Thursday, December 23, 2010

Issue of Data Protection & Privacy in India

Just what I had highlighted in the previous two posts about the Government's intentions to get access to Google mail along with Blackberry and Skype. Interestingly, the news is here: "Government wants to read your Gmail". Pretty interesting, huh! Just when we were worried about the privacy implications of the previous cases, we learn that Nokia's defence has caved in, and now Google is in line.


I am not sure how the Government would ensure the security of the personal information associated with the emails et al. It is well understood that the step is taken in the interest of National Security, but if the Government can't secure the information collected through the access obtained, I do not see why the netizens shouldn't panic.


It's high time for the Government to create an infrastructure that is effective, efficient and resilient enough to counter hacking attempts, and at the same time ensure that the privacy of the information is maintained at the level of "Classified Information", accessible ONLY to the agency responsible for and in charge of the said investigation.


National Security also includes in its fold the security of its citizens and netizens. We should not be going draconian ways and creating a scenario where individuals and corporates go back to traditional means of communication for fear of information being compromised by Government agencies and then leaked into the public domain. Yeah, there have to be some restraints on that side too.

Tuesday, December 7, 2010

VoIP and the Risk of Data Privacy and Protection

Just finished reading "Encrypted Phone Calls & Skype Security" by fellow blogger and technocrat friend Mukesh Kesharwani. Indeed pretty interesting and well-covered stuff, no doubt, and that is what we expect from Mukesh.

However, when I look at it from my Risk and Compliance corner, the concern of using Skype in a corporate network still looms large and rings a bell in my head. I can't do away with that, as for me Data Privacy and Protection (in whatever form) is primary.

Some of you might have read my previous post on this, where I wrote about Blackberry security and the issue of National Security. I would reiterate those concerns in the case of Skype usage also. In most cases, if Skype is used for corporate purposes, corporates would try to cut costs and use the retail version of Skype that is available to one and all with access to the Internet. In that case, I am sure that as and when the security agencies get access to the data exchanged on Skype, through the sort of agreement they now have with Research in Motion (the company that owns the Blackberry brand), there would be a high risk to the confidential and business-critical data shared using Skype, and mind it, that may include files shared or voice communication. Certainly, if a company is using Skype, it would also use the VoIP facility to ensure that the cost of communication stays low.

I would still suggest taking one step at a time in this arena to ensure that the corporate risk related to Data Privacy and Protection does not get high, "particularly when the country DOES NOT have a Data Protection and Data Privacy regime". When I highlighted that risk in my previous blog, there were certainly a few high-profile cases of data leaks, but now we have the example of the telephone tapes, in which conversations were taped by an enforcement agency's authorities to investigate some case, but the tapes went into the public domain and have now reached the Apex Court.

I still would not be too happy to hear of corporates adopting public-domain technologies for handling corporate affairs and exchanging business-critical and/or business-sensitive information over such channels, unless the Govt comes around with a Data Privacy and Protection regulation to ensure that the information stays where it is supposed to be and is not leaked into a domain where it may be utilized in a fashion that causes material damage to corporate affairs.

The risk remains high till such time.

Wednesday, October 27, 2010

Information Security - What India Needs??

It is quite interesting to note that when it comes to cyber laws, the Indian IT Act 2000 (amended by the Information Technology Amendment Bill 2006, passed in the Lok Sabha on Dec 22 and in the Rajya Sabha on Dec 23, 2008, and reinstated as the Indian IT Act 2008) is one of the best cyber laws in the world. Incidentally, India was just the 12th nation to have such an act when it was initially put into effect in the year 2000. However, the Act fails to provide any provision with regard to the privacy of personal information. Today, when identity theft is one of the prime concerns in the digital space, India is lacking big time in ensuring the integrity and protection of information as stored, processed and transmitted using information technology and allied systems.

An Analysis of the Personal Data Protection Law in India by CRID, University of Namur (submitted to the Commission of the European Communities, Directorate General Justice, Freedom and Security) identified the specific lacunae present in this area.

