We are anonymous, we are legion

National Cyber Defence Summit 2016

praskrishna — 2016-10-10T12:54:29Z

National Cyber Defence Summit – 2016 was organized by the National Cyber Safety and Security Standards in association with State & Central Governments, Ministry of Defence, Government of India, AICTE & Anna University on 30 September and 1 October 2016 in Chennai. Vanya Rakesh attended the summit.

The Summit focused on multiple issues linked with the current use of cyberspace by the various stake holders and creating awareness of the responsibility associated with the judicious use of this significant and powerful tool, without endangering the fragile security and social framework. The mission of the Summit is to establish a multi-stakeholder consortium that brings together Industry, Government, and Academic interests in an effort to improve the state of Cyber Security on both a domestic and international level. Primarily, the Summit focuses on multiple issues linked with the current use of cyberspace by the various stake holders and creating awareness of the responsibility associated with the judicious use of this significant and powerful tool, without endangering the fragile security and social framework.

In fact this is the one and only High Level Summit which gathers the presence of Multi-Stakeholders from State/Central Governments, Defence, MNCs, PSUs, Academics, PSBs, Intelligence Agencies, Enforcement Agencies and etc. For more info see the website here. Agenda can be viewed here.

For more details visit https://cis-india.org/internet-governance/news/national-cyber-defence-summit-2016

Internet Democratisation: IANA Transition Leaves Much to be Desired

vidushi — 2016-11-03T07:52:37Z

At best, the IANA transition is symbolic of Washington’s oversight over ICANN coming to an end. It is also symbolic of the empowerment of the global multistakeholder community. In reality, it fails to do either meaningfully.

The article was published in the Hindustan Times on October 6, 2016.

Many suspect Washington’s 2014 announcement of handing over control of the IANA contract to be fuelled by the outcry following Edward Snowden’s revelations of the extent of US government surveillance. Source: AFP

September 30, 2016, marked the expiration of a contract between the US government and the Internet Corporation for Assigned Names and Numbers (ICANN) to carry out the Internet Assigned Numbers Authority (IANA) functions.

In simpler, acronym-free terms, Washington’s formal oversight over the Internet’s address book has come to an end with the expiration of this contract, with control now being passed on to the “global multistakeholder community”.

ICANN was incorporated in California in 1998 to manage the backbone of the Internet, which included the domain name system (DNS), allocation of IP addresses and root servers. After an agreement with the US National Telecommunications and Information Administration (NTIA), ICANN was tasked with operating the IANA functions, which includes maintenance of the root zone file of the DNS. Over the years Washington has rejected calls to hand over the control of IANA functions, but in March 2014 it announced its intentions to do so and laid down conditions for the handover. Many suspect the driving force behind this announcement to be the outcry following Edward Snowden’s revelations of the extent of US government surveillance.

The conditions laid down by the NTIA were met, and the US government accepted the transition proposal, amidst much political pressure and opposition, most notably from Senator Ted Cruz.

This transition is a step in the right direction, but in reality, it changes very little as it fails to address two critical issues: Of jurisdiction and accountability.

Jurisdiction is important while considering the resolution of contractual disputes, application of labour and competition laws, disputes regarding ICANN’s decisions, consumer protection, financial transparency, etc. Many of these questions, although not all, will depend on where ICANN is located. ICANN’s new bylaws mention that it will continue to be incorporated in California, and subject to California law just as it was pre-transition. Having the DNS subject to the laws of a single country can only lend to its fragility. ICANN’s US jurisdiction also means that it is not free from the political pressures from the US Senate and in turn, the toxic effect of American party politics that were made visible in the events leading up to September 30.

Another critical issue that the transition does not address is that of ICANN accountability. Post-transition, ICANN’s board will continue to be the ultimate decision-making authority, thus controlling the organisation’s functioning, and ICANN staff will be accountable to the board alone.

To put things in perspective, look at the board’s track record in the recent past. In August, an Independent Review Panel (IRP) found that ICANN’s board had violated ICANN’s own bylaws and had failed to discharge its transparency obligations when it failed to look into staff misbehaviour. Following this, in September, ICANN decided to respond to such allegations of mismanagement, opacity and lack of accountability by launching a review. The review however, would not look into the issues, failures and false claims of the board, but instead focus on the process by which ICANN staff was able to engage in such misbehaviour. This ironically, will be in the form of an internal review that will pass through ICANN staff — the subjects of the investigation — before being taken up to the board.

