Is What’s App bound by Section 67C of ITA 2008?

Posted on December 25, 2014 by Vijayashankar Na

apna_ad_nov24

TOI has reported today that the Nagpur Bench of Mumbai High Court has dismissed a PIL filed by Advocate Mahendra Limaye demanding that What’s App should retain the data for a specified period under Section 67C of ITA 2008.

The Court has held that since the service is voluntary and free, there is no public interest in the requirement.

Recently I had a discussion with some senior police officials who informed that in several investigations they were unable to obtain information from What’s App because of which their investigation could not proceed on the desired lines.

From the published information it appears that What’s App stores the personal data of its subscribers and also the contacts of the subscribers. To that extent, What’s App is exposed to Section 43A of ITA 2008 requiring “Reasonable Security Practice”. This also requires adherence to data retention requirements under Section 67C. They are also bound by Section 79 of ITA 2008 as an intermediary. Under the circumstances it appears that What’s App is bound by ITA 2008 and therefore there is a stake for Indian public on What’s App being compliant to Indian law.

However, it is the business model of What’s App that they only store the contact information and allow the content only to pass through. According to information available at http://www.howdoeswhatsappwork.com ,  the messages are temporarily saved on What’s App servers and automatically deleted after 30 days.

It is also known that What’s App proposes to charge a service fee after a trial period though they have indefinitely postponed the charging on the service. Now that Facebook has taken over the management of What’s App it is only time that What’s App would be a paid service or an ad supported service in a short time. The contention of Nagpur Court on “What’s App is free” is therefore not correct.

Further one grey area of What’s App operations is that they are acquiring “Contact” details of the subscribers and using it. A question arises in this context whether the subscriber has the consent of his contact to part with the mobile number and name to What’s App and whether this would be subject to privacy right of the contact. Since the subscriber is only sharing the number as associated with a name he has assigned to the contact, it may be argued that the data ceases to be that of the contact.

After the Uber and Bitcoin controversies on Interpretation Internet based business models, What’s App also needs to be understood properly if it is a purely “Peer to Peer” service or a “Server Based Service” and if so, whether What’s App will have liability to retain data at least when demanded by law enforcement etc.

Naavi

Posted in Cyber Law | Leave a comment

After the sophisticated Sony attack, It is now the simple J P Morgan attack!

Posted on December 25, 2014 by Vijayashankar Na

apna_ad_nov24

Just as the IS community is absorbing the lessons of Sony attack, the JP Morgan security breach involving a suspected data theft of 76 million records has disturbed the community.

See Report 

According to the New York report it appears that the J P Morgan attack resulted from one of the servers being out of the 2F authentication which prevented the breach on close to 100 other servers. Though the 2F authentication is in itself not fool proof, the fact that every small step towards security can have its own ROI is proved from this incident since the servers which were hardened with 2F authentication seems to have escaped the attack.

It is interesting to note that hackers donot always need zero day exploits to make big hits. There are many negligent IS practitioners who can facilitate exploits which could have otherwise been prevented with a “Reasonable Security Practice”.

Naavi

Posted in Cyber Law | Leave a comment

Has Sony Experience Changed the Security Perception?..How should Indian Government respond?

Posted on December 21, 2014 by Vijayashankar Na

apna_ad_nov24

It appears that the hacking of Sony pictures in which corporate data has been destroyed and compromised has exposed the new dimension of a kind of Cyber warfare. According to FBI, the hack was attributed to North Korean Government and the motive was the prevention of the release of a Hollywood movie involving a theme of assassination of a North Korean leader. Of course North Korea has denied the charge.

The issue highlights the potential for damage to corporate business assets arising out of such state sponsored high impact attacks. Such attacks can occur on other corporates  in future as a targeted attack as a part of Cyber terrorism.

Indian corporates face the specific risk of Pakistan sponsored attackers intending to damage the Indian economic infrastructure.

It is time therefore for Indian Companies to initiate appropriate security measures to ensure that they can ensure business continuity if such debilitating attacks are targeted at them.

Apart from hardening of the security on an ongoing basis, most companies need to revisit their Disaster Recovery Programs (DRP). Many companies need to establish a DRP where there is none and upgrade if they have a basic facility.

As a result of this new threat perception and the necessary mitigation measures, the cost of maintaining the IT infrastructure would increase significantly.