CRID evaluated the Indian regulatory scenario in its 71-page report, covering the following aspects:
  1. Federal Structure
  2. Constitution of India
  3. Judicial System
  4. Administrative Tribunals System
  5. Competence to Legislate on Data Protection
  6. Influence of International Norms
  7. General Legal Protection of Human Rights
  8. Data Protection Legislation
  9. The Right to Privacy in India
  10. Statutory Safeguards of Privacy and Data Protection Interest Outside Data Protection Legislation
  11. The Information Technology Act, 2000
  12. The Amendments to the IT Act 2000

The evaluation of the Indian regulatory/legal environment around privacy and/or protection of data is made with reference to Article 25 of Directive 95/46/EC, which regulates the transfer of personal data from Member States of the European Union (EU) to "third countries", i.e., countries outside the EU (and EEA). According to Art. 25(1), transfer of personal data "may take place only if the third country in question ensures an adequate level of protection".

Salient observations by CRID are:
  1. Section 3.1.2.1 on page 30 states: No such concept as "Personal Data"
  2. Para 2 of the section further elaborates: "The IT Act doesn't provide for any definition of personal data"
  3. Section 3.1.4.2 b) states: The research found no express provision in the IT Act requiring data to be kept accurate and up-to-date
  4. The para below that (again referred to as 3.1.4.2) states: The research hasn't found any provision in the IT Act requiring processed and transferred data to be adequate, relevant and not excessive.
  5. Section 3.1.4.3 establishes, under the head "Principle of Transparency", that the Information Technology Act, 2000 has no equivalent provision to the EU Privacy Directive's Articles 10 and 11
  6. Section 3.1.4.4 establishes that no specific provision requires particular security requirements that are appropriate to the risks presented by the processing of personal data. Moreover, the IT Act lacks a provision ensuring that personal data should only be processed on instructions from the controller
  7. Section 3.1.4.5 establishes that the IT Act does not provide for any of the principles related to access, rectification and opposition by individual data subjects.
  8. Section 3.1.4.6, under the head "The Principle of Restriction on Onward Transfers", establishes that the IT Act does not provide for such a principle
  9. Through and through, the report highlights the areas where India lacks in addressing privacy and/or protection of personal data. The report concludes: "Given the absence of any general data protection Act, no Data Protection Authority has been established in India."

The points mentioned above certainly make the point that though our cyber law is one of the best, it still is not the best. It needs to address requirements along the lines of the European Data Privacy Directive. Moreover, the one place where India lacks is the general and overall lack of understanding of its cyber laws by law enforcement as well as the Justice & Care departments. A defined action plan needs to be implemented by the law makers to ensure that the intent and coverage of the laws, as defined and passed by the apex council, percolate down to the required levels in a manner that increases their effectiveness and efficiency.

Thursday, October 7, 2010

CardSystems Solutions Hack 2005 - Legal Suit Targeting Auditor

The topic sounds shocking, but if you read the article "In Legal First, Data-Breach Suit Targets Auditor" you would be surprised to learn of the proceedings that led to the legal suit.

It will be really interesting to note the developments from here on, as the auditor may contest that the report was good only "as on the date" of the report, and that they are not liable for any subsequent breach, since they were not keeping an eye on how the organization dealt with the information after the audit was completed.


But does the role of the auditor end with the submission of the report, specifically when the identified organization had failed a previous audit for storing sensitive data in an unprotected manner, or in a manner that is not as per the specifications?

Should the auditor not go back to the records of the previous audit and identify the reasons that might have led to the failure to comply with the requirement?


Isn't the auditor supposed to maintain the integrity of the audit process and NOT overlook serious issues that had been reported for a period of 5 years preceding the audit?


There are a lot of questions that cast an eye of suspicion on the role of auditors. Many a time, auditors tend to turn a blind eye towards certain issues that exist because of the organizational work culture. They tend not to highlight such issues because they feel they are not responsible for them.


We had earlier seen a law emanating from the high-profile case of Enron and Arthur Andersen, where both companies disappeared from the market. As if that was not enough of a lesson for auditors to learn, we often get to know of similar cases, though not of that profile.


