Dendroid malware writer arrested

In yet another instance of a “Deviant mind” inside an otherwise brilliant security professional, a 20-year-old security researcher who had worked as an intern in a security company doing research on mobile malware has been arrested for creating malware himself.

The malware created by Morgan Culbertson of Pittsburgh infects Android phones, steals data and takes control of the device. It can stealthily take screenshots, photos, videos and audio recordings from the target phone. The software was sold for $300 in the underground market. The incident came to light with the bust of the online black market forum known as “Darkode”.

While one can regret the human tendency to misapply our capabilities to wrong ends out of greed for money, the incident also highlights the need for better psychometric analysis of people who work in security research companies.

More information is available here

Naavi

Posted in Cyber Law

Reputation damage through Social Media.. New Zealand passes new law

“Reputation Damage” is a concern for both individuals and companies. The risk of “Reputation Damage” has increased with the growing influence of the Internet and more particularly the social media such as Twitter and Facebook. While the core objective of Twitter and Facebook can be considered as providing a neutral platform for communication in the digital society, there are a few other internet based services that operate under a facade of “Free Speech” and build a commercially remunerative business out of “Abusive Content”.

India has witnessed this phenomenon through a glaring example in the TV media. Mr Arnab Goswami, the anchor of Times Now, can be credited with being the creator of this brand of “Abusive Journalism”, which has now shown a tendency to corrupt the minds of upcoming young journalists and other channels such as NewsX. On the Internet, sites such as *sucks.com have been there for some time to present a counter point of view against an identified physical entity. Websites such as Mouthshut.com, built on the principle of Consumer protection through information dissemination, have also been present in the Indian social media scene.

While one cannot fault the principle of “Consumer Protection” or “Freedom of Free Speech”, it is only when we analyse how an individual website or user has used the medium in a given context that we can determine whether the medium is being used as an instrument of benefit to the society or as an instrument of “Profiteering by Abuse”.

“Trolling” and “Flaming” are ways in which the social media is abused to harm the reputation of identified individuals. The difference between permitted “Criticism” and “Flaming” or “Trolling” lies only in the degree of abuse and the choice of words. When somebody crosses the line, the law has to come to the assistance of the victim. This is the basis of “Defamation law”.

The frequent misuse of the defamation law by politicians in India has actually hurt the cause of decency in media by branding “Defamation law” as an instrument of oppression. Recently, clever lawyers convinced the Supreme Court of India that Section 66A of Information Technology Act 2000/8 was against the constitutional provision of free speech and hence should be deleted from the statute. Since even the Judiciary is often carried away by popular sentiments such as “Free Speech” and “Human Rights”, they often err in their judgement, as they did in the case of Section 66A where they equated “Abusive, targeted, one to one communication causing annoyance and distress” with “Free speech”. The legal representatives who defended the case for the Government failed to understand and project the purpose of the section. Even they were carried away by the grand talk of “Freedom of Speech”. The result is that there is a perception in some quarters that in India any abuse is tolerable, though there are defamation provisions under the IPC which can be invoked in case of need, even against misuse of the Internet.

Recently, a journalist pointed out that in a criminal case (the Aarushi murder case), the Judge had started writing his judgement convicting the accused much before the defence even started its arguments. The Section 66A judgement was perhaps similar, since the Judges were waiting to pass a judgement scrapping the section even before the petition was filed, because they were angry that the Police had repeatedly (mis)applied the section as if it were meant to address defamation and political criticism on social media.

It has been pointed out in these columns that, in what we call a “Glassdoor Attack”, companies in India have frequently become subjects of abuse and reputational damage by disgruntled employees. This was presented in an earlier article in the context of the need to cover “Reputation Damage” through Cyber Insurance. However there is a larger need to debate whether these practices of “Abusive Journalism”, which we see in the Times Now TV channel or on websites, should be considered equivalents of “Flaming” or “Trolling” and dealt with accordingly.

In New Zealand it appears that a new law called “Harmful Digital Communications Act” has been passed to address such issues. (Refer article here).

