Google is the best teacher in the Digital World. But is it forgetting its basic reason for existence?

On the occasion of the “Teacher’s Day” today, it is appropriate to spare a few thoughts on the role of “Teaching” in the Digital Era.

“Teaching” essentially involves “Knowledge Transfer”, and it may happen either within the four walls of what we call a “School” or “College” or through any other interaction. Today the web is naturally one of the greatest media of “Knowledge Transfer”, with “Google” as one of its most prominent tools.

In order to retain its status as a respected teacher, being the “Most Accessed Search Engine”, Google needs to ensure that its revenue objectives do not cloud its performance.

Advertising as a Diversion

One of the areas where Google’s weakness comes through is its “Advertising policies on the Search results”. The advertisements placed at the top of the search page are easily mistaken for results and mislead search engine users.

For example, if I do a “Full Site Search” from the Google tool on Naavi.org with the keyword “OPPO”, the top results are all advertisements from OPPO, whereas my specific article on “Oppo taking over Police Stations in India” does not come up, though it does come up in the other search engine I use on the website.

“Google Site Search” therefore misleads visitors to the site with wrong results and fails as an honest “Teacher”.

I have in the past even pointed out many ads from Google’s ad server which are linked to pornographic websites (mostly on mobile), showing again a failure to filter such ads. “Poisoned Search Results” were once a very prominent means of spreading viruses, though this has been controlled significantly at present.

Though the Search Engine is making efforts to improve its performance, and perhaps is still the best search engine by a large margin, just as a “Teacher” never stops learning and improving, Google should continue to improve its performance by not letting its revenue objectives cloud it.

Having worked in the Advertising industry myself, I am not against Google generating revenue out of advertisements but there is a difference between presenting advertisements in the side columns or even on the top with a distinctive format rather than making it look like an “Advertorial”.

I hope this “Ethics” of advertising is not forgotten by Google in the days to come…. so that we can salute Google as one of the best Teachers of the Netizens on the Teacher’s day.

Naavi.org as a Teacher

While reflecting on the activities of naavi.org, it seems that Naavi.org has been critical of many organizations, both in the private sector and the public sector, on specific occasions. On all such occasions, it is essential for visitors to remember that we may be trying to make a particular point, though sometimes we may not be efficient in putting things across diplomatically. Sometimes the titles could be deliberately made provocative, taking the liberty of journalistic freedom. I hope those who feel hurt will look at things in the right perspective and excuse me if I have made any mistake.

One of the principles I have tried to maintain in such cases is to provide an opportunity to the organization criticized to use the same platform to post a counter. In fact way back in December 2001, this principle was espoused as a recommended strategy to counter rogue sites such as dalitstan.org. The principle also applies to other sites including naavi.org.

This suggestion may go counter to “Right to Erase” but needs to be examined by others in greater detail when we see complaints about mouthshut.com or glassdoor.com.

Similarly Naavi.org has been advocating “Regulated Anonymity” as a solution to resolving the fight between Privacy and Security which is counter to the principle of “Anonymity” which is so dear to many.

Naavi.org as a teacher therefore has several contrarian views to express and has always invited visitors to respond, even with counter views if any. Though in many cases we have invited responses from different Government agencies (a search with the keyword “respond” indicates the innumerable such occasions), most of the Government agencies prefer to remain silent in the wake of criticism. The private sector either remains silent or sometimes shoots out a notice, but very few take criticism positively.

Just as old teachers sometimes say… “I scolded you when you were a student, and see what a good citizen you have now become”… perhaps in times to come some of the organizations which we have criticized may acknowledge that the criticisms were well meant. It could be in the case of Bitcoins or Cyber Insurance or Bank frauds or Police mistakes or even mistakes by the Judiciary. Maybe the content of this site will be available for back reference to check if this reflection comes true.

Such acknowledgements will bring true satisfaction to any teacher and also to Naavi.org and would be the compensation for all the efforts we are making today.

Regards to Dr S. Radhakrishnan for having enabled us to reflect on our “Teaching activities of the year”…

Naavi


Posted in Cyber Law

Oppo taking over Police Stations in Karnataka

In continuation of our earlier discussions I am posting here some photographs :

As we can observe, all Police stations in Ramanagara sport the OPPO brand so prominently that it appears that the Police Station belongs to OPPO. In the case of the Women’s Police Station, even the word “Ramanagara” is absent.

We can also observe that in the case of the Town police station, there is also an earlier Airtel sponsored board which at least relatively shows more prominence to the Police Station.

There is no doubt that any marketing manager would be happy to have their brand displayed so prominently across different police stations, which creates a hugely positive impression in the minds of people who also see the OPPO brand name across many of the mobile shops in Ramanagara. Even simple hoardings in prominent places in Ramanagara, at least on the highway, should cost lakhs of rupees per year. The association with the Police is completely misleading, as if OPPO belongs to the Government.

This is plain cheating and not marketing.

Obviously the decision has been taken by somebody who either does not understand marketing or has been suitably impressed by the marketing manager of OPPO.

When people are fighting against Chinese military aggression and dumping of its products, this OPPO invasion is unacceptable.

I wish suitable action is taken to remove all sponsor names in the Police Station name boards including Airtel boards which are also found in Bangalore.

I urge the High Court of Karnataka to suo moto take up the issue and take action or some PIL advocate take up the cause.

Naavi


Posted in Cyber Law

Oppo Police Stations come up in Karnataka.. Have we outsourced our security to a Chinese Company?

Yesterday, while travelling from Mysore to Bangalore, I was surprised to see “OPPO Police Station” in Ramanagara on the highway. For a moment, I was confused whether China has taken over India and Oppo has been given charge of internal security!

May be Karnataka Home Minister and DGP can explain.

Some time back, in Bangalore, we saw Police Station name boards in the name of Airtel. But to see name boards in the name of a Chinese company indicates that our administrators have not considered the impact of such blind acceptance of commercial sponsorship of even sensitive matters such as internal security in India.

If this trend continues, we need not be surprised if Police uniforms carry Oppo or Vivo brands just like our Cricketers. May be even our Ministers may paint Huawei on their cars.

This trend must stop and stop immediately.

Acceptance of a foreign commercial organization’s money as sponsorship for routine maintenance of the administrative machinery of the Government is another form of “Corruption”. If the Police are obliged to companies even for putting up their name boards, then how will they take up a complaint lodged against these companies by any citizen of India?

It is necessary that all Government agencies follow a principle whereby corporate sponsorship does not compromise the constitutional obligations of the Government agencies.

On the other hand, if these companies want to sponsor some event such as educating the masses on Cyber crime issues etc., it should be fine. But in such cases also, the public should be promptly notified that

“This event is commercially sponsored by ……. Government undertakes not to compromise its principles in favour of the sponsors by virtue of this sponsorship”.

In the meantime, I urge my friends in the media to file an RTI and find out what consideration OPPO has paid, as rent per day, to host a board “OPPO POLICE STATION” on the Bangalore Mysore highway, what the normal market value of a hoarding in the same area is, and arrive at the opportunity loss suffered by the Government.

If OPPO has simply spent a few thousand rupees to get the Board organized, I would like to replace the board with “Naavi Police Station” and donate a board twice the size of the current board.

At least the “Naavi” brand is associated with fighting Cyber Crimes, unlike OPPO, which, as a Chinese company, is suspected of possibly having a back door in its software.

Will the Government of Karnataka clarify? Will the Media question the prudence of whoever took this bizarre decision?

Naavi

Posted in Cyber Law

Does SBI Cards pose a special risk for customers because of Incompetence and possible collusion?

We have been discussing the “Limited Liability” Circular of RBI, which was first issued in draft form on August 11, 2016 and confirmed on July 6, 2017.

However, recently, when one of the customers of SBI Cards from Chennai (a respectable employee of an MNC software company), who had lost money in a fraudulent credit card transaction, requested them to redress his grievance under the provisions of this circular, SBI Card replied to him that they are not aware of the existence of such a circular.

In an email reply from ceo@sbicard.com dated 1st September 2017, signed by one Jaspreet Kaur, SBI Card replied:

“…we are not in receipt of any communication from RBI regarding limited liability clause. “

The Bank has provided the IP addresses from which the fraudulent transactions were made, which indicate transactions somewhere in Jharkhand, while the customer is in Chennai.

This indicates that the SBI Card authentication system has not implemented “Adaptive Authentication” (risk-based checks that flag an unusual transaction, such as one originating far from the card holder’s usual location, for additional verification before it is approved), as is required under various cyber security guidelines issued by RBI from time to time.
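As an added illustration (this is not code from Naavi.org or from SBI Cards, whose systems are not public), the following Python shows the kind of risk-based check that “Adaptive Authentication” refers to: a transaction whose originating IP geolocates far from the card holder’s usual city, or that implies impossible travel since the previous transaction, is routed to step-up verification or declined instead of being silently approved. The IP ranges, coordinates, thresholds and transactions are all constructed for the example; the “Chennai card holder, Jharkhand IP” scenario mirrors the case in the post.

```python
"""Risk-based ("adaptive") authentication check for card transactions.

Added illustration: flags a transaction for step-up verification when the
originating IP geolocates far from the card holder's usual location, or
implies impossible travel since the previous transaction. The IP ranges,
coordinates and transactions are constructed and hypothetical.
"""
import math
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed IP-to-location table (documentation ranges, not real allocations).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "Chennai", 13.0827, 80.2707),
    (ip_network("198.51.100.0/24"), "Ranchi", 23.3441, 85.3096),
    (ip_network("192.0.2.0/24"), "Bengaluru", 12.9716, 77.5946),
]
HOME = ("Chennai", 13.0827, 80.2707)  # card holder's usual location (constructed)
MAX_KM_FROM_HOME = 500.0  # farther than this from HOME counts as unusual
MAX_SPEED_KMH = 900.0     # implied speed above this between two transactions is impossible travel


@dataclass
class Txn:
    ip: str
    amount: float
    ts: datetime


def geolocate(ip: str):
    """Return (city, lat, lon) for an IP, or None if it is not in the table."""
    addr = ip_address(ip)
    for net, city, lat, lon in GEO_TABLE:
        if addr in net:
            return city, lat, lon
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(txn: Txn, prev: Txn = None):
    """Return (decision, reasons) where decision is approve, step_up or decline."""
    reasons = []
    loc = geolocate(txn.ip)
    if loc is None:
        return "step_up", ["originating IP has no known geolocation"]
    city, lat, lon = loc
    d_home = haversine_km(HOME[1], HOME[2], lat, lon)
    if d_home > MAX_KM_FROM_HOME:
        reasons.append(f"{d_home:.0f} km from usual location ({city})")
    if prev is not None:
        ploc = geolocate(prev.ip)
        if ploc is not None:
            d_prev = haversine_km(ploc[1], ploc[2], lat, lon)
            hours = (txn.ts - prev.ts).total_seconds() / 3600
            if d_prev > 0 and (hours <= 0 or d_prev / hours > MAX_SPEED_KMH):
                reasons.append(f"{d_prev:.0f} km in {hours:.2f} h since previous transaction")
    if len(reasons) >= 2:
        return "decline", reasons
    return ("step_up" if reasons else "approve"), reasons


def demo() -> dict:
    """Constructed scenario: Chennai card holder, then a transaction from a Jharkhand IP."""
    t_chennai = Txn("203.0.113.10", 1500.0, datetime(2017, 8, 30, 10, 0))
    t_ranchi = Txn("198.51.100.7", 25000.0, datetime(2017, 8, 30, 10, 30))
    t_blr = Txn("192.0.2.44", 900.0, datetime(2017, 8, 30, 10, 10))
    t_unknown = Txn("10.0.0.5", 100.0, datetime(2017, 8, 30, 11, 0))
    return {
        "home_city": assess(t_chennai)[0],                     # approve
        "far_from_home": assess(t_ranchi)[0],                  # step_up
        "far_and_impossible": assess(t_ranchi, t_chennai)[0],  # decline
        "nearby_city": assess(t_blr)[0],                       # approve
        "nearby_but_too_fast": assess(t_blr, t_chennai)[0],    # step_up
        "unknown_geo": assess(t_unknown)[0],                   # step_up
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the example is the decision, not the arithmetic: a card issuer that has the IP address at authorization time (as SBI Card evidently did, since it later supplied the addresses) already holds the signal needed to demand an OTP or decline before the money leaves, rather than reconstructing the geography after the fraud.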

Obviously, if Jaspreet Kaur does not know even the important Limited Liability circular, we may presume that she is not only ignorant of it but also incapable of understanding what “Adaptive Authentication” is.

Employing such inefficient persons with the authority to reply from the e-mail ID “Ceo@sbicard.com” indicates the complete lack of competence of SBI Cards to handle the responsibility of credit cards.

We are also surprised that, this being a credit card transaction in which a payment has been made to a merchant, a “Charge Back” option has not been exercised by SBI Cards.

The concerned merchant is the beneficiary of a fraudulent transaction and is therefore part of a “Money Laundering” exercise. Hence SBI Card should not have hesitated to allow a charge back immediately.

SBI Cards should make a public statement on whether the card holder, who is also a customer of the Bank, is not as important as the merchant, who may also be a customer of either SBI itself or some other Bank.

If SBI/SBI Cards was aware of the Limited Liability circular, they should have introduced a grievance redressal mechanism as well as indicated a policy for determination of liabilities under various conditions. No such policy has so far been published by SBI, even two months after the circular was issued.

The casual handling of the complaint by Ms Jaspreet Kaur indicates the possibility of her being an accomplice in the fraud.

I wish the Police in Chennai would register a case against SBI Card as an organization and Ms Jaspreet Kaur as an individual who, by her “negligence” and “attempt to shield a fraudster”, has become an accomplice to the fraudulent transaction.

I also do not think that Ms Jaspreet Kaur could be the CEO of SBI Card. If she is not the designated CEO of SBI Cards, her using the e-mail CEO@SBIcards.com is an attempt to cheat the customer by misrepresentation and possibly unauthorized use of a senior executive’s e-mail ID, which are offences under Sections 66C and 66D of ITA 2008. These are cognizable offences and the Chennai police should make use of these provisions in pursuing the complaint.

I call upon the Chairman of SBI to also initiate an internal enquiry on the complaint and ensure that customer complaints are handled with more responsibility.

I also request RBI to pull up SBI for not ensuring that its executives are properly informed about the RBI Circular and, if no satisfactory explanation is available, to suspend the Credit Card license of SBI Cards.

I am looking forward to immediate response from some responsible person in SBI and request him to redress the grievance of this customer. (Ref: Interaction ID : 123634897427)

It is a general observation that a large number of frauds happen in the credit card system of SBI Cards, much more than in other Banks. The reason is apparently that SBI Cards is being managed by incompetent persons who may be hand in glove with the fraudsters. There is a need for an in-depth enquiry by the CBI into the functioning of SBI Cards so that customers are not subjected to an “SBI Risk”.

Naavi

Posted in Cyber Law

IAPP KNet Session at Bangalore: Aadhaar and Privacy

IAPP had organized a half day session at IIIT Bangalore in which the Privacy issues surrounding Aadhaar were discussed in the light of the recent Supreme Court judgement. A summary of the thoughts shared by the undersigned in the meet is reproduced here.

The reference to the Nine member Bench of the Supreme Court was made during the discussion in the smaller bench on the Constitutional validity of Aadhaar, in which one point brought out by the Government was that Privacy is not a fundamental right. Sensing the danger of the argument being held valid on account of two earlier judgments of the Supreme Court, namely the M.P. Sharma and Kharak Singh judgments, one of which was from an 8 member bench, the CJI quickly set up the Nine member bench, which in double quick time came up with its massive judgement and cleared the path for the smaller bench to proceed with the Aadhaar hearing under the specific consideration that Privacy is a Fundamental right.

Once this issue is settled, the Government will have to justify the Aadhaar Act under one of the “Reasonable Restriction” clauses under Article 19(2).

In this context, the issues before us are to understand

a) Does Aadhaar per se violate Privacy?

b) Does mandating Aadhaar for social benefits violate Privacy?

c) Does linking Aadhaar to PAN violate Privacy?

d) Does leaking of Aadhaar data through the e-Hospital app violate Privacy?

e) Does leaking of Aadhaar data through a biometric device violate Privacy?

f) Once a biometric is compromised, is there a way to put the clock back?

We must recognize that Aadhaar was perceived as a database of demographic and biometric data linked to a random number. This number was supposed to be held confidential by the owner and presented with his biometric to those agencies which needed to verify any particular parameter associated with the Aadhaar, such as the name, address, father’s name, date of birth etc. The query was supposed to be always answered with a binary Yes or No, and Aadhaar data was not supposed to travel on the internet.

However, in its implementation, Aadhaar is now used as an ID card, and any authorized person who seeks information is allowed to download the entire Aadhaar information onto his systems, where the data resides along with the Aadhaar number. The query is answered not only with the biometric but also with an OTP over the registered mobile. There are also authorized APIs that lift the data from the Aadhaar server and populate forms at the user end. The e-Hospital application was one such application, which was at the center of the recent suspected data breach.

Similarly, wherever biometric devices are used, the biometric has to be captured and then transmitted to the Aadhaar server for authentication. Though the transmission is encrypted, it is possible for a copy of the encrypted biometric to be stored at the device end and sent again later. This was detected in one instance where E Mudhra and Axis Bank had sent stored biometrics for authentication and UIDAI had filed a criminal complaint.

Since the devices would be under the control of the intermediaries, even if UIDAI ensures an audit of the devices before it is approved, there is a possibility of them being tampered with subsequently.

The current generation of biometric devices, and the technology adopted for referring the captured biometric to the UIDAI server, do not seem secure enough to prevent storage and re-use of the biometric, and this could be a Privacy threat.
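To illustrate the replay problem described above and one way a verifier can blunt it, here is an added Python example; it is not UIDAI’s protocol or any vendor’s code, and the device key, enrolment record and “biometric” bytes are constructed. The verifier issues a one-time nonce per request, the registered device signs the capture together with that nonce and a timestamp, and the verifier answers only Yes or No, in line with the original design described earlier. A recorded packet replayed later fails, and so does a stored capture re-submitted under a fresh nonce, because the signature covers the nonce. The last case in the demo shows the residual risk the post points to: a tampered device that re-signs a stored template under a fresh nonce is indistinguishable from a live capture.

```python
"""Nonce-bound biometric authentication that answers only Yes or No.

Added illustration of rejecting replay of a captured biometric packet. The
device key, enrolment record and "biometric" bytes are constructed; UIDAI's
actual device registration and encryption schemes are not modelled.
"""
import hashlib
import hmac
import os

FRESHNESS_SECONDS = 60  # how long an issued nonce / capture timestamp stays valid


def auth_message(ref: str, bio_digest: bytes, nonce: bytes, ts: int) -> bytes:
    """Bytes the device signs: identity reference, biometric digest, nonce and time."""
    return b"|".join([ref.encode(), bio_digest, nonce, str(ts).encode()])


class Device:
    """Registered capture device holding a per-device secret key (constructed)."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def capture(self, ref: str, biometric: bytes, nonce: bytes, now: int) -> dict:
        # The signature covers the verifier-issued nonce and a timestamp, so a
        # recorded packet cannot be reused under a different nonce later.
        # (Encrypting the biometric for the verifier is out of scope here.)
        digest = hashlib.sha256(biometric).digest()
        mac = hmac.new(self.key, auth_message(ref, digest, nonce, now), "sha256").digest()
        return {"device_id": self.device_id, "ref": ref, "ts": now,
                "nonce": nonce, "bio_digest": digest, "mac": mac}


class Verifier:
    def __init__(self):
        self.device_keys = {}  # device_id -> key
        self.enrolled = {}     # ref -> digest of enrolled biometric (exact match stands in for fuzzy matching)
        self.issued = {}       # nonce -> expiry time
        self.consumed = set()  # nonces already used, whether or not the match succeeded

    def register_device(self, dev: Device) -> None:
        self.device_keys[dev.device_id] = dev.key

    def enrol(self, ref: str, biometric: bytes) -> None:
        self.enrolled[ref] = hashlib.sha256(biometric).digest()

    def issue_nonce(self, now: int) -> bytes:
        nonce = os.urandom(16)
        self.issued[nonce] = now + FRESHNESS_SECONDS
        return nonce

    def authenticate(self, pkt: dict, now: int) -> bool:
        """Return only True/False; no demographic data leaves the verifier."""
        key = self.device_keys.get(pkt["device_id"])
        if key is None:
            return False                                   # unregistered device
        nonce = pkt["nonce"]
        if nonce not in self.issued or nonce in self.consumed:
            return False                                   # unknown or already-used nonce
        if now > self.issued[nonce] or abs(now - pkt["ts"]) > FRESHNESS_SECONDS:
            return False                                   # stale request
        expected = hmac.new(key, auth_message(pkt["ref"], pkt["bio_digest"], nonce, pkt["ts"]),
                            "sha256").digest()
        if not hmac.compare_digest(expected, pkt["mac"]):
            return False                                   # signature does not cover this nonce/time
        self.consumed.add(nonce)                           # burn the nonce even if matching fails
        enrolled = self.enrolled.get(pkt["ref"])
        return enrolled is not None and hmac.compare_digest(enrolled, pkt["bio_digest"])


def demo() -> dict:
    """Genuine use, two replay attempts, a stale packet and the residual tampered-device case."""
    now = 1_504_000_000  # fixed clock so the demo is reproducible
    v = Verifier()
    dev = Device("DEV-001", os.urandom(32))
    v.register_device(dev)
    finger = b"constructed fingerprint template bytes"
    v.enrol("ref-1234", finger)
    results = {}

    pkt = dev.capture("ref-1234", finger, v.issue_nonce(now), now)
    results["genuine"] = v.authenticate(pkt, now)                       # True
    results["replay_same_packet"] = v.authenticate(pkt, now + 5)        # False: nonce consumed
    # Stored packet re-submitted under a freshly issued nonce and new timestamp
    forged = dict(pkt, nonce=v.issue_nonce(now + 10), ts=now + 10)
    results["replay_new_nonce"] = v.authenticate(forged, now + 10)      # False: MAC covers nonce
    # Valid capture held back past the freshness window
    late = dev.capture("ref-1234", finger, v.issue_nonce(now + 20), now + 20)
    results["stale"] = v.authenticate(late, now + 20 + 3600)            # False: expired
    # Tampered device re-signs a *stored* template under a fresh nonce: not detectable here
    resigned = dev.capture("ref-1234", finger, v.issue_nonce(now + 30), now + 30)
    results["tampered_device_resign"] = v.authenticate(resigned, now + 30)  # True: residual risk
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'Yes' if ok else 'No'}")
```

Nonce binding and freshness defeat the case the post describes, where a packet captured once is sent again; they do nothing against a device whose firmware has been altered after certification to sign stored templates as if they were live, which is exactly why the audit-then-tamper gap mentioned below has to be closed on the device itself.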

Thus in most cases Privacy information leakage occurs at the user end and not at the UIDAI end. Hence what UIDAI needs to ensure is a process by which the user agencies take responsibility for leakage of Aadhaar data.

Currently this is determined by the provisions of ITA 2000/8 under Sections 79 and 43A, along with other provisions.

The issue of Aadhaar and Privacy should therefore be seen in the context of how the Aadhaar intermediaries obtain the consent of the Aadhaar users and whether it satisfies the internationally accepted principles of disclosure, minimal usage, security, limited period of retention etc.

Some of the legal luminaries do consider that “Consent”, being a “Contract”, cannot be used to abrogate “Fundamental Rights”. In view of this, consents need to be carefully drafted to avoid litigation.

Compliance therefore becomes a challenge to the companies who need to use “Data” as the raw material for their business.

If Aadhaar related privacy issues are to be tackled, there is a need to relook at the technology by which the Aadhaar database is accessed by the intermediaries who provide various services using Aadhaar as an ID. Government also should stop treating Aadhaar as an ID card which can be shared at various usage points to be photocopied and used.

If, before the Aadhaar hearing comes up again in the Supreme Court, the Government issues a policy guideline on how the Aadhaar database is to be used, it may strengthen the argument to defend the Aadhaar system. Otherwise there could be a danger of impossible restrictions being imposed by the Court, which may require changes to many of the use cases that are under contemplation.

Naavi


Posted in Cyber Law

CCAI India Privacy Summit 2017 at Bangalore… and Cyber Insurance

A high profile Privacy Summit was organized at Taj West End by CCAI (Corporate Counsel Association of India) along with IAPP, in which several issues of Privacy in the emerging technology environment were discussed.

The undersigned, participating in one of the sessions, presented his views on the relationship between Cyber Security and Cyber Insurance.

A summary of the thoughts presented in this connection is reproduced here:

Cyber Insurance has two parts, namely First Party Coverage and Third Party Coverage.

The first party coverage refers to the costs incurred by the insured after a breach: invoking the DRP/BCP, payment of regulatory fines, cost of audit and assessment of the breach, forensic investigation of the breach, litigation, ransom payments, data breach notification cost etc. These are all costs incurred by the Company for which reimbursement is sought.

The third party coverage refers to the loss suffered by customers (including the public) arising out of the breach at the insured’s facilities. This depends on the claims made by outsiders. Consequent to the recent Privacy judgement, it is expected that litigation in this domain may increase and, as a result, the cost of cyber insurance may also increase.

Cyber Security Risk Management includes four elements, namely Mitigation, Avoidance, Absorption and Transfer (Insurance). While Mitigation is the responsibility of the IS team, Avoidance is a business decision and Absorption is a management decision. Risk Transfer through Cyber Insurance is a decision that all the stakeholders, namely Information Security, Business and Management, should take together.

In many companies, the decision on Cyber Insurance may be taken at the CFO level as a budgetary provision.

Ideally, Cyber Security personnel should be involved both at the time of taking of a Cyber Insurance policy as well as at the time when Claim is preferred.

When a Claim is preferred, the Insurance Company will naturally contest it, saying

-Breach was caused out of negligence

-Breach was caused by insiders or other reasons not covered under the policy

-Breach occurred a long time back, was not detected in time and was not plugged in time to reduce the damage

-At the time of taking the policy, the risk was known and not disclosed.

-Coverage is limited to part of the loss only, because the insured is a co-insurer in part, as the assets were undervalued at the time of underwriting

-Policy has sub-limits and hence is not payable in full, etc.

No Insurance company will be, or can be, so magnanimous as to say… “I will ignore all your follies and pay whatever you ask.”

At the same time, the Company needs to establish that

-It was not negligent

-Root cause of loss is within the risks covered

-Assets were fully valued at the time of underwriting

-Breach was detected in time and acted upon

-Reasonable action has been taken to legally defend the claims against the company and to pursue claims against the persons causing the breach, so that the Insurance company can step into the shoes of the insured and pursue its claim against the end beneficiaries of the breach, etc.

The Company also has to provide evidence that reasonable security practices were in existence today, yesterday and throughout the life of the policy.

All this can be done only by the Information Security team and not by the CFO. It is for this reason that the Information Security team should be at the center of a decision on Cyber Insurance all the time.

There are some challenges in Cyber Insurance, including the lack of adequate metrics to measure the security posture of an organization so that a “Risk based Premium” can be determined beyond the usual claims of “I am ISO 27001/PCI-DSS compliant” etc.

Challenges also arise because it normally takes time for breaches to be identified and addressed.

It is also not easy for Information Security professionals to clearly understand the different limitations in the Cyber Insurance contract. Insurance contracts are contracts of “Utmost Good Faith” and can be voided by the Insurance company if it can prove that the insured had not shared all relevant information at the time of making the proposal. It is also a challenge to value the assets insured so that the Insurance Company does not limit the claims on the grounds of “Under valuation of Assets”.

As regards the response to a breach when identified, a Company needs to have a clear policy, based on its obligations under the Cyber Insurance contract, to decide whether the breach has to be reported (even when no claim is preferred) and for all the actions required to be taken, such as filing a Police complaint, conducting an internal forensic assessment, etc.

It is also necessary for the Company to avoid mis-communication to the public and press, which can cause more harm to the reputation of the company and increase the losses under claim.

In view of the complications involved in a Cyber Insurance contract and the high stakes involved, there is therefore a need to obtain appropriate consultation from experts before a Cyber Insurance contract is purchased by an entity.

During the discussions, the difficulty Insurance companies face in assessing Cyber Risk and linking it to the premium was also discussed, due to the lack of information on cyber crimes in general. The Insurance companies are therefore forced to base their premium fixation on the cost of re-insurance. This has prevented Cyber Insurance companies from giving appropriate credit for the security measures taken by the insured to reduce Cyber Risks, and more effort is required in this direction so that investments made in Cyber Security reduce the cost of insurance at least to some extent.

Naavi


Posted in Cyber Law