Would that mean we will soon see another law stemming out, something that would regulate and govern the audit scenario? Should the auditors not tighten their belts to ensure that audits and audit reports are fair and square, resulting in what they are actually supposed to result in, rather than twisting the results one way or the other?

It is quite interesting that the noble profession of auditing is fast becoming commercialized, and at this pace I would not be surprised to see a licence regime enforced for auditors on the same lines as for lawyers, and the formation of a regulatory body like an Auditors' Council to govern auditors.

Friday, August 13, 2010

Blackberry Encryption and Threat to National Security

I have been following up on this topic for quite some time now. The whole issue of National Security being in danger is very much right, in the context of being able to intercept the secure messaging that Blackberry services provide. But there is a Pandora's box that would open up if this is done unplanned and without adequate law enforcement. You would be wondering what I am talking about.

Well, consider a situation where the Government and security agencies start intercepting the secure mail flow as well as the secure messaging services from Blackberry. This will provide them access to sensitive and confidential corporate data too. Here lies the trouble, as the law enforcement agencies might unnecessarily misuse the data, or, more so, this might lead to horse trading by competitors to gain insider information. Does the Government want to get into these troubled waters without an adequate data management and privacy law in place, and without adequate technical arrangements on its side?

Surely the Home Ministry as well as the whole Government machinery will have to think hard on this side to ensure that they DO ADDRESS the concern of data management and disposal of legitimate data that is in NO WAY a threat to National Security.

Monday, August 2, 2010

iPhone 3G - iOS 4.0.1 upgrade

Okay, just finished testing the jailbreak on iOS 4.0.1 and yeah, it works pretty fine with the following steps:
  1. Ensure you also have the iOS 4.0 firmware available with you.
  2. Upgrade your phone to iOS 4.0.1.
  3. Use redsn0w to jailbreak, but do not point it at 4.0.1; rather, point it at iOS 4.0 and let redsn0w do the needful.
  4. Let your phone boot back to normal.
  5. Connect to a WiFi spot and use Cydia to download and install Ultrasn0w.
  6. Damn, that's done: you are through upgrading your phone to 4.0.1 and have unlocked it to suit your requirements.

For caution, please follow the steps in my previous blog:

iPhone 3G - iOS 4.0 upgrade

In case you need any help, please leave me a message on this blog.

Wednesday, July 28, 2010

iPhone 3G - iOS 4.0 upgrade

Many out there have been thinking about how to go about upgrading a jailbroken iPhone 3G to iOS 4.0. It's quite simple, but do make the following preparations before going ahead with the upgrade:

  1. Back up your iPhone using iTunes.
  2. Make sure you have the latest version of iTunes installed; if not, please update iTunes first.
  3. Download iOS 4.0 from http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7380.20100621,Vfgb5/iPhone3,1_4.0_8A293_Restore.ipsw
  4. Download the latest version of RedSn0w from http://iphwn.org/get/redsn0w_win_0.9.5b5-5.zip (assuming that you are using a Windows OS).
  5. Ensure that you have a WiFi network available; you will need it later to unlock your iPhone.

Now that you are ready, follow these steps:

  1. Update your iPhone 3G to iOS 4.0 using iTunes.
  2. Switch off your iPhone (keep it connected to your computer).
  3. Start Redsn0w and point it towards the .ipsw file you downloaded in step 3 above.
  4. Select Install Cydia; you will need this later to unlock your phone to connect to any network.
  5. Follow the on-screen instructions and let Redsn0w do the needful for jailbreaking your iPhone 3G with iOS 4.0.
  6. Your phone will reboot once Redsn0w jailbreaks it.

A few things you need to make note of when using Redsn0w to jailbreak your iPhone 3G with iOS 4.0:
  1. When you start RedSn0w, ensure that the phone is switched off and connected to your machine.
  2. When prompted on the RedSn0w screen, hold the Power button for exactly 3 seconds and then immediately press the Home button.
  3. Keep holding the Power and Home buttons for exactly 10 seconds.
  4. Release the Power button and keep holding the Home button for the next 30-odd seconds till RedSn0w detects your phone in DFU mode.

