Naavi.org

Ravi Shankar Prasad as the Minister of Communication and Technology occupies a key position in the Modi cabinet. His ministry is also critical to the image of Mr Modi himself who is pushing the Digital India Concept world over.

On the other hand, opposition is very keen that Modi should be portrayed in bad light and one strategy they seem to have hit upon is to work through the DeitY and put spokes in the digital projects that Modi would like to succeed. Mr Ravi Shankar Prasad has been caught in between and he is forced to face the bad publicity generated by the series of blunders committed by the department.

First it was the net neutrality debate, the publication of lacks of e-mail addresses by TRAI, then it was the Draft Encryption Policy and now the appointment of  “Brand Ambassadors” for the Digital India promotion.

The most recent of the decisions which has caught the attention of the public is the announcement on 29th September 2015 that Mr Ankit Fadia was appointed as a Brand Ambassador of the Digital India project on 1st July 2015. Also, PIB first released a press release number 128279 at 03.46 GMT (09.16 IST) denying that any brand ambassador was appointed as reported in the section of press as shown below.

Actually, the press report had emanated because Mr Ankit Fadia himself had posted on his Facebook Time line the information about the appointment along with a certificate issued by Mr Ram Sewak Sharma who was the secretary of the department earlier and has now moved over as the TRAI chairman and is due to go into super annuation shortly.

Then surprisingly, there was a clarificatory press release issued at 1800 IST that Mr Ankit Fadia and three others had been appointed as “Brand Ambassadors”.

It is surprising how the department manages to work in this manner again and again as if there are a bunch of school kids managing the department.

Apart from the strange manner in which notifications are issued, retracted and re-issued, it is necessary for the public of the country to understand that these repeated bloomers reflect a gross inefficiency and ineptitude of the departmental officials. They show case the ignorance of the officials in arriving at decisions which are downright bad.

To this list we may add one more shortly when the President of India would be passing a bill to amend Indian Registration Act in a manner that is not legally feasible under Information Technology Act 2000.

(Ed: This refers to a bill from Karnataka and the department has already been notified by the undersigned that it is ultra-vires ITA 2008 and has to be rejected by the President. But I am not confident that DeitY would act in time to stop the bill and we can discuss this once again as another faux pas involving the President also).

The people of India are worried that  these people in DeitY may be incapable of taking India to the Digital India and implement projects such as Smart Cities, IOT etc.

Let us look at the lack of normal due diligence that is evident in the appointment of Mr Ankit Fadia as the Brand Ambassador. If anybody makes a google search, he would come across a multitude of articles expressing grave doubts about this gentleman’s capability for what he claims, that is as an “Expert Ethical Hacker” and more importantly expressing doubts about his integrity, penchant for making false claims etc. I am not trying to pass a judgement on the gentleman here but would only draw the attention of the citizens of the country to some of the following articles namely

1.Ankit Fadia Revealed– Forbes India

2.Ankit Fadia is Indian Hacker-Arudh.com

3.Ankit Fadia-India’s Best Fake (Fraud) hacker– waybyhackers.blogspot.in

4.Is Ankit Fadia selling Viagra?..Midday

While there are many articles which on the other hand speak about his training programs etc., the information available from the informed Information Security Community indicate that Mr Fadia unfortunately does not seem to enjoy a good reputation.

Further, some body who claims to have hacked CHIP magazine, (Editor says this is false), helped FBI and CBI in cracking international cases (For which no proof seems to be there), the role of a “Brand Ambassador” where he has to be a “Role Model” does not suit. .

Perhaps  the wisemen in DeitY may be thinking that  we need to bring up the next generation of youngsters on the thought that it is great to be a hacker. I disagree on this view. The future of Digital India should not  be built on youngsters who think a “hacker”  is a role model.

I reiterate that I am no body to pass a professional view on Mr Fadia and his capabilities as a Hacker. But I am only looking at the perception that he carries in the professional circles and the perception that his appointment would have with the community.

I request through these columns, Mr Fadia to explain why the perception which the information security professionals seem to hold about him is wrong. We will be glad to publish the same here.