At best, the transition is symbolic of Washington’s oversight over ICANN coming to an end. It is also symbolic of the empowerment of the global multistakeholder community. In reality, it fails to do either meaningfully.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-october-6-2016-vidushi-marda-internet-democratisation

If all goes well, Indian IT Act may enter 21st century

praskrishna — 2016-10-06T16:49:12Z

The government is aiming to refresh the main law governing information technology by giving it a revamp which it hopes will bring it in tune with the times and address criticisms about its weaknesses, a senior official said on condition of anonymity.

The article by Surabhi Agarwal was published in the Economic Times on October 6, 2016. Sunil Abraham was quoted.

The move is triggered by the realisation that the Information Technology Act passed in 2000 and last amended eight years ago may be wanting in many respects due to advances in technology and its ubiquitousness in nearly every aspect of life.

The government will take a first step by constituting a committee whose job will be to make suggestions to refresh the law. The magnitude of fraud, terrorism, bullying and stalking in cyber space has grown along with advances in technology and its adoption, and these are some of the areas where the law could do with an update.

The government's massive push on Digital India is also leading to significant digitisation of government services and records. In 2000, when the Act was first passed, there were a mere 5 million internet users in the country. India has surpassed the US to become the second-largest Internet market with 436 million users as of June 2016.

"It has been realised that we need more provisions on things such as mobile security, internet of things," the official said. "The last amendment came in 2008, so almost a decade has passed." This person said that there is confusion among various law enforcement agencies regarding the ambit of the IT Act.

Fresh provisions are also required in fields such as how long agencies – both state as well as private – should hold citizens' information, which has been shared by them, for any kind of authentication through means such as emails. Supreme Court advocate and cyber security expert Pavan Duggal called the IT Act an "outdated" piece of legislation.

"The Act and the amendments are in the pre-social media era. Current realities, challenges and the policy aspects of cyberspace have not been addressed," he said. There are no provisions, for instance, for mandatory reporting of cyber-crime and cyber-security breaches, he said. Besides, there are the challenges posed by the dark net where everything from weapons to drugs are being peddled.

"Cyber bullying is the number one problem in Indian schools and universities which is not addressed in the Act. There have been no convictions for cyber stalking which is extremely prevalent in India," Duggal said, suggesting measures such as the setting up of special courts for cyber crime and terror.

In the past couple of years, the government has come under fire for several attempts to bring in laws on encryption, contain pornography and the spread of obscene material online. The Internet and Mobile Association of India (IAMAI) said that while the move to change the Act is welcome, it should be done in an "inclusive" manner with the "widest possible public consultation" and not by a committee which consists only of government representatives.

Subho Ray, president of IAMAI said that while the definition of intermediaries needs to be reviewed and the list expanded, citizens' fundamental rights need to kept in mind while trying to bring back a modified form of Section 66A (it dealt with offences on the internet), which was struck down by the Supreme Court as unconstitutional.

The ministry of electronics and IT is currently trying to form a committee with experts from the private sector, the source said, and cautioned about the prospect of a "long-haul" before changes come about. Sunil Abraham, director of the Centre for Internet and Society (CIS) said that India's data protection laws under Section 43A of the IT Act must be upgraded and this would help Indian companies which export IT-enabled services.

"We also need to apply the principle of equivalence more clearly, which says that if something is illegal offline, it should also be illegal online," said Abraham.

For more details visit https://cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-october-6-2016-if-all-goes-well-indian-it-act-may-enter-twenty-first-century

Services like TwitterSeva aren’t the silver bullets they are made out to be

sunil — 2016-10-06T16:31:51Z

TwitterSeva is great, but it should not be considered a sufficient replacement for proper e-governance systems. This is because there are several serious shortcomings with the TwitterSeva approach, and it is no wonder that enthusiastic police officers and bureaucrats are somewhat upset with the slow deployment of e-governance applications. They are also right in being frustrated with the lack of usability and scalability of existing applications that hold out the promise of adopting private sector platforms to serve citizens better.

Sunil Abraham, executive director of the Centre for Internet and Society, wrote this in response to the FactorDaily story on TwitterSeva, a special feature developed by Twitter’s India team to help citizens connect better with government services. Sunil's article in FactorDaily can be read here.

