Naavi.org

As a part of the “Reasonable Security Practices” under Section 43A of ITA 2000/8, Government of India has released draft rules called “Information Technology (Security of Prepaid Payment Instruments) Rules, 2017” for public comments.

A copy of the draft rules is available here: 

(P.S: The draft has since been removed from the website of MeitY. A copy is now available here)

The comments may be sent to Shri Prafulla Kumar. Scientist-G, at pkumar@meity.gov.in  before 20th March 2017.

Summary of recommendations with our immediate comments :

1. The Central Government may further specify by notification security standards to be adopted by e-PPI (electronic Prepaid Instrument) issuers. It is also possible that the Government  may also designate some other security standard. (Comment: Will some ISO standards be imported?.. Will a new set of standard based on PCI DSS be developed? …)
2. e-PPI issures need to develop an IS policy in tune with these rules and any further IS guidelines that may be issued.(Comment: Will there be an audit? or a Self Declaration?..)
3. Privacy Policy and Terms and Conditions for use to be published on the website and mobile applications. (Comment: This is also required under Section 79 of ITA 2000/8)
4.  Grievance Redressal officer need to be designated, contact details disclosed. (Comment: This is also required under Section 79 of ITA 2000/8. Additionally, the process of Grievance redressal needs to be developed and incorporated by reference in the terms and privacy policy. Perhaps it is time for these companies to use ODR as described in www.odrglobal.in)
5. The e-PPI issuers shall mandate its sub contractors who handle authentication data to have necessary security measures in place to protect such data. (Comment: Always considered as required security policy)
6. End to End Encryption needs to be ensured to safeguard the data exchange in the application. (Comment: Some e-PPI issuers might have introduced such encryption. But most have not. Hence this will be one of the key areas of change to be incorporated by the operators. A welcome move)
7. Every e-PPI issuer shall have adequate processes to trace the transactions.  (Comment: Some e-PPI issuers might have introduced such measures. But most have not. Hence this will be another key areas of change to be incorporated by the operators. A welcome move)
8. e-PPI needs to retain the data related to payments for periods as may be specified. (Comment:. This is reiteration of Section 67C of ITA 2000/8. Again, no specific period is mentioned. But the retention period has to be “reasonable”. Considering that there is a law of limitation that provides an option to raise civil disputes within a period of 3 years, the minimum period of retention cannot be less than 3 years. It would be a best practice to retain it for atleast 6 years in such format where it is not dependent on any application. Such information has to be securely archieved. Most 3-PPIs donot have a proper Data Retention Policy and will need to put it in place now.  It would be better if the minimum period of 6 years is also designated with the additional words “Six years or as otherwise may be required under law”. This will be another area of compliance that operators need to take a relook.)
9. The e-PPI issuers need to adopt an incident management policy that includes a data breach notification policy. This will require reporting of incidents to CERT-IN as per the policy already in place. Some new specific guidelines may be issued by CERT-IN specifically for e-PPI operators in due course.(Comment: Most e-PPI issuers are presently ignoring the current requirements of CERT-IN. They need to take this more seriously now)
10. e-PPI issueres are also required to take measures to educate the users of their services to use the services in a secure manner. (Comment:This will require some action and cost which e-PPI issuers need to initiate)

General Comments: Most of the guidelines are reasonable interpretation of the current ITA 2000/8 compliance guidelines though the ignorant operators are better served with a specific notification that they can take notice of. This notification will therefore get into the compliance manuals of the e-PPIs and their advisors who so far had little respect for ITA 2008 compliance.

The notification is therefore a good move.

However, if the operators are to be serious, CERT-IN needs to make it mandatory that the managements file a voluntary disclosure that they are in compliance with the provisions of ITA 2000/8 and the rules made there in. This should be made a statutory mandated clause in all terms and agreements on the lines similar to the declarations that CFOs and CEOs are required to make under corporate Governance requirements in their share holder’s reports.

We donot recommend a “Licensing” or mandated audit from “Accredited auditors” both of which are ineffective and give room for corrupt practices. But a voluntary disclosure of compliance and an indemnity to the customers under Section 79 of ITA 2000/8 should be more effective.

