 crores in new Tier-4 Data Centers in Hyderabad, Chennai and Mumbai, to expand their current infrastructure. Even Microsoft and  Amazon are reportedly expanding their data center infrastructure in India. The Market based industry will therefore look at the economic benefits and adapt to the changing requirements though some journalists in India keep raising their voices against such developmental measures to nurture their own constituencies.

The WhatsApp and other social media companies will also adapt to the changing needs since they realize that Modi Government does not budge for such arm twisting tactics executed through the pliant media. The conclusion drawn by ET therefore is not correct. We soon will have  WhatsApp India, FaceBook India and Twitter India to start operating from locations within the country not only subjecting themselves to the Indian laws but also creating new employment and business opportunities in the eco system. There will be some negotiations between the Government and these companies not only on the regulations but also on taxation and other matters and these are business negotiations that happen all the time between MNC s and the local Government. Despite the strict  “Local Partnership only” policies of the Gulf countries, most international companies have set up shop there. Similarly, the foreign Social media owners will also find a way to operate in India. Hence there will be “No Rift” and even if it arises, it is the right of our Government to do what is good for our citizens and it should not yield to the media pressure.

There will be the community of politician advocates who raise the bogey of “Constitution” and try to make the Supreme Court dictate terms with the Governance of the day. But I think the Court will refuse to be made a pawn in the hands of the politicians working for building their 2019 election campaigns through the Supreme Court.

What Experts Say and Why they are wrong

In many instances, experts are misquoted by journalists who publish quotes in parts and out of context to derive their own meanings. Hence all the quotes attributed to the experts in the article may not be true. However, for the sake of clarity to the public we need to comment on these attributed quotes and record our views.

Quote 1: removing content within 24 hours for reasons such as maintaining public order or defamation may be deemed as infringing upon freedom of expression and invite legal scrutiny.

Comment: This comment refers to rule 8 (proposed) which states as follows.

The intermediary upon receiving actual knowledge in the form of a court order, or on being notified by the appropriate Government or its agency under section 79(3)(b) of Act shall remove or disable access to that unlawful acts relatable to Article 19(2) of the Constitution of India such as

in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, on its computer resource without vitiating the evidence in any manner,

as far as possible immediately, but in no case later than twenty-four hours in accordance with sub-rule (6) of Rule 3.

Further the intermediary shall preserve such information and associated records for at least ninety days one hundred and eighty days for investigation purposes, or for such longer period as may be required by the court or by government agencies who are lawfully authorised.

It is clear from the above that the removal of content only arises when it is lawful and in tune with the constitutional rights. Hence there is no infringement of the freedom of speech. Legal scrutiny is possible because celebrity advocates may move the Court and the Court may be obliged to admit the petitions. But it is unlikely that an honest Court will interfere in such routine rules. Such interference itself will be unconstitutional.

Quote 2: “There is vagueness of rules. They (meaning tech companies including cab aggregators, e-commerce companies, hotel aggregators etc)  don’t know whether they  are supposed to help intercept or provide a backdoor…”

Law remains vague as long as tech companies fail to either understand themselves or consult an appropriate person for clarification. Law Can never be a “Check list” which a clerk can tick boxes as some tech companies desire.

Vagueness therefore is inherent in any law and it is the responsibility of the judiciary to clarify when required.

(In fact, we may recall that Justice Chelmeshwar in his part of the judgement on Privacy went along to say that even what is written or not written in the Constitution is not sacrosanct and the Court has a right to read words and meanings into the law. I admit that I disagree with this view and also hold the Court inconsistent since the same Judges refused to read down Section 66A and went about scrapping it. But his words are a judge’s view on the sanctity of the written law).

Quote 3: Rule 9,  mandates companies to “deploy technology based automated tools” for removing “access to unlawful information or content,” ….”it may be against the Constitution”

Comment: I recall the landmark Yahoo Nazi Memorabalia case in which the French Court ruled that Yahoo shall block French web users from its auction sites which sell Nazi memorabilia using appropriate technical measures failing which they have to pay a daily fine of 100,000 francs.

During the trial, Yahoo!’s lawyers argued that blocking the site from French web surfers would be technically impossible. “The internet has no borders, and there is no effective means of preventing its users from travelling where they like”…they said.

In  its ruling, the Paris court said that it is technically possible for Yahoo! France, the company’s local subsidiary, to block at least 90% of French users from the sites in question and ordered Yahoo! to find ways to block French users from its Nazi auction sites.

The arguments that there is technical difficulty and we would not do what the Indian law makers desire is a rogue response which should be politely brushed aside.

Quote 3: WhatsApp can  refuse to build technology that will trace messages, leading to a “prolonged tussle” with the government.