Let’s take a look at why the TwitterSeva approach is not adequate:

1. Vendor and Technology Neutrality: Providing a level ground for competing technologies in e-governance has been a globally accepted best practice for about 15 years now. This is usually done by using open standards policies and interoperability frameworks.

India does have a national open standards policy, but the National Informatics Centre (NIC) has only published one chapter of the Interoperability Framework for e-Governance .

The thing is, while Twitter might be the preferred choice for urban elites and the middle class, it might not be the choice of millions of Indians coming online. By implicitly signaling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter. Ideally, all interactions that the state has with citizens should be such that citizens can choose which vendor and technology they would like to use. Ideally, the government should have its own work-flow so that it can harvest complaints, feedback and other communications from all social media platforms be it Twitter or Identica, Facebook or Diaspora, and publish responses back onto them.

By implicitly signalling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter

Apart from undermining the power of choice for citizens, lack of vendor and technology neutrality in government use of technology undermines the efficient functioning of a competitive free market, which is the bedrock of future innovation.

When it comes to micro-blogging, Twitter has established a near monopoly in India. There are no clear signs of harm and therefore it would not be wise to advocate that the Competition Commission of India investigate Twitter. However, if the government helps Twitter tighten its grip over the Indian market, it is preventing the next cycle of creative destruction and disruption. Therefore, e-governance applications should ideally only “loosely couple” with the APIs of private firms so that competition and innovation are protected.

2. Holistic Approach and Accountability: Ideally, as the Electronic Service Delivery Bill 2011 had envisaged, every agency within the government was supposed to (within 180 days of the enactment of the Act) do several things: publish a list of services that will be delivered electronically with a deadline for each service; commit to service-level agreements for each service and provide details of the manner of delivery; provide an agency-level grievance redressal mechanism for citizens unhappy with the delivery of these electronic services.

Notwithstanding the 180-day commitment, the Bill required that “all public services shall be delivered in electronic mode within five years” after the enactment of the Bill with a potential three-year extension if the original deadline was not met. The Bill also envisaged the constitution of a Central Electronic Service Delivery Commission with a team of commissioners who “monitor the implementation of this Bill on a regular basis” and publish an annual report which would include “the number of electronic service requests in response to which service was provided in accordance with the applicable service levels and an analysis of the remaining cases.”

The Electronic Service Delivery Bill 2011 had a much more comprehensive and accountable plan for e-governance adoption in the country

Citizens suffering from non-compliance with the provisions of the Bill and unsatisfied with the response from the agency level grievance redressal mechanism could appeal to the Commission. The state or central commissioners after giving the government officials an opportunity to be heard were empowered to impose a fine of Rs 5000.

Unlike the piecemeal approach of TwitterSeva, the Bill had a much more comprehensive and accountable plan for e-governance adoption in the country.

3. Right To Transparency: Some of the interactions that the government has with citizens and firms may have to be disclosed under the obligation emerging from the Right to Information Act for disclosure to the public or to the requesting party. Therefore it is important that the government take its own steps for the retention of all data and records — independent of the goodwill and lifecycles of private firms.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests? Even if the government is not keen on pushing for data portablity as a right for consumers (just like mobile number portability in telecom, so that consumers can seamlessly shift between competing service providers), it absolutely should insist on data portability for all government use.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests?

This will allow it to shift to a) support multiple services, b) shift to competing/emerging services c) incrementally build its own infrastructure and also comply with the requirements of the Right to Information Act.

4. Privacy: Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology.” There is an obsession with collecting as much data as possible from citizens, storing it in centralized databases and providing “dashboards” to bureaucrats and politicians. This is diametrically opposed to the view of the security community.

Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology”

For example, Bruce Schneier posted on his blog in March this year (in a piece titled ‘Data is a Toxic Asset‘) saying: “What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous. This idea has always been part of the data protection law starting with the 2005 EU Data Protection Directive expressed as the principle of “Data Minimization” or “Collection Limitation”. More recently technologists and policy makers also use the phrase “Privacy by Design”. Introducing an unnecessary intermediary or gate-keeper between what is essentially transactions between citizens and the state is an egregious violation of a key privacy principle.”