The law aims to deter, prevent and mitigate serious emotional distress resulting from digital communications, and to provide victims with “quick and efficient” redress. It includes civil and criminal remedies. The offence can be punished with imprisonment of up to 2 years and a fine of up to £21,000 for individuals and £85,000 for companies. The law applies to “Intermediaries” also.

In India, Section 79 of ITA 2000/8 makes an intermediary liable for any offence committed with content handled by it unless it can prove “Due Diligence”. Such due diligence could become a subject matter of interpretation in a Court of law and may involve debates on free speech etc. However, the victim has every right to seek a remedy. Indian law also has “Extra territorial jurisdiction” and hence can be applied to websites operating from outside India. If, however, justice is denied by Courts in a foreign jurisdiction, the victim can seek a remedy from the Courts to block the content from Indian viewers, which results in a revenue loss to the website.

On the part of the websites that want to genuinely support the cause of consumer protection, there is a need to put in practice certain due diligence standards that protect Companies from unfair reputation damage. The due diligence requirements in such cases include a need to identify the persons who make abusive posts when a demand is made under due process of law. Failure to do so will elevate the medium from being a neutral purveyor of information to an active supporter of the cause espoused by the abusing individual, with a concomitant responsibility to defend itself under the freedom of speech provisions of the law.

Unfortunately, many of these websites turn arrogant, believing that they are protected by “Free Speech law” and that any person raising an objection is a votary of Internet censorship, and hence fail to respond to genuine requests for either taking down objectionable content or revealing the identity of the person posting the abusive content. This gives an opportunity even for business competitors to post harmful content solely to hurt the business prospects of an entity. Since these websites do not have any means of identifying the person posting the content, any impostor can easily pose as an employee, an ex-employee or a product user and post abusive reviews.

Now, with the passage of the New Zealand law, there is a wake up call to Intermediaries all over the world that they cannot make “Abuse” a business model. The days of the journalistic clan of Arnab Goswami and his clones in the digital media need to be brought to a logical end.

At the same time, there is a need for industry organizations such as ASSOCHAM, FICCI or CII to take up the issue of “Organized Media Abuse” as an industry issue and seek remedies. The “Risk Managers” in the industry need to look at the “Reputation Risk” arising out of such abusive journalism, trolling and flaming and cover it with appropriate cyber insurance. The Cyber Insurance industry, on the other hand, has to work out a mechanism to mitigate the risk of reputation loss through such abusive journalism and misuse of social media freedom.

Hopefully, the New Zealand law will pave the way for a debate on this issue.

Naavi

Posted in Cyber Law

Farmers’ Suicides.. lessons for Digital India Managers

The vagaries of weather are a risk that Indian farmers need to manage as part of their life. Those who cannot cope face problems in the form of an inability to repay farm loans taken from the loan sharks in the village. This has driven many farmers to commit suicide and reflects on the Governance of the relevant State Governments. The Central Government is trying to tackle the problem with its own policy of “More Crop for Every Drop” and by encouraging drip irrigation to conserve water and bring a larger area under irrigation. Today the RBI has also moved in the right direction, reiterating the need for Banks to participate in direct farm lending so that low cost funds become available to the farmers and their dependence on local loan sharks is reduced. In the last few years, the emphasis on farm loans by Banks had been reduced and hence the flow of credit had fallen.

The responses of Modi’s Government and the RBI are pragmatic and could reduce the farmers’ woes. It shows that the Government and the RBI are learning lessons from past mistakes and inaction.

It would, however, be wiser if we could anticipate the adverse impact of a policy on society and respond pro-actively rather than reacting to adverse events after they have taken away precious lives.

Digital India now calls for similar pragmatism and wisdom from the Government. If the Government has not realized the threat of Cyber Frauds in the increased digitization of the Banking and Governance systems in India, we can only say that the Government is blind. While the Ministry of IT has come up with a report on Net Neutrality, it has not yet come up with any report or policy on “Cyber Frauds”.

In the case of farmers’ suicides it is the inability to repay loans, and only those farmers who feel humiliated by being insolvent commit suicide. But Cyber Frauds make a comfortable citizen suddenly turn a pauper when his bank account is wiped out. This is more shocking than the woes of the farmer. If there are any suicides in this class of Cyber Fraud victims, it is unlikely that they will get the same publicity as the farmers’ suicides until a time when thousands of frauds get reported simultaneously.