Comment: The requirement of the Government under Section 79 to track “Fake News” as a crime after its detection is only for tracing the origin of the message and hence may not need decryption. The decryption would be to prevent offensive messages being circulated, which is under Section 69 of ITA 2000. In the end-to-end encryption originating from the user’s device there is some apparent logic to the argument that WhatsApp may not be able to decrypt.

However, since the encryption algorithm is provided by WhatsApp and it has all the details of the user’s mobile at the time of installation, it is difficult to believe that it cannot recreate the decryption key or is already not storing a copy of the decryption key under its control or cannot do so if it wishes to do.

I therefore donot buy the argument that it is not possible to decrypt the message though I reiterate that the Government has not so far put up this demand as a blanket requirement. Under Section 69, it is only when the competent authority has reasons to ask for the information that the power would be exercised.

I presume that WhatsApp is already under amicable discussion with the Government. On the other hand the problem could be more with Google which has been hiding the e-mail sender’s IP address under the false impression that it is required for the protection of privacy and refusing the information even when the recipient of the message himself is demanding the information. This is an example of deliberate attempt not to cooperate with the law enforcement authorities which has forced the Government of legal measures to drag the foreign companies into the Indian jurisdiction.

In summary I welcome the Government move and agree with some of the experts who have stated that this could result in better tax compliance by the international agencies. There is in my opinion no legal hassle and it is extremely unlikely that the Supreme Court will even admit a petition to block the Government notification if it is finalized on the terms now indicated.

Naavi

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify violation..new intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

P.S: The last date for submission of comments extended upto 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted upto 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , | 2 Comments

Proactive technology tools to identify violation..new intermediary rules

[This is in continuation of the previous article on the topic]

Continuing our discussion on the new Intermediary guideline, one other aspect that is attracting attention in the media is the proposed Rule no 9 which states as follows:

“The Intermediary shall deploy technology based automated tools or appropriate
mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content”

“Identification” is often discussed in the WhatsApp context as the “Origin” of a message. One of the main concerns of the society in recent days have been the “Forwarding” of messages through the social media leading to fake news generation and incitement of unrest in the society.

The Government has therefore been insisting that messages should be hashed and WhatsApp has to maintain a hash tag with every message.

However, what is of relevance is only the identity of the sender since hash can easily be changed with just an addition of a comma or space.

In the WhatsApp scenario the identity is always linked to the mobile and therefore unless the Mobile Service Provider has not failed in the KYC, identity of the sender is available for the investigating agencies. Whats App also works in “Groups” and hence forwarding from one group to another occurs through the WhatsApp server which knows the identity of both groups and therefore the members of both groups. Hence it is not difficult to tag the messages going into and out of the WhatsApp server with an identity information in a header to be created (outside the boundary of the encrypted message) that can also distinguish between a message sent by a member to other members of the same group and a message sent from one group to another. The header is relevant in inter-group transfers and WhatsApp can enable the header view in its menu such as “Message Info”.

Intermediaries like Google actually try to hide the identity information through a “Proxy” and by interfering in the identification of the message delivery system fail the test of “Intermediary” as discussed in our first article of this series. Gmail is therefore liable for Reasonable Security Practice under Section 43A and cannot claim exemption under Section 79 under the “Due Diligence” clause.

WhatsApp on the other hand does not hide the sender’s identity though many of the users create a profile name and picture which could be misleading. But their mobile number is still available for scrutiny and the Admin is supposed to know the users. It would be better if WhatsApp disables “Join through a Link” and restrict membership of a group only through an invitation from the admin.

While designing the automatic tools, the intermediaries may also as part of the due diligence, introduce measures to identify spoofing by comparing the identity of the sending  device with the name as displayed and as resolved from its IP address. This is routinely done in the E Mail scenario and there is no reason why this should not be extended to other cases. It would be the responsibility of each ISP to check the identity of the previous ISP with the IP address as is visible and resolved.

Another aspect that has frequently pointed out the negligence of the intermediaries is in not naming the “Grievance Officer”.  At least now, we hope the intermediaries will start this practice.

To summarize, except for the “Need to have a local subsidiary” there is no other major change between the previous version of the guideline and this. There are clarifications which were relevant and some mandates which were anyway part of the interpretation of the due diligence.

We suppose that the intermediaries co-operate with the Government in implementing the guidelines since Intermediaries are the key to Cyber Crime prevention and cannot be allowed to be tools of commission of Cyber Crimes.

(Comments are welcome)

Naavi

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify violation..new intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

P.S: The last date for submission of comments extended upto 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted upto 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , | 1 Comment