5. Middle Class and Elite Capture: The use of Twitter amplifies the voices of the English-speaking, elite, and middle class citizens at the expense of the voices of the poor. While elites don’t exhibit fear when tagging police IDs and making public complaints from the comforts of their gated communities with private security guards shielding them the violence of the state, this might be a very intimidating option for the poor and disempowered.

While elites don’t fear tagging police IDs and making public complaints from the comforts of their gated communities, it’s intimidating for the disempowered

While the system may not be discriminatory in its design, it will have disparate impact on different sections of our society. In other words, the introduction of TwitterSeva will exacerbate power asymmetries in our society rather than ameliorating them.

The canonical scholarly reference for this is Kate Crawford’s analysis of City of Boston’s StreetBump smartphone, which resulted in an over-reporting of potholes in elite neighbourhoods and under-reporting from poor and elderly residents. This meant that efficiency in the allocation of the city’s resources was only a cover for increased discrimination against the powerless.

6. Security: The most important conclusion to draw from the Snowden disclosure is that the tin-foil conspiracy theorists who we used to dismiss as lunatics were correct. What has been established beyond doubt is that the United States of America is the world leader when it comes to conducting mass surveillance on netizens across the globe. It is still completely unclear how much access the NSA has to the databases of American social media giants. When the complete police force of a state starts to use Twitter for the delivery of services to the public, then it may be possible for foreign intelligence agencies to use this information to undermine our sovereignty and national security.

For more details visit https://cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be

Not Everyone Plays by the Rules in the Digital Playground: Addressing Online Child Sexual Exploitation

praskrishna — 2016-10-05T15:08:40Z

Japreet Grewal spoke at a panel on 'Prevention through Awareness and Education' at a meeting titled 'Not Everyone Plays by the Rules in the Digital Playground:Addressing Online Child Sexual Exploitation' that was organised by the International Centre for Missing and Exploited Children, Singapore (ICMEC) and TULIR - Centre for the Prevention and Treatment of Child Sexual Abuse, India on October 3-4, 2016 at India Habitat Centre, New Delhi.

Click the links below to access:

For more details visit https://cis-india.org/internet-governance/news/not-everyone-plays-by-the-rules-in-the-digital-playground-addressing-online-child-sexual-exploitation

An 'app'ening world

praskrishna — 2016-10-05T00:24:19Z

A ‘forward’ has been doing the rounds on WhatsApp about the privacy concerns relating to that instant messaging app; it’s asking for permission to share user data with Facebook.

The article by Chetana Divya Vasudev was published in Deccan Herald on October 4, 2016. Rohini was quoted.

In the WhatsApp notification, asking users to agree to the terms and conditions again, the option to share these user details to help improve ads on Facebook is already selected. Those who are uncomfortable parting with this information have to uncheck it before clicking on the ‘I agree’ button.

“Agreeing to this would mean Facebook can see who you’re chatting with and what you’re talking about,” says tech expert Chinmayi S K. “So if you’re talking about cat adoption, the ads displayed on the side could be relevant to that.”

When it comes to other smartphone apps, she cites Zomato as an example. “It has been asking for user history — previous orders and other such details — to make recommendations,” she says. “This comes with the app update. Tinder, too, is asking for your location using wifi, which is more accurate than the GPRS location.”
It’s alright to agree to these permissions, she says, so long as you’re aware of what you’re signing up for and how that data is going to be used.

If you have qualms about agreeing to this, there are usually alternatives you can find, adds Rohini Lakshane, program officer, Centre for Internet and Society. “If not, it’s usually a trade-off: you have to see how much you want the app,” she points out.

There are, however, other apps that might be duplicates asking for access to your device or files, cautions Chinmayi.

“If a cooking app, a simple one that gives you recipes, asks for your call logs or other files, for example,” she says.

A discerning user, interjects Rohini, will check for permission to access files or functions that are not strictly necessary for the features the app supports. “I don’t want to name anything but some e-commerce and travel apps ask to access your browsing history and the other apps or networks you’re connect to. It could be to serve you contextual ads or content, like Zomato, or to sell it to someone. You never know,” she says. However, some devices or versions of the Android OS let you control what permissions you enable, she informs.

Aeronautical engineer Pavan Raj P V says he takes care not to compromise on his safety, whenever possible. “But there are a few apps that I have on my phone no matter what — Facebook, WhatsApp, LinkedIn, Instagram. Most of them auto-update and require no extra permissions.”