Done: you are ready with a jailbroken iPhone 3G with iOS 4.0, and now it's time to unlock the phone. Follow these steps to unlock your phone:
  1. Connect to the WiFi network and start Cydia, which you installed while jailbreaking your iPhone.
  2. In Cydia, add repo666.ultrasn0w.com under Sources; you can do this by selecting Manage -> Sources -> Edit.
  3. Install Ultrasn0w.
  4. Reboot your phone.
  5. Done. Your phone is ready to be connected to any network you want.

Please refer to the following for details:
http://www.iphonedownloadblog.com/2010/06/21/jailbreak-iphone-3g-on-ios-4-with-redsn0w/

Thursday, April 22, 2010

Time to Consolidate and Govern

Organizations have done a lot to secure their infrastructure, get compliance efforts in place and get going with the emerging requirements that are hard-pressing them to move towards excellence on the security front. But how much security is secure enough? It should not be the case that security, which is supposed to be a business enabler, becomes a show stopper.

In my numerous discussions with CTOs and CIOs, I noted that many of them do not know why a recommendation from a consultant, or a requirement driven by their CISO/CSO, is to be honoured. There were a few remarks to the effect that they go with the general opinion during the meeting, and if the majority votes to go for it, they go for it. Strange, ain't it? To me it was rather shocking. In a few other cases, the CIOs I interacted with were a little puzzled about what data is to be secured and where it lies in their network. Shocking; it certainly was a shocking revelation for me, but I had to accept it the way it is.

So what do we require now? What I call consolidation of the efforts driven to manage IT: consolidation of the overall compliance scenario, which till date is happening on an as-is-where-is, project-by-project basis, with different SMEs leading different compliance programs and no interlink between their efforts. The CIOs need a deeper and clearer view of what's happening in the organizational IT landscape, with a definitive look at the requirements driven from the risk perspective.

Certainly, I am talking about the establishment of a governance framework within an organization to ensure that projects do not get executed as standalone projects, and that they have the required interactions between them to rule out any redundant step or control deployment. The governance framework thus established needs to run within a risk management program. This risk management program should not just look at the risk emanating from threats pertinent to the organization, but also at the threats emanating from the lack of governance of the IT landscape.

The efforts need to consolidate further to ensure that the organizational approach towards securing data and information is top-down rather than bottom-up, as that gives better control over and insight into controls deployment. Any control or measure deployed will then have the strict backing of the output from the risk management exercise.

This does not mean that organizations need to do away with the bottom-up approach altogether, as during the risk management exercise it is the bottom-up approach that provides insight into what is going the way it should and where the gaps are. The risk management exercise also needs to be aptly supported by a business impact assessment program to ensure that inputs from all quarters are taken into consideration when decisions are being made.

The market is already moving towards governance frameworks, and there are many tools in place to address the consolidated requirements in the Governance, Risk and Compliance sphere; it's just that the drive is coming from the vendors and OEMs, and we still need to see organizations driving it. From where I see it, the role of the CISO would need to be moulded into that of an IT Risk Manager, and an Office of IT Governance needs to make its way into the IT boardroom.

Thursday, February 18, 2010

Newly-discovered infestation - 'Kneber botnet'

A new botnet infestation has been reported and identified, and named the Kneber botnet. Computer systems from nearly 2,500 organizations across the world have been compromised (including commercial and government entities worldwide). Hackers have been able to steal a large amount of confidential data, including approximately 68,000 corporate login credentials, as well as logins for online banking sites.

The case was discovered only in late January, as per NetWitness, a US-based security firm, with a large amount of confidential data having been stolen, says a report.

Source: Economic Times

Thursday, February 11, 2010

Urgent need to ban porn websites: Chief Justice of India

Another article and another set of mixed responses on banning or blocking pornography: "Urgent need to ban porn websites: Chief Justice of India".