Additionally, the operators should be mandated to secure their customer’s interest by a group insurance scheme under which every user should be covered by a Cyber Insurance plan upto at least an amount of Rs 10000/- per incident.

Also, all e-PPI operators should provide a warranty on their applications to be free from known vulnerabilities and also have a reasonable  Bug bounty program to crowd source security knowledge.

Any other comments that readers want to contribute are welcome. Naavi.org will consolidate and send its recommendations to the Ministry in the next few days.

Naavi

According to the ad, the Government has now decided to license public & private agencies to provide Digital Locker Services, as licensed Digital Locker Service Providers (DSLP) and invited applications.

Applications can be made either by an agency of the appropriate Government or a body corporate meeting the following criteria.

1. Minimum Paid up capital Rs 5 crores
2. Minimum Networth Rs 50 Crores
3. Foreign equity not to exceed 49%

The business of a DLSP may include “Portal Services” and “Access gateway management services” related to the Digi Locker scheme.

Naavi expects this business to be huge and requires a high level of skills in managing a secure electronic cloud environment.

It is possible that some of the existing Certifying Authorities who are managing Digital Certificate related business may try to get into this business. However it is not clear if the capital criteria required for the Certifying Authority business and Digi Locker business can be merged or they should be considered separate.

This business is a good opportunity for start ups who have the backing of a group which can provide the initial capital.

Otherwise the NBFCs  may also consider this as a good opportunity to diversify into this area.

It would be interesting to know which type of organizations have the vision to see the business prospects that this new line of activity presents.

Naavi

On the International Women’s Day, the Board of SBI has just announced what could be considered as an unwise move to allow women workers to work from home for one year. (As per news reports)

Is this a goodwill move for women employees? .. Perhaps it is intended to be so and perhaps the Board may also believe it to be so.

However there are two other dimensions to the decision. SBI is now merging its associate Banks with itself and will find this year to be a year of Chaos. At this time, there would be a huge excess staff and perhaps SBI Board considers it good if some congestion in the Branch is reduced.

By asking its  women employees to work from home they are being told that you are not required at the critical operation center. However we will pay you the salary but keep off the operations. This is an expression of no confidence on the women employees. This will be welcomed by all inefficient employees but many others would resent the need to get back to the family cores for the whole day without the relaxation of being in the Bank. However I am sure a majority of efficient members would be uncomfortable since they will lose competitive edge if they accept the “Home Based Work” instead of the Customer facing important work at the Branch and at the same time if they refuse to take the option, would find the pressures from the home front to stay at home increase.

But more seriously, SBI needs to consider the quantum jump in the Information Security Risks that will arise because some of their employees holding passwords on behalf of the Bank would now be working off-site on open networks and using their own computing devices when their attention is being diverted by the complaining mother in laws, the crying babies and the demanding husbands besides the servants and courier boys who may have more than prying eyes.

The “Techno-Legal- Behavioural Risks” of banking with SBI will therefore multiply.

SBI recently faced the massive card security breach and many cyber crime victims are still struggling to get their money back. Mr Urjit Patel is helping the banks to dodge the Cyber Crime victims from receiving back their dues by not operationalizing the August 11, 2016 draft circular issued by them.

But instead of providing a greater assurance to the customers about the security of the State Bank system particularly in the midst of the chaos of mergers which will be a fertile opportunity for fraudsters to indulge in massive phishing exercise, the Board of the Bank  has taken a political decision that will endanger the security of its account holders.

I urge Ms Arundathi Battacharya not to look at herself as a “Lady Chair Person” and push decisions that will endanger the community.

Our conventional media may not be able to analyze the impact of such populistic decisions and may praise the Bank.

But Naavi.org strongly denounces this populistic move and demands the Bank to explain what information security measures will be initiated by the Bank before the move is put into practice.

I urge the RBI to clarify if they have done their due diligence in this regard before the move was announced by SBI in the public.

