Saturday, August 15, 2020

India to have new CYBER SECURITY POLICY - My Wish-list

The aim of the policy should be to protect personal information by passing the much-awaited PERSONAL DATA PROTECTION BILL in the coming session of Parliament.

Protecting Critical Information infrastructure and building data storage capabilities could also be part of the same.

Cyber Awareness regarding careful use of digital platforms for carrying out any online transactions and precautions to be followed while using Social Media should be other points which need focus in this new policy.

A centralized cyber crime quick response force should be the other priority. All police stations, irrespective of the state in which they are located, should be able to co-operate and participate in the investigation of cyber crimes, and a solution for territorial jurisdiction should be worked out.

Improving Cyber Civil/Criminal Judicial system must be a priority.

Wednesday, August 12, 2020

Olx: most favoured portal to cheat people

 

The Chief Information Security Officer in the Prime Minister's Office, Mr. Gulshan Rai, said recently that there has been a 200 per cent rise in cyber incidents in India in the last couple of months. He observed that there have been larger cases of phishing, service issues and ransomware.

 “Cyber fraudsters are adopting modern techniques to cheat innocent people and the OLX platform is being one of these methods to dupe unsuspecting people,” said Ch Y Srinivas Kumar, ACP, Cybercrime (Cyberabad). “The reason is that people believe that buying and selling things on OLX is very easy and that everyone on the platform is trustworthy. Fraudsters are using this trust to cheat innocent people to the tune of several lakhs,” the ACP said as reported in The Telangana Today newspaper dated 23 July 2020.

The above two news reports are sufficient to send shivers down the spines of online purchasers. Though digitalisation has proven to be beneficial in many walks of life, there are these grey areas which are yet to be taken care of. Online selling portals are being used by many criminals to sell either stolen goods or non-existent goods.

OLX is the most favoured portal for cheating people owing to its popularity. Ranked 55th overall among portals in India and with an average of 20 million visits per day, this portal is proving to be a bane for online purchasers. The typical frauds which have been reported to Cyber Crime Helpline, a free voluntary advisory service managed by Adv Dr. Mahendra Limaye’s Cyber Awareness Organisation, relate to the sale of a vehicle involving a soldier. The seller pretends to be a soldier from the Indian Army and offers to sell either a two-wheeler or a four-wheeler at a throwaway price due to his transfer from one location to another. He also publishes a few photos in uniform to make people believe that the seller is from the Indian Army. Many times there are photos of the vehicle bearing stickers or marks related to the army so that people believe that the seller genuinely belongs to the Indian Army.

With this much input, the subsequent transfer of money in the form of advance or clearance charges takes place, and buyers transfer money to the seller's account through IMPS using mobile wallet transfers. Generally, after the first payment the seller tries to gain the confidence of the buyer, many times sends fake shipment receipt details, and also claims the balance money. There are various pretexts like payment of tax, RTO clearance, insurance clearance etc. which are exploited by these fake sellers to extract as much money as possible from the buyer.

Many a time it is too late when the buyer realises that he has been cheated, and by that time a huge amount has been lost by him. The belief of people, based on the popularity of the portal, that the portal has followed due diligence prior to posting the advertisement proves wrong in such matters.

People must understand that these portals take the defence of the Intermediary provisions available in the Information Technology Act and do not claim to be a part of such transactions. They make themselves safe by shifting the entire blame onto the wisdom of buyers and sellers.

It is advised that people should follow due diligence by verifying the authenticity of such sellers by all possible means. The unbelievable offer itself is the best hint that a trap has been laid for you. A prompt response to, or acceptance of, your offer is another red flag. Always insist on a test ride of the said vehicle by someone known to you at the location where the vehicle is currently available. Even this insistence on a test ride can save you, since the seller will avoid it. You can also insist on a video of the seller riding or driving the vehicle, which will also be refused by these fake sellers and will save you. You can also check the account details provided to you against the name of the person on the registration certificate of the vehicle.

It’s not a bad idea to purchase things online, but the key advice is that you must follow due diligence throughout the process.

The investigation of such frauds is very complicated, involving the jurisdictions of different states as well as different payment wallets and many banks. It has also been observed that people are reluctant to file police complaints due to reputation issues or other social stigma. The criminals are well aware of this habit of not reporting complaints and hence are becoming bolder.

So prevention and due diligence is the only remedy which can presently be prescribed for online shopping addicts by the author.

