Saturday, October 8, 2022

AFTER FIVE YEARS WE ARE AT SQUARE ONE. How much time will it take to enact Privacy Regulations in India?

We are all aware that the Right to Privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21 of the Indian Constitution. This fundamental right is among the most significant at a time when almost all of the Indian population is totally enthralled and captivated in cyberspace for one reason or another, and we are not aware of the gaps through which this right can be infringed. These loopholes can take the form of cookies or of explicit or implicit permissions, or can arise when we access various websites, social media sites, online shopping sites, etc.

Many of us may not even know which specific rules and regulations India has at present to protect this Right to Privacy. Most of us don’t even bother about it, because the common perception is, “What can happen if my right to privacy is infringed?” This casual attitude is very dangerous, as social media providers and other online service providers are making merry of the Indian citizen’s ignorance about protecting this Right to Privacy and minting tons of dollars.

This casual attitude towards protecting this vital Fundamental Right was witnessed in recent Supreme Court hearings, wherein the Government asked for some more time to inform the court what measures it has initiated to frame the rules and regulations to protect this very important Fundamental Right.

And when a similar situation arose almost FIVE YEARS AGO, the government replied in a similar manner, and now WE HAVE AGAIN LANDED AT SQUARE ONE. To refresh the memory of those who may not recall the incident which happened five years ago, let us recall it.

WhatsApp began its operations around 2010 and, from its commencement, did not enable users’ data to be exchanged with any other entity for commercial exploitation. WhatsApp, a non-revenue generating app, was bought for $19 billion by Facebook in February 2014, with the commercial interest best known to Facebook only. In the takeover agreement, users as well as the previous owners of WhatsApp were assured that the privacy policy would remain unchanged and that WhatsApp, in its new avatar, would never compromise the data it had on its services. Rather, as per my understanding, it was an essential and voidable term of the contract between the parties.

Nonetheless, in 2016, WhatsApp, now controlled by Facebook, showed its true colours and unashamedly declared a change to its privacy policies, stating that it would now share information with the Facebook family of companies. It is an open secret that Facebook makes money by commercial exploitation of the entire data it has.

It needs to be noted that the European Commission has already fined Facebook €110 million for providing incorrect or misleading information during the Commission's 2014 investigation under the EU Merger Regulation of Facebook's acquisition of WhatsApp. When Facebook notified the acquisition of WhatsApp in 2014, it informed the EU Commission that it would be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts. It stated this both in the notification form and in a reply to a request for information from the European Commission. However, in August 2016, WhatsApp announced updates to its terms of service and privacy policy, including the possibility of linking WhatsApp users' phone numbers with Facebook users' identities. The Commission also found that, contrary to Facebook's statements in the 2014 merger review process, the technical possibility of automatically matching Facebook and WhatsApp users' identities already existed in 2014, and that Facebook staff were aware of such a possibility. This establishes the wicked attitude of FB towards different legal regimes in the world.

On 26th August 2016, writ petition Number 7663 was filed in India at the Delhi High Court for protecting the rights of users of the WhatsApp application after the 2016 update of its terms of service. The High Court of Delhi discarded the writ petition and granted partial relaxation to the petitioner in September 2016. In response to this order, a Special Leave Petition (Civil) No. 804 of 2017 was filed with the Supreme Court, asking, first, whether the privacy policy infringes the right to privacy of its user groups; furthermore, whether the failure of the user to share their data with Facebook is impermissible; and, lastly, whether the way in which WhatsApp obtains user assent is misleading and manipulative. An additional question raised was: do the Internet networking systems that allow users to share text/audio/video messages, data and render audio/video calls constitute ‘telecommunication’ systems, and are they subject to regulation by the competent authorities?

On September 6, 2017, the Supreme Court directed Facebook and WhatsApp to file affidavits explaining what data is being shared by them, and these were duly filed by the respective respondents. It was vehemently argued by the petitioner that, privacy being a common law right and also guaranteed under Article 21 of the Constitution, the state must regulate data sharing and enact legislation to protect privacy rights.

