The Centre for Internet and Society
http://editors.cis-india.org
First Look: CIS Cybersecurity documentary film
http://editors.cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer
<b>CIS presents the trailer of its documentary film DesiSec: Cybersecurity & Civil Society in India</b>
<p>The Centre for Internet and Society is pleased to release the trailer of its first documentary film, on cybersecurity and civil society in India. </p>
<p>The documentary is part of the CIS Cybersecurity Series, a work in progress which may be found <a class="external-link" href="http://cismetamedia.tumblr.com">here</a>.</p>
<iframe src="//www.youtube.com/embed/3134xVvMmfc" frameborder="0" height="315" width="560"></iframe>
<p><strong>DesiSec: Cybersecurity and Civil Society in India</strong></p>
<p>The trailer of <em>DesiSec: Cybersecurity and Civil Society in India</em> was shown at the Internet Governance Forum in Bali on October 24. It was a featured presentation at the Citizen Lab workshop, <em>Internet Governance For The Next Billion Users.</em></p>
<p>The transcript of the workshop is available here: <a href="http://www.intgovforum.org/cms/component/content/article/121-preparatory-process/1476-ws-344-internet-governance-for-the-next-billion-users">http://www.intgovforum.org/cms/component/content/article/121-preparatory-process/1476-ws-344-internet-governance-for-the-next-billion-users</a> </p>
<p><strong><em>This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.</em></strong></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer'>http://editors.cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer</a>
</p>
No publisher listed. Author: purba. Tags: Cybersecurity, Internet Governance Forum, Internet Governance, Cyber Security Film, Cybercultures, Cyber Security. Published 2013-12-17T08:16:42Z. Type: Blog Entry.
Financial CERT to combat cyber threats, says MoS home affairs
http://editors.cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs
<b>To tackle cyber threats to India’s financial institutions, the central government is considering establishing a financial Computer Emergency Response Team (CERT).</b>
<p style="text-align: justify; ">This was published by <a class="external-link" href="https://www.cisomag.com/financial-cert-combat-cyber-threats-says-mos-home-affairs/">CISO MAG</a> on November 17, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Addressing the 15th Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in New Delhi on November 15, 2017, IT Secretary Ajay Prakash Sawhney said, “right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors. It will oversee the entire financial sector including banks and financial institutions.”</p>
<p style="text-align: justify; ">In March this year, the power ministry had announced plans to create four sectoral CERTs for cybersecurity in power systems: CERT (Transmission), CERT (Thermal), CERT (Hydro), and CERT (Distribution).</p>
<p style="text-align: justify; ">Udbhav Tiwari, program manager at the Centre for Internet and Society, a Bengaluru-based think tank, highlighted the responsibilities of the financial CERT in a conversation with Live Mint. “The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack, normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” he said.</p>
<p style="text-align: justify; ">Cybersecurity Chief Gulshan Rai, who was also present at the event, said “from April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries.”</p>
<p style="text-align: justify; ">On August 1, 2017, MoS home affairs Hansraj Gangaram Ahir had said “as per the information by the Indian computer emergency response team (CERT-In), 50 incidents affecting 19 financial organizations have been reported during the period of November, 2016 to June, 2017.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs'>http://editors.cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs</a>
</p>
No publisher listed. Author: Admin. Tags: Cyber Security, Internet Governance. Published 2017-11-23T16:07:21Z. Type: News Item.
Fair process frameworks for cross-border online spaces
http://editors.cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces
<b>This workshop is being organised by the Internet & Jurisdiction Project (Civil Society, France and Germany, Western Europe and Others Group). Sunil Abraham is one of the panelists for this workshop.</b>
<p style="text-align: justify; "><i>The Internet Governance Forum 2013 is being held at Bali from October 22 to 25. The overarching theme for the 2013 IGF meeting is "Building Bridges - Enhancing Multistakeholder Cooperation for Growth and Sustainable Development".</i></p>
<p><a class="external-link" href="http://www.intgovforum.org/cms/wks2013/workshop_2013_status_list_view.php?xpsltipq_je=42">Read the original published on IGF website</a>. Also <a class="external-link" href="http://www.internetjurisdiction.net/igf-2013-workshop/">read it on Internet & Jurisdiction website</a>.</p>
<hr />
<h2>Theme: Legal Frameworks and Cyber-crime (Spam, Cyber-security, etc.)</h2>
<p style="text-align: justify; ">This workshop is organized by the Internet & Jurisdiction Project, a global multi-stakeholder dialogue process launched in January 2012, which engages key actors from states, international organizations, companies, civil society, academia and the technical community from all around the world to address the tension between the cross-border Internet and national jurisdictions.</p>
<p style="text-align: justify; ">Over 2.5 billion Internet users interact in shared cross-border online spaces where they can post content potentially accessible worldwide. On the one hand, platforms’ Terms of Service try to set transnational rules on acceptable postings; on the other hand, content that is legal in one jurisdiction can be illegal or sensitive in other territories. No clear frameworks exist yet to handle the tensions between these competing normative orders or values and enable peaceful cohabitation in cross-border cyberspaces. This challenge constitutes a rare issue of common concern for all stakeholder groups.</p>
<p style="text-align: justify; ">Building upon the intersessional work conducted by the Internet & Jurisdiction Project since the 2012 IGF, the roundtable will address the following topics:</p>
<ul>
<li style="text-align: justify; ">Can commonly agreed interoperability procedures ensure fair process in interactions between platforms, public authorities, technical operators and users regarding seizures, content takedowns and access to user data?</li>
<li style="text-align: justify; ">How could appropriate multi-stakeholder frameworks be developed?</li>
</ul>
<p style="text-align: justify; ">Note: This roundtable is listed above under the “legal frameworks and cybercrime” track. However, it equally touches upon other thematic areas: Human Rights / Freedom of Expression on the Internet (addressing takedown procedures); Internet Governance Principles (e.g. fair process and accountability); and Principles of Multi-Stakeholder Cooperation (the development of mutual frameworks).</p>
<p style="text-align: justify; "><b>Has the proponent organised a workshop with a similar subject during past IGF meetings?</b></p>
<p style="text-align: justify; ">Yes</p>
<p style="text-align: justify; "><b>Indication of how the workshop will build on but go beyond the outcomes previously reached</b></p>
<p style="text-align: justify; ">At the IGF 2012, after a year of interaction with different stakeholders, the Internet & Jurisdiction Project organized two workshops titled “What is the Geography of Cyberspace?” and “What frameworks for cross-border online communities and services?” These sessions explored the roots of the tension between the Internet and the patchwork of national jurisdictions and examined how to address this common concern. Both workshops and the ongoing dialogue facilitated by the I&J Project in 2013 (including several preparatory meetings around the world) confirmed the need to explore how to develop appropriate frameworks to handle the tension in a multi-stakeholder setting. Therefore, the I&J Project will gather involved stakeholders at the 2013 workshop “Fair process frameworks for cross-border online spaces” to discuss the way forward: How could appropriate frameworks be developed and what commonly agreed interoperability procedures could ensure fair process?</p>
<p style="text-align: justify; ">Background Paper: No background paper provided</p>
<p style="text-align: justify; ">Session Type: Roundtable</p>
<ul>
<li style="text-align: justify; ">Mr. Bertrand De La Chapelle, Internet & Jurisdiction Project, Civil Society, France, Western Europe and Others Group - WEOG</li>
<li style="text-align: justify; ">Mr. Paul Fehlinger, Internet & Jurisdiction Project, Civil Society, Germany, Western Europe and Others Group - WEOG</li>
</ul>
<p><b>Have the Proponent or any of the co-organisers organised an IGF workshop before? </b></p>
<p>Yes</p>
<p>The link(s) to the workshop report(s):</p>
<ul>
<li><a href="http://wsms1.intgovforum.org/content/no154-internet-jurisdiction-what-frameworks-cross-border-online-communities-and-services">http://wsms1.intgovforum.org/content/no154-internet-jurisdiction-what-frameworks-cross-border-online-communities-and-services</a></li>
<li><a href="http://wsms1.intgovforum.org/content/no171-what-geography-cyberspace">http://wsms1.intgovforum.org/content/no171-what-geography-cyberspace</a></li>
<li><a href="http://www.intgovforum.org/cms/rio_reports/WS_27_Short_Report.pdf">http://www.intgovforum.org/cms/rio_reports/WS_27_Short_Report.pdf</a></li>
<li><a href="http://www.intgovforum.org/cms/2008-igf-hyderabad/event-reports/72-workshops/366-workshop-81-national-multi-stakeholder-processes-and-their-relation-to-the-igf">http://www.intgovforum.org/cms/2008-igf-hyderabad/event-reports/72-workshops/366-workshop-81-national-multi-stakeholder-processes-and-their-relation-to-the-igf</a></li>
</ul>
<h3>Panelists</h3>
<p>Please click on biography to view the biography of the panelist:</p>
<ol>
<li>Fiona Alexander, Department of Commerce, NTIA, Female, Government, United States, Western Europe and Others Group – WEOG. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=213" target="_blank">Biography</a></li>
<li>Anne Carblanc, OECD, Female, Intergovernmental Organizations, France, Western Europe and Others Group – WEOG. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=255" target="_blank">Biography</a></li>
<li>Elvana Thaci, Council of Europe, Female, Intergovernmental Organizations, France, Western Europe and Others Group – WEOG. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=287" target="_blank">Biography</a></li>
<li>Sunil Abraham, Centre for Internet & Society, Male, Civil Society, India, Asia-Pacific Group. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=108" target="_blank">Biography</a></li>
<li>Anriette Esterhuysen, Association for Progressive Communications, Female, Civil Society, South Africa, African Group. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=74" target="_blank">Biography</a></li>
<li>Carlos Affonso Pereira Da Souza, Fundacao Getulio Vargas, Male, Technical Community, Brazil, Latin American and Caribbean Group – GRULAC. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=286" target="_blank">Biography</a></li>
<li>Ross Lajeunesse, Google, Male, Private Sector, United States, Western Europe and Others Group – WEOG. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=264" target="_blank">Biography</a></li>
<li>Ebele Okobi, Yahoo, Female, Private Sector, United States, Western Europe and Others Group – WEOG. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=435" target="_blank">Biography</a></li>
<li>Linda Corugedo Steneberg, European Commission, Belgium, Western Europe and Others Group – WEOG. <a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=256" target="_blank">Biography</a></li>
</ol>
<h3>Agenda</h3>
<ol>
<li style="text-align: justify; ">Can commonly agreed interoperability procedures ensure fair process in interactions between platforms, public authorities, technical operators and users regarding seizures, content takedowns and access to user data?</li>
<li style="text-align: justify; ">How could appropriate multi-stakeholder frameworks be developed?</li>
</ol>
<h3>Inclusiveness of the Session</h3>
<p style="text-align: justify; ">The format of the workshop is going to be an open roundtable discussion between a diverse group of stakeholders on the basis of a structured agenda, without formal presentations. Taking stock of the preparatory process with meetings around the world, the participants will be able to discuss the outcomes of the multi-stakeholder dialogue process, explore the components of possible frameworks and how to move forward. The objective is to produce a structured but fluid and dynamic discussion that includes the audience in the debate.</p>
<h3 style="text-align: justify; ">Suitability for Remote Participation</h3>
<p style="text-align: justify; ">In addition to the remote participation tools provided by the IGF, the session will be covered live on Twitter with a dedicated hashtag and questions can also be submitted through tweets to open the discussion and engage new stakeholders. Moreover, participants of the Internet & Jurisdiction dialogue process around the world will be encouraged to participate remotely in the discussion.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces'>http://editors.cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces</a>
</p>
No publisher listed. Author: praskrishna. Tags: Cyber Security, Internet Governance. Published 2013-10-21T09:02:02Z. Type: News Item.
Extra-Territorial Surveillance and the Incapacitation of Human Rights
http://editors.cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights
<b>This paper was published in Volume 12 (2) of the NUJS Law Review. </b>
<div>Our networked data trails dictate, define, and modulate societies in hitherto inconceivable ways. The ability to access and manipulate that data is a product of stark power asymmetry in geo-politics, leading to a dynamic that privileges the interests of a few over the right to privacy and dignity of the many. I argue that the persistent de facto violation of human rights norms through extraterritorial surveillance conducted by western intelligence agencies, compounded by the failure of judicial intervention in the West, has led to the incapacitation of international human rights law. Despite robust jurisprudence including case law, comments by the United Nations, and widespread state practice on the right to privacy and the application of human rights obligations to extraterritorial stakeholders, extraterritorial surveillance continues with aplomb. Procedural safeguards and proportionality tests regularly sway towards a ‘ritual incantation’ of national security even in scenarios where a less intrusive option is available. The vulnerable citizen abroad is unable to challenge these processes and becomes an unwitting victim of nefarious surveillance practices that further widen global power asymmetry and entrench geo-political fissures.</div>
<div><br />The full article can be found <a href="http://editors.cis-india.org/internet-governance/extraterritorial-algorithmic-surveillance-and-the-incapacitation-of-international-human-rights-law" class="internal-link" title="EXTRATERRITORIAL ALGORITHMIC SURVEILLANCE AND THE INCAPACITATION OF INTERNATIONAL HUMAN RIGHTS LAW">here</a>.</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights'>http://editors.cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights</a>
</p>
No publisher listed. Author: Arindrajit Basu. Tags: Cybersecurity, Cyber Security, Internet Governance. Published 2020-01-02T11:02:26Z. Type: Blog Entry.
Experts stress on need for enhanced security
http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security
<b>With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/06/experts-stress-on-need-for-enhanced-security-1601631.html">published in the New Indian Express</a> on May 6, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Speaking to Express, Dr A Nagarathna of the Advanced Centre on Cyber Law and Forensics, National Law School of India University, said that apart from the push for digital payment solutions, the merger of various State Bank entities also provided chances for criminals to exploit gullible people.</p>
<p style="text-align: justify; ">“People tend to give away critical information since cyber criminals seem so convincing. But they should remember that banks never collect such information over phone,” she said.</p>
<p style="text-align: justify; ">The cyber security features of banks and e-wallets are also questionable. Banks and e-wallet service providers should be held accountable for such crimes, so that they make an effort to ensure necessary safety measures, she said.</p>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director at the Centre for Internet and Society, noted that there were security concerns with e-wallets. “Many e-wallet apps compromise on security in favour of convenience, but, at the same time, have terms of service that hold customers liable for financial losses. There have been many reports of criminals working with rogue telecom company employees to clone SIM cards and steal money via UPI and BHIM,” he said.</p>
<p style="text-align: justify; ">He also criticised the use of biometrics as the only factor for authorising payments to merchants using Aadhaar Pay. He noted, “Your fingerprints cannot be changed, unlike a PIN. So, if a merchant clones your fingerprint, you cannot revoke it or replace it the way you can with a debit card and a PIN.”</p>
<p style="text-align: justify; ">Another activist said the recommendations of Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security'>http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security</a>
</p>
No publisher listed. Author: praskrishna. Tags: Cyber Security, Internet Governance, Privacy. Published 2017-05-20T06:13:19Z. Type: News Item.
European Summer School on Internet Governance
http://editors.cis-india.org/internet-governance/news/european-summer-school-on-internet-governance
<b>The 13th European Summer School on Internet Governance was held at Meissen in Germany from 13 - 20 July 2019. Akriti Bopanna attended the school. The event was organized by EuroSSIG. </b>
<p>More information on the event can be <a class="external-link" href="https://eurossig.eu/eurossig/2019-edition/programme-2019/">accessed on this page</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/european-summer-school-on-internet-governance'>http://editors.cis-india.org/internet-governance/news/european-summer-school-on-internet-governance</a>
</p>
No publisher listed. Author: Admin. Tags: Cyber Security, Internet Governance, Internet Freedom. Published 2019-07-23T00:30:15Z. Type: News Item.
European E-Evidence Proposal and Indian Law
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law
<b>In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.</b>
<p style="text-align: justify; ">The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (<b>EPOs</b>) and European Preservation Orders (<b>EPROs</b>) to entities in any other EU member country (together the “<b>Data Orders</b>”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.</p>
<p style="text-align: justify; ">In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.</p>
<p><b>Part I - E-evidence Directive and Regulation </b></p>
<p style="text-align: justify; ">The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc., or any website which has a subscription-based model and allows access to subscribers in Europe, would potentially be covered by the E-evidence Proposal. The EPRO, like the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.<a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a> Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.</p>
<p style="text-align: justify; ">While EPOs to produce subscriber data<a href="#_ftn2" name="_ftnref2"><sup>[2]</sup></a> and access data<a href="#_ftn3" name="_ftnref3"><sup>[3]</sup></a> can be issued for any criminal offence, an EPO for content data<a href="#_ftn4" name="_ftnref4"><sup>[4]</sup></a> and transactional data<a href="#_ftn5" name="_ftnref5"><sup>[5]</sup></a> may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.</p>
<p style="text-align: justify; ">To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.</p>
<p><i><span>Grounds on which EPOs can be issued</span></i></p>
<p style="text-align: justify; ">The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation, which make it very clear that a Data Order may only be issued in a case if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data, and subjects the production and preservation of the former to stricter requirements. Therefore, while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of at least 3 years. In addition, EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years; otherwise it would become extremely difficult to secure convictions in those offences.<a href="#_ftn6" name="_ftnref6"><sup>[6]</sup></a></p>
<p style="text-align: justify; ">The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”</p>
<p><i><span>Grounds to Challenge EPOs</span></i></p>
<p style="text-align: justify; ">Service providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation, such as: the Order was not issued by a proper issuing authority; the provider cannot comply because of a <i>de facto</i> impossibility or <i>force majeure</i>; or the data requested is not stored with the service provider or pertains to a person who is not a customer of the service provider.<a href="#_ftn7" name="_ftnref7"><sup>[7]</sup></a> In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in the specified form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.<a href="#_ftn8" name="_ftnref8"><sup>[8]</sup></a></p>
<p style="text-align: justify; ">If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate, along with the reasons given by the service provider for non-compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence, or the data cannot be provided due to one of the following reasons:</p>
<p>(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;</p>
<p>(b) the European Production Order has not been issued for an offence provided for by Article 5(4);</p>
<p>(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;</p>
<p>(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;</p>
<p>(e) the service is not covered by this Regulation;</p>
<p>(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.</p>
<p style="text-align: justify; ">In addition to the above mechanism, the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge and the issuing authority intends to uphold the Order, it must request a review of the Order by the competent court in its Member State. If the court concludes that the conflict claimed by the service provider exists, the court shall notify the authorities of the third country, and if that third country objects to execution of the EPO, the court must set it aside.<a href="#_ftn9" name="_ftnref9"><sup><sup>[9]</sup></sup></a></p>
<p style="text-align: justify; ">A service provider may also refuse to comply with an Order because it would force the service provider to violate a third-country law that protects interests <i>other than</i> fundamental rights or national security and defence. In such cases the Regulation provides that the same procedure be followed as for laws protecting fundamental rights or national security and defence, except that here the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the Order.<a href="#_ftn10" name="_ftnref10"><sup><sup>[10]</sup></sup></a></p>
<p><i><span>Service Provider “Offering Services in the Union”</span></i></p>
<p style="text-align: justify; ">As is clear from the discussion above, the proposed regime obliges service providers offering services in the Union to designate a legal representative in the European Union, whether or not the service provider is physically located there. This is a fairly onerous obligation for small technology companies, since appointing and maintaining a legal representative in the European Union can involve significant cost, especially if the service provider is not located in the EU. The question therefore arises as to which service providers would be covered by this obligation, and the answer lies in the definitions of the terms “service provider” and “offering services in the Union”.</p>
<p>The term service provider has been defined in Article 2(2) of the Directive as follows:</p>
<p>“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:</p>
<p>(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];<a href="#_ftn11" name="_ftnref11"><sup><sup>[11]</sup></sup></a></p>
<p style="text-align: justify; ">(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council<a href="#_ftn12" name="_ftnref12"><sup><sup>[12]</sup></sup></a> for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;</p>
<p>(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”</p>
<p style="text-align: justify; ">Thus, broadly speaking, the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers, and providers of internet infrastructure such as IP address and domain name registries. An important qualification in the definition is that it covers only those services where “storage of data is a defining component of the service”. Services for which the storage of data is not a defining component are therefore not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; it therefore specifically provides that services for which the storage of data is not a <i>main characteristic</i>, and is thus only of an ancillary nature, would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.<a href="#_ftn13" name="_ftnref13"><sup><sup>[13]</sup></sup></a></p>
<p style="text-align: justify; ">This does not mean that every service provider offering, in the EU, a type of service in which data storage is the main characteristic would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:</p>
<p>“‘offering services in the Union’ means:</p>
<p>(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and</p>
<p>(b) having a substantial connection to the Member State(s) referred to in point (a);”</p>
<p style="text-align: justify; ">Clause (b) of the definition is the main qualifying factor: only those entities whose offering of services has a “substantial connection” with the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through the mere accessibility in the EU of the service provider’s or an intermediary’s website) should not be a sufficient condition for the application of such an onerous obligation; the concept of a “substantial connection” was therefore inserted to require a sufficient relationship between the provider and the territory where it offers its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there is a significant number of users in one or more EU member countries, or if activities are “targeted” towards one or more EU member countries. The “targeting of activities” may be determined from various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, the provision of local advertising or advertising in the language used in an EU member country, the use of information originating from persons in EU member countries in the course of the provider’s activities, or the handling of customer relations, for instance by providing customer service in a language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.<a href="#_ftn14" name="_ftnref14"><sup><sup>[14]</sup></sup></a></p>
<p><b>Part II - EU Directive and Service Providers located in India</b></p>
<p style="text-align: justify; ">In this part of the article we discuss how companies based in India that run websites providing a “service” such as social networking or subscription-based video streaming (for example Hike, AltBalaji or Hotstar) would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal, since one would assume that there is no storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details, as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that makes the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.</p>
<p style="text-align: justify; ">Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.</p>
<p style="text-align: justify; ">There does not seem to be clarity, however, on what would constitute a significant number of users, and whether this is to be measured as the number of users in an EU member country as a proportion of that country’s population, or as a proportion of the total number of customers the service provider has worldwide. To explain this further, let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.<a href="#_ftn15" name="_ftnref15"><sup><sup>[15]</sup></sup></a> Suppose 10 million of these 100 million subscribers are located in countries other than India, of which about 40 thousand are in France and another 40 thousand in Malta. Now 40 thousand customers in a customer base of 100 million is 0.04% of the service provider’s total customer base, which generally speaking would not constitute a “significant number”. However, if we reckon the 40 thousand customers against the total population of Malta, which is approximately 4.75 lakh (475,000),<a href="#_ftn16" name="_ftnref16"><sup><sup>[16]</sup></sup></a> they amount to approximately 8.4% of the population. It is unlikely that a service reaching almost a tenth of the population of an entire country could be said not to have a significant number of users in Malta. If the same calculation is done for a country such as France, with a population of approximately 67.3 million,<a href="#_ftn17" name="_ftnref17"><sup><sup>[17]</sup></sup></a> the figure is approximately 0.06% of the population; would that constitute a significant number as per the E-evidence Proposal?</p>
<p style="text-align: justify; ">The issues discussed above are very important for any service provider, especially a small or medium sized company, since a determination that the E-evidence Proposal applies to it, apart from any legal implications, imposes the direct economic cost of designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further that the legal representative may accumulate different functions (e.g. acting as the General Data Protection Regulation or e-Privacy representative in addition to the legal representative provided for by the E-evidence Directive).<a href="#_ftn18" name="_ftnref18"><sup><sup>[18]</sup></sup></a></p>
<p style="text-align: justify; ">If all the above issues are determined in favour of the E-evidence Directive being applicable to an Indian company, and the company designates a legal representative in an EU member country, it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“<b>SPDI Rules</b>”), service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the provider of the information, the principal exception being disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with <i>Government agencies mandated under the law</i> to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“<b>IT Act</b>”) as under:</p>
<p>“‘law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”<a href="#_ftn19" name="_ftnref19"><sup><sup>[19]</sup></sup></a></p>
<p style="text-align: justify; ">Since the SPDI Rules are issued under the IT Act, the term “law” as used in Rule 6 would have to be read as defined in the IT Act (unless a court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law, and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may have no option except to object to and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, a process which could itself mean significant expenditure on the part of such a company.</p>
<p><b>Conclusion</b></p>
<p style="text-align: justify; ">The framework the European Union seeks to establish through the E-evidence Proposal differs from the approaches favoured elsewhere for streamlining access to digital data: countries such as the United States favour mutual agreements with (presumably) key nations, while countries such as India are pushing for data localisation. Since the EU regime is still only at the proposal stage, there may yet be changes which clarify it significantly. However, as things stand, Indian companies may be affected by the E-evidence Proposal in the following ways:</p>
<ul>
<li style="text-align: justify; ">Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;</li>
<li>Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;</li>
<li style="text-align: justify; ">In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.</li>
<li style="text-align: justify; ">If a legal representative is designated by the Indian company, it may have to incur significant costs on maintaining that representative, especially where it has to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put its (Indian law related) concerns before the competent authority, so that it is not forced to fall foul of its legal obligations in either jurisdiction. It is also unclear to what extent legal representatives appointed by Indian companies could challenge or push back against requests received.</li>
</ul>
<p style="text-align: justify; "><span>Disclaimer</span>: The author of this article is an Indian-trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1"><sup><sup>[1]</sup></sup></a> Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN</a>.</p>
<p><a href="#_ftnref2" name="_ftn2"><sup><sup>[2]</sup></sup></a> Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:</p>
<p>“‘subscriber data’ means any data pertaining to:</p>
<p>(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;</p>
<p>(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”</p>
<p><a href="#_ftnref3" name="_ftn3"><sup><sup>[3]</sup></sup></a> The term access data has been defined in Article 2(8) as follows:</p>
<p>“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”</p>
<p><a href="#_ftnref4" name="_ftn4"><sup><sup>[4]</sup></sup></a> The term content data has been defined in Article 2 (10) as follows:</p>
<p>“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”</p>
<p><a href="#_ftnref5" name="_ftn5"><sup><sup>[5]</sup></sup></a> The term transactional data has been defined in Article 2(9) as follows:</p>
<p>“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitutes access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”</p>
<p><a href="#_ftnref6" name="_ftn6"><sup><sup>[6]</sup></sup></a> Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN</a>.</p>
<p><a href="#_ftnref7" name="_ftn7"><sup><sup>[7]</sup></sup></a> Articles 9(4) and 10(5) of the Regulation.</p>
<p><a href="#_ftnref8" name="_ftn8"><sup><sup>[8]</sup></sup></a> Article 10(5) of the Regulation.</p>
<p><a href="#_ftnref9" name="_ftn9"><sup><sup>[9]</sup></sup></a> Article 15 of the Regulation.</p>
<p><a href="#_ftnref10" name="_ftn10"><sup><sup>[10]</sup></sup></a> Article 16 of the Regulation. Also see <a href="https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/">https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/</a>.</p>
<p><a href="#_ftnref11" name="_ftn11"><sup><sup>[11]</sup></sup></a> Article 2(4) of the Directive establishing the European Electronic Communications Code provides as under:</p>
<p>“‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”</p>
<p><a href="#_ftnref12" name="_ftn12"><sup><sup>[12]</sup></sup></a> Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”</p>
<p><a href="#_ftnref13" name="_ftn13"><sup><sup>[13]</sup></sup></a> Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN</a>.</p>
<p><a href="#_ftnref14" name="_ftn14"><sup><sup>[14]</sup></sup></a> Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN</a>.</p>
<p><a href="#_ftnref15" name="_ftn15"><sup><sup>[15]</sup></sup></a> Hotstar already has an active customer base of 75 million, as of December, 2017; <a href="https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500">https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500</a></p>
<p><a href="#_ftnref16" name="_ftn16"><sup><sup>[16]</sup></sup></a> <a href="https://en.wikipedia.org/wiki/Malta">https://en.wikipedia.org/wiki/Malta</a></p>
<p><a href="#_ftnref17" name="_ftn17"><sup><sup>[17]</sup></sup></a> <a href="https://en.wikipedia.org/wiki/France">https://en.wikipedia.org/wiki/France</a></p>
<p><a href="#_ftnref18" name="_ftn18"><sup><sup>[18]</sup></sup></a> Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN</a>.</p>
<p><a href="#_ftnref19" name="_ftn19"><sup><sup>[19]</sup></sup></a> Section 2(1)(y) of the Information Technology Act, 2000.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law</a>
</p>
No publisher | vipul | Cyber Security | Internet Governance | 2018-12-23T16:45:02Z | Blog Entry
Electoral Databases – Privacy and Security Concerns
http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns
<b>In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.</b>
<p style="text-align: justify; ">The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.<a href="#_edn1" name="_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> After due consideration, the ECI has decided to drop the plan.<a href="#_edn2" name="_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a></p>
<p style="text-align: justify; ">The plan to partner with Google led to much apprehension about Google gaining access to the database of 790 million voters, including personal information such as age, place of birth and residence. It could also have gained access to cell phone numbers and email addresses where a voter had chosen to enroll via the online portal on the ECI website. Although the plan has been cancelled, this does not mean that the largest database of citizens of India is safe from security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website, and the publication of electoral rolls is mandated by law.</p>
<p style="text-align: justify; "><b>Publication of Electoral Rolls</b><br />The electoral roll essentially contains the name of the voter, the name of a relative and the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creating and maintaining electoral rolls and issuing the Electoral Photo Identity Card (EPIC) was to ensure a free and fair election in which each voter is able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross-referencing the EPIC with the electoral roll.</p>
<p style="text-align: justify; ">The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document<a href="#_edn3" name="_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> given that the roll is published and can be circulated on the direction of the ECI.</p>
<p style="text-align: justify; ">With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.<a href="#_edn4" name="_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> In addition to that, the electoral rolls for the entire country are available on the ECI website.<a href="#_edn5" name="_ednref5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.<a href="#_edn6" name="_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a></p>
<p style="text-align: justify; "><b>Security Concerns</b><br />The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.</p>
<p style="text-align: justify; ">In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “<i>With Great Computing Power Comes Great Surveillance”</i><a href="#_edn7" name="_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain</p>
<p style="text-align: justify; ">For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.</p>
<p style="text-align: justify; "><b>Current IT laws do not mandate the protection of the electoral database</b><br />A centralized electoral database of the entire country can be considered critical information infrastructure (CII), given the impact it may have on elections, which are the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act), CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”<a href="#_edn8" name="_ednref8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> However, the appropriate Government has not notified the electoral database as a protected system.<a href="#_edn9" name="_ednref9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Therefore, the information security practices and procedures prescribed for a protected system are not applicable to the electoral database.</p>
<p style="text-align: justify; ">The Information Technology Rules (IT Rules) are also not applicable to electoral databases, <i>per se</i>. Since the ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (<i>hereinafter</i> Reasonable Security Practices Rules) do not apply to electoral databases. Setting aside the fact that the Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of the definition of “personal information”<a href="#_edn10" name="_ednref10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> and should arguably be made subject to the Rules.</p>
<p style="text-align: justify; ">The intent of the ECI in hosting the entire country’s electoral database online is, <i>inter alia</i>, to provide electronic service delivery to citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”<a href="#_edn11" name="_ednref11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database, given that it has not been notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.</p>
<p style="text-align: justify; ">The IT Act and the IT Rules give the appropriate Government reasonable scope to bring electoral databases within the ambit of protected systems and electronic service delivery. However, the appropriate Government has not taken any steps to notify the electoral database as a protected system or as a mode of electronic service delivery under the existing laws.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />Publication of electoral rolls is a necessary part of the election process. It ensures free and fair elections and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve, because the electronic database may pose a threat to the privacy of voters and also lead to security breaches. It may be argued that the ECI is mandated by law to publish the electoral database and hence is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent therewith. The appropriate Government should take the necessary steps under the IT Act and notify electoral databases as a protected system.</p>
<p style="text-align: justify; ">It is recommended that the Registration of Electors Rules, 1960 be amended, taking into account advances in technology. The Rules should aim at restricting unfettered electronic access to the electoral database and also introduce purpose limitations on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place to regulate the collection, use, storage and processing of databases which are critical to national security.</p>
<div>
<hr align="left" size="1" width="100%" />
<div id="edn1">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref1" name="_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at <a class="external-link" href="http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss">http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss</a></p>
</div>
<div id="edn2">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref2" name="_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a> Press Note No. ECI/PN/1/2014, Election Commission of India, January 9, 2014, available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
<div id="edn3">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref3" name="_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> Section 74, Indian Evidence Act, 1872</p>
</div>
<div id="edn4">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref4" name="_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/the_function.aspx">eci.nic.in/eci_main1/the_function.aspx</a></p>
</div>
<div id="edn5">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref5" name="_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx">http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx</a></p>
</div>
<div id="edn6">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref6" name="_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a> “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database – reg., No. 23/2009-ERS, January 6, 2010, available at <a class="external-link" href="http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf">eci.nic.in/eci_main/eroll&epic/ins06012010.pdf</a></p>
</div>
<div id="edn7">
<p class="MsoEndnoteText"><a href="#_ednref7" name="_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Bill Davidow, With Great Computing Power Comes Great Surveillance, The Atlantic, available at <a class="external-link" href="http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/">http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/</a></p>
</div>
<div id="edn8">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref8" name="_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> Section 70, Information Technology Act, 2000</p>
</div>
<div id="edn9">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref9" name="_edn9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure</p>
</div>
<div id="edn10">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref10" name="_edn10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
</div>
<div id="edn11">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref11" name="_edn11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> Press Note No. ECI/PN/1/2014, Election Commission of India, January 9, 2014, available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns'>http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns</a>
</p>
No publisher | snehashish | Digital Governance, Privacy, Cybersecurity, Data Protection, Internet Governance, Safety, Information Technology, Cyber Security, Security, e-Governance, Transparency, Politics, E-Governance | 2014-01-16T11:07:21Z | Blog Entry
Economics of Cybersecurity: Literature Review Compendium
http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity
<b>The twenty-first century has witnessed an unprecedented conflation of everyday experiences and technosocial practices. The emergence of technologies like the Internet of Things, cloud computing and digital payment infrastructures is emblematic of this conflation of technology with economic, social and political modes of existence.</b>
<hr />
<p style="text-align: justify;" class="moz-quote-pre">Authored by Natallia Khaniejo and edited by Amber Sinha</p>
<hr />
<p style="text-align: justify;" class="moz-quote-pre">Politics and economics are increasingly being amalgamated with cybernetic frameworks, and consequently critical infrastructure has become intrinsically dependent on Information and Communication Technologies (ICTs). The rapid evolution of technological platforms has been accompanied by a concomitant rise in the vulnerabilities that accompany them. Recurrent issues include network externalities, misaligned incentives and information asymmetries. Malicious actors use these vulnerabilities to breach secure systems, access and sell data, and ultimately destabilize cyber and network infrastructures. Additionally, given the relative nascence of the field, establishing regulatory policies without limiting innovation in the space is an additional challenge. The lack of a uniform understanding of the definition and scope of what can be called cybersecurity also serves as a barrier to the implementation of clear guidelines. Furthermore, the contrast between what is convenient and what is ‘sanitary’ in terms of best practices for cyber infrastructures is a constant tussle, with recommendations often being neglected in favour of efficiency. In order to demystify the security space itself and ascertain methods of effective policy implementation, it is essential to take stock of the current initiatives being proposed for the development and implementation of cybersecurity best practices, and to examine their adequacy in a rapidly evolving technological environment. This literature review attempts to document the various approaches being adopted by different stakeholders towards incentivizing cybersecurity, and the economic challenges of implementing them.</p>
<p style="text-align: justify;" class="moz-quote-pre">Click on the links below to read the entire story:</p>
<ul>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-i">Economics of Cybersecurity Part I</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-ii">Economics of Cybersecurity Part II</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iii">Economics of Cybersecurity Part III</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iv">Economics of Cybersecurity Part IV</a></li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity'>http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity</a>
</p>
No publisher | Natallia Khaniejo | Cyber Security, Internet Governance | 2021-05-01T06:09:09Z | Blog Entry
Draft Security Standards for The Financial Technology Sector in India
http://editors.cis-india.org/internet-governance/blog/draft-security-standards-for-the-financial-technology-sector-in-india
<b>Information security standards provide a framework for the secure development, implementation and maintenance of information systems and technology architecture. This document includes draft information security standards which seek to ensure not only that the data of users is handled in a secure and safe manner, but also that smaller businesses in the fintech industry have a specific standard to look to in order to limit their liability for any future breaches.</b>
<p dir="ltr">By: <strong>Vipul Kharbanda</strong>, with inputs from: <strong>Prem Sylvester</strong></p>
<hr />
<p style="text-align: justify;" dir="ltr">Information security standards provide a framework for the secure development, implementation and maintenance of information systems and technology architecture. Regulatory policies often cite several information security standards as a baseline that is to be complied with in order to ensure the adequate protection of information systems as well as associated architecture. Information security standards for the financial industry provide consideration to the specific risks and threats that financial institutions may face, making them an integral part of the process of ensuring business and operational sanctity.</p>
<p style="text-align: justify;" dir="ltr">There is an urgent economic interest in ensuring robust security of the financial technology sector within the country. This interest is amplified considerably by the policy push seeking to shift India towards the realisation of a ‘cashless society’. This recent policy push has in part led to the ubiquitous adoption of technology-centric financial services such as PayTM, PhonePe, Mobikwik and others. The current landscape with respect to security standards for financial institutions in India appears to be multi-pronged, with multiple standards in place for companies to implement.</p>
<hr />
<p><strong>The report can be accessed in full <a href="https://cis-india.org/internet-governance/resources/security-standards-for-the-financial-technology-sector-in-india">here</a>.</strong></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/draft-security-standards-for-the-financial-technology-sector-in-india'>http://editors.cis-india.org/internet-governance/blog/draft-security-standards-for-the-financial-technology-sector-in-india</a>
</p>
No publisher | Vipul Kharbanda | Cyber Security, Security Standards, Financial Technology | 2019-11-18T09:51:36Z | Blog Entry
Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (Delhi, April 07)
http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07
<b>We are proud to announce that Dr. Madan M. Oberoi will be the speaker at the inaugural #FirstFriday@cis_india event at the Delhi office. These events, held on the first Friday of each month, will facilitate open and in-depth discussion and learning on topics crucial to our understanding of internet and society. The event will comprise the speaker's presentation followed by an open discussion. If you are joining us, please RSVP at the earliest, as we have only limited space in our office.</b>
<h3><strong>RSVP</strong></h3>
<p>RSVP using the form at <a class="external-link" href="https://docs.google.com/forms/d/e/1FAIpQLScDm11yYFioyB6ayVih_duMqmKE7qSkwfTefAf76HRjMtF91g/viewform">https://docs.google.com/forms/d/e/1FAIpQLScDm11yYFioyB6ayVih_duMqmKE7qSkwfTefAf76HRjMtF91g/viewform</a>.</p>
<h3><strong>Dr. Madan M. Oberoi</strong></h3>
<p><img src="http://editors.cis-india.org/internet-governance/files/madanoberoi.jpg/image_preview" alt="Dr. Madan M. Oberoi" class="image-inline" title="Madan Oberoi" /></p>
<p>Dr. Madan M. Oberoi is an Indian Police Service (IPS) officer of the 1992 batch. He is a Fulbright Scholar in the area of "Cyber Security" from the University of Washington. He also holds a PhD in the area of cybercrime from the Indian Institute of Technology (IIT), Delhi, a Master’s Degree in ‘Management and Systems’ from IIT Delhi and another Master’s Degree in Police Management.</p>
<p>Till January 2017, he was deployed as Director Cybercrime at INTERPOL in Singapore, with global jurisdiction. As part of this, he supervised the ‘Cyber Fusion Centre’, ‘Cyber Investigation Support’, ‘Cyber Strategy’, ‘Cyber Training’, ‘Cyber Research Lab’, ‘Digital Forensics Lab’ and ‘Innovation Centre’ units of INTERPOL.</p>
<p>Dr. Oberoi has worked as Inspector General of Police, Deputy Inspector General of Police and Superintendent of Police with the Central Bureau of Investigation (CBI), where he headed the Cyber-Crime Cell. He has also worked in the Delhi Police, and in his last posting he headed the Delhi Police’s Special Cell, which is responsible for anti-terror operations.</p>
<p>Dr. Oberoi has served in two UN Peacekeeping Missions. He was head of the Management Information Unit of the UN Mission in Bosnia and Herzegovina at the Mission HQ in Sarajevo. He has also served as Head of the Data Centre at the Mission HQ of the UN Mission in Kosovo in Pristina.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07'>http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07</a>
</p>
No publisher | saikat | Cyber Security, Digital Forensics, #FirstFriday@cis_india, Internet Governance | 2017-04-04T12:06:26Z | Event
Don't dive headlong into money-making schemes on the internet
http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet
<b>If you do fall victim to fraud, file your complaint at RBI's Sachet web site.</b>
<p>The article by Sanjay Kumar Singh was <a class="external-link" href="http://www.business-standard.com/article/current-affairs/don-t-dive-headlong-into-money-making-schemes-on-the-internet-117020600689_1.html">published in the Business Standard</a> on February 7, 2017. Udbhav Tiwari was quoted.</p>
<hr />
<p style="text-align: justify; ">By now you have surely read the news about a Noida-based company called Ablaze Info Solutions, which is said to have defrauded about 700,000 people of Rs 3,700 crore. In this scheme, participants first had to pay a substantial subscription fee to join, after which they were compensated for clicking on links. There were also incentives for bringing in other members, which made it akin to a multi-level marketing (MLM) scheme. Experts advise that investors should do due diligence before putting their money in such schemes. According to cyber experts, this scheme took off because the activity it was pursuing was a legitimate one per se. There is an entire industry on the Internet wherein you can earn money by clicking on links: this improves the traffic on websites and allows them to demand higher advertising rates. Many websites outsource the task of improving traffic to third parties, which in turn recruit people in countries like India for the task. You can also earn money through activities like filling up forms, answering surveys, etc.</p>
<p style="text-align: justify; ">The mistake participants made in this case was to join the scheme without exploring other options. "Many players would have offered a similar level of compensation without demanding a subscription fee. Moreover, the very fact that the company was demanding a substantial subscription fee should have made people suspicious," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru. Before participating in such money-making schemes, spend time doing a detailed background check of the company's credentials, especially if the promised returns are realistic or not. "If the return offered by the company is high compared to the market rates of return, or the company is new, you should be extra cautious. Check various blogs and forums on the internet for possible complaints against the company and its key stakeholders," says Mukul Shrivastava, partner, fraud investigation and dispute services, EY India.</p>
<p style="text-align: justify; ">If you join such a programme, treat it as a warning sign the moment the company defaults on payments, delays them, or avoids your queries. Stop all interactions with it and lodge a complaint with the police. If the company used forged documents, especially ones claiming that the scheme had the approval of a regulator like Sebi, submit them.</p>
<p style="text-align: justify; ">You can also file a complaint at Sachet, a website set up by the Reserve Bank of India (see box). Another option is to contact the Serious Fraud Investigation Office (SFIO) under the Ministry of Corporate Affairs. As the police take up a case usually when many complaints pour in against an entity, motivate other victims to complain, too. The state fights the case on your behalf. Your task after complaining is to cooperate with the investigation and depose in court. Nowadays victims can be compensated under the Criminal Procedure Code as well. They also have the option to file a civil suit for recovering their money.</p>
<p style="text-align: justify; ">Finally, there is a need for new laws to tackle online frauds. "There is a gap both in terms of legislation and effective enforcement. We only have a central 1978 Act for Prize Chits and allied rules in states, which need to be updated," says Nishant Joshi, partner, Shardul Amarchand Mangaldas.</p>
<p style="text-align: justify; "><b>Turn to Sachet</b></p>
<ul>
<li style="text-align: justify; ">RBI has launched a website, sachet.rbi.org.in, where you can complain if you have been cheated by an entity that has illegally collected money from you</li>
<li>The website also provides information on legitimate entities that are authorised to collect money</li>
<li>Many regulators and enforcement agencies take up the complaints filed on this site</li>
<li>Investors don’t have to know the regulator under whose jurisdiction the company they want to complain against falls</li>
<li>You will get an email informing you about the regulator/entity that will take up your case</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet'>http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance | 2017-02-07T15:02:24Z | News Item
Discussion at CyFy on Technology, Policy and National Security: Building 21st Century Curricula in India’s Law Schools
http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools
<b>Arindrajit Basu attended the session and gave comments on the course outline which included thoughts on:</b>
<ol>
<li>Threshold of technical knowledge: comparison with WTO law</li>
<li>Need for India-centric approaches both in domestic and foreign policy</li>
<li>Possibility of executive training of senior diplomats</li>
<li>Need to include fintech security in the syllabus</li>
<li>Necessity of international law as a tool of conflict</li>
<li>Sustained collaboration between think-tanks and universities</li>
</ol>
<p style="text-align: justify; ">The event was organized by the Centre for Communication Governance at National Law University Delhi and the Observer Research Foundation at Villa Medici, Taj Mahal Hotel, Man Singh Road, New Delhi.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools'>http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance, Financial Technology | 2019-10-20T07:23:11Z | News Item
Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression
http://editors.cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression
<b>Michael Oghia will give a presentation which will show why cyber security and online privacy are vital for democracy and freedom of expression.</b>
<p style="text-align: justify; ">At a time when Edward Snowden is fighting both for clemency and to be recognised as a brave whistleblower who exposed government wrongdoing, cyber security and online privacy have never been more important. As <a class="external-link" href="https://www.youtube.com/watch?feature=player_embedded&v=H0I7wi3ZLG8&noredirect=1">Jacob Appelbaum discussed in May last year</a>, and CIS’ Maria Xynou <a href="http://editors.cis-india.org/internet-governance/events/big-democracy-big-surveillance-a-talk-by-maria-xynou" class="external-link">presented recently in December</a>, surveillance throughout the world is increasing. With security apparatuses like the NSA and now India’s Central Monitoring System, coupled with corporate data centres around the world storing our e-mails, address books, preferences and passwords, it is easy to see how our online privacy is increasingly being threatened and, often, violated.</p>
<p style="text-align: justify; ">Indeed, online privacy is inextricably linked to freedom of expression, and freedom of expression is a fundamental civil liberty imperative to democracy. Moreover, online security and privacy are essential to good, transparent and accountable democratic governance. This is largely because surveillance, censorship and monitoring ultimately create environments where self-censorship is the norm, as is fear of the government, instead of spaces that allow for freedom of expression and democratic dialogue and dissent.</p>
<p style="text-align: justify; ">What I would like to accomplish through my speaking at CIS is not merely to educate about the dangers posed to Internet security or to world democracy, but rather to:</p>
<ol>
<li style="text-align: justify; ">Reiterate the importance of digital privacy and cyber security to the success of democracy and the continued protection of free expression.</li>
<li style="text-align: justify; ">Encourage citizens, technology specialists, Internet and privacy advocates, and others to see themselves as part of a larger system of democratic governance and civic participation. This means understanding how technical capabilities intersect with civil society, and then using them to advocate for a more open, accessible, and private cyberspace.</li>
<li style="text-align: justify; ">Reinforce that digital media literacy education is vital to ensuring a free, open, accessible, and democratic Internet.</li>
</ol>
<p style="text-align: justify; ">Additionally, I want to present ideas and recommendations for what you can do to engage with these problems, and how we can collaborate together to address them.</p>
<h3 style="text-align: justify; ">About the Public Intelligence Project</h3>
<p style="text-align: justify; ">The Public Intelligence Project is an independent, non-partisan, not-for-profit think tank conducting research, education, and advocacy on the importance of diversity, critical thinking, dialogue, and freedom of expression. We seek to promote more robust systems of participatory democracy, civic engagement, and conflict prevention in order to create a culture of democracy.</p>
<h3 style="text-align: justify; ">Michael Oghia</h3>
<p style="text-align: justify; ">Michael is responsible for a new project at Meta-Culture called the Public Intelligence Project, which focuses on expanding participatory democracy, civic engagement, and conflict prevention by conducting research, education, and advocacy on the intersections between diversity, dialogue, critical thinking, and freedom of expression. While new to the conflict resolution field, as a poet, musician, editor, writer, blogger, and activist, he is well-versed in the importance of freedom of expression and participating in the democratic process. He was born in Kentucky to Lebanese-Syrian parents, and after graduating with a BS in sociology from the University of Louisville, he moved to Lebanon to pursue an MA in sociology at the American University of Beirut. There, he had the opportunity to witness the Arab Revolutions first-hand while researching topics such as Internet ownership in the Middle East, social movements, Arab media, globalization, Arab youth and family, and his thesis subject, romantic love in the Arab world. Michael enjoys engaging Twitter conversations, and has an unnatural affinity for crunchy peanut butter.</p>
<hr />
<p>Date: Tuesday, January 14, 2014<br />Time: 6.30 p.m. to 8.00 p.m.<br />Talk by: Michael Oghia<br />Title: Research & Advocacy Consultant, and Project Manager<br />Organisation: Meta-Culture / Public Intelligence Project<br />Websites: <a class="moz-txt-link-abbreviated" href="http://www.meta-culture.in">www.meta-culture.in</a> & <a class="moz-txt-link-abbreviated" href="http://www.publicintelligenceproject.org">www.publicintelligenceproject.org</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression'>http://editors.cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression</a>
</p>
No publisher | praskrishna | Social Media, Privacy, Internet Governance, Cyber Security, Event | 2014-01-08T04:59:10Z | Event
Developer team fixed vulnerabilities in Honorable PM's app and API
http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be <a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015">read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<ol style="text-align: justify; ">
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. For example, I was able to comment as any arbitrary user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all: unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify that a valid user is making the request to the API endpoint is now in place. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. People on older versions (which were served over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figured out a way to deal with people running older versions of the app. At least now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">Found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted: a MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps logs of data, which it probably does, then they might already have your email address, passwords etc. in plain text. So if you were using this app,<strong> I would suggest you change your password immediately</strong>. Can’t rule out the possibility of it having been compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API was giving a false sense of security to developers. The access token could easily be fetched, and anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user data (primarily email addresses, and Facebook profile pictures of those registered via Facebook) for any user, and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&amp;token=sometokenvalue”. As you can see, it only required two parameters: userid, which we could easily iterate over starting from 1, and token, which was a fixed value. There was no authentication check at the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like the email addresses of each and every user. I quickly wrote a very simple script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses: using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See:</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I had been able to get in touch with the team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found, but the communication gap cost us a lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on the Google Play store returned a response stating “The email account that you tried to reach is over quota”. I had to get in touch with the authorities via Twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to the authorities on 30th Sep 2015 around 5:30 AM.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerability:</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received a <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s a lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash the app for people running the older versions. The main problem is that <strong>people don’t upgrade to the latest versions, leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it, I think, but it will break for people using older versions, as stated by the developer. Though, they (the developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received an email from one of the developers informing me that they had fixed it. I could not check it at that time as I was busy, but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. As I said before, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why they would introduce personal information in the JSON output again if they knew that it is a privacy problem and had been reported by me a year back. He showed how he was able to follow any user as any user. Similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then, he mentioned it would be difficult to migrate users to a newer/secure version of the app, so they were releasing this patch for the meantime. It was more of a backward compatibility issue because of how the API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for the API. That should take care of most of the vulnerabilities.</p>
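<p style="text-align: justify; ">As an added illustration, not code from the original post or from the app's developers, the following Python sketch puts the design flaw described above (a getprofile endpoint guarded only by a fixed app-wide token, so the caller is never identified) beside the "standard auth" design the post calls for: per-user session tokens, the author of a comment taken from the session rather than from a request parameter, plain HTTP refused with the upgrade message, and private fields returned only to their owner. The user records, the session store and the handler names are constructed for the example; only the endpoint names, the fixed token value and the parameters come from the post.</p>

```python
import secrets
# Constructed sample data: placeholder users, not records from the real app
USERS = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
}
APP_TOKEN = "sometokenvalue"  # one fixed value baked into every copy of the app
SESSIONS = {}                 # hardened design only: session token -> userid

def getprofile_vulnerable(params):
    """Before: only the shared app token is checked; it identifies the app, not the caller."""
    if params.get("token") != APP_TOKEN:
        return {"error": "invalid token"}
    user = USERS.get(int(params["userid"]))   # any userid, full record, email included
    return dict(user) if user else {"error": "no such user"}

def login(userid):
    """Issue a random per-user session token after the (elided) password
    check; every later request must present it as a Bearer token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = userid
    return token

def caller_from(headers):
    """Resolve the requester from the Authorization header, or None."""
    auth = headers.get("Authorization", "")
    return SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None

def getprofile_fixed(params, headers, scheme="https"):
    """After: plain HTTP gets the upgrade message, the caller must be
    authenticated, and private fields are returned only to their owner."""
    if scheme != "https":
        return {"error": "Please update to the latest version of the app"}
    caller = caller_from(headers)
    if caller is None:
        return {"error": "unauthenticated"}
    user = USERS.get(target := int(params.get("userid", caller)))
    if user is None:
        return {"error": "no such user"}
    profile = {"name": user["name"]}
    if target == caller:          # email is private: owner only
        profile["email"] = user["email"]
    return profile

def post_comment_fixed(params, headers, scheme="https"):
    """Author is taken from the session, never from a request parameter."""
    caller = caller_from(headers)
    if scheme != "https" or caller is None:
        return {"error": "unauthenticated"}
    return {"author": caller, "article": params["article"], "text": params["text"]}
```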
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app'>http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app</a>
</p>
No publisher | pranesh | Privacy | Security | Internet Governance | Data Protection | Cyber Security | Hacking | Mobile Apps | Data Management | 2016-12-04T19:08:56Z | Blog Entry