 

About the Author

Dr. Mahendra Limaye is a practising lawyer by profession and specialises in Cyber Litigation, Civil as well as Criminal. He has vast experience of 12 years in Cyber Litigation and also runs a unique venture in the form of CYBER CRIME HELPLINE, which has provided free remedial guidance to more than 10,000 cyber fraud victims so far across India.

 


 

Friday, July 3, 2020

PERSONAL DATA PROTECTION ACT: NEED OF THE HOUR


The Apex Court's nine-judge bench, in its unanimous judgement in the Justice Puttaswamy case, pronounced that “The right of privacy is a fundamental right; It is a right which protects the inner sphere of the individual from interference from both State and non-State actors and allows the individuals to make autonomous life choices”. The judgement attracted various reactions from all sections of society when it was pronounced in 2017.
The then Union finance minister Shri Arun Jaitley, a legal acumen in himself, reacted that “Privacy issue went to Supreme Court because previous UPA government brought Aadhaar without legal framework. We framed Aadhaar law ensuring privacy as fundamental right will be protected. Supreme Court accepted privacy is a fundamental right but not an absolute right; judgment is a positive development."
The past and present Law minister, Shri Ravi Shankar Prasad said “The government welcomes the Supreme Court order on right to privacy. SC has affirmed what government had said in Parliament while moving Aadhar Bill. Privacy should be a fundamental right subject to reasonable restrictions."
 “Welcome the SC verdict upholding Right to Privacy as an intrinsic part of individual’s liberty, freedom and dignity. The SC decision marks a major blow to fascist forces," the Congress vice-president Rahul Gandhi tweeted. It was a “sound rejection" of the BJP’s ideology of “suppression through surveillance", Gandhi said.
R. Chandrashekhar, President, Nasscom in 2017 said, “This landmark judgment will ensure that protection of citizen’s privacy is a cardinal principle in our growing digital economy. Besides, it will enhance citizens’ trust in digital services, a prerequisite for widespread digital adoption. The ruling also significantly boosts India’s attractiveness as a safe destination for global sourcing."
Soli Sorabjee, India’s most respected legal luminary commented that “It is a very progressive judgment and protects the fundamental rights of the people. Privacy is a basic right which is inherent in every individual. The unanimity of the bench in giving this decision shows a very good approach of the Supreme Court. Any judgment which enlarges the fundamental rights of the people should be welcome."
These reactions were from 2017, and many expected the government to come out with a law soon for protection of the privacy of the individual, as a committee was set up under the stewardship of Retired Justice Srikrishna in 2017 itself to draft the act for Data Protection.
Much water has flowed between the pronouncement of the judgement, the setting up of the committee and today. An Act for protection of the Fundamental Rights of the people is still a distant dream. It was in July 2018 that the Justice BN Srikrishna-led committee submitted its draft bill in time to the Ministry of Electronics and Information Technology (MEITY) to create a powerful data protection law in India. The draft was finalized after a year of consultations with various stakeholders and came just after the European Union General Data Protection Regulation (GDPR) came into force in May 2018. The Personal Data Protection Bill, 2019 is all the more important because of the urgent need to regulate data protection and data privacy, be it for online platforms, apps, social networks or even online services, including those provided by the government. It was expected that when the Winter Session of Parliament began in November 2019, this key bill, the Personal Data Protection Bill, 2019, would be passed. But that did not happen, and presently the bill is before a Committee of Parliament for deliberations and consultations.
The 25% growth in digital users, from 437.4 million in 2017 to 564.5 million currently, should come as some sort of eye-opener. In a country where digital education, digital security or digital awareness is not a priority of any of the digital service providers, digital users are left at the mercy of cyber criminals. These cyber criminals are carrying out innovative cyber attacks which are beyond the imagination of digital users. The most favoured white-collar cyber crime is DATA THEFT. It is committed before the open eyes of digital users, and they are not able to recognise that the crime of data theft is being committed. There are many high-end cyber crimes which cannot even be noticed or detected by 90% of digital users. The description of the present digital era as the Golden Era of Cyber Crimes is not misconceived or ill-founded.
Recently, in view of information available with the government of India that 59 apps are engaged in activities which are prejudicial to the sovereignty and integrity of India, defence of India, security of state and public order, the government of India has banned these apps, all of which originated from China. The government said that the Ministry of Information Technology has received "many representations raising concerns from citizens regarding security of data and risk to privacy relating to operation of certain apps". As per the government press release, “The Computer Emergency Response Team (CERT-IN) has also received many representations from citizens regarding security of data and breach of privacy impacting upon public order issues”. So, against this backdrop, under the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009 and in view of the emergent nature of the threats, these apps were banned.
The major reason as stated by the government is the risk to privacy as well as the risk to the data of the citizen. It is an open secret that most apps are designed to collect huge amounts of personal data from their users. The terms and conditions of each app very categorically mention the permissions to be provided by the gadget owner prior to installing that specific app. These apps are installed on our devices only with our permission, and hence there are very few who regret the decision to give the apps permission for camera, messages, contacts, GPRS Location, enabling calls and many more such activities. This is true for all apps, whether they originate in China or in any other part of the world. You will rarely find any app/program which is not interested in, and designed for, the collection and storage of personal data. In short, we need a permanent solution for protection of the personal data of the individual, as banning any app is a short-term solution.
Data is the lifeline of today’s business activities in the digitalised world, and against the backdrop of COVID 19, where most of the world is opting for Work from Home and making maximum use of online platforms, the threat of data theft is looming large in cyberspace. Yes, the incidents on the Chinese border have added fuel and a security dimension to this issue of data theft and data security of the citizen, and the banning of the 59 apps of Chinese origin by the government can be justified. But the bigger issue of data security and protection of privacy in relation to other apps remains to be resolved. What can be said about big social media giants like Facebook, Whatsapp, Instagram or online meeting platforms like Zoom? Are these companies not involved in compromising the security of the individual citizen and thereby invading the constitutionally guaranteed Privacy Right of the Indian citizen?
The most recent incident of trolling of the Hon. Chief Justice of India for just sitting on a high-end mobike without headgear and mask, and the subsequent clarification/warning about not invading the privacy of the Hon. Chief Justice of India, justifies the need for passage of the Personal Data Protection Act by Parliament. When the Hon. Chief Justice’s privacy is vulnerable, what can be said about the privacy of us individual citizens? Are all citizens as powerful as the Hon. CJI? What remedies are available to individual citizens for protection of their Right to Privacy? Under which law can reliefs be sought?
Putting the Personal Data Protection Act in place is the only solution. The preamble of the act itself describes the objects of the act: to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

