Recipient of an E-Mail must have the right to know the sender’s IP address

We speak a lot about “SPAM” and the need to prevent it. We also speak of Phishing and other forms of impersonation that arise because people can send out e-mails (and also hide their domain registration details), all in the name of “Privacy”.

Actually, “hiding the originating IP address”, which Google, Microsoft and other service providers all do, is a boon to criminals, to the extent that we can say there is a “Conspiracy” to promote spam and help criminals.

Whenever law enforcement needs to identify the source of an e-mail, it has to raise a CrPc notice and seek the information. Even then, these “Privacy Protectors”, who are themselves the biggest privacy invaders, try to frustrate law enforcement by not providing the information until they are forced to.

It is time for all Privacy protagonists to introspect on whether this practice is actually protecting “Privacy” and, if so, whether it is the “Privacy of the Criminal” that it is protecting while at the same time invading the privacy of the honest internet user.

If, as a spam filtering mechanism, we disable all incoming e-mails which do not allow the recipient to view the originating IP address, then technically we can prevent spamming and perhaps even phishing. Unfortunately, this is not practical at present, since it would block almost all incoming e-mails.

We therefore need a solution whereby e-mail service providers like Google or Microsoft enable an automatic process by which the “Recipient of an E-Mail” is given a direct “request originating IP” option, so that at the click of a button he can obtain the originating IP address.

The header information without the originating IP address is of no use to the recipient, and hence there should be some provision by which an “Expanded header with originating IP address” can be requested and immediately responded to by the ISPs.

This can also be enabled through a change of law making such a provision mandatory, and I urge the Government of India to consider this change of law in the next amendment of ITA 2008.

Hopefully this will ease the burden on our law enforcement people and also reduce the time the service providers spend attending to law enforcement demands.

Naavi

Posted in Cyber Law

Is Government of Karnataka preparing itself to facilitate Real Estate Frauds?

Today’s Kannada Prabha (Bangalore Edition) has carried an article as above. It is titled “Online Property Registration System: Confusion”. The article goes on to indicate that the Government of Karnataka has prepared itself to introduce a new system of property registration called “Easy Registration”, in which part of the registration process is completed without the property owner presenting himself before the registrar.

A complete English version of the circular is not available at this point of time; when available, it will be posted here.

We had on September 19, 2015 posted an article titled “Has Karnataka Legislature passed a faulty legislation and set to create a new Telgi?”. In this article we had referred to an amendment that the Karnataka Government proposed to the Indian Registration Act 1908 to enable registration of properties and Power of Attorney documents without the presentation of the executant in front of the registrar.

We had highlighted that this was ultra vires the central Act, namely the Information Technology Act 2000 (ITA 2000/8), and hence cannot be passed. There is no need to repeat this again here.

Subsequently we had also posted an article on August 11, 2017, titled “Calling Attention of Dr Ponnuswamy Venugopal- AIADMK MP- on Proposed Amendment to Indian Registration Act 1908”, wherein we had indicated that the Parliament may also pass a bill which is ultra vires the ITA 2000/8.

The current article in Kannada Prabha, under the credit line of Shivakumar Belitatte, appears to indicate that the Government has proceeded to act on these proposed amendments. I am not aware if the Government got the assent of the President for the proposed amendments. My request to the Government officials on this has remained unanswered, and somebody has to file an RTI to get the information.

Under the circumstances we proceed with the assumption that the Government is trying to introduce the system in defiance of the Central Government’s authority, which has become a sort of political bravado some State Governments are trying to show as a part of their personal vendetta against the Prime Minister. Ms Mamata Banerjee of West Bengal is in the forefront of such “Rogue States” opposing every action of the Central Government solely for the sake of opposing Mr Modi. Unfortunately, the Karnataka Government run by the Congress Party also seems to be following in the footsteps of “Didi”, and I would like to caution the IAS officers who advise the Government in this regard to show the wisdom and courage to provide correct advice to the politicians who are blinded by their personal political agenda.

The purpose of this article is not to start a political debate on whether Karnataka is becoming a “Rogue State” like West Bengal. However, it is our duty to point out if any of the decisions proposed to be introduced by the Government have the danger of an adverse impact much beyond the immediate political objectives. This decision to introduce “Online Registration of Property documents without the physical presence of the registrant” is one such decision that has the potential of facilitating large scale frauds in real estate transactions in the State and therefore needs to be guarded against.

I foresee the possibility of the real estate mafia registering benami properties and conducting land grab operations by initiating false and fraudulent property transfers without the knowledge of innocent property owners.

The urgency for introducing the online registration, which is illegal at this point of time and ultra vires the powers of the State Government, could have been felt because some of the properties of influential people are benami holdings and, with the pressure on black money elimination, the benami properties need to be converted into other forms or sold off. The online registration system will be helpful for this purpose.

Along with the benami property holders taking advantage of the system, there will be Cyber Criminals who will devise new forms of attack whereby the properties of innocent citizens would be transferred without their knowledge. Some of these could be the properties of NRIs who may not know what is happening here, properties of deceased persons, or properties which are in legal dispute.

As a result, all real estate property holders will be exposed to a Cyber Crime Risk which will render holding property in Karnataka more risky than in other places. IT employees working abroad and holding locked flats in Bangalore may find that new flat owners have been created overnight and the properties sold off.

According to the newspaper report referred to above, some of the senior officials have objected to the system, but it appears that the political leadership has overruled them.

I wish the IT Secretary and the Law Secretary would stand up and resist this ill-advised move.

Those in public service who read this, and the local media, should take up this matter with the High Court and ensure that the move is stayed with immediate effect.

I hope the CM of Karnataka realizes that this move is very dangerous and will create an irreversible situation, as was created by the incident of fake stamp papers created by Mr Telgi, because of which many property documents are in use today even though the stamp papers used in the documentation are fake.

My friendly advice to the Chief Minister of Karnataka is that his political fortunes are better secured by not pushing through this “Online Registration System for Immovable Properties”, and he should not succumb to pressures from outside despite the need to raise funds from real estate operators to fight the next elections.

I also take this opportunity to call the attention of the Central Government to ensure that the move is stopped, along with the bill in the Parliament which is under consideration.

Naavi

Posted in Cyber Law

Bangalore Cyber Crime Police record a notable success…What next?

It was heartening to note today that the front page of the Times of India carried news of a successful Cyber Crime prevention operation in which skimmers on 5 ATMs were detected before any customer reported a loss. Normally Banks realize that skimmers have been placed on their ATMs only after scores of frauds are reported. Sometimes the skimmers might even have been removed and moved to another ATM before anybody has recognized that a skimmer was indeed in operation.

We should therefore congratulate Kotak Bank for having identified the skimmer and reported it to the Police quickly.

Once the skimmers were reported, it was perhaps the connectivity that enabled the Police to zero in on the foreigners from Romania who are supposed to have planted them. According to the report, the accused came on a tourist visa and used the age-old practice of fixing the skimmer on the card slot and a camera somewhere to record the PIN entry.

What surprises most, however, is how, in the days of CCTV cameras and ATM guards, it is possible for somebody to walk in, fix the skimmer and the camera, spray paint the edges and go back without being observed. It is simply not possible, except when the Bankers are not vigilant and have not implemented the “Reasonable Security Practices” under Section 43A of ITA 2000/8.

Have the Police filed a case against the Bank?… Obviously no.

Though most Bank frauds occur because of the negligence of the Banks (it may not be the case with Kotak Bank in this instance), Police have always been reluctant to call them to account. This has only encouraged them to continue “Reckless Banking”, motivated by the greed for more profits and always putting the customers at risk.

After the Corporation Bank ATM incident, Bangalore Police had sent a mandate that all Banks should provide security guards at ATMs. Banks promptly told RBI that they wanted to be compensated for the increased cost of such security and started charging money for withdrawals, on which today we even pay GST and enrich the Governments both at the centre and in the state.

Have the Bangalore Police questioned the banks if these ATMs were guarded properly? Whether the CCTVs were functioning? Whether the CCTV footage was being monitored?… We don’t know.

The report goes on to say that the data of thousands of customers might have been captured and sent out of the country. Had the Police not acted fast, there would have been a catastrophic attack on the Indian Banking system.

What do we call them?… It is called Cyber Terrorism because it strikes terror in the minds of ATM users as a category of our population.

But have the Police booked a case as “Cyber Terrorism”?…. Obviously no.

Police may look at this case only as an unconfirmed “Attempt” and, since “No Loss” has been reported, it may pass off as a “Petty case of trespass into the ATM area”.

Since the arrests might have been made because the CCTV footage caught the suspects, or because the skimmers were programmed to send the information to an IP address/mobile number which was accessed by the accused, the charges pressed may be some not-so-serious offences. Also, it may not be easy to link the arrested persons, to the satisfaction of the Court, to the attempted or successful “unauthorized access” under Section 66 of ITA 2000/8.

Since the accused are foreign nationals, going by the way the Italian Marines who were accused of murder in Kerala were handled, these accused will very soon be (if they are not already) out of jail and moving out of the country.

So, apart from today’s headlines, all the creditable action of the Police may not result in any lasting deterrence.

Have the Customers filed a case against the Bank for compromising their “Sensitive personal data”? … Again the answer should be a resounding No.

All our Privacy Lawyers are more interested in politically sensitive cases, such as when a politician’s Twitter is hacked, but not when an ordinary Bank customer’s data is compromised because of the negligence of the Bank.

It is of course not practical for an individual Bank customer to file complaints, since even when there is some wrongful loss suffered, it is difficult to convince the Police to register an FIR or take up investigation after filing of an FIR. When it is only a loss of “Personal Data”, despite the noise people make about the Supreme Court judgement, there will be no PIL filed … unless this article motivates some public-spirited lawyer in India.

The ITA 2000/8 has made a provision whereby, when the community interest is adversely affected by a contravention of ITA 2000/8, the Adjudicator of Karnataka can take suo motu action on behalf of the public.

But, will the Adjudicator of Karnataka take any action?….. Most probably No.

More importantly, the Karnataka Adjudicator (as an office) has first to come out of the false narrative it has built around itself, that it is not empowered to take up a complaint against a Bank under Section 43, before we can expect it to even consider the suggestion of a suo motu action against banks.

[P.S: Why do I say that the Adjudicator of Karnataka is not interested in coming to the help of the community against a Bank?… and after all, who is the Adjudicator of Karnataka?… I am too tired of discussing this issue … those interested may search this site for “Adjudicator” and find out.]

In the light of the above, it is now open to senior Police officials like Mr Pratap Reddy and Kishore Chandra, ably assisted by officers like Sharat, to take such action as will really leave some long term impact on Cyber Security, at least as it surrounds ATMs.

My brief suggestions in this regard are listed below and are addressed not only to the Police but also to the Banks and RBI.

  1. All ATMs should restrict entry through a biometric lock which collects anonymous biometric information that remains de-identified until it is investigated under a reported crime.
  2. All ATMs should be locked and released only after a “Face Recognition” is registered, again as de-identified information which also remains de-identified until it comes under investigation for a reported crime.
  3. The biometric and face recognition information should be sent to a secure encrypted storage which is not under the control of the Bank; it could be under the control of RBI, under the principles of “Regulated Anonymity” that have been explained several times here. The essence of the principle is that the information is held in an encrypted form somewhere, but the decryption and disclosure control rests not with the collector and user but with a group of controllers. In many of the recent incidents we always have the problem of CCTV footage being erased when the authority responsible for storing the footage is itself a suspect of a crime or negligence.
  4. All ATMs should be under the surveillance of a designated Bank official who gets the feed of the ATM room and watches for any irregularity. When the face recognition camera fails to capture the image, the ATM should not function at all. When the surveillance camera does not function, it should be the responsibility of the officer to lock the ATM until the camera is restored. Emergencies can be handled through help line requests that are to be diverted to a senior responsible Bank officer.
  5. All ATMs should be checked physically for skimmers, key loggers, unauthorized pinhole cameras, attempts to disable the CCTVs, unexplained power outages, etc., so that any attempted fraud can be quickly identified and reported. The officer in charge should file a mandatory security audit report every day ensuring the “Physical Safety of the ATM”.
  6. The current case should be booked under Section 66F of ITA 2008 (Cyber Terrorism) as an attempt to attack a group of Bank customers and thereby destabilize the Indian economy. The arrested persons should be denied bail, their passports seized, and the trial taken up by a special Court for speedy disposal.
  7. The Adjudicator also should move a suo motu action against the Bank and fine them a hefty sum, which should be set aside as a “Cyber Security Awareness Creation Fund” and used for educating the customers of Banks on Cyber security.
  8. CERT-IN should move RBI and the Banks to ensure that sufficient investment is set aside to improve the security of ATMs on the lines suggested above or better.
  9. Banks who have not yet acted on the RBI’s limited liability circular should be penalized for deliberate failure to follow the regulatory agency’s mandate.
  10. All foreigners coming into Bangalore need to be tracked to identify potential fraudsters, for which our visa system should be enforced with greater vigilance.

If the Police and Banks together try to keep a focus on the Bank customer, who is the most affected party in this incident, then this success will not end up as a one day news headline but as something that will improve the security of the Banking system in India.

Will it happen?….

…Hope is eternal, and we continue to hope that at least a few of the above security measures would be taken up by the relevant agencies.

Naavi

Posted in Cyber Law

Dear Mr Modi, Can you see how China can manipulate Bitcoin Wealth?..Why is Your Government blind?

Global Bitcoin prices that had skyrocketed to US$5000 about 15 days back have suddenly fallen to around US$3500 now. In Indian currency the rate, which struck a high of Rs 353519, has now fallen to around Rs 230000/-.

One of the reasons quoted for this sudden fall is the action taken by China, first to ban ICOs (Initial Coin Offerings, where pre-mined coins are offered at a price as an investment) and now possibly moving to close the Bitcoin exchanges by the end of the month. (Refer here)

Many investors in India who were fooled by the game being played by the Finance Ministry and invested in Bitcoins must have been caught in this volatility and lost money. In the bargain, some must also have made money. The exchanges would have made their money from both the losing investors and the gaining speculators.

These exchanges could therefore have rewarded the officials with hard cash in Indian currency, and perhaps more in bitcoins, for not taking any action to ban Bitcoin and for continuing to adopt a strange policy called “Observing”.

This is a case fit for CBI investigation of possible corruption by all those involved in the decision not to ban Bitcoin all these days, particularly after the public consultation process was launched through MyGov.in and yet no action was initiated, allowing the stakeholders to spread all sorts of rumours that India is likely to legalize Bitcoins etc.

It is tragic that Mr Jaitley and Mr Modi are turning a blind eye to this scam of “Delaying decision on Bitcoin” engaged in by the Finance Ministry. The situation is similar to the decisions that bureaucrats and politicians engage in when a large tract of real estate property is under consideration for either being “Declared as a Green Zone” or “To be denotified”. The delay in the decision making is a fertile ground for speculation, and only those who are very, very close to the decision makers will make money while everyone else loses. This is exactly what is happening now in the decision on “Whether Bitcoin has to be banned, legalized or Observed”.

We have pointed out earlier that if Bitcoin is legalized in India there could be a 50% increase in floating currency, leading to inflationary pressures of unimaginable magnitude. We had also pointed out that China had a large holding of Bitcoins and could destabilize the Indian economy by its manipulation of Bitcoin pricing.

The current indications confirm the control that China exercises on Bitcoin pricing and its ability to move the price easily from around $2000 to $5000.

However, one may wonder why China, with its own Bitcoin wealth, should do anything that reduces the price of Bitcoin.

One reason is that the ICO phenomenon showed how a corrupt techie mafia could simply create wealth for themselves using the gullibility of a public enamoured by the concept of a “Regulation Free, Tax Free, Anonymous currency”, who jumped into buying anything called a “Crypto Currency”. This could perhaps be the biggest ever financial scam in the Globe. China may not be interested in a Cryptocurrency calamity that brings down the value of all Crypto currencies to “Zero”.

Another point to be noted is that there were many other foolish, and perhaps more corrupt, regulators around the world who had legalized Bitcoins and allowed for conversion of Bitcoins into legitimate fiat currencies.

Possibly China would have made use of this opportunity to convert its Bitcoin wealth to Swiss Francs or Japanese Yen, and may be sitting pretty and would not mind a fall in the value of Bitcoins.

We should also recognize that Bitcoin has been freely converted into many other AltCoins for quite some time, and hence Bitcoin is today indistinguishable from other Altcoins; all Crypto Currencies belong to one large kitty which is part of the global Crypto currency scam.

It will not take much time for the skeletons to tumble down in the international markets and the Crypto currency dream will be shattered.

In that event, even those Banks in India who might already have got some stake in Bitcoin holdings could face the adverse effect of this scam, affecting to a small extent the Indian Banking industry. Hopefully, this damage will be small and will be offset by the strengthening of the rupee against currencies like the Yen, Swiss Franc, Canadian dollar and perhaps also the US dollar, due to the larger impact on those currencies with the bursting of the Crypto currency bubble.

As far as India is concerned, the ball has now moved from Mr Arun Jaitley to Mr Narendra Modi himself. RBI has failed to take a decision in spite of the Supreme Court’s prompting. Finance Ministry officials, including SEBI, appear to be on the wrong side of the decision.

Mr Arun Jaitley is either sympathetic to Bitcoin or is simply unable to take control of the vested interests who are on the side of the Bitcoin Exchanges operating in India.

The last hope now rests with Mr Modi. If Mr Modi does not want to defeat his own Black Money drive by allowing conversion of Black money into Bitcoins, he should act now to “Demonetize Crypto Currencies” forthwith. It is already late, and any further delay will start throwing shadows on the BJP’s own credibility in rooting out black money in India.

Hence the question: Dear Mr Modi, Can you see how China can manipulate Bitcoin Wealth?..Why is Your Government blind?

Naavi

P.S: Today, one more article is found at https://cointelegraph.com/news/indias-central-bank-considering-creating-digital-rupee-dislikes-bitcoin where the possibility of an Indian Crypto is being hinted at.

I have already suggested this. However, it should be ensured that no conversion is provided from existing Bitcoins to the official crypto currency if it comes through.

Otherwise, the scam continues.

Further, whether it should be an ICO or a real minable crypto currency needs to be discussed.

Posted in Cyber Law

An Affidavit will not be a proper format for Section 65B Certificate

As we all know, though the first Sec 65B certificate was produced to a Court way back in 2004, it was only after the P.K. Basheer case that the world of law enforcement took note of the law as it was framed with effect from 17th October 2000. Subsequently, there has been a rush to find out the correct form in which the certificate may be given.

I am aware that, just as electronic documents were admitted and trials completed before the Basheer judgement without a Sec 65B certificate, now after the judgement certificates not in the correct format are being accepted by Courts and trials are going on.

When I tried to quickly look around to see what format is being used, I found that most advocates simply want to file an “Affidavit” stating that “the hard copies of documents presented are identical to the electronic document” etc.

Two samples of such affidavits, one by the party in litigation and the other by the advocate, are given below for reference.

 

Without meaning any disrespect to anybody who may be using such affidavits, I would like to state that this is not the correct form of producing the certificate.

I am sure I have explained Section 65B certification in detail in many of the earlier articles, all of which have also been collated in the articles link at www.ceac.in.

It is necessary for me to make just one additional point here on what I think will be the impact of the advocate submitting the certificate. As in the case of the certificate submitted by the litigant, this will also be self-serving evidence which will start on the back foot from the credibility point of view.

Apart from this, if an advocate stands in the shoes of the certifier, I think he would be a deemed witness in his own case.

The reason is that the object of Sec 65B certification is to assist the Court in viewing a binary document readable by a computer device in a more human readable format, and to freeze the document as it was present at a point of time. Though at the admission stage the certifier need not necessarily also be a witness on the stand, if the certificate is challenged he may have to stand as a witness and subject himself to cross examination. At least in the case of the litigant, he takes the stand as a plaintiff or a defendant and his views become part of the submission to the Court. But in the case of the advocate it would be an anomaly.

It is preferable, therefore, that a trusted third party submits the certificate and his credibility becomes part of the weightage given to the evidence.

Further, by design, the above formats of affidavits can be used on an existing print out. But stamping an existing print out as “Section 65B certified” is not what is envisaged in the section.

I hope these teething troubles will be sorted out in time. However, in all sensitive cases where the evidence is critical, I strongly suggest that litigants and advocates do not take the risk of producing such “Affidavitized Section 65B Certificates”, which may be challenged by the opposing parties either immediately during the trial or, if necessary, again on appeal.

Naavi

P.S: In response to some queries on a suggested format, I would like to state as follows:

One standard format fitting all requirements is not possible for Section 65B IEA. It depends on the type of electronic document to be certified.
The first document I certified was in 2004 in the case of Suhas Katti, which was a Yahoo e-group message. There could be web pages, Facebook postings, e-mails, server logs, computer documents, WhatsApp messages, encrypted BlackBerry messages, and even audio and video recordings, including CCTV footage. Each requires a different process to be converted into “Computer Output” under section 65B. Just like a Digital Signature, which binds both the person signing and the content he is signing, a Sec 65B certificate includes both the process and the assurances given by the certifier, and hence it will be different on a case to case basis, except perhaps for one paragraph.
Hence kindly do not look for a standard format that can be used in all cases… naavi

Posted in Cyber Law | 4 Comments

Why We need a Data Breach Protection Act rather than a Data Protection Act

Our honorable Minister of IT, Mr Ravi Shankar Prasad, has stated that India will create a global benchmark with its Data Protection Act, which is being drafted now.

While we welcome the goal set by the Minister, it is time to discuss how India should approach creating the global benchmark. The proposed Act will be based on the report of the Justice Srikrishna Committee, which will actually draft the contours of the Act, to which the Government will just add some structure.

Since Justice Srikrishna comes from a judicial background, and we are fresh with the 9 member Supreme Court bench decision that “Privacy is a Fundamental Right”, it would be reasonable to speculate that the proposed “Data Protection Act” will operationalize the “Informational Privacy” discussed in the judgement.

After the judgement, there is already a discussion on whether mobile information is subject to Privacy and whether Police can seize mobiles etc. There is therefore an apprehension that if the law is not properly drafted, there would be serious hindrance to the capability of the Police in particular to carry out investigations. Criminals and suspects will quickly rush to the Courts and obtain a stay, and by the time the Police are able to get the stay vacated, the electronic evidence might have been irrevocably erased.

The proposed act will note that “Privacy” is equivalent to the “Right to Control personal Information in data form”, and hence protection of Personal Information is the objective of the Data Protection Act.

Will the Act therefore focus only on protecting “Data that contains the personal information”? Or will it extend its scope to all types of data, including those which constitute, say, Copyright, Domain Names or Patents? Will it also extend to corporate information such as financial data, marketing data or HR data? Will it also extend to log records? Telephone conversations? … These are all matters that this act will perhaps try to address.

This means that the Act should define what is “Data that has to be protected” and then proceed to classify it into “personal”, “sensitive personal”, “other” etc.

The Act also needs to define who owns “Data”, whether “Data” is a property, and how the Data can be used by whosoever owns it.

When Data gets aggregated, value gets added, and there is always a question whether this value addition belongs to the data subject, the data processor, or the data controller who actually instructs the data processor to process the data in a particular manner. Under the Copyright law, the database administrator gets the copyright on the aggregation part, and therefore it recognizes different property rights between the raw data supplier, who is the data subject, and the entity which adds value, which is the data processor or any other entity that uses the raw data.

If Copyright law recognizes copyright for the database creator, then a similar principle has to be used in the data protection law also, recognizing that the nature of the property changes from the data subject to the data processor.

Once we recognize that “Data” is a “Commodity” and different values can be ascribed to it at different stages of its lifetime, we need to recognize it as a property which can also be traded.

Recently a store in London was reported to be accepting “Personal Data” as payment in exchange for goods.

The “Data Dollar Store” appears to value the data you present and allow you to trade it. In a way it is a “barter” system. From the initial reports, it appears they may accept some photographs etc. as “Personal Data with value”.

Of course, if you offer “Digital Money”, perhaps they may not refuse, since this also is “Data”… but the concept is interesting, particularly for people who can create valuable personal data instances.

Coming back to our discussion on the Data Protection Act, there are some practical problems that the authors of the law will encounter. Since the Supreme Court has not really defined “Privacy” but went on a wild discussion on how what one eats or where one travels etc. is all “Privacy”, the Zomatos and Make My Trips will be dealing with “Privacy Sensitive Information”. If, therefore, the Government makes any law that tells such companies how they need to collect information and deal with it, such a law may be questioned as a violation of a Fundamental Right not saved by the exceptions of national security etc.

We realize that if we take this extreme view, then there can be no e-commerce without some form of personal data being shared with the service provider. Currently, the accepted privacy principle is that one can collect personal information as long as it is necessary to provide the service offered and “Consent” is provided by the data subject in the form of a “Deemed Contract”. The only discussion is on the quality of disclosure and the ethics of the collector in collecting only the minimal required information and using it only for the purpose for which it is required.

But can the Government make a law stating that “The Fundamental Right of Privacy can be infringed by any individual if he has taken a consent in the form of a web/mobile based acceptance that is not digitally signed, forming a deemed contract in which the data subject’s rights are agreed to be infringed”? Will it be a “Contract for a consideration that is legally untenable”?

If we take the stand that this is a globally accepted principle and there is nothing wrong in the data subject entering into a contract with another person saying that he can make use of the personal data and the data subject is not pressing his fundamental right, then we are automatically accepting that “Data is a commodity that can be transferred for consideration”.

Will the Justice Srikrishna committee have sufficient courage to say that “Personal Data” is the “Property of the Data Subject” and he can sell it for a price, which includes agreeing to use the services offered by a service provider? If they do, then the Government will not have any problem with Aadhaar per se or the mandatory linking of Aadhaar with PAN or mobile number etc.

But if they do, they may be standing against the spirit of the 9 member Supreme Court judgement.

If the Srikrishna committee hesitates and carries the uncertainty on the definition of Privacy over from the Judgement into the committee’s findings, the problem gets transferred to MeitY in drafting the law.

The Government can simply define the law as a “Law to protect the Confidentiality, Integrity and Availability” of Information and make it more of a Cyber Security law than anything else. It will of course create the office of the Data Commissioner. It may also introduce licensing of data processing and other regulations and in the process may make the life of e-commerce entities such as the Zomatos and Make My Trips miserable.

In the end, the law will be an extension of ITA 2008 and will not add much to the domain of “Privacy Protection”.

In all probability, this is what is going to happen, and we will continue to worry about the definition of Privacy and, without understanding its nature, try to protect it in data form.

Considering the futility of such an exercise, I would like the Government to accept that, given the wide definition of “Privacy Right” as ascribed by the Supreme Court, it is not possible to make a law that protects the unknown and omnipresent.

Instead, the Government may focus on how citizens can be compensated when a “Data Breach” occurs and go on to define “Data Breach” and its consequences.

The definition of “Data” can apply to any information in electronic form, and “Breach” can be defined as any action which is a violation of a contractual agreement.

If we take this approach we need not define what is “Data that is Personal Information”, “Data that is Sensitive Personal Information” and “Data that is neither Personal Information nor Sensitive Personal Information”.

If the Supreme Court can use a strategy to define the “Privacy Right” without defining “Privacy”, the Government may be able to create a “Data Protection Law” without treading on the difficulty of defining “Data which is Personal Information that forms part of the Privacy Rights”.

The existing law in ITA 2000/8 and the rules thereunder are sufficient to carry on market activities, since it already provides a definition of Personal Information as well as Sensitive Personal Information in addition to the larger set called “Data”.

The new law can state that any person can enter into a contract with his data as a commodity and bring the data protection requirements under the Indian Contract Act read along with ITA 2000/8.

The new law can also enable and empower any business that may be set up to buy, sell, process or exchange data under a contractual agreement with the data subject or a personal data custodian to whom the data subject has transferred his personal data.

This will define the “Data Trading” concept and provide clarity to companies in Data Analytics and Big Data activities. It will also prevent the IoT industry from being stumped by the new Privacy debate, since any information collected by an IoT device is likely to be considered “Personal Data”. Though IoT data is linked to the device ID, along with the purchase and installation information it is linked to the personal data of the owner and his location and hence will become a part of the “Privacy Right”. CCTV captures will also be legally protected if a person walks into a mall and is photographed by the CCTV system in exchange for the benefit of walking through the premises.

Additionally, innovative companies may set up businesses to de-identify a data set and create value thereon before it is actually sold for a profit, which they can share with the data subject at the time of re-identification.

Some company may also set up a “Regulated Anonymity” system where it will absorb the identity and provide a proxy ID to the user with which he can do all transactions on the internet. The business can even run an “Identity Gateway” where identities such as Aadhaar or PAN etc. can be pseudonymized without adversely affecting any service or security requirements of the Government while at the same time protecting the critical identity data from unknown threats.

It is to be recognized, however, that these intermediaries are still vulnerable to an Equifax-type attack on their systems, which could compromise the customer data if they do not implement appropriate security measures.
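To make the de-identification business (the profit-sharing re-identification above), the “Identity Gateway” and the intermediary-breach caveat concrete, here is an added example that is not part of the original post and not any real gateway’s code. It assumes a hypothetical gateway that replaces identifiers with keyed HMAC-SHA256 pseudonyms: the same identifier always maps to the same pseudonym under one key (so a processor can still do analytics), a different key gives unrelated pseudonyms, and only the holder of the key and lookup table can re-identify. The records and the Aadhaar/PAN-shaped values are constructed, not real identifiers. The gateway’s key and lookup table are exactly the assets an Equifax-type intrusion would go after, which is why they must stay with the intermediary and never travel with the data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the identifiers are made up and are not real
# Aadhaar or PAN numbers.
SAMPLE_RECORDS = [
    {"name": "Customer One", "aadhaar": "111122223333", "pan": "AAAPA1111A", "city": "Bengaluru", "spend": 1200},
    {"name": "Customer Two", "aadhaar": "444455556666", "pan": "BBBPB2222B", "city": "Chennai", "spend": 340},
    {"name": "Customer One", "aadhaar": "111122223333", "pan": "AAAPA1111A", "city": "Bengaluru", "spend": 800},
]

# Fields dropped outright before data leaves the gateway, and fields replaced
# by a keyed pseudonym so records remain linkable for analytics.
DROP_FIELDS = ("name",)
PSEUDONYMIZE_FIELDS = ("aadhaar", "pan")


class IdentityGateway:
    """Hypothetical identity gateway: holds the pseudonymisation key and the
    pseudonym-to-identity table. Only the gateway can re-identify."""

    def __init__(self, key: Optional[bytes] = None):
        # A fresh 256-bit secret per gateway; losing it is the breach scenario.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymize(self, id_type: str, identifier: str) -> str:
        # HMAC-SHA256 over "TYPE:value". The type prefix domain-separates the
        # MAC so an Aadhaar and a PAN can never collide on the same pseudonym.
        mac = hmac.new(self._key, f"{id_type}:{identifier}".encode(), hashlib.sha256)
        pseudonym = f"{id_type}_{mac.hexdigest()}"
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Re-identification is a lookup in the gateway's own table; the
        # downstream processor never receives this table.
        return self._lookup.get(pseudonym)

    def deidentify(self, records: List[dict]) -> List[dict]:
        out = []
        for rec in records:
            clean = {k: v for k, v in rec.items() if k not in DROP_FIELDS}
            for field in PSEUDONYMIZE_FIELDS:
                if field in clean:
                    clean[field] = self.pseudonymize(field.upper(), clean[field])
            out.append(clean)
        return out


def leaks_identifier(deidentified: List[dict], original: List[dict]) -> bool:
    """True if any raw identifier or name from the originals survives in the
    de-identified output; a simple pre-export check for the processor side."""
    raw_values = {r[f] for r in original for f in PSEUDONYMIZE_FIELDS + DROP_FIELDS}
    for rec in deidentified:
        for v in rec.values():
            if isinstance(v, str) and any(raw in v for raw in raw_values):
                return True
    return False


def spend_by_pseudonym(deidentified: List[dict]) -> Dict[str, int]:
    """Analytics on pseudonymous data: linkability survives because one
    identifier always maps to one pseudonym under a given key."""
    totals: Dict[str, int] = {}
    for rec in deidentified:
        totals[rec["aadhaar"]] = totals.get(rec["aadhaar"], 0) + rec["spend"]
    return totals


if __name__ == "__main__":
    gw = IdentityGateway()
    deid = gw.deidentify(SAMPLE_RECORDS)
    print(deid[0])
    print(spend_by_pseudonym(deid))
    # Only the gateway, holding key and table, can map back to the citizen.
    print(gw.reidentify(deid[0]["aadhaar"]))
```

Run it and the processor-side output carries no names and no raw Aadhaar or PAN values, yet the two purchases by the same constructed customer still add up under one pseudonym; re-identification works only through the gateway object, and a second gateway with a different key produces pseudonyms that cannot be matched to the first.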

In such an eco-system, the so-called “Data Protection Law” may change its objective from “Protecting Data” to “Protecting the Citizens from the consequences of a Data Breach”, where a data breach is defined as unauthorized data access in contravention of the data sharing contract.

Such consequences will of course expand on what ITA 2008 now says under “Intermediary Responsibilities”, “Civil Liabilities” and “Cyber Crimes”, but with a better implementation mechanism.

The new law can additionally define a system of “Leasing of Personal Data”, different from “Selling of Personal Data”, to meet temporary requirements. This would automatically incorporate a right somewhere near the “Right to Data Erasure” referred to in GDPR, since leased data cannot be used beyond the lease period. It will automatically terminate the rights of the data processor and shift the onus onto him to get the contract renewed, much better than the current “Opt-In” system.

The new law can also talk of the “Fundamental Duties” of a citizen as a “Data Subject” and uphold his fundamental right to decide how he can use his personal data, including monetizing the personal data as if it is a property that belongs to him. If thereafter a challenge to the law is mounted in the Supreme Court and the Court has to object to this law, it has to object to the provision that defines the fundamental duty and fundamental right of a citizen to deal with his own data property. Hence the law may be protected against a legal challenge.

In this context, it would be better to call this law not the “Data Protection Law of India” but the “Data Breach Protection Law of India”.

Naavi