But at the same time we would like DeitY to explain if possible what sort of due diligence they exercised in appointing Mr Fadia as the Brand Ambassador for Digital India, whether the above articles were brought to the notice of Mr Ravi Shankar Prasad and he understood the import of appointing Mr Fadia for this role. Or were these articles hidden from the attention of the Minister and he was kept in the dark about this alternate view present in the market about Mr Fadia.

I am aware that this information can be sought by an RTI but we would like DeitY to disclose the information without the formality of going through an RTI process. We will be glad to publish the clarification that the department may give in this regard.

Assuming that some corrective action would be initiated by the Minister in this regard, we may put aside the issue for the time being.

However, I am deeply concerned that the repeated occurrences of what appears to be an impossibly foolish decisions taken by the DeitY indicate that there is some mole in the department who is working solely for the purpose of discrediting Mr Ravi Shankar Prasad and through him Mr Modi. He is acting like a typical “Trojan” or a “Computer Contaminant” who needs to be identified and removed. It is possible that the trojan may not be alone but actually be a group who owe their loyalty to the previous regime.

I call upon Mr Amit Shah to personally investigate the matter and take corrective action as otherwise the fears all of us have about Digital India project ending up in a fiasco may actually manifest.

On our part, as responsible members of the digital society at present,  undersigned as well as a few other professionals have found it necessary to start a “Secure Digital India” initiative and keep alerting the Government on some of the key issues on which attention may be required. We hope sooner or later the Government will realize that it is better to take advise from people who care for the nation rather than those who may be within the department and trying to destabilize the operations.

P.S: My apologies to Mr Ankit Fadia as a person. I have made some of the comments here with lot of regret. I  would have liked to avoid it if it was not for the belief that the administration needs to be toned up and citing his example was necesssary for this purpose.   I have used his example here more to highlight the lack of due diligence of the department rather than to pass any judgement on his capability. He may have a useful role to play for the success of  Digital India project but I doubt if that would be as a “Brand Ambassador”.  My friendly advise to him is to recuse himself from being the Brand Ambassador for the Digital India project.

Naavi

As Prime Minister Modi concludes his historic visit of the US west Coast aggressively selling the concept of Digital India to the US tech industry, back in India, it is recognized that the Digital India initiatives need to be supported by other support initiatives.

 The Ministry of Communications and Information Technology (MCIT) should be the natural leader in developing this support system. Other ministries including the Education Ministry,  Commerce Ministry, the Law Ministry and the Finance Ministry also have their roles to play. When it comes to security of Digital India, even the Home Ministry needs to provide its support.

At present, Mr Modi is running ahead of others with his ideas and marketing efforts. But others don’t seem to be able to catch up with him. In particular, the bureaucracy appear to be completely confused.

The scenario as it is building up is very much like a management problem that a CEO of a company faces when a major new project is being taken up for implementation and the organization as a whole is not ready for the change.

Some of the recent decisions of the MCIT which are initiated by the DeitY have created a concern among Information Security professionals that DeitY has no clue on the problems that Digital India implementation and Security requirements.

But, instead of remaining arm chair critics, a responsible group of Information Security professionals have decided that they would support the Digital India initiative of the Government with a “Secure Digital India” initiative.

The group has formed a “Special Interest Group” and will collaborate through the Face Book page and try to develop specific documents commenting on the information security aspects of Digital India. It will be a non Government voluntary initiative aimed at working like a “Shadow Cyber Security Expert Group” advising the Government (though unsolicited at this point of time) through the social media on issues relevant to Secure Digital India.

I look forward to your support in this initiative.

Naavi

The Digital India vision of Mr Modi has been making rounds in the tech circles in San Jose. During his interactions with the techies, it was notable to observe that Modi did mention about Privacy Protection, Cyber Security and Intellectual Property Protection which are key concerns in the Digital Industry and can be considered as “Essential Aspects of Ease of Doing Business in India” for the tech companies.

We are aware that we need to cover a lot of ground in these aspects and periodically, people like us will criticize bad initiatives such as the Draft encryption policy of the DeitY or the Section 66A scrapping by the Supreme Court or the Karnataka Adjudication system and Cyber Appellate Tribunal not being available, Karnataka Government passing an illegal bill in the Legislative houses etc. In the future also we will continue to criticize whenever things donot happen the way they should.

