Tuesday, December 6, 2011

Facebook Content Controversy

I will not repeat what the media has already splashed across its news as the so-called Storm over Facebook Content, and I hear that Google is also getting embroiled in the controversy. The interesting thing to note here is the reaction of the media to the Minister of Communication and Technology, Sh. Kapil Sibal. I am not sure why the media is over-reacting to Sh. Sibal's comments on the removal / censorship of objectionable comments / content from the social networking sites.

It is pretty disheartening to note that the media is trying to create a controversy over Sh. Sibal's statement by asserting that the Government cannot censor online content. Well, I object to the way the statement is coming from various quarters of the media, as the media needs to be responsible enough to impose self-regulation. Sh. Sibal is very much right to state that objectionable content needs to go off the social networking sites and the online communities.

If I can draw the attention of the media towards the Constitution of India and point towards the section on the Fundamental Rights conferred on its citizens, I would like to state that there are five Fundamental Rights for the citizens of India, including the Freedom of Speech. However, the same Constitution, as well as the legal structure of India, restricts these Rights to the extent that they are used in a diligent and dutiful manner. Every citizen (including the netizens) of India needs to understand the responsibility that comes with using these Rights: that they do not breach national peace and harmony or hamper the Fundamental Rights of fellow citizens.

So if we look at this case, or any other case where cyber discipline needs to be enforced, and make the statement that the Government can't censor media / social networks / online communities, then we are totally wrong. The Government can; whether it does or doesn't play Cyber Nanny is something we should let the Government decide. If the Government doesn't act and something happens, the same media would be the first to comment "Government is Non-Existent" or "The Government must Step in to stop this", or make any other comment that attempts to malign the image of the Government.

Media, you are the Fourth Pillar of Democracy - Be Responsible and Stop being the Tutor to the Government on How the nation needs to be run!!!

Monday, May 30, 2011

Data Privacy and Protection in India - Letter to Mr. Salman Khursheed

Below is the letter that I had written to the Law Minister when he was not yet in charge; he had asked me to provide the details so that he could speak to the then Law Minister, Mr. Kapil Sibal. Interestingly, after the conversation I had another round of telecon with the officials and then sent the mail. A couple of days later the Govt declared that India is going in for a Data Privacy and Protection regime....

Maybe coincidental!!! But the mail was written on May 29, 2011 and the Govt declaration came in the first week of June :)


Posted from Drafts on November 25, 2011
______________________________________________________________

Dear Mr. Salman Khursheed,

Please refer to our discussion on the sets of the "We the People" show of NDTV 24/7. The highlight of the discussion after the show was the requirement of Data Privacy and Protection in India, and you had told me to write a mail to you so that you could take it forward with Mr. Sibal, our Law Minister. However, what I would like to highlight here is that the requirement of Data Privacy and Protection also involves the following Ministries -
  1. Information and Broadcasting Ministry
  2. Ministry of IT and Telecom
  3. Human Resource Ministry
  4. Ministry of External Affairs
Well, if we actually look at the requirement, Data Protection is the need of the hour for India. It would help India become one of the nations that strongly support securing the personal interests of their law-abiding citizens by protecting their Personal as well as Sensitive Information.

I had written a post on my blog on this and the same is reproduced below. I hope it helps understand the current lacuna in the Indian IT Act 2000 (Amendment Act 2008) and the need to go for a Data Privacy and Protection Act -

It is quite interesting to note that when it comes to Cyber Laws, the Indian IT Act 2000 (amended by the Information Technology Amendment Bill 2006, passed in the Lok Sabha on Dec 22 and in the Rajya Sabha on Dec 23, 2008, and now referred to as the Indian IT Act 2008) is one of the best Cyber Laws in the world. Incidentally, India was just the 12th nation to have such an act when it was initially put into effect in the year 2000. However, the Act fails to provide any point with regard to the Privacy of Personal Information. Today, when Identity Theft is one of the prime concerns in the Digital Space, India is lagging badly in ensuring the Integrity and Protection of Information as stored, processed and transmitted using information technology and the allied systems.

An Analysis of the Personal Data Protection Law in India by CRID, University of Namur (submitted to the Commission of the European Communities, Directorate General Justice, Freedom and Security) identified the specific lacunae present in this area.