However, he has noticed that LinkedIn asks for access to Gmail contacts that you could accidentally accept “if you’re logging in mechanically”.

Varsha C V, communications specialist at Karnataka State Highways Improvement Project, says, “Last month, my husband asked me to download a Google app for free calls that required all sorts of permissions, such as access to your phone logs. When Skype offers the same features without asking for all this, why should anyone use this app?”

She believes privacy in India is not taken as seriously as it should be. “You should keep in mind that if you’re giving them access to your contacts, you’re also compromising on others’ privacy,” she points out.

Lokanand, a sound engineer, admits to not paying attention to what he’s giving apps access to. “I’m no expert but if you ask me, you download apps because they are useful. So I don’t really bother about what I’m saying yes to.”

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-chetana-divya-vasudev-october-4-2016-an-appening-world

Eye on Mumbai

praskrishna — 2016-10-02T10:22:20Z

The feeds will be beamed to a video wall that stretches 21 feet across at the police’s command and control room.

The article by Tariq Engineer was published in Mumbai Mirror today. Sunil Abraham was quoted.

When seven bombs exploded on local trains between Khar and Borivali killing 209 people and injuring 714 in 2006, the Maharashtra police looked for CCTV footage but couldn’t find any because no cameras existed at railway stations back then.

When terrorists landed near Machimar colony in Cuffe Parade in 2008 and proceeded to slaughter hundreds of people in the city, CCTV footage was found only at the Taj and Trident hotels, Chhatrapati Shivaji Terminus and near the Times of India building. Places like Cama Hospital, Nariman House and Leopold Café were simply off the grid.

When Mumbai journalist J Dey was gunned down in Powai in 2011, the police obtained CCTV footage from a shopping centre nearby but it was so blurry, it was useless.

In each of these situations, a fully functioning high-definition CCTV system could have altered the outcome or aided the investigation in critical ways. That glaring gap in Mumbai’s security has now been filled by the Mumbai City Surveillance Project, which officially goes live today.

Over the last 20 months, a total of 4697 cameras have been installed at 1510 locations around Mumbai city. In addition to these, another 146 will survey the Bandra Kurla Complex. The tender for the project was issued in 2015 and won by a consortium led by construction major Larsen & Toubro with MTNL, CMS Computers and Infinova, which supplied the cameras, as partners.

The project is actually an outcome of the 26/11 attacks, having been recommended by the Ram Pradhan Committee, which was appointed to evaluate the city administration’s responses to the terror strike. According to Additional Chief Secretary (Home) KP Bakshi these cameras will ensure roughly 80 per cent of Mumbsi will be watched 24 hours a day, seven days a week. The city’s inhabitants will now have to be on their best behaviour.

“It was the police’s call to decide what they want to observe,” Bakshi said. “Do they want to look at the traffic or at a place where people gamble or do a lot of drinking?” The policeman in charge of selection of spots for installation of cameras was former additional commissioner of police Vasant Dhoble. Calling him a “game-changer”, one of the project managers said it was thanks to Dhoble that all the locations were surveyed in just twoand-a-half months. Dhoble was also instrumental in ensuring that the cameras were installed at the appropriate angles.

While the initial estimate was for 6,000 cameras, it was eventually determined that 4,697 were sufficient at this stage. The cameras have been placed on poles similar to street lights — 2290 of them — some with multiple cameras. “Let’s say there is a pole at Haji Ali Juice Center,” Bakshi said. “It may have three cameras — one looking towards Heera Panna, the other looking towards Mahalaxmi, the third looking towards Worli.”

The vast majority of the cameras — roughly 4200 — will be fixed and stare unblinkingly in one direction. The other 500 will be PTZ, or pan/tilt/zoom cameras, so those watching can scan an area or take a closer look at something that seems suspicious. All of the cameras can see in high definition, with visibility ranging from 50m to 120m. Some of them also have thermal imaging and night vision.

According to those involved in the project, the cameras have been built to withstand the rigours of Mumbai’s weather — specifically the heat and rain. Larsen & Toubro and CMS Computers are responsible for the maintenance of the system. Once the system is fully operational, the target is to have 99% of the cameras live at all times barring accidents. The responsibility for this lies with the service providers.