The preamble states that the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy and whereas the growth of the digital economy has expanded the use of data as a critical means of communication between persons and which needs to be protected.

So the significance of the Personal Data Protection Act can be found in its preamble itself, and the various rights which will be available to the Data Principal after passage of this Act, like correction of information, erasure of information, discontinuing the use of information after the purpose of consent is over, deletion of information etc., highlight how the personal data of the individual can be protected.

As most apps are exploiting our sensitive personal information without our explicit consent, and this can be verified by the huge spike in cyber crimes recently, the best way to deter and control these apps and make the citizen more powerful is by passage of the Personal Data Protection Act. This act will give much-needed tools to the citizen as well as the government to check culprits involved in theft of personal data or invasion of data privacy.

To allow individuals to make autonomous life choices, including choices about sharing their data, the Hon. Apex Court mandated the need for a law which can give an individual rights over the protection of his personal data. This object can only be achieved by passage of The Personal Data Protection Act and its effective implementation. Hence, in my view, passing and enforcing The Personal Data Protection Act is the need of the hour and should be the top priority of the government.

Thursday, May 21, 2020

Session with Adv. Mahendra Limaye on Cyber Laws and Cyber Safety


Tuesday, May 12, 2020

Who has legal liability if Aarogya Setu Data is compromised?



The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 was notified by the Ministry of Electronics and Information Technology on 11 May 2020. This has again led to a new debate on whether Aarogya Setu app data is safe after this notification. Adv Dr Mahendra Limaye, a cyber legal consultant, analyzed the notification, and his reading of it is as below.
The functioning of the Aarogya Setu app, as per the notification, relates to technology and data management and to certain necessary steps required to be taken to ensure its effective operation to detect and mitigate the spread of the Covid 19 pandemic and enhance government preparedness at all levels. So the aim and object of the Aarogya Setu app was never in question, and it is a much applauded move by the government.
This notification was specially issued in order to ensure secure collection of data, protection of personal data of individuals and efficient use and sharing of personal or non-personal data for mitigation and redress. So we must understand that this notification was a fallout of the many objections raised about the security of the personal data collected through this app and about accountability for that data, especially when some hacker made claims about the vulnerability of this huge database. This response also shows the government’s responsive approach to security concerns raised about the app, and this is a welcome move.
The notification says that in order to formulate appropriate health responses for addressing the COVID-19 pandemic, data pertaining to persons who are infected, at high risk of being infected or who have come in contact with infected individuals is urgently required. This data includes demographic data, contact data, self assessment data and location data, collectively called ‘response data’. The demographic data includes the name, mobile number, age, gender, profession and travel history of an individual. Contact data covers data about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred. Self assessment data means the responses provided by that individual to the self assessment test administered within the Aarogya Setu mobile application. Finally, location data means data about the geographical position of an individual in latitude and longitude. So the broad categories of data collected through this app by the government are once again made public by this notification.