It was submitted on affidavit that WhatsApp has built-in privacy in the form of end-to-end encryption and other security features, that it does not store user messages once they’ve been delivered, and that, the messages being end-to-end encrypted, WhatsApp and third parties can’t read them. It was also submitted that users may delete their WhatsApp account at any time (including if users want to revoke their consent to WhatsApp’s use of their information) using WhatsApp’s in-app ‘delete my account’ feature.

The Delhi High Court held in September 2016 that the contention of the Petitioners, that the proposed change in the Privacy Policy of WhatsApp amounts to infringement of the Right to Privacy guaranteed under Article 21 of the Constitution of India, cannot be a valid ground to grant the reliefs prayed for, since the legal position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided.

Thereafter, in 2017, WhatsApp and Facebook filed a Special Leave Petition with the Supreme Court seeking consideration of the following issues: 1) whether the privacy policy infringes the right to privacy of its user groups, 2) whether the failure of the user to share their data with Facebook is impermissible, 3) whether the way in which WhatsApp obtains user assent is misleading, and 4) whether the Internet networking systems that allow users to share text/audio/video messages, data and render audio/video calls constitute ‘telecommunication’ systems and are subject to regulation by the competent authorities.

In this SLP, the Government on 6.9.2017 submitted an Office Memorandum dated 31.7.2017 stating that it had constituted a Committee of Experts to deliberate on a data protection framework for India and that data protection legislation can only be brought forward after a report by the Committee of Experts has been discussed. It was further stated that the Government of India is cognizant of the growing importance of data protection in India, and that the need to ensure growth of the digital economy while keeping personal data of citizens secure and protected is of utmost importance.

The Terms of Reference were a) to study various issues relating to data protection in India and b) to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill. It was also submitted by Mr. Tushar Mehta, the learned Additional Solicitor General appearing on behalf of the Union of India at that time, that after the report comes into being, there is a possibility that a law regulating data protection shall be passed.

Thereafter a draft Personal Data Protection Bill 2018 was submitted and put before Parliament, wise men made some suggestions, and thereafter PDPB2019 was tabled in Parliament. A Joint Parliamentary Committee was then constituted to hear views from all the stakeholders so as to make this bill broader, covering all the features of data protection, including non-personal data. And suddenly, on 3rd August 2022, the Government of India withdrew this important bill from Parliament, stating that it would soon be replaced by “a comprehensive legal framework” that will be “designed to address all of the contemporary and future challenges of the digital ecosystem.”

Mr. Tushar Mehta, now the learned Solicitor General of India, submitted at the hearing held on 23 September 2022 before the five-judge Constitution Bench that the matters came up suddenly yesterday night. It was pointed out that these are the cases where a Bill was introduced but for some reasons it was withdrawn. However, the learned Solicitor General pointed out that Parliament is considering bringing in a new law which should address the concerns of the parties. His definite stand was that the policy of the Government of India is that the users of all the intermediaries in India should not suffer discrimination in comparison to the users of these platforms anywhere else in the world.

This completes the entire circle and we are again at Square ONE.

The decision on the petition is still underway and, with a clear acknowledgement of the fundamental right to privacy in the Justice Puttaswamy case, it seems to be a testing ground for the Indian Parliament on how to implement the Data Protection Law in India.

Dr. Mahendra Limaye

Cyber Legal and Data Privacy Consultant

Monday, October 3, 2022

Is CERT-In JUSTIFYING its Role as a CYBERSPACE Watch-dog??

CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology (IT) security organization. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. CERT-In was created by the Indian Department of Information Technology in 2004, and its functions are:

 1) Collection, analysis and dissemination of information on cyber incidents.

 2) Forecast and alerts of cyber security incidents

 3) Emergency measures for handling cyber security incidents

 4) Coordination of cyber incident response activities.