A smart system

The software that runs the cameras includes a Picture Intelligence Unit (PIU) that will conduct facial recognition analysis. If there is an image of a wanted person in the database, the program will scan the footage for matches and send a signal if it finds any. It will also send an alert if it notices a suspicious object, say one that has been left unattended for a pre-specified amount of time, so the cops can check it out. Tracking police vehicles — like you can follow the path of an Uber or Ola — is yet another feature, so if there is trouble, the nearest vehicle can be dispatched.

By Bakshi’s reckoning, if it is a small crime, then the police should be on the scene in five to ten minutes. If it is something like a bomb blast, then a Quick Response Team will be deployed, which will take a little longer – say 10 to 15 minutes.

Who will be watching you?

The feeds from these cameras will be fed to a video wall that stretches 21 feet across in a control room that has been set up in the Commissioner of Police Headquarters at Crawford Market. The footage will be monitored by about 20 observers who have been specially trained for the job.

However, a project manager said, watching the wall for more than eight minutes “would make anyone mad” because it is so chaotic. Therefore, each observer has his own workstation with three computer screens where he can only watch the feeds he has been assigned.

Entry to the control room is also strictly monitored. It requires five fingerprint access just to get in the room and a thumb print to turn individual workstations on. Mobile phones and personal effects are banned and the computers have no USB ports, so data can’t be copied.

In addition, there are viewing screens in each of the additional commissioner’s zonal offices and in all 23 police stations and roughly 200 observers will eventually be required to operate them. A project manager said he hoped to have a 60-40 or 50-50 split between male and female observers. The observers are monitored by the police, who will decide what actions to take depending on what alerts are generated.

The manpower is being provided by CMS Computers, with applicants having their resumes verified by the police. Observers will spend anywhere from four to six weeks in training before they get on the job, one of the project managers said.

Keeping the data secure

The images from the standard cameras will be stored for 90 days, while those taken with PTZ cameras will be stored for 30 days. “If you store for longer periods, it involves more cost,” Bakshi said. “We feel that if something has to be reported to us, it will be reported within 90 days.”

MTNL has set up a data centre in Worli and a disaster recovery centre in Belapur. If something goes wrong in Worli, there will still be connectivity via Belapur. Both centres have been “tied-up” to make the data as safe as possible. At the test lab at Larsen & Toubro’s project headquarters in Mallet Bunder, they even have a rodent detection device that broadcasts an ultrasonic frequency to drive away rats and stop them from chewing up the wires.

False starts

The project took some time to get off the ground because getting the details worked out was a painstaking elaborate process, former Maharashtra chief secretary ( home) Amitabh Rajan, told Mumbai Mirror. The committee wanted to make sure everything was transparent and that there were no allegations against the project. Control and security were also zealously guarded. “No compromise on security, not even cost,” Rajan said. “Like titration in chemistry, we eventually got the right concentration.”

There was also a battle between a lobby that wanted the system to be set up using dedicated fibre optic cables, and a lobby of technology providers that wanted to use wireless technology. The cops backed cables, which are not only safer but make it easy to add additional bandwidth, whereas wireless networks have limited bandwidth. It was a battle the cops would eventually win but at the cost of time.

The tender process didn’t go smoothly either. Larsen and Toubro were actually the winners of the fourth tender the Maharashtra government put forward. The first tender had to be cancelled because the winning consortium had not properly disclosed its ownership structure — one of the companies turned out to be controlled by a subsidiary of Reliance Industries. The second was cancelled when the vendor’s bank guarantee cheque of Rs 2 crore bounced and the owner disappeared. He was eventually found and arrested two years later.

The third tender received no bidders because it did not offer up-front payment for capital expenditure, according to then IT secretary Rajesh Aggarwal, who was part of the committee. It was finally on the fourth occasion, when the committee decided to offer a certain percentage of the project cost at the start and the rest over the remaining five years as maintenance fees, that a deal could be sealed.

Coordination headache

The next hurdle was coordinating the work between all the different organisations that populate Mumbai. The final total was around 35 or 40 bodies, including the Municipal Corporation of Greater Mumbai (MCGM), BEST and Reliance Power, the police, MMRDA, the Government of India and the High Court. “To explain to everyone that it is a security project and please don’t go by normal rules, you have to give concessions for all these things, all this co-ordination was a big job,” Bakshi said.