Let the Government take notice that frauds are happening in the hundreds and not all of them get reported. Maybe the losses are in smaller amounts of less than a lakh and hence the victims are somehow absorbing the risks.

The Government, on the other hand, has done precious little in this area. In fact it has not been able to put the Cyber Judiciary in place. The Chairperson of the Cyber Appellate Tribunal has not yet been appointed and the Adjudicators in the States are non functional. But DEITY remains unconcerned. Mr Ravi Shankar Prasad remains stoic. Mr Modi in the mean time keeps pushing the Digital India process. This is a recipe for disaster.

I would like to highlight here that any policy change that does not take into account the problems of society will lead to disaster. It is therefore necessary for the Government of India to address the issue of securing the public against Cyber Fraud losses before it is too late.

It is in this context that Naavi.org demands “Cyber Insurance For All” as a policy of the Government. To us, this is more important than the Net Neutrality debate.

Will the Government wake up?

P.S: If you have not participated in the India Cyber Insurance Survey 2015, it is time you do so now and record your views. You can access the survey form here.

Naavi

Posted in Cyber Law

Should IRCTC obtain Cyber Insurance?

Naavi.org has in the past discussed the information security issues of the IRCTC website from the consumer perspective and demanded suitable security audits. It is good to note that it has now been reported that STQC is conducting an information security audit of the new reservation system. We welcome the move.

Related Article

In this context, we can also draw attention to another aspect. IRCTC has seen many cyber crimes being committed on its platform. One kind of crime is the theft of consumer data, including financial information, which is “Sensitive Personal Information” under Section 43A of ITA 2008; another is the booking of tickets using stolen credit card details obtained elsewhere.

In such cases, the issues to be settled are: “Is IRCTC an intermediary?” and “Is IRCTC a Body Corporate?”

If IRCTC is a corporation having the right to sue and be sued in its own name, it is a “Body Corporate” having obligations under Section 43A of ITA 2008. It is also an intermediary, which exposes it to liabilities under Section 79 if it does not follow the “Due Diligence” responsibilities.

At the same time, since we are discussing the topic of Cyber Insurance, one can also ask whether IRCTC should cover itself with Cyber Insurance against liabilities that may arise under Section 43A or Section 79.

STQC, which would be conducting the information security audit, needs to recommend whether part of the risk should be transferred to a Cyber Insurance company.

Another collateral question that arises is that there are several e-initiatives of the Government, both at the Centre and in the States, where liabilities could arise on account of cyber crimes. One legal view is that any organization, such as a Government department, that can enter into contracts in its own name should be considered a “Person” under law and is therefore also exposed to the liabilities under ITA 2008.

If so, can a Government department which is doing some kind of E-Business obtain Cyber Insurance? Or should Cyber Insurance be limited to private sector companies? Or to only individuals? Or be available to all of them?

This is a question on which the India Cyber Insurance Survey is trying to capture the perception of the market.

If you have not yet participated in the survey and recorded your view, please do so now.

You can access the survey here.

Posted in Cyber Law

Why ITA 2008 Compliance enhances Insurability?

It is one of the established principles of Insurance that when the Insurance Company pays a claim, it makes efforts to recover its loss in whatever manner possible. When the loss has been caused on account of a Cyber Crime, the Insurance Company tries to recover its losses by pursuing the legal options against the criminals/accused.

In order to pursue legal options against the accused, the Insurance Company needs to step into the shoes of the victim and fight the case in a Court of law. This right is called the “Right of Subrogation”. It is considered a natural ingredient of all Insurance Contracts. The principle of subrogation also creates certain responsibilities for the insured. It is expected that, despite having insurance, the insured has to take such protective measures for the insured asset as he would take if there were no insurance. In other words, the insured should not be negligent in his security measures just because there is an insurance company to cover his losses.

Obtaining insurance therefore does not absolve the company from having a good Information Security practice. In fact, Insurance creates a fiduciary responsibility for the insured to protect the interests of the insurance company. One such responsibility is to be in a good legal position to pursue recovery of losses from the accused.

