The Privacy Shield Regime

From the 1st of August 2016, the new Privacy Shield regime for EU-US data transfers has come into operation. It replaces the “Safe Harbor” regime that the Court of Justice of the EU (CJEU) declared invalid in October 2015.

This new Privacy Shield will provide the framework for EU-US personal data transfers from now on and will work concurrently with the alternatives such as BCR (Binding Corporate Rules), SCC (the EU Standard Contractual Clauses) and CBPR (Cross Border Privacy Rules).

Relevance to Indian IT Companies

These EU-US developments will also apply to data processing that happens in India, either because the customer transferring the data is in an EU country or because these rules will emerge as general standards of the industry. Hence a general understanding of these principles is essential for Indian companies engaged in data processing activities involving “Personal Data” of non-Indian citizens.

As regards the data of the Indian Citizens, the ITA 2000/8 imposes its own obligations under Section 43A (For sensitive personal information), Section 72A (For all personal information) besides other provisions that apply to “Data” in general. The key aspect of the Indian law is that it provides legal backing to the contractual agreements between an Indian data processor and the foreign data vendor. Hence whether it is the Privacy Shield obligations or the BCR/SCC/CBPR obligations, they all get extended to Indian processors and become enforceable under the Indian law.

Indian companies therefore have to be completely alert to the developments in the EU-US data exchange scenario and follow them in India as the best privacy practice, particularly when processing of international data is involved. Since it is impractical to maintain one set of privacy standards for data of foreign nationals and another for Indian nationals, companies need to adopt the international standards for all personal data, irrespective of whether it pertains to an Indian citizen or a foreign citizen.

This should establish the relevance of the new US-EU Privacy Shield regimes and the other frameworks to the Indian context.

What is Personal Information?

In Indian law, the rules under Section 43A define personal information as

“any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

In comparison, “Sensitive Personal Information” is such personal information that contains any of the following types of information:

(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

In contrast, the EU definition of personal data reads as follows:

“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

The EU definition appears broader than the Indian definition but we can assume that for practical purposes both mean the same. (Refer for details here)

However, it must be remembered that under European law, data is considered ‘transferred’ when it is either physically transferred to another country (i.e. to be stored in a data centre on that territory) or when a person residing in another country accesses the data from that country. It is therefore an extremely broad concept that may apply even if personal data is technically stored within the EEA.

Hence the EU guidelines will become applicable in all cases where data is actually transferred to servers outside the EU or when access to it is provided from outside the EU.

Essence of Privacy Shield

While the Privacy Shield principles are not much different from the general principles that were followed under Safe Harbor, there are a few significant differences that we need to take note of, mainly in the enforcement of the provisions.

Stronger Supervision:

The intent of Privacy Shield is to transform the oversight system from self-regulating to one that is more responsive and proactive. The certification and annual re-certification process will remain unchanged, but the Department of Commerce will actively monitor compliance through detailed questionnaires, among other things.

Additionally, the FTC will maintain a “wall of shame” for companies that are subject to FTC or court orders in Privacy Shield cases.

Redressal Mechanism

Any EU citizen who believes that his or her data has been misused will have several redress possibilities under Privacy Shield. Among them, EU citizens will be able to report complaints directly to their local Data Protection Authorities. Redress mechanisms include established timelines for responses by a subject company. Privacy Shield also creates a new arbitration right for unresolved complaints.

Limitations imposed on US public bodies

There will be clear limitations, safeguards, and oversight mechanisms for access by public authorities for law enforcement and national security purposes. A new redress mechanism will inform a complainant whether an access or surveillance matter has been properly investigated, and that either U.S. law has been followed or, in the case of non-compliance, the breach has been remedied.

Steps to Certify

The subject company should first develop and maintain a Privacy or Privacy Shield policy based on the following principles of certification under the EU-U.S. Privacy Shield, which include:

  1. Notice: Privacy Shield companies must update or prepare a global or EU-applicable privacy policy or EU notice statements for the data subjects covered by the certification, and ensure that such policy or notice is accurate, comprehensive, and visible to data subjects.
  2. Choice: The policy will also cover areas where consent, permission, data use limitations or opt-out strategies, and special treatment for “Sensitive Personal Data” are applicable.
  3. Access, Data Integrity, and Redress: The policy also addresses other areas related to existing processes or controls, if applicable, to meet the Access, Data Integrity, and Redress requirements needed to cover a Privacy Shield election.

A Privacy Shield company must maintain adequate and reasonable administrative, technical, and physical safeguards and controls designed to address appropriate security requirements for U.S. and EU applications that capture or process data within the scope of the certification.

Following a review of existing contracts, the contracts with downstream Business Associates must be updated to address the specific Privacy Shield wording requirements.

Staff training on the Privacy Shield requirements needs to be undertaken.

Documentation supporting the company’s Privacy Shield certification (e.g., policies and procedures, gap assessment report, and contract addendum) should be prepared/compiled and included in a compliance binder.

Registration

Companies that decide to adopt the Privacy Shield must register themselves with the International Trade Administration of the US Department of Commerce and subject themselves to the self-certification process, which involves completing the required questionnaires.

Presently it is reported that 200 companies have signed up for the process in the first month since registration started. Others may be weighing the need for registration vis-à-vis their present privacy practices, which may have incorporated other measures such as BCR, SCC or CBPR.

Alternatives to Privacy Shield

BCR:

BCR or Binding Corporate Rules are internal rules adopted by multinational group companies which define the global policy with regard to international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection for companies to obtain authorisation of transfers from national data protection authorities (“DPA”). BCR do not, however, provide a basis for transfers made outside the group.

EU Standard Contractual Clauses

The Council and the European Parliament have given the EU Commission the power to decide that certain standard contractual clauses offer the sufficient safeguards required.

The Commission has so far issued three sets of standard contractual clauses:

  • two sets for transfers from data controllers in EU to data controllers outside EU/EEA
  • one set for the transfer from EU data controller to processors established outside the EU/EEA.

Adoption of these standard clauses could be considered if found suitable.

CBPR (Cross Border Privacy Rules of APEC)

The APEC Cross Border Privacy Rules (CBPR) system helps bridge the differences in privacy rules between countries by providing a single framework for the exchange of personal information among participating economies in the APEC region. There are currently three participating APEC CBPR system economies: USA, Mexico and Japan, with more expected to join soon.

The APEC Electronic Commerce Steering Group (ECSG) and the EU Article 29 Working Party have produced a common referential for the requirements of the APEC CBPR system and the EU Binding Corporate Rules.

Participating companies are required to adhere to the standards established by the APEC CBPR system. All APEC CBPR system certified companies have their privacy policies and practices evaluated by an approved independent third party verifier (known as an “Accountability Agent”). Accountability Agents monitor and enforce companies’ compliance with the APEC CBPR program requirements. In appropriate cases, they are also required to report non-compliance to Privacy Enforcement Authorities.

Final Word

Mechanisms such as the Privacy Shield, BCR, SCC or CBPR are different framework approaches to managing the privacy concerns that arise when data flows from one country to another and the privacy laws of the two countries differ. Some of these frameworks differ in their system of enforcement and grievance redressal mechanism. While Privacy Shield is a purely self-declaration-based certification system, CBPR brings in an Accountability Agent to certify compliance in the first place. BCR is meant for intra-group data transfers in multinational companies and may not serve as a comprehensive approach. The SCC framework is a good indicator and needs to be explored while drafting Business Associate contracts where data is transferred to sub-contractors.

While these frameworks are essentially for the participating economies, such as EU-USA data transfers or transfers within the CBPR signatories, Indian companies need to recognize the endorsement of these frameworks by ITA 2000/8 and the possibility that vendors from the USA, the EU or any other country who transfer data to Indian companies for processing may have incorporated a fine-print clause in the SLAs or Business Associate contracts and may try to enforce indemnity clauses for any intentional or negligent contravention of the privacy obligations.

It is time companies in India audited their privacy policies and their implementation status within the company to ensure that any deviations are within manageable levels.

Naavi


Seat of Arbitration in ODR

One of the concerns of arbitrators intending to use ODR facilities provided by www.odrglobal.in is the doubt about how the Courts may interpret the “Seat of Arbitration” and apply relevant laws.

The applicable law in the case of an arbitration is relevant for seeking any interim relief during the process of arbitration as well as for appeals after the arbitration besides for interpreting the law related to the dispute.

The choice of the applicable law may depend on the residence of the disputing parties as well as the place where the underlying contract was performed. Ideally, the parties to a contract should choose, within their contract, the applicable law that will govern the interpretation of the legal issues involved in the performance of the contract.

This may however be insufficient to determine the law applicable to the conduct of the arbitration proceedings which is initiated as a dispute resolution mechanism.

Where no mention has been made of the applicable law for the arbitration proceeding, the convention has been to take the place where the arbitration is held as the basis for applying the procedural law regarding the conduct of the arbitration. This is normally referred to as the “Seat of Arbitration”.

It is necessary for us to appreciate that the “Seat of Arbitration” may be different from the “Venue of the Arbitration” if the parties so choose to describe it. It is possible for an arbitration proceeding to be held at multiple venues, while the designated seat of arbitration is the place whose Courts will exercise jurisdiction over the procedural aspects of the arbitration.

In India the law of arbitration has to be viewed as “Pre-Amendments of 2015” (Before Amendments or BA) and “Post amendments of 2015” (After Amendments or AA).

In the BA period, the guiding principle was the Supreme Court decision in BALCO Vs Kaiser Aluminium Technical Service Inc, where it was held that “the choice of another country as the Seat of Arbitration inevitably imports an acceptance that the law of that country relating to the conduct and supervision of Arbitrations will apply to the proceedings.”

According to this, if the Arbitration agreement was found or held to provide for a Seat / place of Arbitration outside India, then even if the contract specified that the Indian Arbitration Act shall govern the arbitration proceedings, Indian courts could not exercise supervisory jurisdiction over the Arbitration or the award.

It is an established principle of law (Delhi High Court, in the case of PCP International Limited (“Petitioner”) v. Lanco Infratech Limited (“Respondent”), OMP (I) No. 350/2015) that parties by consent cannot confer jurisdiction on a court which does not have jurisdiction. The choice of parties with respect to conferring exclusive jurisdiction on a particular court is limited to the courts that hold concurrent jurisdiction in accordance with the principles contained in Section 20 of the Code of Civil Procedure, 1908 (“CPC”).

The Delhi High Court in the above case of PCP International also held “that the seat of arbitration refers to the legal localization of the arbitration whereas the venue refers to the appropriate or convenient geographical locality for hearings of the arbitration”. When the petition came up for review, the Court accepted the Supreme Court’s interpretation in the BALCO case: “concurrent jurisdiction vests in the court which would have jurisdiction where the cause of action is located and the courts where the arbitration takes place”.

Hence when parties use a cyber venue for arbitration, such as ODR on ODRGLOBAL.IN, it does not in any way affect the “Seat of Arbitration” that may be agreed upon by the parties as any of the places having concurrent jurisdiction.

In the case of a Virtual ODR, the arbitration is deemed to be held in Cyber Space. Cyber Space does not belong to anybody, since it is an “Imaginary transaction space created by binary documents”. If, therefore, a dispute on a cyber space transaction has to be adjudicated by the physical judicial authorities, we need to agree upon an appropriate method to choose the jurisdiction of the Courts.

Since it is natural for parties to a contract to agree upon the “Seat of Arbitration” either as part of the contract or when they try to fix a venue for an arbitration, the best option for parties accepting the virtual ODR process of dispute resolution is to state upfront in the contract whether the applicable jurisdiction will be that of any one of the contracting parties.

Since ODRGLOBAL.IN is an Indian venture, the default jurisdiction by implication (if nothing to the contrary is indicated) could be considered as India. As regards domestic arbitration, there is no issue, since all the contracting parties are in India and any difference of opinion is only between one High Court and another. In the case of an international arbitration, it is open to the parties to agree upon a non-Indian country as the jurisdiction for any procedural disputes by stating that country as the seat of arbitration.

In India, the law that defines Cyber Transactions is contained in ITA 2000/8 (Information Technology Act 2000/8). The Arbitration Amendment Act of 2015 (effective from 23rd October 2015) has specifically accepted “Electronic Communications” for the formation of an Arbitration Contract [Section 4(b)] (though this was always available through the interpretation of Section 4 of ITA 2000/8). Further, ITA 2000/8 recognizes the “Place of Usual Residence” of a person sending an electronic communication as the “Place from which an electronic message is sent”. Hence, an electronic message that forms a contract is deemed to have been executed from the place from which the acceptance is deemed to have been sent. Thus, if the Virtual ODR room is set up under the instruction of the person who starts the ODR process, his place can be considered as the place in which the Cyber Facility gets established as a virtual place of arbitration. If the ODR is invoked by a person from a foreign country, it may therefore be possible to consider his country as the country defining the seat of arbitration.

Apart from this, it may be noted that the Amended Arbitration Act provides under Section 2 that

“… that subject to an agreement to the contrary, the provisions of sections 9, 27 and clause (a) of sub-section (1) and sub-section (3) of section 37 shall also apply to international commercial arbitration, even if the place of arbitration is outside India, and an arbitral award made or to be made in such place is enforceable and recognised under the provisions of Part II of this Act.” (Amendment effective from 23rd October 2015)

Section 9 refers to the interim measures in which a Court can intervene. Section 27 refers to the assistance of the court in taking evidence, and Sections 37(1) and 37(3) refer to appeals.

In view of the above, in a virtual ODR process, the parties are free to declare a specific seat of arbitration or proceed with the implied seat as India.

Virtual ODR process of Odrglobal.in also makes use of rendering a recording of the arbitration proceedings with a certification under Section 65B of Indian Evidence Act. In Indian Courts this should have automatic admissibility though in other countries it is open to the Court to admit it as submitted or ask for further affidavit etc.

Odrglobal.in however suggests that the “Arbitration Clause may itself be used to define the seat of arbitration if the virtual ODR facility is used”.

Since cyber space will be just another venue, parties are also free to use the Virtual ODR of odrglobal.in for some hearings and physical hearings for others. This will not adversely affect the validity of the proceedings.

Once the UNCITRAL Model Law on ODR is released in its final recommendatory form, ODRGLOBAL will be considered an “ODR Administrator”, subject to its following the prescriptions of the model law (which Odrglobal.in is already following in substantive measure), and hence even in international arbitrations the use of cyber space will become acceptable.

I suppose this clears the concerns that some may have on the use of Virtual ODR.

Naavi


Cyber Command Push should be our response to Uri Attack

The unfortunate terror attack in Uri in which about 20 Indian soldiers were martyred should open the eyes of our defense strategists to plug our weaknesses and strengthen our defenses.  There is no doubt that the incident highlights negligence on the part of the local unit in Uri which failed to assess the risk and take sufficient steps to stop such an attack. Like the US twin tower attack, the terrorists can gloat over their success for a long time to come and use it to motivate their force. We need to counter this with an appropriate counter attack that can have a long term impact on our defense systems.

We are sure that unlike the previous Congress Government which was more sympathetic to Pakistani terrorists and even went to the extent of shedding tears when terrorists were killed and also provided shield to terrorists by taking a stand that Ishrat Jehan was not a terrorist, Modi Government is more determined to provide a tough counter response.

The debate however is “What should such tough Counter response be?”.  Since yesterday, we are seeing many experts suggesting different options. Some have suggested that India should raise a “Non State Actor Force” which can undertake covert operations to hurt Pakistan. A formal strike on terror hideouts is another suggested response. Economic blockade on Pakistan and its known sympathizers like China is another strong response suggested.

While political efforts to isolate Pakistan in the international scenario and obtain sanctions on them is overdue, it should start with India itself. We need to immediately put an embargo on all trade and people to people relations with Pakistan and ignore opposition from people like Salman Kurshid and Mani Shankar Iyer. We should also immediately act in J&K and declare Governor’s rule with Army in complete control. All Government expenditure on securing the separatist leaders and their security should be immediately withdrawn and they should be put in proper jails outside Kashmir. This is meant to hurt Pakistan psychologically.

Simultaneously, economic blockade of red flagging countries and companies dealing with Pakistan and putting barriers on their business with India must begin.

Beyond these Psychological and Economic measures, leaving the military options to the experts, there is a need for the Government to focus on the long standing demand for setting up the “Cyber Command” to take up “Electronic Warfare”. This has been discussed for over a decade now and I presume that somewhere in our defense systems some silent work is being done. But it is evident that we are not able to see the effect of this in either reducing terrorist attacks or in inflicting damage on the Pakistan economy through electronic warfare.

I think the time has come now for the Modi Government to showcase its resolve to fight Pakistani proxy war through terrorism by its own brand of Cyber Warfare.

India may require a lot of investment in its defense, which has been systematically weakened by the corrupt UPA Government in the past, in the form of aircraft, submarines etc. But amidst such investments in military hardware, substantial investments in electronic warfare are also required. I presume that electronic warfare will eventually not be as expensive as conventional warfare is.

To begin this exercise, Government has to first set up a Cyber Command or, if one has already been in existence, start some action to develop a few thousand cyber warriors properly recruited directly off the colleges. The strategy and scope of operations of such a command are not a subject matter of public discussion.

I look forward to some concrete action from the defense minister immediately so that the Indian Cyber Command not only strengthens our intelligence capabilities but also the capabilities to launch strikes on Pakistan military. This should be the one single difference between India before Uri attack and India after Uri attack.

Naavi

Related Articles:

The Cyber Command: Upgrading India’s national security architecture

orf special report

New Indian Cyber Command Urged Following Recent Attacks

Indian National Cyber Security Challenges


Playpen operation by FBI throws up debate on evidentiary issues of investigation

The Electronic Frontier Foundation (EFF) which fights for the rights of Netizens has opened up an interesting debate on evidence collected during FBI’s investigation of a Child Pornography operation. (Refer Article here for details on the case)

To explain the context briefly, the FBI received a tip from the LEA of another country about a site called “Playpen” hosting child pornography. During preliminary investigations, it was found that the IP address of the server could be identified due to a technical misconfiguration of the site. The IP addresses were located within US jurisdiction. Using this information, the FBI obtained a search warrant and seized the server.

However, instead of shutting down the server, the FBI kept the server running under its supervision for another two weeks, collecting evidence of different kinds. In the process, the FBI also installed malware of its own, called NIT (Network Investigative Technique), on the computers of visitors to the site. This could collect the identity information of the users.

It is reported that FBI has charged and arrested hundreds of persons based on this investigation.

Naturally, this operation has given rise to a debate on the rights of LEAs to violate the privacy of individuals during an investigation and thereafter.

One interesting issue that unfolds here is that offences were committed both before the FBI took over the Playpen site and during the time when it was operating the site. Evidence was also collected both before the FBI took over and during the time it ran the server.

There were also illegal activities committed by the FBI itself to trap continuing users of the site and new users.

The issue is complicated and views on how the evidence would be admitted in Court may differ. However, it appears that in respect of persons who started using the site during the time the FBI was in charge of it, any evidence collected may be considered as “collected through an illegal process” and may not be admitted by the Courts.

However, if offences were committed earlier and only the identification details were collected during the investigation process by planting of the NIT, perhaps the Courts may accept the identification and the evidence of crime prior to FBI take over and continue the prosecution.

I hope new case laws will come to be recognized when the cases pertaining to this investigation are analyzed by the Courts in USA and will set a trend in interpreting evidence collected by the LEA through intelligence operations.

Naavi



Can Jio and BSNL collaborate for a Win-Win situation?

In a significant departure from the “Make in India” posture, India, which can compete with the world for global IT super power status, has adopted a surprising approach to hosting Government data on the cloud, which is both a concern for information security and also a measure that could kill indigenous public sector organizations like NIC and BSNL.

Refer Article here

When Mr Modi took over, one of his policies which attracted me most was the idea of turning Public Sector units profitable by bringing in a “Private Sector Management Culture” instead of actually privatizing the holding. During the UPA days, there was a systematic effort to kill public sector to benefit vested private sector interests through corrupt practices. In this process, Air India as well as BSNL/MTNL turned sick only to make the private sector counterparts grow in strength. Part of this was due to the lack of efficiency of the public sector employees who failed to modernize their approach with the changes in the environment, but most of it was due to the active political support to the private sector competitors.

The “Make In India” concept was also a right step in this direction of making public sector operations profitable without privatization of ownership. Air India has now become better. Railways is showing a significant innovative approach to stay profitable. IT might not have done enough to exploit all the opportunities, as it has stumbled from one bad decision to another, such as the encryption policy, the Facebook policy etc.

Obviously, the private sector also has to survive and we need FDI, and therefore there is a need to find a compromise solution in certain sectors where foreign investment is inevitable since indigenous services are not available. However, in the field of telecom the local resources must be good enough to make significant progress with indigenous initiatives led by public sector agencies which have a huge infrastructure.

It is therefore necessary to find solutions to effectively use available resources in terms of hardware, software and network with BSNL and NIC as well as CDAC to ensure that a big part of India’s growth comes with the use of these public sector agencies. There is no need to kill these agencies just to promote private interests.

Even when the first dilution of this policy has to be accommodated, we need to first look at Indian Corporates before we turn to foreign agencies.

The Indian private sector has the freedom to offer its services globally, and so do the foreign companies operating in India. Hence we cannot be too restrictive of foreign businesses picking up business opportunities in India, and we need to accept that these commercial operations have to go on for the sake of providing a level playing field to international trade.

However, when it comes to handling of “Information” particularly from the “Government”, the issues of National Security should be paramount. With increasing interest in “Big Data” and data mining for international espionage, cyber terrorism and cyber war, we cannot jeopardize national security by exposing national security sensitive data to the international private sector companies who will not have any commitment to India’s national security and will also be under a legal obligation to provide a backdoor to US intelligence agencies.

Despite the growing friendship with US and the possibility of defense collaboration with them, India’s interests will be best served by keeping its cards close to its chest as long as feasible.

We therefore feel that the decision of the Government to consider allowing its departments to use cloud services of IBM, Amazon and Microsoft is retrograde. The Ministry of Electronics and Information Technology (Meity) should therefore revisit its proposal to host data from different Government departments on the services of these foreign companies even if they set up servers in India.

Meity often takes its decisions in consultation with NASSCOM, which is highly influenced and driven by the interests of the private sector, mostly of the Microsoft type. The bureaucrats in the department are either unable or unwilling to take a tough stand against the commercial interests represented by NASSCOM.

Naavi.org recently pointed out how DSCI promoted FIDO Alliance products by conducting special seminars in Bangalore and Mumbai (Is NASSCOM promoting an Online authentication system which is not ITA 2008 compliant?).

A trend has set in where NASSCOM becomes a shelter for retiring Meity employees and hence the cozy relationship is natural and will continue.

It is therefore necessary for wiser men in the PMO to ensure that the commercial influence does not corrupt the National Security posture of the decisions. Hence in certain areas, public sector agencies need to be given a priority treatment. If they lack necessary expertise or technology, efforts should be to fill in the gaps rather than blame the people who may be fighting a battle with one hand tied behind their backs.

Presently there are two areas in which Government can show its resolve to “Privatize the Management of Public Sector agencies” like BSNL and NIC.

First we shall consider BSNL. It has a huge telecom network, including an optical fibre network and connectivity to villages through landlines. This network needs to be fully harnessed.

At the same time we are seeing Reliance Jio entering the high end of the market with VoLTE and trying to capture a substantial share of it. Today Jio is a greater threat to Airtel than to BSNL, but in due course Jio may also start hurting BSNL if no corrective steps are taken now.

The other private sector players have already ganged up in a cartel to deny interconnectivity to Jio, which is illegal and against their license terms. However, since it is a question of their survival, they will find some means to ensure that Jio services are disrupted from time to time, to the extent that customers are frustrated enough to remain with the competing service providers. The legacy service providers may resist number porting to Jio and ensure that customers delay their shift to Jio.

This fight will go to TRAI, and TRAI’s decision, whatever it may be, will go to the Supreme Court; over the next six months this battle will create a huge mess in the telecom segment that will set our Digital progress back by several years.

But BSNL cannot join this dirty fight. It has to protect its interest separately. We also need to find a solution to clear this mess in the larger interest of the country.

In this context, I see one solution that offers a “Win-Win” possibility for BSNL and Jio.

I think BSNL and Jio should explore a collaboration in which BSNL provides a “Gateway Switch” (a universal switch connecting to other networks from a BSNL proxy identity), so that connectivity requests from Jio to other networks pass through a proxy server of BSNL and the other networks cannot identify and filter out Jio requests. BSNL can charge Jio a fee for the service. To drop these calls, the competitors would have to block BSNL connectivity requests as well, which would legally amount to “Denying Service to disrupt a Government Network”, an act that can be considered an offence under Section 66F of ITA 2000/8 (yes, it is called Cyber Terrorism). BSNL would therefore be a shield behind which Jio can run a smooth business free of unfair practices.

In return, BSNL can ensure that it remains the king of the landline business, besides retaining its existing residual business in 2G, 3G and 4G voice and data. I also see potential in running a secure 2G voice network for Government servants, to avoid conversations between Government officials being tapped by international spy agencies.

This would also prevent Jio from eating into BSNL’s landline business in future, since Jio’s optical fibre network has the potential to kill the BSNL landline business as well.

The strategy would therefore help BSNL survive and grow in its domain of strength, and benefit from the interconnectivity proxy service suggested here.

I am sure that Airtel and others would oppose such a move as improper under the TRAI guidelines, but I think there is a legal possibility of providing such services within the current license provisions. The threat of a Jio-BSNL collaboration should be sufficient to soften the industry players into stopping their unfair practices and grudgingly allowing number porting and connectivity to Jio.

As regards NIC, its business potential lies in data center services and digital signature services. Presently NIC restricts its services to the Government sector. If MeiTY wants to open Government business to the private sector, there is no reason why it should mind NIC also going after private sector business. This may generate good revenue for NIC by bringing its service charges on par with the private sector. CDAC can certainly help NIC upgrade its technology. IDRBT may even be able to merge its digital signature business with NIC, so that the digital signature and e-sign business can be run as a profit-making venture between NIC, CDAC and IDRBT.

This conglomerate should also be able to offer many commercial services to citizens in Digi Locker related services and Aadhar authentication services, and become hugely profitable.

I am aware that there are many technical inadequacies in NIC which need to be addressed. But CDAC is capable of addressing them, and the Government sector network is large enough to harness the business across the country. CDAC should also not drop its old project to develop an indigenous operating system for computers.

If these two organizations, namely BSNL and NIC-Private, become profitable, India’s Digital India dream would get a good boost.

I hope the Government, at the PMO level, starts thinking of these possibilities without depending on recommendations from NASSCOM-driven interests.

Naavi

Posted in Cyber Law

Start a War on Ransomware. It is Cyber Terrorism

In recent days, “Ransomware” has become a global threat to IT and requires some strong countermeasures. A few months back, a ransomware attack was reported in Hyderabad, and more recently I came across an incident in Coimbatore where a corporate entity faced a ransomware attack. What is also threatening is that “Ransomware Kits” appear to be on sale on the dark web, and more and more misguided persons may be tempted to buy and use “Ransomware as a Service” (RaaS).

Before this ransomware virus spreads into an epidemic, we need to act decisively and bring it under control. In particular, I request the men in the Police force to set up special investigation teams to crack the reported cases, and my first such request is to the Police in Coimbatore, where a report has surfaced.

“Ransomware”, by definition, can be any “Computer Contaminant” (call it a virus or trojan if you like) that encrypts the user’s data and demands payment of a ransom for unlocking it.

The extortionist here is not interested in “Data Theft” or “Exfiltration” of data, so Data Leak Prevention (DLP) defenses may not identify the malicious activity. The “Encryption Process” itself, however, should be detected by good malware detection software unless it is a zero-day threat. Since the early days of ransomware, most antivirus companies have tried to address the threat and have released specific “Ransomware Removal Tools” (refer to this article: 7 Best Ransomware removal tools..). But, as with other viruses, the fight is continuous and will go on. Users need to be aware that even with the best antivirus software, kept updated on time, risks still remain and need to be addressed on a war footing.
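The point above, that nothing leaves the network and so the encryption activity itself is what a defender can observe, is illustrated by the following added example. It is not code from the original post; the event format, the process names and the thresholds are assumptions, and the file-activity events are constructed here. It flags a process that writes many high-entropy files and renames them with a double extension within a short window, while ignoring a single high-entropy archive write by a legitimate tool.

```python
"""Heuristic detector for ransomware-style mass encryption.

Added example, not code from the original post. The event format, process
names and thresholds are assumptions; the events below are constructed.
"""
import hashlib
import math
from collections import defaultdict, deque

# Extensions that ordinary user documents carry; a file renamed from one of
# these to an unknown trailing extension ("report.docx.locked") is a hint.
COMMON_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "zip"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text sits around 4-5; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def double_extension(path: str) -> bool:
    """True for names like 'invoice.pdf.locked' (document ext + foreign ext)."""
    parts = path.rsplit("/", 1)[-1].split(".")
    return (len(parts) >= 3
            and parts[-2].lower() in COMMON_EXTS
            and parts[-1].lower() not in COMMON_EXTS)


def detect(events, window_s=10.0, min_hits=5, entropy_threshold=7.5):
    """Return {process: reason} for processes whose suspicious file operations
    (high-entropy writes or double-extension renames) reach min_hits within
    a sliding window of window_s seconds.

    events: iterable of (timestamp_s, process, action, path, content) where
    action is "write" (content = bytes written) or "rename" (path = new name).
    """
    alerts = {}
    recent = defaultdict(deque)  # process -> timestamps of suspicious ops
    for ts, proc, action, path, content in sorted(events, key=lambda e: e[0]):
        if action == "write":
            suspicious = shannon_entropy(content) >= entropy_threshold
        elif action == "rename":
            suspicious = double_extension(path)
        else:
            suspicious = False
        if not suspicious:
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= min_hits and proc not in alerts:
            alerts[proc] = f"{len(q)} suspicious file operations within {window_s:g}s"
    return alerts


def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample: a word processor saving text, an archiver writing one
# compressed file (high entropy, but a single event), and a cryptor rewriting
# six documents and renaming each to a ".locked" name within six seconds.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write", "C:/Users/a/Documents/report.docx",
     b"Quarterly revenue grew by four percent over the previous period. " * 60),
    (1.0, "7z.exe", "write", "C:/Users/a/Documents/archive.zip",
     pseudo_random(b"zip", 4096)),
]
for i in range(6):
    name = f"C:/Users/a/Documents/file{i}.pdf"
    SAMPLE_EVENTS.append((2.0 + i, "cryptor.exe", "write", name,
                          pseudo_random(name.encode(), 4096)))
    SAMPLE_EVENTS.append((2.5 + i, "cryptor.exe", "rename", name + ".locked", b""))


if __name__ == "__main__":
    for proc, reason in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {reason}")
```

The entropy test alone is not enough (archivers, image editors and disk encryption tools all write high-entropy data), which is why the detector counts events per process over a time window and treats the rename pattern as a second signal; in production the same logic would sit behind a file-system audit feed rather than a Python list.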

Any threat mitigation effort has to start with awareness of the threat. Hence we need to learn more about it and build awareness of it amongst all IT users in the organization, including top management personnel, who are as vulnerable as anybody else.

According to a recent fact sheet issued by the US Department of Health and Human Services (HHS) in the context of HIPAA compliance, there have been about 4,000 ransomware attacks per day since early 2016, a 300% increase over 2015, indicating the acceleration of the malicious activity. (See the Factsheet here).

The threat of Ransomware in India is grave and our Corporates need to build a robust defense system to mitigate the risks.

I wish all corporate managers would read the informative article “Ransomware-Practical view, Mitigation and Prevention tips” by Mr Tal Eliyahu. Microsoft has also released a guideline that is useful to read. (Read the Microsoft Note on Ransomware here).

The essence of the defense is to reduce the possibility of infection in the first place.

The first defense is, of course, to equip oneself with a good firewall and anti-malware software that can filter known ransomware. Keeping such software updated and properly configured goes without saying. The accompanying diagram (courtesy Microsoft, showing the top 10 ransomware threats) lists the types of ransomware that we may encounter.

Infection may also occur through visiting unsafe or fake websites over the network, opening e-mail attachments, clicking on malicious links in social media or even using a USB drive. Obviously, these are threats we are aware of and have been discussing with our employees for a long time.

What has changed is that the risks have grown bigger and more crippling, and this has to be driven home to users. It is no longer acceptable to occasionally flout the security norms on the reasoning that virus infection is only a “Probability”.

We need to presume that the “Probability of Infection is always One”. 

The second line of defense is therefore to drill home the need for a safe IT usage culture in the organization. I advise every organization to conduct an exclusive training session on the threat of ransomware and obtain a written commitment from every employee that he is aware of the threat and will take steps to secure himself and the organization against it.

The third line of defense is for the system administrators to ensure that the “Backup Process” is as good as it can be. Yes, this will involve costs, but it is better to invest here than to pay a ransom in future.

How To Respond?

Notwithstanding the measures taken to prevent a ransomware attack, a company faces an unenviable dilemma when it is actually confronted with the decision whether to pay or not. Obviously, the decision depends on the loss the company has suffered. If it has not backed up its data and has been caught in the attack, then it has to evaluate how to extricate itself from the situation.

Try all the removal tools you are aware of, so that you can extricate yourself if you are lucky.

Never hesitate to call in the Police. You need their assistance, and they need your cooperation to accumulate the knowledge needed to prevent such incidents in future. Police can be of real help, as I indicate separately later in this article.

If the removal tools fail or there is no more time to try them, the management may be forced to admit defeat and pay.

Once a victim agrees to pay, the attacker feels the kick of success and will continue to exploit the same victim or others in future. It is like feeding a hungry devil who will only ask for more.

However, it is not always possible to be obstinate and take the moral high ground of “I will never pay”. If the loss is unbearable, then the choice is “Pay and survive to fight another day”.

There is no guarantee that once a payment is made the attacker will oblige with a decryption key, but it is a risk that some may have to take.

The Penance Thereafter

It is however necessary to remember that the quality of the management is revealed not by whether they succumbed to the threat and paid up, but by the measures they take soon after. If for whatever reason one agrees to pay, the victim has to take some urgent steps to correct past mistakes, by measures such as the following.

a) Create a “Clean” backup of data which does not carry the infection. Ensure that the decrypted data is analyzed to remove any lurking trojan which may be activated once again.

b) Try to identify the source of infection and root it out.

c) Harden the security measures so that the possibility of re-infection is eliminated.
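The third line of defense above (a backup process that is as good as it can be) and step a) of the penance (a clean backup, with the recovered data checked before it is trusted) both rest on being able to tell which files are still the ones that were backed up. The following added example, which is not part of the original post, shows a hash manifest of a known-good backup and a verification pass that lists the files an attack modified, removed or added. It assumes backups are plain directory trees; the trees and the simulated attack are constructed inside a temporary directory.

```python
"""Hash manifest for backup verification after a ransomware incident.

Added example, not part of the original post. Assumes backups are plain
directory trees; the sample trees below are constructed in a temporary
directory and the "incident" is simulated by overwriting and renaming files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest taken when the data was known good.

    'modified' files are candidates for having been encrypted in place,
    'missing' ones may have been renamed or deleted, and 'added' ones include
    renamed ciphertext and ransom notes.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a live tree and an offline copy, record the manifest, simulate an
    attack on the live tree only, then verify both trees. Returns both reports."""
    with tempfile.TemporaryDirectory() as d:
        live, backup = Path(d) / "live", Path(d) / "backup"
        for base in (live, backup):
            (base / "docs").mkdir(parents=True)
            (base / "docs" / "report.docx").write_bytes(b"quarterly figures (constructed)")
            (base / "docs" / "notes.txt").write_bytes(b"meeting notes (constructed)")

        # Manifest taken while the data is clean; it belongs with the offline copy.
        manifest_path = Path(d) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)

        # Simulated incident on the live tree: one file encrypted in place, one
        # renamed to a ".locked" name, and a ransom note dropped at the root.
        (live / "docs" / "report.docx").write_bytes(b"\x9f\x02\x77" * 11)
        (live / "docs" / "notes.txt").rename(live / "docs" / "notes.txt.locked")
        (live / "README_DECRYPT.txt").write_bytes(b"pay to get your files back")

        manifest = load_manifest(manifest_path)
        return {"live": verify(live, manifest), "backup": verify(backup, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest, and the backup it describes, offline or on write-once storage: a manifest that sits on the infected host can be encrypted together with the data, and a backup volume that is mounted writable while the ransomware runs will be encrypted too. Running verify against the restored tree before it goes back into service is the check that step a) asks for, and the "added" list is where a dormant dropper or a second ransom note would show up.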

What the Police Can do

We should remember that a ransomware attack succeeds only when the attacker actually receives payment for his efforts. This means there has to be a reverse flow of money from your account to his, and herein lies the small possibility of detection and of bringing the culprit to book.

According to Indian law, a “Ransomware Attack” can be classified as “Cyber Terrorism”, since it strikes terror in the minds of a section of people, causes damage to property and uses denial of access and unauthorized access as its attack strategy. Under Section 66F, the perpetrator of a ransomware attack can be imprisoned for life.

I wish the Police would first take out an advertisement to publish this, so that India-based extortionists at least will realize that buying a ransomware kit and sending it to a few targets to try their luck is as dangerous as playing a terror game or a drugs game, and will land them in jail without bail.

Though this may not deter foreign attackers who work with Bitcoin payments, at least it will reduce the number of such attacks in India.

When such an attack materializes, the attacker will leave some trace through his e-mail (as in the case of the Coimbatore attack) or the destination payment agent. There will be many “Intermediaries” whom he uses to encash his crime. Police need to neutralize them ruthlessly, first by seeking their assistance and, if they refuse to cooperate, by applying the provisions of Sections 69, 69A and 69B of ITA 2008 and, if necessary, locking up the executives of these firms for the 7 years the law provides. (I suppose this will not be necessary if sufficient awareness of this threat is built up, again through advertisements by the Police.)

Since tracing the criminal can happen only during the payment cycle, I request all victims to contact the Police even if they are not confident that the Police will be of help in decryption. The Police should also realize that even if they are not capable of decryption, they may be efficient enough to track the flow of money and eventually catch the criminal.

I wish the Police in each state, as well as the CBI, would set up a special “Ransomware Cell” to address this menace. Magistrates should be made to realize that “Ransomware is Cyber Terrorism” and should be strict in punishing the criminals once they are caught.

I sincerely believe that it is only through such deterrence that we may be able to slow down the spread of ransomware, and we need to work towards this goal.

I call upon the Coimbatore Police, where one of the crimes has now been reported, to set up the first “Ransomware Task Force” in India and take up the reported case.

Simultaneously, the Bangalore Police, which has the necessary expertise at its Cyber Crime Cell, should also consider setting up a task force to build expertise in solving ransomware attacks if and when they are reported.

I look forward to their response.

Naavi

Message for the Public 

Ransomware attack is Cyber Terrorism in India. There can be Life Imprisonment and No Bail for the suspects. Intermediaries who do not cooperate in investigation and do not put in practice “Due Diligence” and “Reasonable Security Practice” to prevent ransomware attacks are liable for 7 years imprisonment for their Directors and Executives.

Related Information

Stellar Data Recovery : Speaks of No Recovery-No Charge Policy

TrendMicro Screen Unlocker Tool

Ransomware Resistance from Kaspersky

AVAST ransomware Protection

Bitdefender FBI Ransomware infection

List of Free Ransomware Decryptor Tools from windowsclub.com

List of Tools from majorgeeks.com

How to Rescue your PC from Ransomware..PCWorld

Posted in Cyber Law