 5) Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

 6) Such other functions relating to cyber security as may be prescribed.

One of the important duties of various stakeholders in cyberspace is the reporting of cyber security incidents to CERT-In, as mandated in the Rules of 2013. As per section 70 (b) (7), any service provider, intermediaries, data centres, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6) shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.

CERT-In is also empowered to issue directions for compliance to service providers, intermediaries, data centers and body corporates in such reports of cyber security incidents, and to take appropriate action against non-compliance in the form of civil as well as criminal remedies.

As per recent information received under RTI by Dr. Mahendra Limaye, a cyber legal consultant based in Nagpur, CERT-In received a total of 394499, 1158208, 1402809 and 674021 cyber security incidents, such as phishing, scanning, Distributed Denial of Service attacks, website intrusions, malware infections and vulnerable services, during the years 2019, 2020, 2021 and 2022 (up to June 22) respectively.

To the query regarding in how many of the cyber security incidents reported by 1) service providers, 2) intermediaries, 3) data centers and 4) body corporates CERT-In has issued directions for compliance, the response received from CERT-In is, “In discharge of its functions, appropriate communications calling for information and / or directions are issued by CERT-In to organizations.” This answer shows that CERT-In was reluctant to give a detailed break-up of the incidents in which it issued directions for compliance. To further queries, such as in how many cases non-compliance reports have been forwarded by CERT-In to the Review Committee and in how many non-compliance matters civil or criminal actions have been initiated by CERT-In, the response was cold, stating that no case was booked, thus making it abundantly clear that CERT-In has neither recommended any matters of non-compliance to the Review Committee nor initiated any civil or criminal action against those who had not provided timely compliance.

The main function of CERT-In is to provide guidance and collect information about cyber security incidents that have happened in India. A cyber security incident is described as any real or suspected adverse event that is likely to cause or causes an offense or contravention, or harm to critical functions and services across the public and private sectors, by impairing the confidentiality, integrity or availability of electronic information, systems, services or networks without authorization, and that has a negative impact on the national economy. Thus, one can understand the significance attached to the roles and responsibilities of CERT-In in national cyber security. When about 36 lakh incidents have been received by CERT-In in around 3 ½ years, it is highly improbable that compliance would have been received in most of these incidents, and still the information under RTI reveals that no matter was referred either to the Review Committee or for appropriate civil or criminal action. Either the incidents reported were not so significant to CERT-In, or they were of minimal risk to the critical infrastructure of the nation; in both cases CERT-In owes the nation the break-up of the incidents sought under RTI.

Researchers in cyberspace very much doubt that, when about 36 lakh incidents took place, there were no incidents which CERT-In thought worthy of reporting to the Review Committee or to any judicial authorities, and hence they are compelled to ask whether CERT-In is justifying its role as a watch-dog of the cyberspace of India.

If the RTI query is to be believed, then it’s really worrying that India's premier organisation for reporting cyber incidents is not making use of its resources in effective ways and may be putting Indian cyberspace in danger, and that’s why the question, “Is Indian Cyber Watchdog sleeping?????”

Dr Mahendra Limaye

Cyber Legal and Data Privacy Consultant

Friday, September 2, 2022

GOOD NEWS!!!! AS PER NCRB 2021 STATISTICS, PEOPLE IN DIGITAL INDIA ARE BECOMING DIGITAL LITERATES!

The National Crime Records Bureau of India has recently published the statistics related to various crimes in India. According to this report, cyber-crimes have seen growth of only 6%, as compared to growth of about 15% in the last year. In 2018 the reported cyber-crimes were 27248, in 2019 they were 44735 and in 2020 they were 50035. In 2021 the total cyber-crimes were 52974. It can be deduced that cyber-crimes saw huge growth of about 65% in the year 2019, whereas in the year 2020 the growth was only about 15%. So, in fact, it can be said that cyber-crimes have gone down by about 50% as compared to the growth rate in the previous year. In 2021 the growth over the previous year was only 6%. It can be seen that, for the second consecutive year, cyber-crimes have gone down by about 50% year on year. This is very appreciable and also a sign that people are becoming more alert, more digitally literate and more sensible.