Naavi

For the last week or so, there have been intense debate on the social media and TV media about the Gurmeher Kaur incident where the 20 year old student of Delhi University kicked off a controversy by posting a You Tube Video in which she said “Pakistan did not kill my father, War did”.

Gurmeher’s father was a Kargil martyr and her statement incensed many who felt that she was trying to absolve Pakistan of the responsibility for the Kargil war.

When those who opposed her view posted their comments including one from Virendra Sehwag saying “I did not score two triple centuries. My Bat did”, the media started hounding Sehwag and others accusing that they were unfairly trolling Gurmeher, the poor 20 year old Girl and Student who had a “Right of Free Expression” under our respected Constitution with which all these “Liberals” swear. The people who opposed Gurmeher were accused of “Trolling” .

It is therefore necessary for Cyber Watchers to debate what constitutes “Trolling” and whether it should be considered as an “Offence” and if so under which law? etc.

As a disclaimer, I would like to say that I donot support the threats on this “20 year old  girl student” which was repeatedly stressed by Burkhadatt. I however consider that she was acting at the behest of political interests represented by RG and AK to raise a controversy in the light of the ongoing UP elections and to inconvenience BJP. She therefore deserves to be considered as a “political activist” and not a “Student”. Her age and gender is immaterial for holding her a motivated political worker.

First of all, I am seriously opposed to the student politics of all kinds and our educational institutions should be free of elections and political affiliations of all kinds. Students should focus on education and those who remain students eternally and keep creating problems whether in JNU or Ramjas or Film Institute-Pune or Jadhav University, must be kicked out of the educational institutions. They are free to join political parties and continue their disruptive work but not pose as if they are “Students” and claim respect and sympathy.

Those who support Gurmeher would like to consider that the “Trolls” have tried to curb the “Freedom of Expression” of Gurmeher and forced her to shut up and retreat from the “Campaign” she was in.  If Section 66A of ITA 2008 was present, perhaps we could have seen cases being filed (or tried to be filed by Congress and AAP) on Sehwag and others for harassing the young Girl student. Probably if a proper advocate who can influence the Judges by their powerful arguments as they did in the Shreya Singhal case is engaged, they may get the honourable Supreme Court to declare that “Trolling” is an offence and Sehwag and others like him should be immediately arrested for having violated the  Constitution of India.

In this connection, I would like to draw the attention of this community about the definition of what constitutes “Trolling”.

According to the Wikipedia,

Internet Troll means

“In Internet slang, a troll (/ˈtroʊl/, /ˈtrɒl/) is a person who sows discord on the Internet by starting arguments or upsetting people, by posting inflammatory,extraneous, or off-topic messages in an online community (such as a newsgroup, forum, chat room, or blog) with the intent of provoking readers into an emotional response or of otherwise disrupting normal, on-topic discussion,often for the troll’s amusement”

This definition seems to fit to Gurmeher’s post more appropriately than say Sehwag’s post. Hence she would be considered guilty of “Trolling”.

So if “Trolling” is to be punished, the first person to be convicted would be Gurmeher herself and hence her supporters should be wary of going to the Court seeking a remedy for trolling.

Naavi

The Motor Vehicles Amendment Bill 2016 which seeks to bring in many changes to the current Motor Vehicles Act has been approved by the Cabinet according to a report. (Refer here) The Bill is yet to be passed into an Act.

The Bill has caught attention of the public from several angles. One aspect that has been making rounds in the WhatsApp circles is the proposed increase in the penalties for traffic violations.

The second important aspect is the protection to good Samaritans proposed in the Bill so that accident victims may get immediate medical attention.

The third noticeable aspect is an attempt to define an “aggregator” like the Olas and Ubers.

According to the proposed section 2 (1A), an “aggregator” means a digital intermediary or market  place for a passenger to connect with a driver for the purpose of transportation”.

There will be a need for the “aggregator’ to get a license under Section 93 of the Act for which guidelines are to be issued by the Central Government. It is also specifically mentioned that the aggregator shall comply with the provisions of the Information Technology Act 2000 and the rules and regulations made there under.