The Government of India needs to therefore think what is its responsibility in providing a security blanket to Indian Corporates against such attacks coming from enemy states. It appears that this is a National Defense Responsibility rather than an information security responsibility of an individual company.

There are two immediate actions that the Government may contemplate.

1. First requirement is to provide some kind of a defense cover to the Indian corporates by offering financial support directly promoting higher cyber security investments by corporates. This could be in the form of setting up a National Secured Data Center at different parts of the country where in companies can be provided DR hosting facilities at a reasonable cost.

2. Second is to  recognize that such attacks on private citizens of one country by another state actor  is  “Terrorism” and handled as such by the international community India should join an international consortium with US to develop a “Global Cyber Security Force of Democratic Nations” that can attack and bring down the rogue states who mount cyber wars on the citizens of other countries.  This should be discussed during the visit of Mr Obama to India during the next month.

The Sony attack is a defining moment in the global cyber security and we cannot afford to ignore the event as the next such attack can come upon one of our own global players.

Naavi

 Related Articles:

5 ways how Sony Hack will Change how America will do business

Hollywood Reporter

Security Week

US Cert Advisory

Posted in Cyber Law | Leave a comment

Is there a Mehdi in my company?

Posted on December 14, 2014 by Vijayashankar Na

apna_ad_nov24

Mehdi Massor Biswas the Bangalore based employee of an ITC group company  was arrested by the Police for having maintained the Twitter account Shami Witness in which he was promoting ISIS ideology.

While the Police will continue their investigation and punish the guilty, the HR manager at ITC would be wondering how he/she could have not found out that a radical jihadist was working with them without being found out. Some may argue that Mehdi was very clever and carried a “Dual Personality” exhibiting only his quiet professional face in the organization and did what he did during his free time. Some may even say that organization has no responsibility for what an employee does during his spare time.

But let us not forget that ITC employed a jihadist and paid him a salary of about Rs 5.3 lakhs per annum. In a way this was funding a terrorist. However unpalatable it would look like, there is no way the organization can say they have not indirectly supported a global terror movement.

If so, can the Company officials be held liable for “Vicarious Liability”?. This depends on whether the company officials had a knowledge of Mehdi’s character as a Jihadi sympathizer and failed to take any action since nothing happenned during office time using office infrastructure.  If so they would be liable for not taking such steps as would be necessary to prevent the crime. This responsibility would also fall on Mr Mehdi’s co-workers who might have had more information than the HR Manager himself.

Had the Company practiced “Due Diligence” or “Reasonable Security Practices” to identify vulnerabilities in their human resource and apply risk mitigation measures perhaps the crime would have been detected earlier.

Now that the incident is behind us, not only ITC but also other companies need to review their HR and Security policies to check if they have a Mehdi in their company?.. a person who is a radicalized “terror sympathizer” and who carries the risk of committing a terrorist campaign or even a terror attack either within the company or in India or elsewhere.

If there is any such person in their company, then they need to take action to remove him from any sensitive positions and if necessary from the organization itself.  If in doubt, he needs to be kept under watch for action at a later time. Probably there is a need to share such information with the intelligence authorities also.

How do we identify persons who could be causing trouble? ..well this is a million dollar question. The normal “Back Ground Verification” where a report about the person’s previous employment etc is verified is inadequate since people providing reports are not always truthful. They tend to suppress any adverse report either because they are unsure of their assessment or because they are sympathetic to the employee even though he might have been chucked out of their organization.

We therefore need other means to identify the behavioural traits of a person during the time when a person is working for the organization. The first step in this direction is  to implement a “Whistle Blower Policy”, because there is a high likely hood of the Mehdi type person exposing himself with his co-workers unwittingly. A well managed whistle blower policy would help identifying such person at the earliest.

Additionally, one needs to adopt sophisticated psychological measures to spot persons with a deviant tendency. This could be done through behavioral analytics applied in a non intrusive manner to map the behavioural tendencies of the employees. May be the well known behavioural theories used in criminal psychology can be applied to identify persons who have a deviant tendency.

In the coming days, this domain of Behaviour Science will be the new skill  requirement for HR Managers and Security managers.

Related Article: ITC Confirms..

