Privacy Protected Zones Required

While discussing any legislation affecting cyber space, “Privacy” and “Data Protection” come up as important aspects for consideration. In India we are presently relying on ITA 2000/8 for “Data Protection” and on constitutional rights for “Privacy Protection”. ITA 2000/8 can indirectly provide some relief for a privacy breach in electronic space under sections such as 43A, 72 and 72A.

However, the “Data Privacy Bill” is yet to be passed, and hence no statutory protection of privacy is available to the citizens of India beyond the principles established by earlier Supreme Court decisions as part of constitutional rights.

Further, recent developments around Section 66A and the actions taken by the police indicate that provisions of ITA 2000/8 are likely to be misapplied from time to time by uninformed police, who may also be motivated by other considerations such as political influence.

These twin aspects, “lack of a privacy law” and “misuse of the law”, when applied to the corporate scenario present risks which cannot be properly assessed, mitigated, absorbed or transferred. They remain uncovered business risks and could badly hurt any business.

While Indian companies have to live with such poor implementation of the law, in the context of attracting international investment into IT in India these risks are considered huge barriers that may put off most international operators intending to invest here.

In the global scenario, “Cloud Computing” is on a growth path, and either as part of such cloud computing initiatives or because of increased attention to DRP (disaster recovery planning) requirements, the need for “Secured Data Centers” in India has been growing. This offers an opportunity for international players to invest in large data center facilities in India, at least in those states where the quality of the power supply is not an issue. It is also an opportunity for Indian companies to operate data centers as part of “Service Exports”.

However, the lack of privacy protection, coupled with the enormous administrative powers that ITA 2000/8 bestows on the lower echelons of the bureaucracy and law enforcement, makes it difficult for reputed international players to seriously consider India as an offshore destination for their data center projects.

In this context we would like to place a suggestion before the community: is it time to set up designated “Privacy Protection Zones” in which units will be provided privacy protection on par with the best global practices, such as those of the EU? In these zones special IT laws, drafted specifically as “Special Cyber Space Laws”, would apply. Alternatively, a “Privacy Protection Law” applicable exclusively to such zones could be drafted to work in conjunction with, but overriding, ITA 2000/8.

Being a high level policy decision, this needs to be part of a large consultative process. Naavi.org invites public comments on the proposal.

Naavi

Posted in Cyber Law, Privacy

Letter sent to Chief Minister of Karnataka on Cyber initiatives

Following up on the earlier initiatives, an email letter has been sent to the Chief Minister of Karnataka reiterating the needs of the Netizens of Karnataka, with copies to the Minister of Law and Parliamentary Affairs, the Secretaries of the IT and Law departments and the Chief Secretary of the state.

All India Forum of Netizens (AIFON) will continue to follow up on this matter in the interest of the citizens and Netizens of Karnataka.

One of the objectives of AIFON is to mobilize a consolidated response from the Netizen community during elections so that our voices are heard.

At present AIFON is in the initial days of its formation and hopes to make a difference to society in due course.

Details of the letter sent are available here:

Naavi

Posted in Uncategorized

Is Indian Banking system hiding the risks?

The recent report of frauds in the credit card system in India has given rise to a discussion on how safe the Indian banking system is and whether there is a systematic attempt to suppress threat information from the public and give them a false sense of safety.

Mr Dinesh, a security expert, shares his views in this article in informationweek.in.

Naavi has been pointing out that major banks are the culprits and that RBI is unable to control those rogue banks.

When the full impact of cyber crime frauds hits the Indian banking industry, RBI may find itself in a situation where its own intentions and its ability to regulate the industry are questioned.

Unless RBI is able to rise above IBA (the Indian Banks' Association) and exercise its control over the banks even when IBA is not in favour of RBI's regulations or control measures, Indian banking customers will continue to face the risk that a few of the top banks may be wiped out of the market, with adverse consequences which will also have political implications for Mr Chidambaram as the supreme controller of the national banking system.

Naavi

Posted in Cyber Crime, ITA 2008

Efficacy of Anti Virus software

The recent Chinese hacking of the New York Times has raised the issue of the efficacy of the anti-virus and security software used by corporates.

According to the NYT, the hackers had installed 45 pieces of custom malware over the previous three months, of which only one was detected by Symantec. (See article)

Symantec has however said in its defense that the Times did not use the software properly. It said: “The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

This gives rise to a discussion on what the default capabilities of an endpoint security product are, and how much expertise a client needs in order to use such software effectively.

In this connection, this comparative test of different products for home users would be useful. The test is based on the most common default settings and hence is of interest to an average user. Several products are compared against three specific parameters, namely the ability to identify threats, the ability to repair them, and usability.

While evaluation of an anti-virus solution for home users has to be based on default configurations without expecting too much expertise, Naavi.org is also trying to find out what informed buyers such as corporate customers expect from the security solutions they look for.

All said and done, the Chinese hacking of the NYT could also have been a targeted attack on that organisation using malware written for it, which would be difficult for an average AV product to detect by signature. There is however a possibility of detecting it at least after the malware starts exhibiting its behaviour, i.e. if prevention fails, at least early detection should help. In the NYT case, Symantec seems to have failed to detect the malware for nearly three months. This delay needs to be pondered over.
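To make the signature-versus-behaviour distinction concrete, here is an added example in Python; it is not code from the original post, from Symantec or from the NYT. It scores constructed endpoint telemetry two ways: a hash-based signature list, which misses an implant that was simply rebuilt, and three behaviour rules of the kind the Symantec statement alludes to (an Office process spawning an executable, a system-binary name running outside System32, and regular outbound beaconing). The event format, file paths, rule thresholds and the idea of a previously known "bad build" are all assumptions made for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed endpoint telemetry, not from the original post: (time_s, event, fields).
# A build of an implant was hashed into the signature list earlier; the attacker then
# rebuilt it (different bytes, same behaviour) before dropping it on this workstation.
KNOWN_BAD_BUILD = b"implant-build-1"            # assumed: the sample the vendor already knows
SIGNATURES = {hashlib.sha256(KNOWN_BAD_BUILD).hexdigest()}

IMPLANT = r"C:\Users\pub\AppData\Roaming\svchost.exe"   # assumed drop path
BROWSER = r"C:\Program Files\Browser\browser.exe"

EVENTS = [
    (0,   "process_start", {"image": r"C:\Windows\explorer.exe", "parent": "userinit.exe", "bytes": b"explorer-bin"}),
    (5,   "process_start", {"image": IMPLANT, "parent": "winword.exe", "bytes": b"implant-build-2"}),
    (10,  "net_connect",   {"image": IMPLANT, "dst": "203.0.113.7:443"}),
    (40,  "net_connect",   {"image": BROWSER, "dst": "198.51.100.2:443"}),
    (41,  "net_connect",   {"image": BROWSER, "dst": "198.51.100.9:443"}),
    (70,  "net_connect",   {"image": IMPLANT, "dst": "203.0.113.7:443"}),
    (130, "net_connect",   {"image": IMPLANT, "dst": "203.0.113.7:443"}),
    (190, "net_connect",   {"image": IMPLANT, "dst": "203.0.113.7:443"}),
]


def signature_hits(events, signatures):
    """Signature-style check: an image is flagged only if the hash of its bytes is listed."""
    hits = set()
    for _, kind, f in events:
        if kind == "process_start" and hashlib.sha256(f["bytes"]).hexdigest() in signatures:
            hits.add(f["image"])
    return hits


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}


def behaviour_hits(events, beacon_min=3, jitter=0.2):
    """Behaviour-style checks: rules about what a process does, independent of its bytes.

    Returns {image: [rule, ...]} for images that tripped at least one rule.
    """
    findings = defaultdict(list)
    connects = defaultdict(list)          # image -> timestamps of outbound connections
    for ts, kind, f in events:
        image = f["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        if kind == "process_start":
            # Rule 1: an Office document handler spawning a fresh executable.
            if f["parent"].lower() in OFFICE_PARENTS:
                findings[image].append("office-spawned-executable")
            # Rule 2: a system-binary name running from outside System32 (masquerading).
            if name in SYSTEM_NAMES and not image.lower().startswith(r"c:\windows\system32"):
                findings[image].append("system-binary-name-outside-system32")
        elif kind == "net_connect":
            connects[image].append(ts)
    # Rule 3: regular outbound connections (beaconing), allowing `jitter` around the mean gap.
    for image, times in connects.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= beacon_min:
            mean = sum(gaps) / len(gaps)
            if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
                findings[image].append("periodic-beacon(%ds)" % round(mean))
    return dict(findings)


if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS, SIGNATURES))   # empty: the rebuild changed the hash
    for image, rules in behaviour_hits(EVENTS).items():
        print(image, "->", ", ".join(rules))
```

The signature check is exact and cheap, which is why it is the default, but a recompile defeats it; the behaviour rules catch the rebuilt implant on the first day rather than after three months, at the cost of needing telemetry and tuning (the beacon rule, for instance, would also fire on a legitimate updater polling at a fixed interval, so an allow-list is part of any real deployment).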

Naavi

Also: PCworld review

Posted in Cyber Crime

Bankers try to mislead credit card customers

Earlier today, the Times of India first reported the arrest of 5 Indians in the USA in connection with the US$ 200 million credit card fraud.

Immediately thereafter there was a second report in the TOI itself attributing the growth of recent credit card frauds to the “Dexter” malware. The report quoted some unidentified bankers who stated that the fraud did not reflect any weakness in the security systems of the banks.

The unidentified bank official was quoted as stating: “I doubt that this is related to skimming. In skimming there is a physical limitation in the number of cards that can be read; also, we are getting cases from metros across the country.” It was also added that since this fraud was perpetrated at the card acceptance stage it was not limited to one card issuing bank. He is said to have further assured that “We have secured our solutions through incorporation of advanced security mechanisms such as Unique Key Per Terminal and Terminal Line Encryption, which make the systems future ready as per RBI compliance needs”.

The report absolves RBI by stating that it cannot prevent international frauds.

The entire report appears to be a planted story from some credit card issuing banks in India, along with RBI, to hedge against their being held liable.

While the bank official proudly states that international e-commerce sites sometimes accept credit cards without the CVV2 number and hence the frauds prevail, Naavi has brought to the attention of the public in India an instance with SBI Cards where a hotel in Delhi had charged the customer without any kind of authorization from the customer. This indicated that most banks in India never verify the charge slips and make payments against forged charge slip signatures as well as non-existent charge slips. (After prolonged correspondence over a few months the charge was reversed. However, though Naavi insisted that action be taken against the fraudulent merchant, no such action appears to have been taken.)

The fact is that RBI has introduced certain technology features without proper security measures, and influential banks are not absorbing the fraud risks.

RBI is aware that credit card companies in India are forcing customers to buy fraud insurance at their own cost, even against “forged charge slips”. This is unethical and illegal, as it forces a consumer to accept an additional cost for a service arising out of a “forgery” which it is the bank's responsibility to prevent. RBI, by its silence, is contributing to the prevalence of this fraudulent practice.

Will the unidentified bank official clarify whether the above situation prevails in India and, if so, whether it is correct?

A detailed explanation of the activity of the “Dexter” malware is available in the following article.

Report on “Dexter” malware

As this article indicates, Dexter infects the computers running the POS terminals used by merchants in the physical space and copies card data out of their memory. These are not internet transactions; a card-present transaction needs the signature of the customer. If frauds can take place in this scenario, it can only be because the charge slips were unsigned or the signatures forged. Such debits cannot be placed on the customer, and the banks must absorb the losses.

Hence the US$ 200 million fraud, to the extent it relates to Indian banks (if any), represents losses to the Indian banking system. RBI needs to disclose the details of the Indian banks' involvement and how it will prevent consumers from being bullied by banks into accepting the losses on their accounts.
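As an added illustration, not taken from the original post or from the linked Dexter report, of what a memory-scraping POS attack has to find and why the "Terminal Line Encryption" the bank official mentions matters, the following Python scans a constructed byte buffer for magnetic-stripe Track 1 and Track 2 data in the ISO/IEC 7813 layout and Luhn-validates the PAN to discard digit runs that merely look like a card number. The same scan run over a buffer where the PIN pad has already encrypted the card data finds nothing. The buffer contents, the PANs (the usual vendor test numbers) and the cardholder name are constructed for the example.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813): Track 1 = %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# and Track 2 = ;<PAN>=<YYMM><service code><discretionary>?  These are the strings a POS
# application holds in memory between the card read and authorization, and what a
# memory scraper hunts for.
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??")
TRACK2 = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check digit; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as a report should; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes):
    """Return cleartext track data found in a memory buffer, sorted by offset."""
    findings = []
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue                      # looks like a PAN, is not one
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "exp": m.group("exp").decode(),
                "svc": m.group("svc").decode(),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed process-memory snapshots (not real dumps). PANs are the usual test numbers.
PLAINTEXT_POS_MEMORY = (
    b"\x00\x00SaleTxn\x00"
    b";4111111111111111=25121011234567890?"           # Track 2, Luhn-valid PAN
    b"\x00\x00log: ;1234567890123456=2512101000?"      # Track 2 shape, PAN fails Luhn
    b"%B5555555555554444^DOE/JANE^2512101000000000?"  # Track 1
    b"\x00\x00"
)
# With terminal line encryption the POS application only ever sees ciphertext from the
# PIN pad, so the same scan has nothing to find. The blob below stands in for that ciphertext.
ENCRYPTED_POS_MEMORY = b"\x00\x00SaleTxn\x00TLE:AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAh\x00\x00"


if __name__ == "__main__":
    for hit in scan_memory(PLAINTEXT_POS_MEMORY):
        print(hit)
    print("encrypted buffer:", scan_memory(ENCRYPTED_POS_MEMORY))   # []
```

A forensic responder can run the same scan over a process dump from a till to confirm whether card data ever sat in cleartext there; the bare regexes would also fire on the Luhn-invalid log line, which is why the check digit test is part of the scan. Note that the scan reports only masked PANs, since the report itself must not become a second copy of the stolen data.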

Also see: Credit card fraud in Mumbai

Naavi

Posted in Bank, Cyber Crime, Cyber Law, Information Assurance

Hearing on PIL on CAT Appointment at Bangalore

The hearing on the public interest litigation in the High Court of Karnataka (WP 37577/2012) regarding the non-appointment of the Chairperson of the Cyber Appellate Tribunal, which was scheduled for today, 7th February 2013, has not been listed in the proceedings for the day.

It is understood that it is now rescheduled for next Monday.

As per the last order of 3rd December 2012, the Government of India was expected to file its objections to the petition of Advocate Chaitanya today. However, the hearing has not been listed, and hence the Government of India has some additional time for filing its objections.

The exact reason for the postponement is unknown. It is speculated that the Government of India might have requested the rescheduling, hopefully intending to notify the appointment before the date of hearing so as to avoid the Court passing any further observations.

Naavi

Posted in ITA 2008