I sort of agree with what the CJI has opined. If people say that there are ways to circumvent the ban, they are forgetting that there are ways to plug the loopholes people might use to circumvent it. Technology today helps us ban and block anything that we want to ban and block. My question to those opposing it is: if you are accessing porn on a regular basis, aren't you habituated to it? Porn is something that in a way might be related to this country, and as I have already pointed out in another comment regarding the amendment to the Indian IT Act, stiff resistance would be faced for banning and blocking these sites.

There have been arguments pouring in that parents need to take ownership to ensure that their kids do not have access to porn sites. Well, yes, there are many tools for this, including Net Nanny and other similar products that may be bought and subscribed to, to be deployed on one's computer for blocking porn, hate sites, etc. But would someone come forward and tell me how many parents in India are technology- and net-savvy? Bestowing only them with this responsibility (certainly they would be responsible for their kids any which way) would mean regular counselling for them regarding this, to ensure that they are made acquainted with the issue of pornography on the net. This will directly lead to more friction between teenage kids and parents, as kids would see it as another disciplinary control by parents.

I would say the community needs to come out with a more comprehensive and better-thought-out position on this, by way of evaluating the pros and cons of the various steps and controls that can be put into effect.

Mayank Trivedi
E-mail - mayank.a.trivedi@gmail.com
Blog - http://www.myopinions.name
Tech Blog - http://matricsindia.net.in

Govt can't ban porn websites for obscenity

Just happened to read the article "Govt can't ban porn websites for obscenity".

I was more shocked than surprised. Though this sort of inaction can very much be expected from the Govt, we certainly cannot accept it. When the Indian IT Act amendments were being discussed and looked at in 2008, there was a strong feeling, and cyber security professionals were of the view, that the amendments would make the law a bit more stringent in nature. It's the exact reverse of what had been expected. I had numerous discussions with various cyber security professionals and cyber law experts, and each one of them was expecting a drastic change in the way the issue of porn sites is dealt with. It was opined that the Govt would empower the Cyber Tribunal or a similar organization and convert it into a watchdog to govern the display, access and transmission of porn material. Alas, it didn't happen. The Govt has, more so, cleared itself of responsibility on this front. The amendments to section 69A have certainly weakened the power as it was earlier identified. Moreover, the power to block porn sites has been granted to the courts, and that too only if a petition is filed in a court with jurisdiction. Apparently, the Govt has indirectly let porn be prevalent in cyber society, without giving a thought to the fact that this very porn is at times the cause of nuisance in society, leading to molestation, child abuse, etc. Yeah, it would be countered: how can we create a correlation between the two things? Incidentally, some bright mind came up with a pretty creative thought: "Maybe the Government machinery and think tank would have thought, when the country has given the KAMASUTRA to the world, how can we stop porn that is nothing but an extension of the KAMASUTRA? They might have thought that if they block or ban porn in the cyber world, the cyber community might come up with the argument that similar things are depicted as artefacts and art at various temples in Khajuraho." Well, maybe; who knows.

But all said and done, don't we think that too much porn is circulating on the net and is unnecessarily leading to situations of unrest, creating an atmosphere that affects law and order negatively?

I am unable to understand why the Govt can't enforce a blanket block at the ISP gateway level. I guess that rather than going with a law-and-order approach, the Govt can simply issue a notification to the ISPs to block all porn sites right at the ISP gateway level itself. I don't understand what is stopping the Govt from doing that. Or do we take it that the Govt machinery is pretty happy to let pornography be prevalent till it affects public order?

There are countries where a country-level proxy is set up that blocks all porn sites from being accessed. An argument may come up that the countries where this sort of set-up has been deployed are smaller countries with less Internet traffic, whereas in the case of India the traffic is too humongous to be managed by a central proxy. So, let me clarify that I am not suggesting that. My point is: if the Govt really wants to act in this direction, it can instruct the ISPs to deploy measures at their own level to ensure that porn sites are completely blocked out. The Govt may also conduct periodic surprise audits of the ISPs to this effect and ensure that the directive as published is well followed by the ISPs.


Mayank Trivedi

Blog - http://www.myopinions.name

Tech Blog - http://matricsindia.net.in