But it is clear that Mr Modi and his vision is at a different plane to all others in the Indian Government. As a result either the rest of the people in his Government are unable to keep pace with him or more probably the bureaucracy which has developed its own vested interests in the Congress regime is looking at  opportunities to discredit the current Government and Modi’s initiatives and need to mend its ways.

However, we are atleast reassured that Mr Modi is traversing in the right direction, and even if his journey is delayed, he will ultimately reach his destination and make the Digital India dream a reality. It was heartening to observe that the tech giants were able to share the optimism of Mr Modi and were eager to increase their commitments to India.

Sitting in Bengaluru, governed by Congress which has been pursuing the sole policy of doing everything to prevent Modi from succeeding in taking the country ahead, it appears that the State has lost a great opportunity to progress by electing the Congress Government in the last state elections. Mr Siddaramaiah himself came to power with a good promise but he has become a victim of the Congress culture and unable to do things which he himself could have done to enable Karnataka move ahead. It appears that he has now resigned to counting time to retire. If he had been able to be on Modi’s Digital India initiative, representatives from Karnataka should have been in San Jose now trying to arrange a marriage between the US-Silicon city with the Indian Silicon City.  Unfortunately we continue to languish in the garbage of bad roads, caste politics,  etc.

What will be amusing in the next few days is how Congress politicians try to find fault with Modi’s actions in USA and further expose their frustration as well as anti development initiatives.

One of the key aspects which was impressive in Mr Modi’s dicussions in San Jose  is the concept of “Personal Sector” which Mr Modi appears to have brought up during the discussion with Mr Tim Cook of Apple when he tried to impress upon him that apart from developing a manufacturing base for iPhones, he should consider an “App-development Eco System” in India supporting individual entrepreneurial initiatives. The view that came out was that just like the Public Sector and Private Sector there can be a “Personal Sector” of the economy that can contribute to the growth of the country with self employed technical professionals working on their own without looking for employment either in the Public or Private Sector and eventually creating employment opportunities for others.

A few decades back, when the undersigned resigned first from public sector and then from private sector and entered what we now recognize as the “Personal Sector”, we were very apologetic about the decision. Despite our personal confidence, we had to contend with the society which looked upon such persons as impractical. But now the “Start up Culture” has gained  respectability and IIT and IIM graduates donot mind giving up lucrative job offers and moving into the “Personal Sector”.

Modi’s visit to San Jose has raised the awareness and respect for  such moves so that in the coming days parents donot discourage their wards if they are really interested in giving up jobs and starting their own ventures.

Now it is for Mr Arun Jaitely and Mr Ravi Shankar Prasad to think of other supporting policy initiatives that make this “Personal Sector” develop in their respective departments of Finance and IT.

Apart from the two ministries of Finance and IT which need to provide direct policy push to Mr Modi’s “Personal Sector” initiative, it is necessary for Ms Smriti Irani  also to start thinking of policies that will not only provide the right educational input at the time our students graduate, but also run “Start Up Entrepreneurial Programs” for developing the necessary skill sets. Many times, failures of start ups result from the fact that an idea may be technically brilliant but is not financially feasible for various reasons.

I have been advising many Start ups to start as a team of professionals of which there should be Financial, Marketing and Managerial experts also besides the Technology experts. Additionally, I have been advising such Start ups to conduct a “Techno Legal Feasibility” of their projects so that they donot get into legal hurdles for their projects.

I hope “Digital India” initiative will incorporate a sub project for developing “Start Up Skills” and I would like professional organizations in India undertake a series of workshops and conferences on the theme of “What it takes to be a Successful Start up”?.. Will Computer Society of India or NASSCOM or  Management Associations take the responsibility?

I invite one of these institutions to build a “Development Center For StartUps” and undertake all activities that are integral to the skill development for this sector. The Central Government through the education ministry can provide the necessary support in terms of funds and conduct workshops around the country to develop the “Personal Sector”.

Naavi

In what should be an eye opener to the Corporate Sector, Law Enforcement and the Government, it is reported that two Indian conglomerates were forced to pay $5 million each to hackers who blackmailed them.

Refer Report in ET

Refer Report in businessinsider.in

Refer Report in track.in

The report hides the names of the conglomerates but states that the payments were made in May. It appears that the hackers collected series of email correspondence between the employees of the company and some other entity which revealed illegal activities and blackmailed the companies to pay the ransom.

