Competitive Compliance is the need of the hour: Naavi

Speaking at the workshop on Safe E Banking, Naavi highlighted the regulatory aspects of Information Security in E Banking and the need for compliance. Speaking on the Risk mitigation guidelines released by RBI on February 28, 2013 and the fast approaching deadline for implementation by June 30, 2013, Naavi indicated that the regulations were a continuation of the G. Gopalakrishna Working Group (GGWG) recommendations and various other guidelines. He also pointed out that the GGWG as well as other regulatory guidelines had provided a time bound implementation plan for Bankers.

Referring to the comment of Mr G. Gopalakrishna during his introductory speech that compliance with the GGWG recommendations was only around 38%, Naavi urged bankers to take urgent steps to improve the level of compliance. In this context Naavi stated that what is required of Bankers is not only to comply with the provisions of the GGWG recommendations but to try to excel further as new technologies unfold. He pointed out that some Banks have a tendency to wait for other larger banks to comply before undertaking their own compliance measures and expressed his wish that Banks develop a sense of “Competitive Compliance”, trying to do things better than their peers. He reminded the audience that GGWG provided the “Flexibility” for the use of technology except where it was legally mandated, and hence each Bank can explore better ways of achieving the security objective, considering the GGWG recommendations as the base requirement.

Naavi


Security Protocol for Bankers

E Mudhra consumer Services, a company associated with the certifying authority, E Mudhra, has announced the launch of what it calls an online banking security protocol. The product, named “TRUSTFACTOR”, is a combination of an authentication server solution, digital signature certificates, customized crypto-tokens and a secured process for issuance. The company is also setting up certain dedicated centers which will provide a customer interface for issuance of digital certificates.

(See report here)

The initiative appears promising.

Naavi


Cyber Warriors under production

In recent days the media has highlighted some statements from the Central Government about the need for 5 lakh Cyber Security professionals in India. In order to address the skill gaps in Cyber Security professionals that India may face in the future, EC Council (International Council of E-Commerce Consultants), a provider of certifications and training on information security, has launched a publicity drive to market its services. In association with its training partners in India, the US-based company is expecting to offer training to about 40,000 people on areas such as Ethical Hacking, Computer Hacking Forensics Investigation, Security Analysis and Penetration Testing.

EC Council has been in business in India for quite some time and has been focussing on its “Ethical Hacking” programs. While such programs are attractive to youngsters, it is necessary for Cyber Security professionals to be developed on a foundation of “Responsibility”. Merely training youngsters on skills of hacking would lead to development of a large number of potential problem elements.

It is essential for every “Ethical Hacking” training program to be peppered with teaching of “Cyber Law” as well as fortified with proper “Background Checks”, “Post-training monitoring” and behavioural training.

There is therefore an urgent need for proper supervision of all “Ethical Hacking” training programs.

It is not clear whether the Department of IT, Government of India, or DSCI, the Nasscom initiative, is addressing this issue before trying to create a Frankenstein.

A serious national debate is required to evaluate the outcome of this publicity blitz undertaken by EC Council, whose press release cleverly implies endorsement by INCERT and DSCI. (See this report of Business Standard).

Naavi


National Law School to launch Cyber Law and Cyber Security Course

National Law School University of India (NLSUI), Bangalore, the premier law education center in the country, is launching a distance learning course on Cyber Law and Cyber Security from the next quarter.

Admissions are now open. However the admissions may be open only for a short period and interested persons may take this opportunity to enroll themselves immediately.

Presently not many traditional law colleges have been conducting courses on Cyber Law. Also this course is a combination of Cyber Law, Cyber Security and Cyber Forensics and it is expected that apart from Legal professionals, Police and Technology professionals may also find the course useful. The course would be a one year course with contact classes.

For more information visit: http://ded.nls.ac.in/courses_available#PGDCLCF

Naavi


Aadhar Nightmare continues

Ever since the Aadhar scheme was introduced, security specialists have been warning about the large scale problems that may be caused by loss of identity of individuals.

The UIDAI authorities have been going ahead with spending public money and enrolling the individuals who report at the counters of the registration agents. Fraudulent registration agents have been creating their own enrollments with false identities, as was revealed some time back when an aadhar card was issued in the name of “Coriander” (“Kottambari soppu” in Kannada), s/o Palav. (See the story here). In the meantime the UIDAI Bill is yet to be passed and several cases are pending in different Courts challenging the scheme altogether.

In the meantime many State Governments have been forcing citizens to go for Aadhar and linking mandatory public services to the Aadhar registration.

