The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 11 to 25.
Bangalore Chapter Meet of DSCI
http://editors.cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015
<b>The Centre for Internet & Society (CIS) will host the Bangalore Chapter Meeting of Data Security Council of India (DSCI) on September 26, 2015 at its Bangalore office in Domlur. The event will be held from 2.30 p.m. to 5.30 p.m.</b>
<p style="text-align: justify; ">After the Nasscom cyber security task force meeting held at Wipro in June, followed by DSCI Best Practices meet in July, we now have the next chapter meeting at CIS.</p>
<h3 style="text-align: justify; ">Speakers</h3>
<p style="text-align: justify; ">The first speaker will be <b>Melissa Hathaway, Commissioner, Global Commission for Internet Governance</b>. She is an internationally distinguished cyber security expert and has worked as cyber security adviser in two US Presidential Administrations, and is the former acting Senior Director for cyberspace at the National Security Council in the US. The topic she will be speaking on is "<a href="http://editors.cis-india.org/internet-governance/blog/connected-choices" class="external-link">Connected Choices</a>".</p>
<p style="text-align: justify; ">The second speaker will be <b>Sunil Abraham, Executive Director, CIS</b> (Centre for Internet & Society). Sunil is a renowned thought leader on internet governance, cyberspace and its interface with civil society, and actively contributes to DSCI and other forums. He will be presenting on "<a href="http://editors.cis-india.org/internet-governance/blog/anonymity-in-cyberspace" class="external-link">Anonymity in Cyberspace</a>" - the SIG that he led over the last 8 months along with a diverse group of members from the industry in Bangalore.</p>
<h3 style="text-align: justify; ">Agenda</h3>
<table class="grid listing">
<tbody>
<tr>
<th>Time</th><th>Topic</th>
</tr>
<tr>
<td>2.30 p.m. - 2.45 p.m.</td>
<td>Recent Developments and Updates from DSCI</td>
</tr>
<tr>
<td>2.45 p.m. - 4.00 p.m.</td>
<td>Srinivas P. (Anchor): DSCI Bangalore Chapter</td>
</tr>
<tr>
<td>4.00 p.m. - 5.00 p.m.</td>
<td>Melissa Hathaway: Connected Choices</td>
</tr>
<tr>
<td>5.00 p.m. - 5.30 p.m.</td>
<td>Sunil Abraham: Anonymity in Cyberspace</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">This will be followed by High Tea & Networking.</p>
<p style="text-align: justify; ">For participation, please send your email confirmation to Rajesh of Infosys at <a class="mail-link" href="mailto:Rajesh_K18@infosys.com">Rajesh_K18@infosys.com</a></p>
<p style="text-align: justify; ">Since seats are limited, participation will be restricted to the first 50 confirmations. We had to organize it on a Saturday due to Melissa’s availability – I’m sure many of you who know her as an expert security speaker will not see the weekend as a constraint to attend. Look forward to meeting you at CIS.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015'>http://editors.cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015</a>
</p>
No publisher | sunil | Cyber Security, Event, Internet Governance | 2015-09-09T01:40:56Z | Event
Electoral Databases – Privacy and Security Concerns
http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns
<b>In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.</b>
<p style="text-align: justify; ">The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.<a href="#_edn1" name="_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> After due consideration, the ECI has decided to drop the plan.<a href="#_edn2" name="_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a></p>
<p style="text-align: justify; ">The plan to partner with Google led to much apprehension about Google gaining access to the database of 790 million voters, including personal information such as age, place of birth and residence. It could also have gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although the plan has been cancelled, this does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website, and the publication of electoral rolls is mandated by law.</p>
<p style="text-align: justify; "><b>Publication of Electoral Rolls</b><br />The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.</p>
<p style="text-align: justify; ">The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document<a href="#_edn3" name="_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> given that the roll is published and can be circulated on the direction of the ECI.</p>
<p style="text-align: justify; ">With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.<a href="#_edn4" name="_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> In addition to that, the electoral rolls for the entire country are available on the ECI website.<a href="#_edn5" name="_ednref5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.<a href="#_edn6" name="_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a></p>
<p style="text-align: justify; "><b>Security Concerns</b><br />The Registration of Electors Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when the rolls are distributed in hard copies and their availability is limited. The security risks emerge only after the digitization of the electoral database: digitization allows for uniformity, standardization and centralization, which in turn make the database vulnerable and subject to abuse. The law has failed to evolve with the change in technology.</p>
<p style="text-align: justify; ">In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth in processing power there has been a growth in surveillance capabilities; on this note the article is titled “<i>With Great Computing Power Comes Great Surveillance</i>”.<a href="#_edn7" name="_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized according to arbitrary search terms. The personal information of the voters can be used for good, but it can equally be abused if it falls into the wrong hands. Big data analysis and computing power make it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual privacy, since the personal information of every voter is made available in the public domain.</p>
<p style="text-align: justify; ">For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies which have a high population of voters above the age of 65. This would help the authority to set up polling booths at closer locations with special amenities. However, the same database can be used to search for the density of members of a particular community in a ward or constituency based on the name, age and sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.</p>
<p style="text-align: justify; "><b>Current IT laws do not mandate the protection of the electoral database</b><br />A centralized electoral database of the entire country can be considered critical information infrastructure (CII), given the impact it may have on elections, which are the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act), CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”<a href="#_edn8" name="_ednref8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> However, the appropriate Government has not notified the electoral database as a protected system.<a href="#_edn9" name="_ednref9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Therefore, the information security practices and procedures prescribed for a protected system are not applicable to the electoral database.</p>
<p style="text-align: justify; ">The Information Technology Rules (IT Rules) are also not applicable to electoral databases <i>per se</i>. Since the ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (<i>hereinafter </i>Reasonable Security Practices Rules) do not apply to electoral databases. Setting aside the fact that the Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of the definition of “personal information”<a href="#_edn10" name="_ednref10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> and should arguably be made subject to the Rules.</p>
<p style="text-align: justify; ">The intent of the ECI for hosting the entire country’s electoral database online <i>inter alia</i> is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”<a href="#_edn11" name="_ednref11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.</p>
<p style="text-align: justify; ">The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />Publication of electoral rolls is a necessary part of the election process. It ensures a free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and endanger the very goal it seeks to achieve, because the electronic database may pose a threat to the privacy of voters and also lead to security breaches. It may be argued that the ECI is mandated by law to publish the electoral database and hence is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent therewith. The appropriate Government should take the necessary steps under the IT Act and notify electoral databases as a protected system.</p>
<p style="text-align: justify; ">It is recommended that the Registration of Electors Rules, 1960 be amended, taking into account the advancement in technology. The Rules should aim at restricting unfettered electronic access to the electoral database and also introduce a purpose limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place to regulate the collection, use, storage and processing of databases which are critical to national security.</p>
<div>
<hr align="left" size="1" width="100%" />
<div id="edn1">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref1" name="_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at <a class="external-link" href="http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss">http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss</a></p>
</div>
<div id="edn2">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref2" name="_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
<div id="edn3">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref3" name="_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> Section 74, Indian Evidence Act, 1872</p>
</div>
<div id="edn4">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref4" name="_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/the_function.aspx">eci.nic.in/eci_main1/the_function.aspx</a></p>
</div>
<div id="edn5">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref5" name="_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx">http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx</a></p>
</div>
<div id="edn6">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref6" name="_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a> “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at <a class="external-link" href="http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf">http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf</a></p>
</div>
<div id="edn7">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref7" name="_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Bill Davidow, With Great Computing Power Comes Great Surveillance, available at <a class="external-link" href="http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/">http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/</a></p>
</div>
<div id="edn8">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref8" name="_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> Section 70, Information Technology Act, 2000</p>
</div>
<div id="edn9">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref9" name="_edn9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure</p>
</div>
<div id="edn10">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref10" name="_edn10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
</div>
<div id="edn11">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref11" name="_edn11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns'>http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns</a>
</p>
No publisher | snehashish | Digital Governance, Privacy, Cybersecurity, Data Protection, Internet Governance, Safety, Information Technology, Cyber Security, Security, e-Governance, Transparency, Politics, E-Governance | 2014-01-16T11:07:21Z | Blog Entry
Discussion at CyFy on Technology, Policy and National Security: Building 21st Century Curricula in India’s Law Schools
http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools
<b>Arindrajit Basu attended the session and gave comments on the course outline which included thoughts on:</b>
<ol>
<li>Threshold of technical knowledge: comparison with WTO law</li>
<li>Need for India-centric approaches both in domestic and foreign policy</li>
<li>Possibility of executive training of senior diplomats</li>
<li>Need to include fintech security in the syllabus</li>
<li>Necessity of international law as a tool of conflict</li>
<li>Sustained collaboration between think-tanks and universities</li>
</ol>
<p style="text-align: justify; ">The event was organized by the Centre for Communication Governance at National Law University Delhi and the Observer Research Foundation at Villa Medici, Taj Mahal Hotel, Man Singh Road, New Delhi.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools'>http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance, Financial Technology | 2019-10-20T07:23:11Z | News Item
India’s Role in Global Cyber Policy Formulation
http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation
<b>The past year has seen vigorous activity on the domestic cyber policy front in India. On key issues—including intermediary liability, data localization and e-commerce—the government has rolled out a patchwork of regulatory policies, resulting in battle lines being drawn by governments, industry and civil society actors both in India and across the globe.</b>
<p>The article by Arindrajit Basu was <a class="external-link" href="https://www.lawfareblog.com/indias-role-global-cyber-policy-formulation">published in Lawfare</a> on November 7, 2019. The article was reviewed and edited by Elonnai Hickok and Justin Sherman.</p>
<hr />
<p style="text-align: justify; ">The onslaught of recent developments demonstrates how India can shape cyber policy debates. Among emerging economies, India is uniquely positioned to exercise leverage over multinational tech companies due to its sheer population size, combined with a rapid surge in users coming online and the country’s large gross domestic product. India occupies a key seat at the <a href="https://www.theatlantic.com/international/archive/2019/06/g20-data/592606/">data governance table</a> alongside other players like the EU, China, Russia and the United States — a position the country should use to promote its interests and those of other similarly placed emerging economies.</p>
<p style="text-align: justify; ">For many years, the Indian population has served as an economic resource for foreign, largely U.S.-based tech giants. Now, however, India is moving toward a regulatory strategy that reduces the autonomy of these companies in order to pivot away from a system that recently has been termed “<a href="https://swarajyamag.com/magazine/colonialism-20-truly">data colonialism</a>”—in which Western technologies use data-driven revenue bolstered by information extracted from consumers in the Global South to consolidate their global market power. The policy thinking underpinning India’s new grand vision still has some gaps, however.</p>
<h3 style="text-align: justify; ">Data Localization</h3>
<p style="text-align: justify; ">Starting with a circular from the Reserve Bank of India in April 2018, the Indian government has <a href="https://twitter.com/cis_india/status/1143096429298085889">introduced a range of policy instruments</a> mandating “<a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">data localization</a>”—that is, requiring that certain kinds of data must be stored in servers located physically within India. A snapshot of these policies is summarized in the table below.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/IndianLaws.jpg" alt="Indian Laws" class="image-inline" title="Indian Laws" /></p>
<p style="text-align: justify; ">(<em>Source <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">here</a>. Design credit: Saumyaa Naidu</em>)</p>
<p style="text-align: justify; ">While there are <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">a number of</a> reasons for this maneuver, two in particular are in line with India’s broader vision of data sovereignty—broadly defined as the sovereign right of nations to govern data within their territory and/or jurisdiction in order to support their national interest for the welfare of their citizens. First, there is an incentive to keep data within India’s jurisdiction because of the cumbersome process through which Indian law enforcement agencies must go during criminal investigations in order to access data stored in the U.S. Second, data localization undercuts the <a href="https://theprint.in/tech/digital-colonialism-why-countries-like-india-want-to-take-control-of-data-from-big-tech/298217/">extractive economic models</a> used by U.S. companies operating in India by which the data generated by Indian citizens is collected in India, stored in data centers located largely in the U.S., and processed and analyzed to derive commercially valuable insights.</p>
<p style="text-align: justify; ">Both foreign players and smaller Indian private-sector actors were against this move. A <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">study</a> on the issue that I co-authored earlier this year with Elonnai Hickok and Aditya Chawla found that one of the reasons for this resistance involved the high costs of setting up the data centers that are needed to comply with the requirement. President Trump <a href="https://www.whitehouse.gov/briefings-statements/remarks-president-trump-g20-leaders-special-event-digital-economy-osaka-japan/">echoed</a> this sentiment when he explicitly opposed data localization during a meeting with Prime Minister Narendra Modi on the sidelines of the G-20 in June 2019.</p>
<p style="text-align: justify; ">At the same time, large Indian players such as Reliance and Paytm and Chinese companies like AliBaba and Xilink were in favor of localization—possibly because these companies could absorb the costs of setting up storage facilities while benefiting from the fixed costs imposed on foreign competition. In fact, some companies, such as AliBaba, <a href="https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/alibaba-cloud-opens-second-data-centre-in-india/articleshow/65995570.cms">have already set up storage facilities in India.</a></p>
<p style="text-align: justify; ">As my co-authors and I noted, data localization comes with various risks, both diplomatically and politically. So far, the issue has caused friction in U.S.-India trade relations. For example, before Secretary of State Mike Pompeo's trip to New Delhi in June, the Trump administration <a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation">reportedly</a> contemplated limiting H-1B visas for any country that implements a localization requirement. Further, on his trips to New Delhi, Commerce Secretary Wilbur Ross has <a href="https://www.medianama.com/2019/05/223-us-trade-secretary-wilbur-ross-highlights-data-localisation-high-tariffs-on-electronics-telecom-products-in-india-as-trade-issues/">regularly argued</a> that data localization restrictions are a barrier to U.S. companies and stressed the need to eliminate such barriers. Further, data localization poses several <a href="https://www.lawfareblog.com/where-your-data-really-technical-case-against-data-localization">technical challenges</a> as well as security risks. Mirroring data across multiple locations, as India’s <a href="https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Draft Personal Data Protection Bill</a> mandates, increases the number of physical data centers that need to be protected and thereby the number of vulnerable points that malicious actors can attack.</p>
<p style="text-align: justify; ">Recently, the Indian media have reported <a href="https://economictimes.indiatimes.com/news/economy/policy/policymakers-a-divided-lot-on-personal-data-bill-provisions/articleshow/70404637.cms?from=mdr&utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">disagreements</a> between policymakers over data localization, along with speculation that the data storage requirement in the Draft Personal Data Protection Bill could be limited only to critical data—a term not defined in the bill itself—or be left to sectoral regulators, officials from individual government departments.</p>
<p style="text-align: justify; ">Our paper <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">recommended a dual approach</a>. In our view, data localization policy should include mandatory localization for critical sectors such as defense or payments data, while also adopting “conditional” localization for all other data. Under conditional localization, data should only be transferred to countries that (a) agree to share the personal data of Indian citizens with law enforcement authorities based on Indian criminal procedure laws (examples of such a mechanism may be an executive data-sharing agreement under the <a href="https://epic.org/privacy/cloud-act/">CLOUD Act</a>) and (b) have equivalent privacy and security safeguards. This approach would be in line with India’s overarching vision of data sovereignty and the goal of standing up to the hegemony of big tech and of U.S. internet regulations, while avoiding undue collateral damage to India’s global alliances.</p>
<h3 style="text-align: justify; ">Intermediary Liability</h3>
<p style="text-align: justify; ">In line with the goal of ensuring that big tech is answerable to the rule of law, the Indian government has also sought to regulate the adverse social impacts of some speech hosted by platforms. Rule 3(9) of the <a href="https://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf">Draft of the Information Technology Intermediaries Guidelines (Amendment) Rules, 2018,</a> released by the Ministry of Electronics and Information Technology in December 2019, takes up the interventionist mission of laws like the <a href="https://www.lawfareblog.com/germanys-bold-gambit-prevent-online-hate-crimes-and-fake-news-takes-effect">NetzDG</a> in Germany. The regulation would mandate that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.” These regulations have prompted concerns from both the private sector and civil society groups, which claim the proposal fails to address <a href="https://cis-india.org/internet-governance/resources/Intermediary%20Liability%20Rules%202018.pdf">constitutional concerns</a> about algorithmic discrimination, excessive censorship and inappropriate delegation of legislative powers under Indian law. Further, some observers object that the guidelines adopt a “one-size-fits-all” approach to classifying intermediaries that does not differentiate between platforms that thrive on end-to-end encryption like WhatsApp and public platforms like Facebook.</p>
<p style="text-align: justify; ">In many ways, these guidelines—likely to be <a href="https://www.medianama.com/2019/10/223-intermediary-guidelines-to-be-notified-by-jan-15-2020-meity-tells-supreme-court/">notified (as an amendment to the Information Technology Act) as early as January 2020</a>—put the cart before the horse. Before devising regulatory models appropriate for India’s geographic scale and population, it is first necessary to conduct empirical research about the vectors through which misinformation spreads in India and how misinformation impacts different social, economic and linguistic communities, along with pilot programs for potential solutions to the misinformation problem. And it is imperative that these measures be brought in line with constitutional requirements.</p>
<h3 style="text-align: justify; ">Community Data and “Data as a Public Good”</h3>
<p>Another important question involves the precise meaning of “data” itself—an issue on which various policy documents have failed to deliver a consistent stance.</p>
<p style="text-align: justify; ">The first conceptualization of “community data” appears in both the <a href="https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf">Srikrishna Committee Report</a> that accompanied the <a href="https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Draft Personal Data Protection Bill</a> in 2018 and the draft e-commerce policy. However, neither policy provides clarity on the concept of data.</p>
<p style="text-align: justify; ">When defining community data, the Srikrishna Report endorses a collective protection of privacy as protecting an identifiable community that has contributed to community data. According to the Srikrishna Report, receiving collective protection requires the fulfillment of three key aspects. First, the data belong to an identifiable community. Second, the individuals in the community consent to being a part of the community. And third, the community as a whole consents to its data being treated as community data.</p>
<p style="text-align: justify; ">The <a href="https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf">draft e-commerce policy</a> reconceptualizes the notion of community data as “societal commons” or a “national resource,” where the undefined “community” has rights to access data but the government has overriding control to utilize the data for welfare purposes. Unlike the Srikrishna Report, the draft e-commerce policy does not outline the key aspects of community data. This approach fails to demarcate a clear line between personal and nonpersonal data or to specify any practical guidelines or restrictions on how the government can use community data. For this reason, implementation of this policy could pose a threat to the right to privacy that the Indian Supreme Court recognized as a <a href="https://thewire.in/law/supreme-court-aadhaar-right-to-privacy">fundamental right</a> in 2017.</p>
<p style="text-align: justify; ">The second idea is that of “data as a public good.” This is described in Chapter 4 of the <a href="https://www.indiabudget.gov.in/economicsurvey/doc/vol1chapter/echap04_vol1.pdf">2019 Economic Survey Report</a>—a document published by the Ministry of Finance along with the Annual Financial Budget. The report explicitly states that any data governance framework needs to be deferential to privacy norms and the soon-to-be-enacted privacy law. The report further states that “personal data” of an individual in the custody of a government is a “public good” once the datasets are anonymized.</p>
<p style="text-align: justify; ">However, the report’s recommendation of setting up a government database that links several individual databases together leads to the <a href="https://thewire.in/government/india-vision-data-republic-dangers-privacy">“triangulation” problem</a>, in which individuals can be identified by matching different datasets together. The report further suggests that the same data can be sold to private firms (though it is unclear whether this includes foreign or domestic firms). This directly contradicts the characterization of a “public good”—which, by definition, must be <a href="https://www.britannica.com/topic/public-good-economics">nonexcludable and nonrivalrous</a>—and is also at odds with the government’s vision of reining in big tech. The government has set up an expert committee to look into the scope of nonpersonal data, and the results of the committee’s deliberations <a href="https://www.medianama.com/2019/09/223-meity-non-personal-data-committee/">are likely to</a> influence the shape that India’s data governance framework takes across multiple policy instruments.</p>
<p style="text-align: justify; ">There is obviously a need to reassess and reevaluate the range of governance efforts and gambits that have emerged in the past year. With domestic cyber policy formulation pivots reaching a crescendo, we must consider how domestic cyber policy efforts can influence India’s approach to global debates in this space.</p>
<h3 style="text-align: justify; ">India’s Contribution to Global Cyber Policy Debates</h3>
<p style="text-align: justify; ">As the largest democracy in the world, India is undoubtedly a key <a href="https://www.newamerica.org/cybersecurity-initiative/reports/digital-deciders/">“digital decider”</a> in shaping the future of the internet. Multilateral cyber policy formulation efforts remain <a href="https://cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india">polarized</a>. The U.S. and its European allies continue to advocate for a free, rules-based conception of cyberspace with limited governmental interference. China and Russia, along with their Shanghai Cooperation Organisation allies, are pushing for a tightly regulated internet in which each state has the right to manage and define its “network frontiers” through domestic regulation free from external interference. To some degree, India is already influencing debate over the internet through its various domestic cyber policy movements. However, its participation in international debates has been lacking the vigor or coherence needed to clearly articulate India’s national interests and take up a global leadership role.</p>
<p style="text-align: justify; ">In shaping its contributions to global cyber policy formulation, India should focus its efforts on three key places: (a) internet governance forums that deliberate the governance of the technical architecture of the internet, such as domain names; (b) cyber norms formulation processes that seek to establish norms fostering responsible behavior in cyberspace by states and nonstate actors; and (c) global debates on trade and cross-border data flows that seek to conceptualize the future of global digital trade relationships. As I discuss below, there are key divisions in Indian policy in each of these forums. To realize its grand vision in the digital sphere, India needs to do much more to make its presence felt.</p>
<p><em>Internet Governance Forums</em></p>
<p style="text-align: justify; ">India’s stance on a variety of issues at internet governance forums has been inconsistent, switching repeatedly between <a href="https://www.cigionline.org/sites/default/files/documents/GCIG%20Volume%202%20WEB.pdf">multilateral and multistakeholder visions for internet governance.</a> A core reason for this uncertainty <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">is the participation of multiple Indian government</a> ministries, which often disagree with each other. At global internet governance forums, India has been represented either by the Department of Electronics and Information Technology (now renamed the Ministry of Electronics and Information Technology) or the Department of Telecommunications (under the Ministry of Communications and Information Technology) or by the Ministry of External Affairs (MEA).</p>
<p style="text-align: justify; ">As my colleagues have documented <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">in a detailed paper,</a> India has been vocal in global internet governance debates at forums including the International Telecommunication Union, the Internet Governance Forum and the U.N. General Assembly. However, the Indian stance on <a href="https://www.diplomacy.edu/IGFLanguage/multistakeholderism">multistakeholderism</a> has been complex, with the MEA advocating for a multilateral stance while the other departments switched between multistakeholderism and “nuanced multilateralism”—which calls for multistakeholder participation in policy formulation but multilateral implementation. The paper also argues that there has recently been a decline in the vigor of Indian participation at forums such as the 2018 meeting of the Working Group on Enhanced Co-operation (WGEC 2.0), due to key personnel changes. For <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">example</a>, B.N. Reddy, who was a skilled and experienced negotiator for the MEA in previous forums, was transferred to another position before WGEC 2.0, and the delegation that attended the meeting did not make its presence felt as strongly or skillfully.</p>
<p><em>Cyber Norms for Responsible State Behavior in Cyberspace</em></p>
<p style="text-align: justify; ">With the exception of two broad and unoriginal statements at the <a href="https://unoda-web.s3-accelerate.amazonaws.com/wp-content/uploads/2016/10/India.pdf">70th</a> and <a href="https://undocs.org/A/71/172">71st</a> sessions of the U.N. General Assembly, India has yet to make public its position on the multilateral debate on the proliferation of norms for responsible state behavior in cyberspace. During the <a href="https://dig.watch/events/open-ended-working-group-oewg-first-substantive-session">substantive session</a> of the Open-Ended Working Group held in September, India largely reaffirmed points made by other states, rather than carving out a new or original approach. The silence and ambiguity are surprising, as India has been represented on four of the five Groups of Governmental Experts (GGEs) set up thus far and has also been inducted into the 2019-2021 GGE that is set to revamp the global cyber norms process. (Due to the GGE’s rotational membership policy, India was not a member of the fourth GGE that submitted its report in 2015.)</p>
<p style="text-align: justify; ">However, before becoming an evangelist of any particular norms, India has some homework to do domestically. It has yet to advance a clear, coherent and detailed public stance outlining its views on the application of international law to cyberspace. This public stance is necessary for two reasons. First, a well-reasoned statement that explains India’s stance on core security issues—such as the applicability of self-defense, countermeasures and international humanitarian law—would show India’s appetite for offensive and defensive strategies for external adversaries and allies alike. This would serve as the edifice of a potentially credible cyber deterrence strategy. Second, developing a public stance would help India to take advantage of the economic, demographic and political leverage that it holds and to assume a leadership role in discussions. The <a href="https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century">U.K.</a>, <a href="https://www.lawfareblog.com/frances-cyberdefense-strategic-review-and-international-law">France,</a> <a href="https://www.lawfareblog.com/germanys-position-international-law-cyberspace">Germany</a>, <a href="https://www.justsecurity.org/64490/estonia-speaks-out-on-key-rules-for-cyberspace/">Estonia</a>, <a href="https://www.justsecurity.org/wp-content/uploads/2017/06/Cuban-Expert-Declaration.pdf">Cuba</a> (backed by China and Russia) and the <a href="https://www.justsecurity.org/wp-content/uploads/2016/11/Brian-J.-Egan-International-Law-and-Stability-in-Cyberspace-Berkeley-Nov-2016.pdf">U.S.</a> have all made their positions publicly known with varying degrees of detail.</p>
<p><em>Data Transfers</em></p>
<p style="text-align: justify; ">Unlike in other forums, Indian policy has been clearer in the cross-border data transfer debate. This is a foreign policy extension of India’s emphasis on localization and data sovereignty in domestic policy instruments. At the G-20 Summit in Osaka, India and the rest of the BRICS group (Brazil, Russia, China and South Africa) stressed the role that data play in economic development for emerging economies and reemphasized the need for <a href="https://www.youtube.com/watch?v=0a8YsZQ0F6k&feature=youtu.be">data sovereignty</a>. India did not sign the <a href="https://www.international.gc.ca/world-monde/international_relations-relations_internationales/g20/2019-06-29-g20_declaration-declaration_g20.aspx?lang=eng">Osaka Declaration on the Digital Economy</a> that kickstarted the “Osaka Track”—a process whereby the 78 signatories agreed to participate in global policy discussions on international rule-making for e-commerce at the World Trade Organization (WTO). This was a continuation of India’s sustained efforts opposing the e-commerce moratorium at the WTO.</p>
<p style="text-align: justify; ">The importance of cross-border data flows in spurring the global economy found its way into the <a href="https://g20.org/pdf/documents/en/FINAL_G20_Osaka_Leaders_Declaration.pdf">Final G-20 Leaders Declaration</a>—which India signed. Foreign Secretary Vijay Gokhale <a href="https://www.youtube.com/watch?v=0a8YsZQ0F6k&feature=youtu.be">argued</a> that international rule-making on data transfers should not take place in plurilateral forums outside the WTO. Gokhale claimed that limiting the debate to the WTO would ensure that emerging economies have a say in the framing of the rules. The clarity expressed by the Indian delegation at the G-20 should be a model for more confident Indian leadership in this global cyber policy development space.</p>
<h3 style="text-align: justify; ">Looking Forward</h3>
<p style="text-align: justify; ">India is no newcomer to the idea of normative leadership. To overcome material shortcomings in the nation’s early years, Jawaharlal Nehru, the first Indian prime minister, engineered a <a href="https://www.livemint.com/Opinion/h13WRfZP09BWA3Eg68TuVL/What-Narendra-Modi-has-Jawaharlal-Nehru-to-thank-for.html">normative pivot in world affairs</a> by championing the sovereignty of countries that had gained independence from colonial rule. In the years immediately after independence, the Indian foreign policy establishment sought to break the hegemony of the United States and the Soviet Union by advancing a foreign policy rooted in what came to be known as <a href="https://www.foreignaffairs.com/articles/india/2016-09-19/india-after-nonalignment">“nonalignment.”</a></p>
<p style="text-align: justify; ">Making sound contributions to foreign policy in cyberspace requires a variety of experts—international lawyers, computer scientists, geopolitical strategists and human rights advocates. Indian civil society and academia are brimming with tech policy enthusiasts from a variety of backgrounds who could add in-depth substance to the government’s cyber vision. Such engagement has begun to some extent at the domestic level: most government policies are now opened up to consultation with stakeholders. Yet there is still room for greater transparency in this process.</p>
<p style="text-align: justify; ">India's cyber vision is worth fighting for. The continued monetization of data dividends by foreign big tech at the expense of India’s socioeconomic development needs to be countered. This can be accomplished by predictable and coherent policymaking that balances economic growth and innovation with the fundamental rights and values enshrined in the Indian Constitution, including the right to equality, freedom of speech and expression, and the right to life. But inherent contradictions in the conceptualization of personal data, delays in tabling the Personal Data Protection Bill, and uncertain or rushed approaches in several other regulatory policies are all fettering the realization of this vision. On core geopolitical issues, there exists an opportunity to set the rule-shaping agenda to favor India’s sovereign interests. With global cyber policy formulation in a state of flux, India has the economic, demographic and intellectual leverage to have a substantial impact on the debate and recraft the narrative in favor of the rapidly emerging Global South.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation'>http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation</a>
</p>
No publisher | basu | Cyber Security | Internet Governance | 2019-11-13T14:13:33Z | Blog Entry
CYFY 2016 - The India Conference on Cyber Security and Internet Governance
http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition
<b>Sunil Abraham will participate as a panelist at the CYFY 2016 event organized by Observer Research Foundation in New Delhi from September 28 to 30, 2016.</b>
<p style="text-align: justify; ">Into its fourth edition this year, CyFy: The India Conference on Cyber Security and Internet Governance has emerged as a global platform to discuss, debate and deliver digital policy solutions. CyFy 2015 featured nearly 110 participants from over 33 countries, with nearly 800 delegates in attendance. Prominently, the conference sessions featured several experts from Africa and the Asia Pacific, who addressed the policy priority of connecting the next billion. The 2016 iteration of CyFy will highlight the political, economic and strategic questions that underpin this imperative.</p>
<p style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/cyfy-2016-agenda/view">Download the Agenda </a></p>
<hr />
<p style="text-align: justify; ">See the announcement on <a class="external-link" href="http://cyfy.org/">CYFY website</a> or write to Samir Saran at <a class="mail-link" href="mailto:ssaran@orfonline.org?subject=CyFy 2016">ssaran@orfonline.org</a> or Arun at <a class="mail-link" href="mailto:arun.sukumar@orfonline.org?subject=CyFy 2016">arun.sukumar@orfonline.org</a> for more details on the conference.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition'>http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition</a>
</p>
No publisher | praskrishna | Cyber Security | Internet Governance | 2016-09-13T15:23:59Z | News Item
Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No
http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks
<b>From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.</b>
<p style="text-align: justify; ">The article by Sushil Kambampati was <a class="external-link" href="http://thewire.in/67398/india-is-unprepared-for-future-cyber-attacks/">published in the Wire</a> on September 21, 2016. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.</p>
<p style="text-align: justify; "><span>However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On </span><span>May 17, the cyber-security firm Symantec </span><a href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" rel="external nofollow" target="_blank" title="stated"><span>stated</span></a><span> in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.</span></p>
<p style="text-align: justify; "><span>A week later, another cyber-security firm, Kaspersky Lab, </span><a href="http://www.kaspersky.co.in/about/news/virus/2016/Danti-and-Co" rel="external nofollow" target="_blank" title="announced"><span>announced</span></a><span> that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities. </span></p>
<p style="text-align: justify; "><span>Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators </span><a href="http://arstechnica.com/security/2016/04/how-hacking-team-got-hacked-phineas-phisher/" rel="external nofollow" target="_blank" title="reveal"><span>reveal</span></a><span> the attack, the target of the attack </span><a href="http://www.forbes.com/sites/davelewis/2014/10/14/sears-owned-kmart-discloses-data-breach/#3755df43540d" rel="external nofollow" target="_blank" title="discloses"><span>discloses</span></a><span> the breach, or because the leaked data </span><a href="https://www.washingtonpost.com/news/the-intersect/wp/2015/08/19/how-to-see-if-you-or-your-spouse-appear-in-the-ashley-madison-leak/" rel="external nofollow" target="_blank" title="shows"><span>shows</span></a><span> up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations </span><a href="http://tech.firstpost.com/biztech/cyberespionage-group-suckfly-targeted-indian-govt-e-commerce-organisations-symantec-315538.html" rel="external nofollow" target="_blank" title="received"><span>received</span></a><span> tepid </span><a href="http://timesofindia.indiatimes.com/tech/tech-news/Cyber-spy-group-Suckfly-to-continue-targeting-Indian-government-Symantec/articleshow/52326126.cms" rel="external nofollow" target="_blank" title="coverage"><span>coverage</span></a><span> in India. 
A few news organisations </span><a href="http://www.hindustantimes.com/tech/cyber-spy-group-suckfly-to-keep-targeting-indian-government-symantec/story-F50rNLT2zYhkG90o7DGKaN.html" rel="external nofollow" target="_blank" title="published"><span>published</span></a><span> the same wire </span><a href="http://economictimes.indiatimes.com/tech/ites/government-units-top-it-firm-among-cyber-espionage-targetssymantec/articleshow/52312952.cms" rel="external nofollow" target="_blank" title="story"><span>story</span></a><span> that basically </span><a href="http://tech.firstpost.com/biztech/kaspersky-reports-cyber-espionage-attacks-on-indian-government-in-2016-317107.html" rel="external nofollow" target="_blank" title="rewrote"><span>rewrote</span></a><span> information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause. </span></p>
<p style="text-align: justify; "><span>Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.</span></p>
<p style="text-align: justify; "><span>This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government </span><a href="http://zeenews.india.com/news/gujarat-on-high-alert-after-intelligence-input-on-infiltration-of-terrorists_1862830.html" rel="external nofollow" target="_blank" title="goes"><span>goes</span></a><span> on high alert, resources are </span><a href="http://timesofindia.indiatimes.com/india/Additional-BSF-battalion-on-Pakistan-border-to-avert-infiltration/articleshow/42081166.cms" rel="external nofollow" target="_blank" title="mobilised"><span>mobilised</span></a><span> and the public is </span><a href="http://timesofindia.indiatimes.com/city/ahmedabad/IB-warns-Gujarat-about-possible-infiltration-bid-at-Kutch/articleshow/50495655.cms" rel="external nofollow" target="_blank" title="warned"><span>warned</span></a><span>. The government then tries to identify the threat and stop it from doing any harm. Citizens </span><a href="http://idsa.in/idsacomments/IndiasCounterTerrorismPoliciesareMiredinSystemicWeaknesses_gkanwal_140512" rel="external nofollow" target="_blank" title="demand"><span>demand</span></a><span> that in the future the government take proactive steps to catch infiltrators and prevent any future threats.</span></p>
<p style="text-align: justify; "><b>Weak government response</b></p>
<p style="text-align: justify; "><span>One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was </span><a href="http://bits.blogs.nytimes.com/2015/10/14/deadline-to-disclose-data-breaches-raises-concerns-in-europe/" rel="external nofollow" target="_blank" title="used"><span>used</span></a><span> to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm from these breaches cannot be overstated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange. </span></p>
<p style="text-align: justify; "><span>All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values. </span></p>
<p style="text-align: justify; "><span>Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, </span><a href="http://www.idsa.in/system/files/book/book_indiacybersecurity.pdf" rel="external nofollow" target="_blank" title="disrupt"><span>disrupt</span></a><span> control systems of electrical grids or nuclear facilities and gain access to everything the government </span><a href="https://incometaxindiaefiling.gov.in/e-Filing/Services/KnowYourPanLink.html" rel="external nofollow" target="_blank" title="knows"><span>knows</span></a><span> about its citizens, including personal details, financial information and </span><a href="https://uidai.gov.in/beta/enrolment-update/aadhaar-enrolment.html" rel="external nofollow" target="_blank" title="identity information"><span>identity information</span></a><span>. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent </span><a href="http://gizmodo.com/bangladesh-bank-hackers-created-malware-to-target-the-g-1772834299" rel="external nofollow" target="_blank" title="attempt"><span>attempt</span></a><span> to heist $800 million from the central bank of Bangladesh.</span></p>
<p style="text-align: justify; "><span>A report on risks facing India, </span><a href="https://home.kpmg.com/in/en/home/insights/2016/08/de-risking-india-in-the-new-age-of-technology.html" rel="external nofollow" target="_blank" title="published"><span>published</span></a><span> in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.” </span></p>
<p style="text-align: justify; "><span>In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/copy_of_Network.jpg" alt="Network" class="image-inline" title="Network" /></span></p>
<p style="text-align: justify; "><span>In the Suckfly case, it took a right-to-information </span><a href="https://yourti.in/document/gu9wgny7" rel="external nofollow" target="_blank" title="query"><span>query</span></a><span> from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.</span></p>
<p style="text-align: justify; "><span>The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s </span><a href="http://www.cert-in.org.in" rel="external nofollow" target="_blank" title="Computer Emergency Response Team"><span>Computer Emergency Response Team</span></a><span> (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.</span></p>
<p style="text-align: justify; "><span>CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact e-mail addresses bounce back. While it laudably posts its e-mail encryption key fingerprint on its contact page, one of the identifiers does not match what is </span><a href="http://pgp.mit.edu/pks/lookup?search=cert-in.org.in&op=index" rel="external nofollow" target="_blank" title="registered"><span>registered</span></a><span> in the public key servers (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative. </span></p>
<p style="text-align: justify; "><span>The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore, that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory for a bank to notify the RBI whenever there is a security breach. The RBI did just that in a notification </span><a href="https://rbidocs.rbi.org.in/rdocs/notification/PDFs/LBS300411F.pdf" rel="external nofollow" target="_blank" title="issued"><span>issued</span></a><span> on </span><span>June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statement about whether the financial institutions under its supervision are secure. It took an </span><a href="https://yourti.in/document/ien8cd4r" rel="external nofollow" target="_blank" title="RTI query "><span>RTI query </span></a><span>to get a statement from the RBI, and there it responded that it had no information on the matter.</span></p>
<p style="text-align: justify; "><span>The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of a breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its purview to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if they are taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.</span></p>
<p style="text-align: justify; "><span>SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too long a delay for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.</span></p>
<p style="text-align: justify; "><span>What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.</span></p>
<p style="text-align: justify; "><b>Right or wrong?</b></p>
<p style="text-align: justify; "><span>The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec. </span></p>
<p style="text-align: justify; "><span>On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach. </span></p>
<p style="text-align: justify; "><span>If Symantec is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India </span><a href="http://money.cnn.com/news/economy/world_economies_gdp/index.html" rel="external nofollow" target="_blank" title="is one"><span>is one</span></a><span> of the world’s ten largest economies, and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and let the public know which organisations may be compromised.</span></p>
<p style="text-align: justify; "><span>According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”</span></p>
<p style="text-align: justify; "><span>Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know. </span></p>
<p style="text-align: justify; "><span>What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first </span><a href="http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/" rel="external nofollow" target="_blank" title="revealed"><span>revealed</span></a><span> by security reporter Michael Krebs. Target was </span><a href="http://mashable.com/2014/01/17/retailers-security-breach-timing/#XN.TRtygnEqf" rel="external nofollow" target="_blank" title="criticised"><span>criticised</span></a><span> for not coming forth itself and </span><a href="https://topclassactions.com/lawsuit-settlements/lawsuit-news/32647-target-data-breach-class-action-lawsuit-trial-set-april-2016/" rel="external nofollow" target="_blank" title="faced"><span>faced</span></a><span> several lawsuits. In the US, most states and jurisdictions </span><a href="http://www.reuters.com/article/us-target-data-notification-idUSBREA0F1LO20140116" rel="external nofollow" target="_blank" title="have"><span>have</span></a><span> laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must </span><a href="http://bits.blogs.nytimes.com/2015/10/14/deadline-to-disclose-data-breaches-raises-concerns-in-europe/" rel="external nofollow" target="_blank" title="report"><span>report</span></a><span> a breach within 24 hours and other organisations have 72 hours.</span></p>
<p style="text-align: justify; "><span>India has no mandatory disclosure law for data breaches at government or private organisations, Prakash said. It is something that CIS supports and has proposed since 2011, he added.</span></p>
<p style="text-align: justify; "><span>According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.</span></p>
<p style="text-align: justify; "><span>Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has </span><a href="http://www.assocham.org/newsdetail.php?id=5669" rel="external nofollow" target="_blank" title="grown"><span>grown</span></a><span> rapidly in India, a study in 2014 by <i>YourStory</i> and Kalaari Capital </span><a href="http://yourstory.com/2014/06/infographic-indian-e-commerce-consumers-want-2014/" rel="external nofollow" target="_blank" title="found"><span>found</span></a><span> that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase. </span></p>
<p style="text-align: justify; "><span>When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.</span></p>
<p style="text-align: justify; "><span>As the KPMG report states, cyber attacks are only going to become more common. Despite </span><a href="http://thediplomat.com/2014/06/india-scrambles-on-cyber-security/" rel="external nofollow" target="_blank" title="multiple"><span>multiple</span></a> <a href="http://www.firstpost.com/business/danger-india-faces-shortage-lakh-cyber-security-pros-2482958.html" rel="external nofollow" target="_blank" title="warnings"><span>warnings</span></a><span>, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks'>http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance | 2016-09-22T00:57:02Z | News Item
The Big Debit Card Breach: Three Things Card Holders Need To Understand
http://editors.cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach
<b>A total of 32 lakh debit cards across 19 banks could have been compromised on account of a purported fraud, the National Payment Corporation of India said in a statement.</b>
<p style="text-align: justify; ">The article by Alex Mathew was <a class="external-link" href="http://www.bloombergquint.com/business/2016/10/20/indias-biggest-security-breach-32-lakh-debit-cards-across-19-banks-may-have-been-compromised">published by Bloomberg</a> on October 20, 2016. Udbhav Tiwari was quoted.</p>
<hr />
<p style="text-align: justify; ">The issue was brought to light when State Bank of India blocked the debit cards of 6 lakh customers on October 14. This was done after the bank was alerted to a possible fraud by the National Payment Corporation of India, MasterCard and Visa, said Managing Director Rajnish Kumar in a telephonic interview with BloombergQuint.</p>
<p style="text-align: justify; ">In a statement released on Thursday evening, the NPCI clarified that the problem was brought to their attention when they received complaints from a few banks that customers’ cards were used fraudulently, mainly in China and the U.S., while those cardholders were in India.</p>
<p style="text-align: justify; ">“The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI,” the payments corporation said.</p>
<div class="story__element__wrapper">
<div class="story__element__image story__element"><figure> <img src="http://editors.cis-india.org/home-images/Card.png" alt="Card" class="image-inline" title="Card" /><br /> </figure></div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p style="text-align: justify; ">SISA Security, a Bengaluru-based company, is currently undertaking a forensic study to identify the extent of the problem and will submit a final report in November.</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-blockquote">
<div>
<blockquote>Based on the advisory issued by NPCI and other schemes, it is gathered that banks have advised their customers to change their debit card PIN. In situations where customers could not be contacted, the cards have been blocked and fresh cards are being issued by member banks.</blockquote>
<span class="attribution">NPCI statement</span></div>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p style="text-align: justify; ">State Bank of India has blocked 6 lakh cards, while other banks have sent notifications to customers advising them to change their personal identification numbers.</p>
<h3>How The Breach Could Have Occurred</h3>
<p>The breach that has apparently given hackers access to the PIN codes of several bank customers is likely to be on account of a malware attack. This attack is believed to have originated at an ATM.</p>
<p style="text-align: justify; ">The actual modus operandi of the hackers will only become clear once the forensic audit is released in November, but BloombergQuint spoke to cyber security expert Udbhav Tiwari to find out how the attack could have been orchestrated.</p>
<p style="text-align: justify; ">First, the hacker would have had to gain physical access to an ATM. The malware was then likely injected by connecting a laptop or another special device to a port on the cash disbursing machine, said Tiwari, a consultant at Centre For Internet & Society in Bengaluru.</p>
<p style="text-align: justify; ">Once the malware is injected, it automatically spreads across the network and infects other devices that are not protected against it. In this case, the malware could have infected a payment switch provider’s network.</p>
<p style="text-align: justify; ">A payment switch provider is an entity that facilitates a transaction either from an ATM or an online payment gateway. The service provider decides to whom the request for authorisation will be sent and then transmits the request back to the merchant or the ATM where the transaction originated.</p>
<p style="text-align: justify; ">In this case, one payment switch provider, Hitachi Payment Services, which manages close to 50,000 ATMs across the country, was asked by banks to investigate 30 of its ATMs on account of around 400 suspicious transactions that took place outside India, Managing Director Loney Antony told BloombergQuint in a telephonic interview.</p>
<p>The company had earlier said in a statement that an interim report by the audit agency does not suggest any breach or compromise in its systems.</p>
<h3>The Scale Of The Breach</h3>
<p style="text-align: justify; ">According to a study conducted by NPCI in collaboration with the banks, the number of debit cards affected by the malware has been put at 32 lakh. But Tiwari said this number could be higher.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div>
<blockquote>The hypothetical limit to how much the malware can spread is dependent on the vulnerability of the systems, and if one of the payment switch provider’s systems was vulnerable and they still haven’t decided how many systems are vulnerable, it is quite possible that the malware is spreading at this point.</blockquote>
</div>
<p><span class="attribution">Udbhav Tiwari, Consultant, Centre For Internet & Society</span></p>
<h3>What A Customer Should Do</h3>
<p>The first, and most important step a customer should take is to immediately change their debit card PIN, Tiwari pointed out.</p>
<p style="text-align: justify; ">State Bank of India has said that its customers can opt to restrict the usage of their debit cards, for example whether it can be used both internationally and domestically or only domestically. Also, the daily limit of the debit card can be changed.</p>
<p style="text-align: justify; ">Once these steps have been taken, according to Tiwari, it is most important that customers stay vigilant and keep monitoring their bank statements. If an unauthorised transaction takes place, a customer should immediately contact their bank and block their card.</p>
</div>
</div>
</div>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach'>http://editors.cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance | 2016-10-21T13:43:17Z | News Item
How Long Have Banks Known About The Debit Card Fraud?
http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud
<b>The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.</b>
<p>The article was <a class="external-link" href="http://www.bloombergquint.com/opinion/2016/10/21/how-long-have-banks-known-about-the-debit-card-fraud">published by Bloomberg</a> on October 22, 2016.</p>
<hr />
<p style="text-align: justify; ">The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from foreign locations such as China. The security breach has directly affected at least 641 customers to the tune of Rs 1.8 crore, with lakhs more affected by the proactive measures (including card revocation) being taken by banks to prevent further financial losses.</p>
<p style="text-align: justify; ">Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of the damage it has caused and the sufficiency of the countermeasures being initiated by the banks. This article discusses these aspects of the attack and also suggests normative measures that can be taken to minimise harm and prevent such attacks in the future.</p>
<h3 style="text-align: justify; ">The Modus Operandi</h3>
<p style="text-align: justify; ">According to reports, the compromise may have happened at the level of Hitachi Payment Services, a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or more ATMs were apparently compromised by malware, which then infected the payment services provider's network, giving the malware a far larger potential target area than just the physical ATMs. The malware could have reached the payment switch provider by being physically uploaded onto vulnerable ATMs, which are known to run outdated embedded operating systems with various documented loopholes that are rarely patched. The malware could then have recorded the details of the cards used on the infected ATMs (or even on the network generally) and, via the same compromised network, transmitted confidential details, including ATM PINs and CVV numbers, to the operators of the malware.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Malware.jpg/@@images/13c6e6b2-e9be-4056-bd2d-ad540cff88dc.jpeg" alt="Malware" class="image-inline" title="Malware" /></p>
<p style="text-align: justify; ">The attack could also have originated from some other vulnerable part of the payment network, such as a payment switch within the bank itself, which would make it far more dangerous: the malware may still be active on parts of the bank's network and would have access to a far wider range & variety of information than a mere ATM. There is no real way to know whether the threat has even been contained, let alone neutralised, as the audits being carried out by PCI-DSS authorised agencies have been ongoing for the past month and their reports are not due for at least another 15 days, as intimated by NPCIL.</p>
<h3 style="text-align: justify; ">Massive Financial Implications</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p><img src="http://editors.cis-india.org/home-images/Bank.png/@@images/5a9bda35-ccdc-4895-a841-609c4c7c0958.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News) <br /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used with only the card number, expiry date, name & CVV number. They do not require an ATM PIN or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike in India, where the RBI mandates OTPs for debit cards, this CVV-based simplified online usage is the standard practice for using ATM cards digitally in most of the developed world.</p>
<p style="text-align: justify; ">This would mean that merely changing ATM PINs, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would offer almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these internationally enabled cards that are being targeted in this sort of attack.</p>
<h3 style="text-align: justify; ">Are Banks Concealing Information?</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_Bank.png/@@images/0f5235cb-4909-4885-b12e-d83bb4202230.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The absence of data/security breach laws in India is being sharply felt, as there has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation & disclosure of key information pertaining to the attack, along with detailed containment measures. The presence of such a law in India would have gone a long way towards preventing the breach from being kept under wraps for so long (it occurred at the bank level in September, almost a month ago) and would also have ensured far more vigilant compliance by corporations & banks with international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards to be issued to affected customers.</p>
<p style="text-align: justify; ">Constant vigilance & comprehensive security audits by banks to detect affected cards, together with active protection for customers using financial and identity insurance services such as AllClear ID Plus (used by Sony after the 2011 PlayStation hack), will go a long way towards mitigating the harm of the breach. The banking industry, government & security agencies should all learn from this breach; a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive & reactive action in the future.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud'>http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud</a>
</p>
No publisher | tiwari | Cyber Security, Internet Governance, Privacy | 2016-10-22T08:06:51Z | Blog Entry
CII Conference on "ACT: Achieve Cyber Security Together"
http://editors.cis-india.org/internet-governance/blog/cii-conference-on-act
<b>The Confederation of Indian Industries (CII) organized a conference on facing cyber threats and challenges at Hotel Hilton in Chennai on July 13, 2013. Kovey Coles attended this conference and shares a summary of the event in this blog post.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>The conference, hosted by CII at the Hotel Hilton, was well attended, and featured a range of industry experts, researchers and developers, and members of the Indian armed forces.</p>
<p style="text-align: justify; ">Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted areas for cyber-attacks, and its number of domestic internet users is known to be rapidly increasing in an age which many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored, "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practicing lawyer in Chennai, asked whether India would wait for a "9/11 of cyberspace" before establishing online the same level of precautionary measures that now exists in transportation security.</p>
<p style="text-align: justify; ">With both the government’s executive forces and private industry present, the mood in the conference room was one of collective Indian defense: a secure nation achieved only through securing both its governmental and industrial aspects. As at the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other cyber crimes with pecuniary goals. For people seeking to avoid the array of scams and frauds online, some talks shared the most basic advice, like safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various hacking schemes, including tab-nabbing and Distributed Denial of Service (DDoS) attacks, describing their tactics and how to mitigate them.</p>
<p style="text-align: justify; ">In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. All of the speakers showed how quickly the world of cyber security is evolving, and demonstrated the imperative for government and industry entities to evolve their own practices and defenses in stride. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis on the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince attendees that cyber security is neither a futile nor a completely infallible concept. As CISCO Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cii-conference-on-act'>http://editors.cis-india.org/internet-governance/blog/cii-conference-on-act</a>
</p>
No publisher | kovey | Cyber Security, Internet Governance, Privacy | 2013-07-26T08:17:40Z | Blog Entry
11th India Knowledge Summit 2013
http://editors.cis-india.org/news/eleventh-india-knowledge-summit-2013
<b>The Associated Chambers of Commerce and Industry in India (ASSOCHAM) is organizing the 11th Knowledge Summit 2013 in Hotel Shangri-La, New Delhi on October 14 and 15, 2013. The Centre for Internet and Society is supporting this event.</b>
<hr />
<p style="text-align: justify; ">Read the original announcement <a class="external-link" href="http://www.assocham.org/events/showevent.php?id=888">published by ASSOCHAM here</a>, <a class="external-link" href="http://www.assocham.org/downloads/?filename=11th-India-Knowledege-Summit-Tentative-Agenda.docx">the tentative agenda here</a> and the <a class="external-link" href="http://www.assocham.org/docs/11th-Konwledge-Summit-CyberSecurityBrochure_13.pdf">event brochure here</a>.</p>
<hr />
<p style="text-align: justify; ">The lack of a national-level doctrine has created an environment where we are entirely reactive in our cyber posture. Indeed, the battlefield transcends physical borders and boundaries. The power of a nation-state is not required to inflict widespread damage on critical infrastructure systems; a single malicious actor can wreak havoc. The starkest difference, however, is that today both the private sector and individual citizens have unprecedented access to a myriad of infrastructure systems that can provide entry into sensitive systems – yet they are largely unaware of, and unaccountable for, their responsibilities in defending them.</p>
<p style="text-align: justify; ">As cyber networks rapidly transition from a mere utility to the undercurrent of our entire societal infrastructure, this reliance becomes a vulnerability. The modern Cyber Era demands a national-level doctrine that can be adopted by government agencies, armed forces, private sector organizations and individual citizens alike to establish a collective sense of purpose for our Cyber Security.</p>
<p style="text-align: justify; ">The Chamber is providing a forum to bring executive leaders, policymakers and academia together with the scientists and practitioners that intimately understand cyber technology to collaborate and begin a debate about the complex issues.</p>
<p style="text-align: justify; ">The time has come when we should consider not only the military impact of the new cyber world, but also what role cyber defense will hold in shaping the future of our country’s economy, education, foreign affairs policies and critical infrastructure initiatives. Only then can our government, industry, and private citizens align under common goals to shape a safe and prosperous future.</p>
<p style="text-align: justify; ">ASSOCHAM, India's Apex Chamber for Commerce & Industry, was set up in 1920. Today the Chamber is proud to have more than 450,000 companies as its esteemed members, including many of the big global technology companies.</p>
<p style="text-align: justify; ">ASSOCHAM is privileged to be a Member of the <b>“Cyber Regulation Advisory Committee”</b> set up by the <b>Ministry of Communications and IT</b>, and of the <b>Joint Working Group (JWG) on Cyber Security</b> set up by the <b>National Security Council Secretariat</b>, Government of India.</p>
<p style="text-align: justify; ">ASSOCHAM’s flagship program, the annual <b>INDIA KNOWLEDGE SUMMIT</b>, organized since 1999, has in the past been addressed by distinguished keynote speakers, including Nobel Laureates, such as Dr. Craig Venter, Sir Harry Kroto, Prof. Aaron Ciechanover, Dr. Raj Reddy, Dr. A P J Abdul Kalam, Dr. Kirsty Duncan and Prof. John A Pickett, to name a few.</p>
<p style="text-align: justify; ">This year the <b>11th INDIA KNOWLEDGE SUMMIT </b>is being organized from <b>14-15 October, 2013 in Hotel </b><b>Shangri-La, New Delhi.</b></p>
<p style="text-align: justify; ">The Theme for this year’s Summit is <b>“Cyber Era - Securing the Future”</b>.</p>
<p align="left"><b>Registration Fees: </b></p>
<blockquote>
<p><b>International Delegates</b>: $ 200/- for both days<br /><b>Indian Delegates</b>: Rs. 5,000/- per day<br /><b>Students</b>: Rs. 2,000/- per day</p>
<p>The Delegate Registration Fee includes:<br /> Tea & Coffee<br /> Copy of Background Paper<br /> Copy of Workshop Study Material</p>
</blockquote>
<p align="left"><b>For more details please contact: </b></p>
<blockquote>
<p>Ajay Sharma, Senior Director, M: 9899188488 , eMail: <a href="mailto:ajay.sharma@assocham.com">ajay.sharma@assocham.com</a><br /> Varun Aggarwal, Joint Director, M: 9910613815 , eMail: <a href="mailto:varun.aggarwal@assocham.com">varun.aggarwal@assocham.com</a><br /> Himanshu Rewaria, Executive, M: 9654251077 , eMail: <a href="mailto:himanshu.rewaria@assocham.com">himanshu.rewaria@assocham.com</a><br /> Sahil Goswami Executive, M: 9871962311 , eMail: <a href="mailto:sahil.goswami@assocham.com">sahil.goswami@assocham.com</a><br /><br /> <b>Corporate Office</b><br /> The Associated Chambers of Commerce and Industry of India<br /> ASSOCHAM Corporate Office, 5, Sardar Patel Marg<br />Chanakyapuri, New Delhi – 110021<br /> Phone: 46550555 (Hunting Line)<br /> Fax: 01123017008/9<br /> <br /> Email: <a class="newslink" href="mailto:assocham@nic.in">assocham@nic.in</a></p>
</blockquote>
<p>
For more details visit <a href='http://editors.cis-india.org/news/eleventh-india-knowledge-summit-2013'>http://editors.cis-india.org/news/eleventh-india-knowledge-summit-2013</a>
</p>
Author: praskrishna | Categories: Cyber Security, Internet Governance | Published: 2013-09-26T07:15:29Z | Type: News Item
IT companies in Bengaluru on high alert over WannaCry ransomware
http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware
<b>In the wake of the ransomware attack triggered by the WannaCry virus, IT firms in Bengaluru are racing against time to update their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared a holiday for a day or two for their employees.</b>
<p style="text-align: justify; ">The article by <span><a href="http://www.newindianexpress.com/author/Kiran-Parashar-K-M-&-Shruthi-H-M" target="_blank">Kiran Parashar K M & Shruthi H M</a> was published in the <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/17/it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware-1605705--1.html">New Indian Express</a> on May 17, 2017. Pranesh Prakash was quoted.<br /></span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been told to be wary of unsolicited emails, and at a few firms were asked to stay away from work while the security systems update was in progress.</p>
<p style="text-align: justify; ">A network engineer at a software firm that provides security solutions said, “We were asked to work on the weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared a holiday as network engineers are flooded with work.”<br /> “Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.</p>
<p style="text-align: justify; ">Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”</p>
<p style="text-align: justify; ">Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.<br /> “Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.</p>
<p style="text-align: justify; ">Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”</p>
<p style="text-align: justify; "><b>WannaCry under reported</b></p>
<p style="text-align: justify; ">Sources at the Indian Cyber Army said that such incidents are under-reported, as many individuals use pirated versions of Windows. Also, people have no idea whom to report to if they fall prey to WannaCry.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware'>http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware</a>
</p>
Author: praskrishna | Categories: Cyber Security, Internet Governance, Digital Media | Published: 2017-05-19T09:05:46Z | Type: News Item
What’s Hard To Digest About The Zomato Hacking
http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking
<b>Yet another day, yet another major security breach. But this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead, it’s Zomato, the popular Indian online food delivery and restaurant search service.</b>
<p style="text-align: justify; ">The blog post by Aayush Ailawadi was published by <a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/18/whats-hard-to-digest-about-the-zomato-hacking">Bloomberg Quint</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in <a href="http://blog.zomato.com/post/160791675411/security-notice" target="_blank">its blog</a> that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.</p>
<p style="text-align: justify; ">Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. An earlier version only recommended changing one’s password on other sites if you are “paranoid about security like us”. A later version mentioned that the passwords were “salted” and hence had an extra layer of security, but still “strongly advised” customers to change their passwords.</p>
<p style="text-align: justify; ">In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information.”</p>
<p style="text-align: justify; ">But that wasn’t the only problem. The hacker put the data up for sale on the dark web, apparently charging 0.5521 bitcoins, or $1001.45, for it. According to the sale post, Zomato had stored the passwords as MD5 hashes, a scheme that security experts consider antiquated and unsuitable for password storage.</p>
<p style="text-align: justify; ">Late on Thursday night, the story took an interesting turn when the company updated <a href="http://blog.zomato.com/post/160807042556/security-notice-update" target="_blank">its blog post yet again</a>. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that the hacker had apparently been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.</p>
<p style="text-align: justify; ">Usually, hackers who hold stolen or encrypted data demand a massive amount of bitcoins as ransom. But in this case the company claims that all the hacker wants is an assurance that the company will soon introduce a bug bounty program on HackerOne. In return, the hacker has agreed to destroy all copies of the stolen data and take it off the dark web marketplace.</p>
<p style="text-align: justify; ">But while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that the company could have done a lot more in such a case.</p>
<h3><b>Disclose To Confuse?</b></h3>
<p style="text-align: justify; ">Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately ask customers to change matching passwords on other websites.</p>
<h3><b>What’s So Scary About The Zomato Hacking?</b></h3>
<p style="text-align: justify; ">Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were hashed with “MD5”, the algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe the company used. The company did not respond to that specific question.</p>
<p style="text-align: justify; ">What’s worse, Prakash adds, is that the algorithm is not only antiquated but also highly unsuitable for password hashing, as hashes produced with it can be cracked quickly.</p>
<h3><b>Genuine Disclosures Vs False Promises</b></h3>
<p style="text-align: justify; ">Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.</p>
<h3><b>Where’s My Privacy And Security?</b></h3>
<p style="text-align: justify; ">Concern #4: According to Prakash, it’s not just privacy but also one’s security that has been compromised in this instance. He says the Zomato hack is a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law under which bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.</p>
<p style="text-align: justify; ">Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking'>http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking</a>
</p>
Author: praskrishna | Categories: Cyber Security, Internet Governance, Privacy | Published: 2017-05-19T09:22:37Z | Type: News Item
Hacker steals 17 million Zomato users’ data, briefly puts it on dark web
http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web
<b>Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.</b>
<p style="text-align: justify; ">The article by Kim Arora and Digbijay Mishra, with inputs from Ranjani Ayyar in Chennai, was <a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms">published in the Times of India</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">According to information security blog and news website <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead">HackRead</a>, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato">Zomato</a> claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".</p>
<p style="text-align: justify; ">In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.</p>
<p style="text-align: justify; ">The number of user accounts compromised was pegged at 17 million earlier in the day. In the late-night update, Zomato said the password hashes (passwords stored in a scrambled, one-way form) of 6.6 million users were compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.</p>
<p style="text-align: justify; ">Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.</p>
<p style="text-align: justify; ">However, the information security community raised concerns over the algorithm used for "hashing" the passwords. A screenshot of the vendor's sale page for the stolen data, posted on HackRead, identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.</p>
<p style="text-align: justify; ">Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.</p>
<p style="text-align: justify; ">"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.</p>
<p style="text-align: justify; ">Password "hashing" is a one-way transformation commonly used for large online user databases: the stored value is derived from the password, but the password cannot be recovered from it except by guessing candidates and hashing each one. How hard that guessing is depends on the algorithm. A fast general-purpose hash such as MD5 lets an attacker who holds the database test billions of guesses per second on commodity hardware, whereas purpose-built password hashes are deliberately slow. "Salting" is the addition of a random string to each password before it is hashed, so that identical passwords produce different hashes and an attacker cannot use one precomputed table of hashes against the whole database.</p>
<p style="text-align: justify; ">In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."</p>
<p style="text-align: justify; ">HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.</p>
<p style="text-align: justify; ">According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for hashing passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt and scrypt are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.</p>
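<p style="text-align: justify; ">The difference between the MD5 storage the sale listing describes and the bcrypt/scrypt-style storage Prakash recommends, as an added example written for this page (it is not Zomato's code and comes from neither article): it runs a dictionary attack against a constructed set of unsalted MD5 rows, then stores the same passwords with a per-user random salt and scrypt (falling back to PBKDF2-HMAC-SHA256 from Python's standard library where the local OpenSSL build lacks scrypt) and runs the same attack again. One MD5 computation tests a guess against every leaked user at once, and users who share a password are exposed together; with salting, every guess costs one full slow derivation per user. The usernames, passwords, wordlist and scrypt parameters are constructed for the demo.</p>

```python
"""Why MD5 is the wrong tool for password storage, and what a salted, slow hash buys you.

Added example for this page; not code from Zomato, HackRead or the articles quoted here.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed demo data: a tiny wordlist and a handful of "leaked" rows.
# Real credential dumps and cracking wordlists are orders of magnitude larger.
WORDLIST = ["123456", "password", "qwerty", "letmein", "biryani", "zomato123"]


def md5_hex(password: str) -> str:
    """Plain, unsalted MD5 of the password: the scheme the sale listing attributed to Zomato."""
    return hashlib.md5(password.encode()).hexdigest()


LEAKED_MD5: Dict[str, str] = {
    "alice": md5_hex("password"),
    "bob": md5_hex("biryani"),
    "carol": md5_hex("password"),                      # same password as alice
    "dave": md5_hex("correct horse battery staple"),  # not in the wordlist
}


def crack_md5(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted MD5.

    Each candidate is hashed once and looked up against every row, so the cost is
    one MD5 per candidate no matter how many users leaked, and identical hashes
    reveal which users share a password.
    """
    lookup = {md5_hex(w): w for w in wordlist}  # a tiny precomputed (rainbow) table
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


# scrypt is named in the article; PBKDF2-HMAC-SHA256 is the stdlib fallback when the
# local OpenSSL does not expose scrypt. Both are deliberately slow, salted derivations.
SCHEME = "scrypt" if hasattr(hashlib, "scrypt") else "pbkdf2_sha256"


def _kdf(password: bytes, salt: bytes) -> bytes:
    if SCHEME == "scrypt":
        # n=2**14, r=8, p=1 are demo parameters; raise them as far as login latency allows.
        return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return scheme$salt$digest with a fresh 16-byte random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = _kdf(password.encode(), salt)
    return f"{SCHEME}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    digest = _kdf(password.encode(), bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_salted(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The same dictionary attack against salted slow hashes.

    No shared lookup table is possible because every user has a different salt, so
    each (user, candidate) pair costs one full KDF run. Weak passwords still fall,
    but the attacker pays per user, not once per candidate.
    """
    words = list(wordlist)
    found: Dict[str, str] = {}
    for user, stored in rows.items():
        for w in words:
            if verify_password(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("MD5 rows cracked:", crack_md5(LEAKED_MD5, WORDLIST))
    salted = {u: hash_password(p) for u, p in [("alice", "password"), ("carol", "password")]}
    print("same password, different stored values:", salted["alice"] != salted["carol"])
    print("salted rows cracked:", crack_salted(salted, WORDLIST))
```

<p style="text-align: justify; ">The stdlib derivations are used only so the example runs without extra packages; in production the <code>bcrypt</code> or <code>argon2-cffi</code> packages, or scrypt with parameters tuned to the server, are the usual choices, and the scheme tag in the stored string is what lets you migrate users to a stronger algorithm on their next login.</p>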
<p style="text-align: justify; ">What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."</p>
<p style="text-align: justify; ">Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'>http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</a>
</p>
Author: praskrishna | Categories: Cyber Security, Hacking, Internet Governance, Privacy | Published: 2017-05-20T05:57:14Z | Type: News Item
Experts stress on need for enhanced security
http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security
<b>With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/06/experts-stress-on-need-for-enhanced-security-1601631.html">published in the New Indian Express</a> on May 6, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Speaking to Express, Dr A Nagarathna of the Advanced Centre on Cyber Law and Forensics, National Law School of India University, said that apart from the push for digital payment solutions, the merger of various State Bank entities also provided chances for criminals to exploit gullible people.</p>
<p style="text-align: justify; ">“People tend to give away critical information since cyber criminals seem so convincing. But they should remember that banks never collect such information over phone,” she said.</p>
<p style="text-align: justify; ">The cyber security features of banks and e-wallets are also questionable. Banks and e-wallet service providers should be held accountable for such crimes, so that they make an effort to ensure necessary safety measures, she said.</p>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director at the Centre for Internet and Society, noted that there were security concerns with e-wallets. “Many e-wallet apps compromise on security in favour of convenience, but, at the same time, have terms of service that hold customers liable for financial losses. There have been many reports of criminals working with rogue telecom company employees to clone SIM cards and steal money via UPI and BHIM,” he said.</p>
<p style="text-align: justify; ">He also criticised the use of biometrics as the only factor for authorising payments to merchants using Aadhaar Pay. He noted, “Your fingerprints cannot be changed, unlike a PIN. So, if a merchant clones your fingerprint, you cannot revoke it or replace it the way you can with a debit card and a PIN.”</p>
<p style="text-align: justify; ">Another activist said the recommendations of Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security'>http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security</a>
</p>
Author: praskrishna | Categories: Cyber Security, Internet Governance, Privacy | Published: 2017-05-20T06:13:19Z | Type: News Item
Cybersecurity Visuals Media Handbook: Launch Event
http://editors.cis-india.org/internet-governance/blog/cybersecurity-visuals-media-handbook-launch-event
<b>6th December | 6 pm | Centre for Internet and Society, Bangalore</b>
<p>The existing cybersecurity imagery in media publications has been observed to be limited in its communication of the discourse prevailing in cybersecurity policy circles, relying heavily on stereotypes such as hooded men, padlocks, and binary codes.</p>
<p>In order to enable a clearer, more nuanced representation of cybersecurity concepts, we at CIS, along with <a class="external-link" href="http://designbeku.in/">Design Beku</a>, are launching the Cybersecurity Visuals Media Handbook. This handbook has been conceived as a concise guide for media publications to understand specific concepts within cybersecurity and to use as a reference when creating visuals that are more informative, relevant, and look beyond stereotypes.</p>
<p>We will be launching the interactive digital handbook on 6th December, 2019, at the Centre for Internet and Society, Bangalore, at 6 pm. The event would include a discussion on the purpose, process, and concepts behind this illustrated guide by CIS researchers and Design Beku.</p>
<p>The launch will be followed by a panel discussion on Digital Media Illustrations & the Politics of Technology. We will be joined by Padmini Ray Murray, Paulanthony George, and Kruthika N S in the panel. It will be moderated by Saumyaa Naidu.</p>
<p dir="ltr"><strong>Padmini Ray Murray</strong></p>
<p dir="ltr">Padmini founded the Design Beku collective in 2018 to help not-for-profit organisations explore their potential through research-led design and digital development. Trained as an academic researcher, Padmini currently works as the head of communications at Obvious, a design studio. She regularly gives talks and publishes on the necessity of technology and design to be decolonial, local, and ethical.</p>
<p dir="ltr"><strong>Paulanthony George</strong></p>
<p dir="ltr">Paulanthony hates writing bios in the third person.<br />My research focuses on the relationships between made objects, the maker and the behaviour of making, in the context of spreadable digital media (and behaviours stemming from it). I study internet memes inside and outside of India and phenomena such as dissent, satire, free expression and ambivalent behaviour fostered by them. The research is at the intersection of digital ethnography, culture studies, human-computer interaction, humour studies and critical theory. I spend my time watching people. I draw them, the way they are, the way some people want to be, and sometimes I have interesting conversations with them.</p>
<p dir="ltr"><strong>Kruthika N S</strong></p>
<p dir="ltr">Kruthika NS is a lawyer at LawNK and researcher at the Sports Law & Policy Centre, Bengaluru. She uses art as a medium to explore the intersections of the law and society, with gender justice featuring as the central theme of her work. Her art has included subjects such as the #MeToo movement in India, and the feminist principles of the internet, among several other doodles.</p>
<p dir="ltr"><strong>Saumyaa Naidu</strong></p>
<p dir="ltr">Saumyaa is a designer and researcher at the Centre for Internet and Society.</p>
<p><strong>Agenda</strong><br />6:00 - 6:15 pm - Introduction<br />6:15 - 6:45 pm - Presentation on the Media Handbook by Paulanthony George<br />6:45 - 7:00 pm - Tea/Coffee<br />7:00 - 8:00 pm - Panel discussion on Digital Media Illustrations & the Politics of Technology<br />8:00 - 8:30 pm - Tea/Coffee and Snacks</p>
<p>The interactive version of handbook can be accessed <a class="external-link" href="http://cis-india.github.io/cybersecurityvisuals/index">here</a>. The print versions of the handbook can be accessed at: <a class="external-link" href="https://drive.google.com/file/d/13Llq1vD5Eb-yo2YE3X6dRPaZ_WsMYhfa/view?usp=sharing">Single Scroll Printing</a>, <a class="external-link" href="https://drive.google.com/file/d/1mK_lxA0Eeb7GWxqZk4IM3cBxKdWakKS9/view?usp=sharing">Tiled-Paste Printing</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cybersecurity-visuals-media-handbook-launch-event'>http://editors.cis-india.org/internet-governance/blog/cybersecurity-visuals-media-handbook-launch-event</a>
</p>
Author: saumyaa | Categories: Cybersecurity, Cyber Security, Event, Internet Governance | Published: 2019-12-06T09:27:37Z | Type: Event