CRID evaluated the Indian regulatory scenario in its 71-page report, covering the aspects of -
  • Federal Structure
  • Constitution of India
  • Judicial System
  • Administrative Tribunals System
  • Competence to Legislate on Data Protection
  • Influence of International Norms
  • General Legal Protection of Human Rights
  • Data Protection Legislation
  • The Right to Privacy in India
  • Statutory Safeguards of Privacy and Data Protection Interest Outside Data Protection Legislation
  • The Information Technology Act, 2000
  • The Amendments to the IT Act 2000
The evaluation of the Indian regulatory / legal environment around Privacy and / or Protection of Data is made with reference to Article 25 of Directive 95/46/EC, which regulates the transfer of personal data from Member States of the European Union (EU) to "third countries", i.e., countries outside the EU (and EEA). According to Art. 25(1), transfer of personal data "may take place only if the third country in question ensures an adequate level of protection".

Salient observations by CRID are -
  • Section 3.1.2.1 on page 30 states - No such concept as "Personal Data"
  • Para 2 of the section further elaborates - "The IT Act doesn't provide for any definition of personal data"
  • Section 3.1.4.2 (b) states - The research found no express provision in the IT Act requiring data to be kept accurate and up-to-date
  • The para below that (again referred to as 3.1.4.2) states - The research hasn't found any provision in the IT Act requiring processed and transferred data to be adequate, relevant and not excessive
  • Section 3.1.4.3 establishes, under the head Principle of Transparency, that the Information Technology Act, 2000 has no equivalent provision to the EU Privacy Directive's Articles 10 and 11
  • Section 3.1.4.4 establishes that no specific provision requires particular security requirements appropriate to the risks presented by the processing of personal data. Moreover, the IT Act lacks a provision ensuring that personal data should only be processed on the instructions of the controller
  • Section 3.1.4.5 establishes that the IT Act does not provide for any of the principles related to access, rectification and opposition by individual data subjects
  • Section 3.1.4.6, The Principle of Restriction on Onward Transfers, establishes that the IT Act does not provide for such a principle
Throughout, the report highlights the areas where India lacks in addressing Privacy and / or Protection of Personal Data. The report concludes: "Given the absence of any general data protection Act, no Data Protection Authority has been established in India."

The points mentioned above certainly make the point that though our Cyber Law is one of the best, it still is not the best. It needs to address the requirements on the lines of the European Data Privacy Directive. Moreover, the one place where India lacks is the general and overall lack of understanding of its Cyber Laws by Law Enforcement as well as the Justice & Care Departments. A defined action plan needs to be implemented by the Law Makers to ensure that the intent and coverage of the Laws, as defined and passed by the apex council, percolate down to the required levels in a manner that increases their Effectiveness and Efficiency.

With felicitations,
मयंक त्रिवेदी
A life without a goal is directionless and futile

Data Privacy and Protection -India's Need and Corporate Reaction

I have already written earlier on this issue -
Blackberry Encryption and Threat to National Security
Information Security - What India Needs
VOIP and Risk of Data Privacy and Protection
Issue of Data Protection & Privacy in India

However, this time I have come back to write on this issue again after an interaction I recently had with one of the Honourable Central Ministers, who happened to point me towards the Indian IT Act 2000 & the Indian IT Act Amendment 2008. When I highlighted the gaps in the issue, he directed me to write to him in this respect, and in turn he would take it up with the respective Minister to look into the issue. I was a bit lazy and a bit too tied up with the office routine, and the action item took a back seat from my end.

But in a recent incident where I was interacting with a few Information Security Managers / Officers of various organizations, I was shocked to note the remark "All Data and Information in the organization is Secured, and Privacy and Protection is of Prime importance for all the Data and Information." What shocked me there was the statement "ALL DATA". I was forced to think -
  1. How would ALL DATA and Information be subject to Privacy and Protection?
  2. Why would one try to protect Data and Information that is inconsequential?
  3. What cost was the CISO trying to look at when making a statement about ALL Data?
An interesting conversation: as the discussion proceeded further on Private / Personal Data vs. Publicly available Data, the replies were like "Need to protect all data at any cost". I was curious, so I raised the question of Access Control with them, as well as Laptop Encryption, trying to get a pointer on their thinking. The replies were like: we have a strong Authentication Mechanism where each user has to have a minimum 8-character complex password and needs to change it every 42 days. "Every 42 Days?? Ain't that the Windows Default Setting??" I was expecting maybe Two Factor or One Time Password types, but a plain password control, now that was somewhat shocking..... And on Laptop Encryption, the reply was more shocking - "All our Executives are made aware of the Data and Information Security policy and they have to sign an NDA, so we don't think we need to invest in that type of Control". Wow, what confidence and what trust in the Mobile Work Force. Interesting Conversation!!!!