If the insured company has a legal right against the accused, it can transfer this right to the insurance company after the claim is settled so that the insurance company can continue the legal action. However, if out of negligence the insured has lost its legal remedy against the accused, it is possible for the Insurance company to take the stand that the insured company has not acted in good faith in protecting the legal interests of the insurance company upon the exercise of its right of subrogation.

Normally, we do not expect the Insurance company to take such an unfriendly stance. But if the loss is substantial, it is not prudent to ignore this risk.

When a claim is made, an assessor of the Insurance company will assess not only the value of the loss but also the reason for the loss and the status of the subrogation rights. For the claim to be approved, the reason for the loss should not indicate abetment of a crime by the insured, nor an irresponsible, reckless attitude that might have caused the loss or that makes it impossible for the subrogation rights to be effectively pursued.

The means by which an insured company can document and prove that it has not lost the subrogation rights through negligence is by following the principle of “Due Diligence” as envisaged under ITA 2008. Hence ITA 2008 compliance could be the differentiator between the insurance company having an effective subrogation right and a diluted or absent one.

In other words, an Insurance Company could prefer a company with ITA 2008 compliance over one without it when determining eligibility for insurance, considering a premium reduction, or settling a claim easily. Hence ITA 2008 compliance could improve the insurability of a company under a Cyber Insurance policy.

Not all Information Security professionals may agree with this stand. Maybe Insurance Companies will also contest that they are not so mean as to reject a claim for lack of subrogation rights. Well, opinions may differ. The best thing to do when there is disagreement is to find out what the majority of people in the market and the experts think. This is one of the views that the India Cyber Insurance Survey 2015 aims to capture.

Don’t miss participating in the survey and expressing your opinion today. Also ensure that your friends participate in the survey by passing on this information and sharing it with your social media friends.

Naavi

Posted in Cyber Law

Is Domain Name an Insurable Asset?

Ever since the Internet became a key channel of contact with prospective customers for a business entity, domain names have become an important identifier that enables this customer connect. Today, a domain name is the most important element of “Brand building”. Facebook and Twitter handles sometimes act as extensions of this identity in the social media space. Presently mobile Apps are also gaining importance as business tools and soon the names of mobile apps will also be considered important brand contributors.

If I am a corporate CEO, I understand that building a brand costs money as well as time and effort. If therefore I have built a certain value for my brand, I would like to ensure that this value reflects in my asset register and in the balance sheet. At the same time, I am aware that if for any reason, I lose this asset, then my company will lose value. I should therefore protect my “Domain Name” as an asset like any other tangible asset.

A Domain Name is a peculiar kind of asset. It is intangible but has a cost and is transferable. It has a cost of acquisition when acquired from the registrar but may be transferred for a premium thereafter. Though it is an asset created out of a contract between the registrant and the registrar and backed by the system managed by ICANN, it is considered more as an “Intellectual Property” of the type of “Trade Mark” and treated as such in case of disputes.

The UDRP process, or the accompanying INDRP or URS processes of dispute resolution, determines how the property in a domain name changes hands in case of a dispute.

A CEO should normally be worried about the circumstance in which a brand on which he has invested money, and which he has chosen as a domain name, suddenly comes under dispute and he has to part with it. A natural thought that occurs to him at this stage is, “Can I insure this domain name loss risk?”

If a Domain Name is an asset, then it is logical that it should be insurable. If so, the issues to be settled are: What is the value to which a domain name is insurable? What protective measures should a domain name owner take before registering a domain name, after registering it, and when a dispute is raised? He also needs to consider what premium is payable and what the claim settlement process is.

Presently, there does not seem to be clarity on these issues either in the corporate world or among the Cyber insurance companies, and we need to find out the current status of insurability of a domain name and other similar assets such as “Potential trademarkable assets”.

The India Cyber Insurance Survey 2015 is expected to throw some light on this issue. If you are a corporate manager or even an ordinary Netizen, you might have a view on this issue and you should express it by participating in this one of a kind survey that tries to capture the perception of Cyber Insurance as a product.

If you have not so far participated in the survey, do so now. The online survey questionnaire is available here

Naavi

Posted in Cyber Law