It led to delays, which is why the project had to take the extraordinary step of getting permission from the MCGM to dig up roads during the monsoon to lay the fibre-optic cables. It was the only way the project could make its deadline.

“If we had done it like a normal project, it would have taken five years,” an engineer said.

A question of privacy

Two experts in privacy issues that Mirror spoke to said that such a system is in the public interest, but safeguards must be built to prevent abuse. “If the data falls into the wrong hands, it can create havoc,” said Pavan Duggal, an expert in the field of cyber law. “Large scale surveillance of the public should not be the norm, it should be the exemption to the norm.” he said. “It can create unease and lessen the enjoyment of living in a democratic society.”

According to Sunil Abraham, director of the Centre for Internet and Society, the biggest problem is that India does not have an “omnibus privacy law”.

Instead, it has about 50 different laws across sectors and therefore privacy regulations are not consistent, which has created a legal thicket. “110 countries have passed privacy laws to European Union standards. India is really far behind,” he said.

He also listed a number of principles that he hoped the project would abide by, such as the principles of notice (CCTV cameras should be advertised as such), of openness (details of the system should be made public), security (“if you don’t have security, you can’t ensure privacy”) and of access (“we should have a right to get the footage of ourselves”). He also warned against the footage being shared between different security agencies without due process.

Additional Chief Secretary (Home) Bakshi said most of these principles were part of the system. There would be boards demarcating the CCTV cameras, the system would be publicly launched, it was being made as secure as possible and footage could be handed over depending on the circumstances. “If it is your own, then no problem,” Bakshi said. “If it is someone else’s then there are privacy issues. Is it because of criminal intent or you want to track your girlfriend’s other boyfriend to see if he is following her? These are issues. If you want yours, on merit we can give. No issue.”

Another concern Abraham raised is unique to India and the Aadhaar card, which uses biometric data as passwords, not identification. Since the CCTV cameras are high resolution, it raises the risk of someone recreating your iris or finger prints from a captured image and then “somebody could empty your Aadhaarlinked bank accounts,” Abraham said.

This is not as far-fetched as it sounds. Abraham pointed out that in 2014 a member of the Chaos Collective Club, the largest association of hackers in Europe, recreated the finger print of a German minister from a photograph they took of her hand.

“Other risks are smaller, a revealing photograph or someone trying to blackmail you,” Abraham said.

Not just for crime

The camera feed has other applications too, beginning with traffic management. An automatic number plate recognition system will be installed as well. If you look around the corner, don’t see a cop and jump a light, you could still get in trouble. “6000 [sic] police in the sky are watching you and you will get a challan sitting at home,” Aggarwal said. Other uses include tracking of encroachments by the Municipal Corporation of Greater Mumbai which will have an additional viewing centre. Also garbage disposal and other civic issues such as water logging and a subject dear to Mumbai citizens — potholes. “Somebody complains that this road has a pothole, immediately you can zoom in and see that yes, there is a pothole on this road,” Bakshi said.

There is also a provision to allow a further 103 locations to plug-in and play. For example, if the Taj Mahal Hotel wants the police to survey the hotel for a period of time, the hotel’s CCTV system can be hooked up to the main control room within 48 hours. The same goes for the airport or the railway stations.

Effect of CCTV surveillance

Worldwide the academic literature on CCTV surveillance suggests its effectiveness, especially on crime prevention, is uncertain or limited. “Post crime it really, really helps,” Aggarwal said, “but for prevention, we have to wait and watch. If it reduces sexual harassment for example, then that is priceless. Time will tell how people try to beat the system and how the system tries to catch up.”

Joint Commissioner of Police, Law and Order, Deven Bharti said he was already seeing an improvement in traffic management and in prevention and detection of crimes thanks to the 3000-plus cameras that were live when Mirror spoke to him two days ago, though he said he could not provide details. “The system is working to our satisfaction,” Bharti said.

Bakshi said the effects of the system should start showing roughly a month after the project is fully operational. “In Pune, results started being seen within a month. Once all 4700 [cameras] are live, you will start seeing the results on traffic violations, street crimes, and at general discipline level. [First] Let the people know they are under surveillance, that they are completely covered in Mumbai by CCTV.”

The total cost of the project is Rs 1008 crore. Out of this, about Rs 400 crore has already been spent. The balance will be paid out in regular installments until October 2021. At that point the Maharashtra government and Mumbai police will take complete control of the project. “We presume that in five years’ time, we will have enough trained people to run it ourselves,” Bakshi said.