The discussion led further to the basis on which the controls are deployed, and the answer was another interesting one - "We have a strict access authorization policy for access to Information that is classified as per the organization's Information Classification policy." Interesting, as there was no mention of Data Classification, and when probed on that side the answer was "We Protect Information; Data Classification is not as important as Information Classification". I was like "EXCUSE ME!!!! Data, when processed, provides you the relevant information to make the right decisions, or pointers to the right decision", but I maintained a tight-lipped approach as I was trying to know the thought process that represents the Industry reaction.....

Though this was a closed group discussion, I was forced to think of the state of affairs that prevails in India with respect to Data Privacy and Protection. The country needs it very badly, as the Mobile Phone User Community is fed up with pesky calls, for the Mobile Companies or their agents somewhere sell Data to get that extra money. It reminds me of one such case, when recently my bank people called me up about an upgrade to my Credit Card and I said ok; within a few hours I got a call from another MNC Bank, with whom I had never interacted, asking me if I had any interest in another Credit Card that would be Free for Life Time and would also help me avail a Loan of another 2 million Rupees without much documentation. Shocking, isn't it, as the executive calling me up knew my Name, the organization I work with and a few of my other Demographic Details that certainly are classified as "Private Data".

So what am I highlighting and what should we be targeting? I know the background and cases I highlighted have become too long and you might be losing interest, but I thought they were required. What India needs is a strong drive from the Information Governance perspective. It is required for the Industry and Government both to make a unified move to get a Data Privacy and Protection Framework in place, along with a National Data Privacy and Protection Policy. Just like the Mobile Phone "National Do Not Disturb Database", there should be a National level database to register / de-register for Opt-in or Opt-out of various Promotional Mails and calls.

If Industry can make use of a CIBIL sort of facility to its benefit, then why not put in place something that protects the Interest of the Customers?? The Government, for that matter, needs to take a proactive step forward and initiate this with no further delay.

Friday, March 25, 2011

Cloud Computing - The Risk Management Aspect

Cloud Computing is the buzzword that has caught the limelight in recent years, and it is indeed interesting to see where it goes from here. Will it be hype, or will it be a successful marketing gimmick by the Infrastructure Service Providers and the OEMs? A lot has been written and a lot deliberated over cloud security and cloud compliance, but the main case here is the case of Risk Management in Cloud Computing. It is pretty important for the CIOs and the CFOs to understand the Risks associated with Cloud Computing Infrastructure, specifically in the light of the Data Security and Data Privacy requirements. I am sure none of the CIOs, and for that matter CXOs, would ever want to fall into the trap where data movement in a cloud scenario would impact Regulatory Compliance through Cross Border Data movement on Cloud Infrastructure spanning geographical locations.

I remember one of my discussions with my colleagues, where I was skeptical about the data privacy issues. It was one of those situations where I was pitted against a team of Architects who were pretty confident about building a solution providing the business benefit to the client. But my question - "What is the Geographical Span of the Cloud that you are looking at?" - oops, that was like a bolt from the blue for the Architects, and they were looking for a definite answer, but to no avail.

In another offline discussion, with a CSO friend of mine, the same question stumped him too. His company was looking at a Cloud Based Email Solution from a leading Service Provider. My question to him was followed by another on the type of Data that flows on email. It is interesting to note that Corporate emails carry attachments ranging from Employee details to Corporate Financial Performance and Business Strategies. That means company HR, Marketing, Legal and Financial Data all flow on Corporate Emails. Interestingly, the organization didn't go for the Cloud Email Solution, as they could not find an answer to the question of Risk Management while going for a Cloud based Email Solution.

I am still trying to look for an answer from the experts around on the questions posed above. I would love to get an answer on the question of Managing Risks in a Cloud Based Computing Solution!!!