The notification also states that the Ministry of Electronics and Information Technology, Government of India (“MeitY”) is designated as the agency responsible for the implementation of this Protocol and its developer, the National Informatics Center shall, under this Protocol be responsible for collection, processing and managing response data collected by the Aarogya Setu mobile application.

So it is highlighted that MeitY will only be the supervising authority. The government has thus brought NIC into the picture for protection of the entire data in its capacity as developer, and has made its own role minimal in its capacity as implementer.



Highlights of Principles for collection and processing of response data:
a. Any response data and the purpose for which it is collected by NIC shall be clearly specified in the Privacy Policy of the Aarogya Setu mobile application.
b. NIC shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.
c. NIC shall process any data collected by it in a fair, transparent and non-discriminatory manner.
d. Contact and location data shall by default, remain on the device on which the Aarogya Setu mobile application has been installed after such data has been collected. It may be uploaded to the server only for the purpose of formulating or implementing appropriate health responses.
e. Contact, location and self assessment data of an individual that has been collected by NIC shall not be retained beyond the period necessary to satisfy the purpose for which it is obtained which, unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol, shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted. Demographic data of an individual that has been collected by NIC shall be retained for as long as this Protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier.
f. The response data shall be securely stored by NIC and shall only be shared in accordance with this Protocol.

Principles for sharing of response data have also been stated, which highlight that: 1) Response data containing personal data may be shared with various government agencies/bodies where such sharing is strictly necessary to directly formulate or implement an appropriate health response. 2) Response data in de-identified form may be shared with various bodies with whom such sharing is necessary to assist in the formulation or implementation of a critical health response. 3) NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared.

Obligations of entities with which response data is shared include use of such data strictly for the purpose for which it is shared; that the data accessed and used by such entities should not be retained beyond the period necessary to satisfy the purpose for which it is shared; and that, in any circumstance, such data shall not ordinarily be retained beyond 180 days from the date on which it was accessed, after which such data shall be permanently deleted, etc.

The main concern is: who is liable for any privacy violations committed through a security breach of the Aarogya Setu app? This notification does not provide any clarity on the said concern. It was clarified that any violation of these directions may lead to penalties as per sections 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable. The legal position for the protection of sensitive personal information under section 43A of the Information Technology Act 2000 is that the state cannot be made responsible in case of breach of data or lapse in protection of sensitive personal data. Through this notification the State has clarified that it is acting only in a supervisory capacity and that the National Informatics Center, which is the developer of the Aarogya Setu app, will own the entire responsibility as far as security and sharing of response data is concerned.
As regards sections 51 to 60 of the Disaster Management Act, they contain one important protection relevant to breach of data, and the protection is “unless he proves that the offense was committed without his knowledge or that he exercised all due diligence to prevent the commission of such offense”.

In case of any data breach through the Aarogya Setu app, the defense will always be available that all due diligence was observed to prevent the commission of an offense like data theft etc. So in my view this notification clearly fails to provide any specific measures suggested by the government for protection of the data of millions of Aarogya Setu app users. The other question that remains is whether the provisions of the Disaster Management Act can be enforced after the disaster is over. If a data breach is reported after the present pandemic is over, whether these provisions can be enforced remains a question in my mind.


Advocate Dr. Mahendra Limaye

About the author- Advocate Dr Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practises in Information Technology Act based litigations before Civil as well as Criminal Courts in India. He has obtained his doctorate on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.

Thursday, May 7, 2020

"Bois Locker Room" and what next we are waiting for?