Naavi

Posted in Cyber Law | Leave a comment

ISIS Propaganda from a Bengaluru Executive?

Posted on December 12, 2014 by Vijayashankar Na

It is a shocking revelation that one of the most prominent Twitter handles carrying on ISIS propaganda happens to be that of a young professional working in Bengaluru in an MNC firm.

Report

The twitter handle was titled Shami Witness and the person is identified by his pseudo name Mehdi.

The incident highlights how terrorism has spread its wings to young professionals with good educational background. It is unfortunate that the Police in Bengaluru had no inkling to the goings on.

It also highlights the failure of the employee behaviour monitoring system in the organization in which the person was employed and HR professionals need to think of new ways of identifying such deviant minds working in the system.

Naavi

P.S: Another question which the Government of India and Karnataka need to answer is that just as they banned Uber and other app based taxi services, will they ban the ad company in which the person was employed and also other ad companies !

Posted in ITA 2008 | Leave a comment

Government Fails to understand the Uber business model

Posted on December 11, 2014 by Vijayashankar Na

apna_ad_nov24

The incident in Delhi involving a Uber taxi driver (a known criminal convicted earlier) committing rape of a girl using the taxi service to get a drop back to her house at around midnight after attending a party and pub has exposed the inability of the Government of India to understand the business model of app based taxi service.

When these officials who does not understand business, try to regulate a business that they donot understand, we cannot but see the bizarre knee jerk reactions alround.  So far the Government is talking of banning the taxi services without realizing that these companies such as Uber, Ola or Taxi for Sure donot run a taxi service as we traditionally understand. They provide certain technology services to the drivers (may also be the owners) of vehicles which are available for adhoc hiring. They are “Communication Management Companies” or a “Digital Call Center service” trying to bring the commuters and the vehicle owners for meeting mutual requirements. Everything else is “Perception”.

In a way, the problem being faced by the app based taxi services in India is similar to the problems faced by Bitcoin community some time back when RBI came down heavily on the system taking it as a challenge to the currency system.

In the case of the Bitcoins, the system was promoted and perceived as a “Currency” replacing the Rupee or Dollar where as it was a “commodity” acceptable for exchange of goods and services  in a “Limited Voluntary user forum”. The mistake was that of both the community which promoted it as a currency and the regulators who considered it as a currency.

Now, as regards the Uber, Taxi for Sure and Ola, are not “Fleet Operators” who own vehicles under a permit and run it with the help of drivers employed either on salary basis or on contract basis. In the “app based taxi service”, if any body has to be registered as a “Commercial Taxi” it is the individual driver who operates the taxis and not the Ubers or Olas. It is incorrect to even call them as “Taxi operators”. They must be called ” Aggregators” acting on behalf of the drivers. In fact it is more appropriate to consider  the Ubers and Olas  as the agents of the taxi drivers and not the other way round.

It would therefore be not possible for the transport department to register them as taxi operators without a change of law. If this path of changing of law to consider Ubers and Olas as taxi operators is attempted by any of the State Governments, it could lead to more legal complications than what they are trying to solve. As per the current laws, perhaps a single vehicle owner can register himself as a “Commercial Taxi Operator” and this law is sufficient to address the needs of the drivers who are affiliated to the Ubers or Olas.

The Ubers and Olas would be still liable as an “Intermediary” with some vicarious liabilities arising out of representing themselves as “Principals owning the taxis” instead of  “Agents for Booking”. Their liability will be more like the “Cyber Cafes”.

If the Government tries to define the Ubers and Olas as “Fleet Operators”, then they also need to consider the impact of such an interpretation on  private bus booking agents, train or air ticket booking agents, tour operators etc. If the Government says that Ubers and Olas cannot run their business without owning the vehicles themselves, then similar rules would be made to all other cab operators and auto rikshaw operators also that only the owners need to run the business. This will be impractical and cannot be implemented. In that case the app based service providers can consider that they are being discriminated and their fundamental right to run a business of their choice would be unfairly curtailed. If challenged, the Supreme Court may have to declare such laws as unconstitutional.

If the role of Ubers and Olas as a technology intermediary is recognized, their technology strengths can be harnessed by the Government to ensure that consumers get a good service and at the same time technology can be used in various ways to improve the security of the passengers.

Naavi

Posted in ITA 2008 | Leave a comment