UIDAI however has been as irresponsible and as arrogant as the UPA Government and has continued with the project unmindful of the risks it is foisting on the country. There have been many instances of data losses reported from different States. Even the successful registrants are battling with the practice of UIDAI sending aadhar registration cards by ordinary post, which are reportedly dumped in dust bins in some places.

Now a massive data loss of 14 lakh cards has also been reported from Andhra Pradesh due to reasons that can be attributed either to negligence of UIDAI or criminal activities. (Report available here)

The fact that such large scale Aadhar related mischief is reported from Andhra Pradesh, where the terrorist organizations from Pakistan are operating sleeper cells, indicates the possibility of an organized threat to national security arising out of the stolen identities.

The stolen data can be used to create Aadhar ID for terrorists with different photographs. The biometrics can be switched if required. Even if the current biometrics are retained, most of the ID use centers (e.g., Banks) are unlikely to check biometrics and will accept the name and address available against the given aadhar number as satisfactory identification of a person, so the 14 lakh lost identities can be used to create that many false identities. Using this false identity, other IDs such as PAN cards and driving licenses can be created by terrorists.

This means that the system has been completely compromised and India is under threat.

It is therefore time for the Government to think of scrapping the scheme before further damage is done.

Naavi


mouthshut.com challenges ITA 2008 rules

The Intermediary rules under Section 79 of ITA 2008 have been repeatedly used by parties to get adverse content on the internet removed without appropriate procedures. The problem has been the interpretation that an Intermediary is bound to take down content objected to by a party within 36 hours.

As a result of these rules, many websites have been bombarded with notices for removal of objectionable content. Websites such as mouthshut.com are primarily meant for expressing consumer grievances and have been useful to general consumers looking for information on various products and services. It is also true that sometimes the comments posted on the site may hurt the business interests of the companies whose products are criticized. There could also be cases where adverse comments are posted by competitors, while companies may also post self serving reports. However buyers can try to understand the strengths and weaknesses of products by browsing through the various comments.

There are also many instances of companies responding to the adverse comments of consumers on mouthshut.com.

In totality therefore a website like mouthshut.com is an instrument of “Consumer Protection” and deserves encouragement.

However, knowing the way some companies function and the threatening legal notices that lawyers can draft, it is not difficult to imagine the problems that mouthshut.com must be facing. More importantly, the Police, who may not understand law and who can be manipulated by the companies and their lawyers, have the potential to unnerve the employees of mouthshut.com.

It must however be reiterated that Naavi.org has always been stating that Section 79 rules only indicate that “Action should commence” within 36 hours on grievance redressal. Such action need not start with the removal of the objectionable content unless there is a valid Court order for removal of content. This aspect was specifically clarified recently by the Government. (See here)

It is however essential for an intermediary like mouthshut.com to have a good grievance redressal mechanism on the site. At present a suitable system is not in place. According to the rules, the grievance redressal mechanism needs to be activated within 36 hours of the receipt of complaint.

It appears that mouthshut.com has now approached the Supreme Court for the rules to be struck down. (See medianama report here). The cause of action cited is that it amounts to “Censorship”. However in the view of Naavi.org, “Censorship” rights cannot be presumed under the rules. The clarification of the government on 18th March can be used as a defense against the petition. Hence though the petition is based on a genuine grievance, the grounds on which the remedy has been sought are incorrect.

Naavi.org has been repeatedly highlighting that when such petitions are made to the Supreme Court under wrong pretences, the Court may be forced to reject the petition. The media which has highlighted the petition now as a “Challenge to ITA 2000 Rules” will also highlight that “Challenge has been dismissed”. This will give a wrong impression to the public that the Supreme Court has upheld the validity of the rule though the Court might have dismissed it for some other technical reasons. This is more harmful than leaving the rule as it is, since such media reports will be taken as a vindication of the erroneous stand that may prevail now.

In such a scenario, many of the smaller websites which may be facing problems similar to what mouthshut.com is representing may have to shut down their business.

If however the Supreme Court goes beyond the technicality of whether the Section 79 rules do in fact represent censorship or not and provides a positive assertion that “Expression of grievances of Consumers through websites such as mouthshut.com is part of the freedom of expression guaranteed by the constitution and needs to be protected for asserting consumer rights under the Consumer Protection Act”, then there may be a positive impact of the case on the society.

I therefore urge mouthshut.com to include in their prayer such a declaration rather than asking only for the rules to be struck down. To ensure that its plea is strong, mouthshut.com needs to take immediate steps to make its site “Cyber Law Compliant” with appropriate changes to its terms of use.

Naavi

 