Though the report names some hacker groups from Middle East, the possibility that the employees themselves have raised the demand through others cannot be ruled out.

It is stated that the Companies appointed “Private Detectives” to check the incident and did not report it to the authorities. Such Cyber Experts have also passed on their comments to the news reporters and these news agencies now have the identity of both the companies as well as the cyber experts who also have the knowledge of the incident.

So far so good. $ 10 million is lost and probably the two companies are large enough to absorb this loss and move on.

But the story does not end here. In fact another story has just begun and I want the law enforcement to move in and investigate. It is possible that the law enforcement also may be sucked in to this “Hiding of Information” and the companies may pay silence money to them. I therefore call the attention of the Central Government which is concerned about the “Black Money” and initiate a larger probe to bring the offence to full light and let the public know what really happened and where.

The fact that the two companies have paid a ransom of US $ 5 million each (Rs 30 crores each) indicate that the value of the offence which they had committed earlier about which the hackers successfully collected the ransom must of of the order of at least Rs 100 crores each. This must be a cognizable offence which the companies as well as the Cyber experts and the media have kept under the wraps. Neither the news paper nor the Cyber Experts involved have the right to hide a cognizable offence which may have ramifications including “Financing of Terrorists”.

Also if the Companies have paid the ransom to the Middle East entities, the payment itself will be in black money possibly in the form of bitcoins. Payment in black, buying Bitcoins both could be considered as additional offences committed today by these companies to hide their previous offences. The Companies therefore have committed further crimes to cover their earlier crimes.

Also, it cannot be ruled out that the hackers may make further claims perhaps through different entities and demand further ransom since for them these companies will be an eternal milchcow.

Now it is necessary to recognize that these two sets of offences and the potential loss in future will have adverse impact on e Investors in the Company and Banks who have lent to the conglomerate.

I therefore call upon SEBI and RBI to clarify to the public what action they are going to take in this news report.  If SEBI and RBI keep quiet, it would only indicate that they have been silenced too.

Probably the Courts also can take suo moto action and launch some proceedings. At least I hope the news channels who crave for such crime stories to pick up the incident and explore for the nation to know the truth.

Let us wait for some time for RBI and SEBI to clarify and then start the next level of questioning these agencies if they fail to act.

At the same time, I would have preferred the two companies to have surrendered to the authorities instead of paying the ransom and requested the Government to pardon them. If they failed to do so earlier for whatever reasons, they should do so at least now.

Naavi

The recent faux pas committed by the Department of IT, Government of India in publishing a half-baked policy as the “Draft National Encryption Policy” created a needless controversy on the topic of “Encryption Policy” itself and whether it was required or not. Once the dust settled down, we need to think with clear minds, whether “Encryption” (in the context of data or information) is important for us and whether it needs to be regulated in the form of a “National Policy” and if so how.

We must admit that subjects such as Encryption which is linked not only to technology but also to concepts such as “Privacy” are sensitive and complicated from the point of view of regulation. Privacy itself is also related to national security on one hand and Freedom of Expression on the other.

Hence, any attempt to regulate “Encryption” will affect “Right to Privacy”, “Right to Freedom of Expression”, “National Security”. As a result the regulation will have to find a balance with provisions of Indian Constitution, the existing laws such as ITA 2008 or Indian Telegraph Act and also the proposed “Right to Privacy Bill”. A minor irritant will be the views and attitude of the Supreme Court as exhibited in the Shreya Singhal Case which lead to the scrapping of Section 66A  of ITA 2008.

If the DeitY wants to develop a revised draft Encryption Policy, it needs to take into consideration all these aspects.

Since the subjects of “Right to Privacy” and “Right to Freedom of Expression” are subjects dear to non technology people such as the Media and law Fraternity and also that many of them are human right activists, any perceived infringement to these rights will generate a disproportionate counter reaction that will be used as tools of political criticism by issue starved opposition parties.  The Government will therefore be pushed to a corner and is likely to panic and take wrong decisions. This happened in the Section 66A case where the Government failed to properly defend and let the section be scrapped.