It is only when such episodes get national publicity that suddenly the whole digital world becomes awake, and all the so-called human rights activists become active and start a hue and cry about regularisation of social media etc. These are the same people who were at the forefront in the matter of the Palghar incident and came down heavily on section 66A of the Information Technology Act, which ultimately led to its abolition.
What we sow, we reap, is an old saying. Our society consists of the same people who had seen section 66A of the I T Act as draconian and did not want social media to be regulated. They saw regulating social media, which according to them is the biggest tool of freedom of speech and expression, as curtailment of Fundamental Rights, and ultimately our Apex Court also viewed it from a similar perspective.
The underlying object of regulating social media with reasonable restrictions was never debated seriously, and nobody has taken a futuristic view of it. With many similar incidents happening with every passing day, and matters now coming to a flash point in the Bois Locker Room issue, people have again started debating the need to regulate social media. So is this the completion of the circle?
We started with section 66A, which regulated online posts on various grounds, in 2008; then came the 2015 Apex Court judgement striking down section 66A of the I T Act; and now, with the incident of Bois Locker Room, there will again be enactment of some provisions for regulating social media. Unfortunately, all this is happening when the most awaited regulation regarding Personal Data Privacy is being studied by the Indian Parliament. In the Puttaswamy case in July 2017, a need was felt to have a regulation to protect the privacy of individuals, and a panel was formed under the chairmanship of Justice Srikrishna (Retd.) to draft the new regulation. The Srikrishna commission submitted its draft bill in July 2018; it has been before Parliament since then, and recently a high-powered committee has again been set up to finalise it.
If this is the level of priority for privacy regulation in India, and in the absence of section 66A of the I T Act there is no deterrence to perpetrators of such heinous acts through social media, Bois Locker Room incidents will happen regularly.
What was the incident?
An 18-year-old Class 12 student, a resident of Noida, started an Instagram group named "Bois Locker Room", on which obscene messages and morphed photos of underage girls were shared. 27 more students of prominent Delhi schools have been members of the group; some were underage and some 18 and older. The chatroom conversation was exposed by a girl who was targeted in the group chats, and this has drawn massive anger, shock and disgust on social media. Screenshots of the chats, showing the manner in which Class 11 and 12 students casually discussed "gang-raping" girls and sexualized and slut-shamed them, have gone viral on Twitter and other social media.
"We absolutely do not allow behaviour that promotes sexual violence or exploits anyone, especially women and young people, and have taken action on content violating our Community Standards as we were made aware of it," was the Facebook spokesperson’s response on the episode. The official age of joining Instagram is 13 or above in India as per their policy.
In India a 13-year-old person is not capable of entering into a contract, but these social media giants are making a mockery of Indian regulation by providing such platforms to these young kids.
There are basically a few questions which need serious debate according to me.
1)    Should social media be regulated? If yes by whom?
2)    Should social media obey right to be forgotten or right to modify one’s personal information?
3)    Do we have Personal Data Privacy Act as a national priority?
4)    Could porn contents be specifically moved to different domains like .xxx?
5)    Is this encroachment of digitalisation in every walk of life a must?
6)    Are people really aware about threats posed by AI and other activities?
7)    When will Cyber Awareness Education be taught to digital netizens?
Unless we collectively provide answers to these questions, such incidents are bound to happen. For that matter, even if you go through the confession pages of schools you will find many such indecent acts by students, who I am sure are not teens.
If we investigate this scam, the first question that comes to my mind is: from where did the teen get hold of the photographs? All of us know the answer is simple. The victims themselves might have uploaded these photographs without thinking that they could be grabbed by anyone and used anywhere on earth. At the time of uploading the pics they were never told what the consequences of such acts are. I can go one step further and caution readers that there are syndicates which are trapping many persons into carrying out indecent acts on camera and blackmailing them.
The second question is how teens in the age group 13/14 were given such liberty by their parents to use social media without proper supervision. Are those parents liable to punishment for the acts of their minor wards? Yes, they must definitely be penalised, similar to the new provisions in the Motor Vehicle Act, where parents are liable to a fine or jail term in case they hand over a vehicle to their underage ward. Without parental supervision, digital education will prove to be a disaster in a country of digital illiterates.
The third question is: under which provisions of law will action be taken, and against whom?
This is a very tricky situation because, as per reports, a few are teens and will be protected as juveniles. Those who are above 18 might not have passed any comments which could be strictly punishable under the provisions of the I T Act. If the IPC is applied, then an act committed in cyberspace must be covered under the provisions of the I T Act, and which provisions of the I T Act are applicable? It is not Identity Theft, nor Personation, nor Violation of Privacy as per the various provisions of section 66 of the I T Act. Can section 67 or 67A of the I T Act be imposed?
What next is the real question, and the answer to it lies in the answers to the seven questions posed by me earlier.
Only the power of collective will, through self-restraint, to make social media a better place can make it possible. All the stakeholders, like we netizens, the governments of all nations, and the social media giants along with the search engines, should come forward and extend the best possible solution, which will decide the course of the future. From my side, CYBER AWARENESS IS THE ONLY MANTRA, which we have been relentlessly carrying out for the last decade.

Advocate Dr. Mahendra Limaye

About the author- Advocate Dr Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practises in Information Technology Act based litigations before Civil as well as Criminal Courts in India. He has obtained his doctorate on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.