This rate of cyber-crimes registered is a meagre 3.9% of the total Indian population, and the average charge-sheeting rate is 33.8% across India. MP with 91.2% and Delhi with 90.8% have done exceptionally well in submitting charge sheets in court after registration of the FIR, whereas Odisha with 16.2%, Assam with 15.9% and Telangana with 16.4% need to improve more, along with Maharashtra with 38.4%, Karnataka with 31.3% and Rajasthan with 30%. Charge-sheeting means that the investigation is completed and the trial can commence.

As far as the motives behind the cyber-crimes are concerned, the NCRB report discloses that a total of 32230 crimes were related to fraud, 4555 crimes were related to pornography and 8043 were related to other categories, making a whopping 44828, i.e., about 85% of the total cyber-crimes reported were covered in these 3 categories only. It's high time that digital users were made aware of the fraudulent activities covered under the fraud category, so as to bring this rate down and save people from falling into traps laid by such cyber criminals.

As far as the statistics of different states are concerned, Uttarakhand (243 to 718) saw 200% growth, whereas Telangana (5024 to 10303) and Delhi (168 to 356) saw 100% growth in cyber-crimes. Assam saw about 60% growth (3530 to 4846). The satisfactory part is that many states have witnessed negative growth as well: 12 out of 28 states and 2 out of 8 U/Ts saw negative growth in cyber-crimes as per the NCRB report.

Comparative statistics (2020-2021) of a few big states are as below: Andhra 1899 to 1875, Bihar 1512 to 1413, Karnataka 10741 to 8136, Maharashtra 5496 to 5562, Madhya Pradesh 699 to 589, Uttar Pradesh 11097 to 8829 and West Bengal 712 to 513.

The statistics also highlight the cyber-crimes in 19 Metros of India.

In 2020, a total of 18657 crimes were registered in Metros, whereas in 2021 the metros witnessed a slight decrease, with cyber-crimes going down to 17115, i.e., about an 8% decline. Bangalore retained the top spot with 6423 as compared to 8893 last year, followed by Hyderabad, a distant second with 3303 (2553 in 2020), and Mumbai catching up fast for second position with 2883 (2433 in 2020). Nagpur with 193 crimes (243 in 2020) is at 13th rank as compared to 9th position in 2020. As compared to last year, Nagpur witnessed a 20% decline in cyber-crimes, and credit must be given to the local police for the same. Mumbai witnessed 20% growth and Pune saw a marginal decline of about 5% in cyber-crimes.

Another interesting statistic about cyber-crimes in Nagpur is that the city did not witness a single crime related to credit-debit card fraud, ATM fraud, online banking fraud, OTP fraud, etc. in the entire year 2021. Out of 192 crimes, the NCRB statistics reveal that 115 crimes were reported under cheating (IPC 420 or fraud category) and about 29 crimes were related to cyber stalking, sexual harassment, etc., covered u/s 67/67B.

As far as the motives behind the crimes are concerned, the reports state that in 118 crimes the motive was to cheat, whereas 30 crimes were committed due to anger and in 18 crimes the motive was sexual exploitation.

Being a keen observer of cyberspace for a decade, I feel that, if these figures are to be believed, then the credit must be given to the various initiatives of the police and other organisations for creating CYBER AWARENESS amongst the masses.

HOW MUCH TO BELIEVE THE NCRB STATISTICS IS YOUR OWN CHOICE, BUT IF NCRB REPORTS SO, THEN YES, INDIA IS A COUNTRY OF DIGITAL LITERATES!!!!!

Dr. Mahendra Limaye (09422109619)

Cyber Legal and Data Privacy Consultant