The activists who donot understand technology and the political activists who neither understand not want to understand technology need to be first made to commit on the fact whether we need “Security of the State”. Information is the lifeblood of the current generation and securing its integrity and availability is an issue which is beyond debate. In the process of ensuring availability and integrity, confidentiality is also a necessity. Encryption comes into discussion because “Confidentiality” of information is achieved through the “Encryption Process”.

Way back in 2000, India adopted the Digital law called Information Technology Act 2000 (ITA 2000) which recognized the use of asymmetric crypto system for the purpose of authentication of electronic documents with the use of digital signatures. The technology was adopted as was considered the best available in the form of accredited algorithms such as the RSA public key system supported by hashing algorithms such as MD5 and SHA1. Over a time the hashing algorithms have been reviewed and presently SHA2 algorithm is recommended. In due course the encryption algorithm may also be reviewed and alternatives to RSA may be considered.

While digital signature was normally used for authentication, it was not used for data encryption in general. Whenever data had to be encrypted either in transit or at rest, the “Symmetric Key Encryption” system was being used . These systems were either embedded in other applications such as the e-mail or internet data transmissions, document management systems or used as a standalone application.

Since US had a policy of not allowing export of encryption products beyond a certain level of security (40 bit key strength in symmetric key system), it became a de-facto standard in India also. With the gradual availability of stronger products with the revised encryption export policy of the US  and entry of other countries such as Israel as leaders in information security products, gradually stronger end encryption entered the Indian scene also.

The Law enforcement has been facing challenges of decryption communication used by criminals and terrorists and have been in the forefront of engineering a policy change that makes it easy for them to snoop on the conversation of suspected criminal activities. While the right of the law enforcement in this regard cannot be denied, if the security is reduced to accommodate easy snooping, it can also be misused for breach of privacy. Breach of Privacy is not only a human rights issue but also leads to “Identity theft” which is again a law enforcement headache.

It is therefore necessary for the Law Enforcement Agencies (LEA) to realize that it is not in their own interest to force the community not to use encrypted communications of their choice. If they do, there would be a huge increase of Identity theft incidents followed by financial frauds that will destroy the concept of Digital India.

ITA 2000 provided the leverage to LEAs through Section 69 to demand decryption from the users of communication failing which there could be 7 years imprisonment. This is should be considered as adequate legal support to LEA as regards the use of encryption to hide communication from LEAs.

We are however aware that  criminals will continue to use Strong Encryption because they are any way challenging the law. They will also use the excuse of available protections not to cooperate with the LEAs . Even if 7 year imprisonment is a deterrant for ordinary citizens, it may not be so for criminals.

But  normal citizens who are concerned about privacy and use strong encryption for privacy protection can always be convinced to part with the unencrypted data when there is a suspected criminal activity. What they are vary of is that this process of forced disclosure should follow a “Due Process” since public donot trust the LEAs not to leak the information given for a specific purpose for some other purpose detrimental to the interest of the data subject. Presently such practices are there under Indian Telegraph Act and snooping of telephone conversation is authorized from time to time under a due process. (though abused from time to time).

The Government should therefore understand that Criminals will continue to encrypt their data exchange whether India has an encryption policy or not and honest Citizens would not mind sharing the data when demanded provided they are given the confidence that data would be used responsibly by the Government.  Here there is a need for a due process of law to be adopted and universally accepted principles of  Privacy such as minimal and purposeful collection, consent, disclosure, security etc are followed.

Encryption of data is an essential part of Information Security and at a time where “Cloud Storage” of data  has become a norm imposing artifical restrictions on the strength of encryption is impractical and undesirable. In fact we need to encourage Netizens and E Commerce/E Governance to use strong data encryption so that information security is maintained at a high level and criminals are challenged to the extent possible. Encryption is therefore a necessity and has to in place.

The objective of Section 84A of ITA 2008 was to enable notification of  the minimum acceptable encryption standards and methods that can be used by the public. It need not have been used to restrict the upper end of encryption strength. Section 84A was also not meant to define data retention standards for which there was section 67C separately. There was Section 69 already available to ensure that decryption can be forced. Hence the law permitted encryption of data in storage and transmission and if some body is cooperative with LEA, there is no reason why he should not use the strongest encryption. In fact if the upper end of security is freed, there could be innovation and research in India to find more secure forms of encryption. Any person of ordinary prudence would have realized that if there was a need for the Encryption Policy, it was required to encourage innovation and indigenous research and not to restrict the uage.