The penalty clause under Section 193 proposes as follows:

“Whoever engages himself as an aggregator in contravention of the provisions of section 93 or of any rules made thereunder shall be punishable with fine up to one lakh rupees but shall not be less than twenty-five thousand rupees.”

“Whoever, while operating as an aggregator contravenes a condition of the licence granted under sub-section (4) of section 93, not designated by the State Government as a material condition, shall be punishable with fine of five thousand rupees.”.

According to these provisions, it would be mandatory for the Aggregators to be compliant with ITA 2000/8 failing which they need to face the possibility of a fine of upto Rs 1 lakh. This will be considered as additional to the penalties that may be imposed under ITA 2000/8 which will kick in when a wrongful harm has been caused by an “intermediary”.

It would be interesting to see how this section will be interpreted in practice.

Let’s watch the developments when the Bill is discussed in the Parliament. It is quite likely that the debate will completely ignore the impact of ITA 2000/8 though for us this is an important aspect to be taken note of.

It is also proposed that a”National Driving License Register” would be maintained (should be available in electronic form) and certain changes like change of address etc can be made electronically.

Also the State Government has been mandated to introduce electronic monitoring of enforcement (legitimizing the use of CCTVs, Speed Guns, body wearable cameras etc for booking offences) for which State Governments need to make rules.

The Central Government and the State Governments can also make rules for  the use of electronic forms and means for the filing of documents, issue or grant of licence, permit, sanction, approval or endorsements and the receipt or payment of money.

Naavi

Reference documents

Copy of the Amendment Bill

Copy of the present Act

[P.S: This post is meant for the Academicians and discusses certain theoretical concepts. Professionals in the Information Security domain may seriously dispute some of the concepts and it is considered perfectly logical and welcome.]

Naavi is a techno legal professional and has been thought leader in the field of Cyber Laws in India. Many of the innovative thoughts of Naavi have been expressed through this website and have found practical uses in the form of services.

As an academic practitioner, Naavi has applied his Technical, Legal and Behavioural Science training and education to the field of Information Security to develop his own version of Total Information Assurance (TIA) built on the pyramid model of hierarchy of TIA objectives from Availability to Non Repudiation through different stages of Integrity, Confidentiality, and accountability.

Naavi has adopted a model which differs from the traditional model with “Availability” as the foundation while traditional thinking of “Security” places “Confidentiality” as the focus and no hierarchical stacking of objectives. The reasons for the deviation is explained elsewhere and it suffices to say that it is based on the practical implementation thinking process of a business manager and stems from the basic premise that “Information Security is for the protection of the Information Owner” more than “Protection of the Information” and hence decisions are to be guided primarily from the business owner’s perspective and not the perspective of the Information Security professional if the two functions can be distinguished.

Similarly, Naavi propounded the “Theory of Information Security Motivation” based on the “Pentagon model” where he tried to explain the process of how Information Security implementation in an organization can be motivated for implementation by the practitioners. This adopted a closed wall integrated approach concept instead of the hierarchical concept under the premise that all 5 elements of IS motivation need to close in like walls to be effective.

The essence of the theory was that IS implementation cannot be motivated until the five elements of Awareness, Acceptance, Availability, Mandate and Inspiration formed a closed boundary plugging the possible leaks. This included the three dimensions of technology (availability and awareness), Law (Mandate and awareness) and Behavioural Science (Acceptance, Inspiration and Mandate).

Now, in the “Theory of Secure Technology Adoption” Naavi is focussing to study and present how in his view, technology is adopted by people and organizations and what is the role of security in such technology adoption.

Obviously there could be many other studies of similar nature which has thrown up different dimensions of this thought. This is yet another contribution to the academic pool of thought.

I will present some brief thoughts about the theory in subsequent posts and expect others to build on it and develop it with the central thought that “Secure Technology Adoption” has a pattern which we try to understand so that in future product/service developers would take note of why certain technologies get easily adopted and certain technologies get adopted after a lapse of time and certain technologies are shunned by the market.

In developing my thoughts on this subject I would be influenced by what I have read, studied, tought and experienced over time and hence reflect some thoughts of the great thinkers of the past. Such coincidences are incidental and not intentional.

Naavi