Imposing export restrictions is another aspect that is to regulate the misuse of encryption by those who are not within the jurisdiction of the exporting country. If India is a manufacturing country for cutting edge encryption products then it makes sense in imposing export restrictions.  Again whether this has to be in the form of export-ban or export licensing is a matter that can be considered.

For records, my view is that if “Make in India” reaches that level where we can export information security products and encryption products, there can be a strict export licensing to track the use of such products by people outside India.

My recommendation to the Government is to think innovatively on thoughts such as “Regulated Anonymity”, allow licensed “Anonymizer Services” who provide anonymization service and encryption support but remain cooperative with LEAs.  This will serve the purpose of both the LEAs as well as meet the demands of the Privacy Activists.

Several years back, I had proposed a structure for Regulated Anonymity. It can be suitably revised to develop a  structured plan of action to be a bridge between the proposed encryption policy and the proposed Privacy Bill. (The earlier recommendations can be found here). 

The concept of “Regulated Anonymity” and the “Licensed Anonymizers” will be new innovative E Commerce business thoughts that can be commercially feasible.

It therefore did not make sense to say that “Users should maintain data in plain text form for 90 days” as the draft policy tried to say. This was foolish and exposed the utter incompetence of those who wrote and approved the policy. We cannot trust national information security with such incompetent persons. Some people have claimed that the policy was drafted by a group of “Experts”.  

I would like the Government to reveal the name of those “Experts” and give a commitment to the public that these experts are thrown out of the system that is entrusted with national security.

My demand that the Minister should order an enquiry to find out if there was an attempt to sabotage the reputation of the Government stands.  I look forward to necessary action.

Naavi

Related information on Encryption Export Policy of US

Comparative Evaluation of US and EU

The recent issue of a draft encryption policy caused acute embarrassment to the Government of India and had to be withdrawn almost instantly because of the immediate opposition it raised.  Commenting on its withdrawal,  we had suggested that an enquiry should be ordered on how such a shoddy policy document was released to the public and whether it was done to embarrass the Minister.

We now understand that an enquiry has indeed been ordered to identify the individual responsible for the release of the shoddy draft and to give him an “orientation” on how to communicate on such issues.

In the meantime, the report also quotes S.D.Saxena, former finance director of BSNL that the document was prepared by a team of officials and bureaucrat.

I suspect that this is an attempt to defuse the blame and protect a mole who could be a mischievous person wanting to discredit the present IT minister and probably even Mr Modi who was about to embark on his US trip. There is distinctly a reason to suspect Conspiracy by a team of officials owing loyalty elsewhere. This is what the enquiry needs to find out, namely the political orientation of the person who was responsible.

One reason why I suspect that everything is not normal in this case is the way the notifications are presented including the latest withdrawal note

The copies of these three notes are available  here.

1. Encryption policy
2. Clarification
3. Withdrawal

All three notes are supposed to be official documents from the Government of India. But they have not been issued on a letter head or a typed mast-head in the name of the department. There is no signature in any of these notes. (Obviously there is no digital signature on the electronic copy as well”. If the policy was attributed to a “High level Expert Committee”, then the secretary of the committee or its chairman should have signed the document. The posting on the deity website and the presence of a contact email ID in the draft policy are the only indications that this is an official communication.

This is not the way we know the Government functions. The policy must have been drafted and forwarded to the IT Secretary who should have approved it. At least a Director of the department ought to have owned up the note and signed. The clarification and the withdrawal note appear to be simply photocopy of a chit of paper on which some typewritten notes are scribbled.

The fact that unsigned documents are being released on official websites itself is highly objectionable. Tomorrow any hacker can post such documents on the Government websites and further embarrass the Government.

Hence the responsibility should be fixed in the department not only for the content of the note but also on the manner in which a global communication was released through an unauthenticated letter.

I wish that the issue should not be closed just by finding a scapegoat at a lower level bureaucrat but identify the real mole who could be behind a conspiracy and who may not after all be a junior scientist.

The enquiry should therefore be conducted by a trusted team of appropriate officials from outside the DeitY and cover the entire department.

Naavi