For more details visit https://cis-india.org/internet-governance/news/mumbai-mirror-tariq-engineer-october-2-2016-eye-on-mumbai

WhatsApp ruling: Experts seek privacy law

praskrishna — 2016-09-27T02:35:06Z

On August 25, Whatsapp updated its policy to share user content with social network; the decision opened new monetisation models for the messaging app.

The article by Apurva Venkat and Moulishree Srivastava quoted Sunil Abraham. It was published in the Business Standard on September 24, 2016.

The recent Delhi High Court ruling that messaging app Whatsapp cannot share user data highlights the need for legislation on privacy, according to experts.

On August 25, Whatsapp, a platform with 70 million users in India that was acquired by Facebook in 2014, updated its policy to share user content with the social network. The decision opened new monetisation models for the messaging app.

In response to a PIL, the court ordered WhatsApp to delete data of users who chose to opt out of its policy changes before September 25. It also orderedWhatsApp not to share data collected before September 25 with Facebook for users who had not opted out.

"The decision makes a strong statement on privacy," said Sunil Abraham, executive director of the Centre for Internet Society. According to him, a user trusts a platform and provides access to his data. As another firm acquires the platform, it gains access to the data.

"Facebook owns Whatsapp. It has to look at ways of monetising it," said Nikhil Pahwa, co-founder of SavetheInternet.in.

"With so much digital data being generated, there is a need for a privacy law in the country," said Pahwa.

"Facebook's consent interface is confusing. It can make a person who wants to opt out let the company access his data," said Abraham, adding a law would take care of such intricacies. The government is working on a privacy bill.

Saroj Kumar Jha, partner, SRGR Law Offices, said there were few judgments on privacy in India based on constitutional rights.

"While the Information Technology Act enables courts to pass judgments on global companies on privacy, enforcing the orders is difficult," he said.

"What is required is a privacy law that can protect user data and uphold the individual's right to privacy," he added.

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law

Right to Food Campaign, Ranchi Convention, 2016

sumandro — 2019-03-16T04:40:52Z

The Right to Food Campaign held its 2016 Convention in Ranchi during September 23-25, 2016. While three years have elapsed since the passage of the National Food Security Act, despite improvements in the Public Distribution System (PDS), large implementation gaps remain. This is what the Convention focused on, and gathered researchers and campaigners from across the country to share experiences and case studies on effectiveness and exclusions from the PDS. Sumandro Chattapadhyay took part in a session of the Convention to discuss how UID-linked welfare delivery is being rolled out across key programmes like provision of pension and rationed distribution of essential commodities, and their impact on people's right to welfare services.

Right to Food Campaign: Website.

Right to Food Campaign: Cash Transfers and UID: Our Main Demands.

Ranchi Convention, 2016: Programme.

For more details visit https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016

When the war’s on WhatsApp

praskrishna — 2016-09-25T16:36:01Z

Slick, jingoistic videos are whipping up pro-war rhetoric on social media after the Uri terror attack.

The article by Manju V was published in the Times of India on September 25, 2016. Nishant Shah was quoted.

It packs a meaner punch than any 140-character tweet. In 140 jingoistic seconds, the cleverly packaged YouTube film veers from Mohammed Rafi to Chandra Shekhar Azad drumming up pro-war rhetoric to avenge the Pathankot attack. Set to the tone of chirping crickets on a moonlit night somewhere along the western border that India shares with its neighbour, the short film has two armymen in fatigues deliberate over the absolute need to respond with a counter attack. It ends in a staccato military drumbeat with a voiceover quoting Azad: "If yet your blood does not rage, then it is water that flows in your veins."

Posted about 10 days after the Pathankot attack in January, the video was resurrected last week after the country woke up to the Uri attack that killed 18 Indian soldiers in the deadliest assault on security forces in Kashmir in over two decades. Even as photographs of a grenade smoke-filled valley, tricolour-draped coffins, grieving sons, daughters and widows made the rounds in media outlets scores of Indians marched onto social media, some armed with incendiary prose and other with slick videos that expressed more anger than anguish.

In another video doing the rounds, a jawan, or someone in uniform, sings a poem warning Pakistan. His mates join in the refrain: "Kashmir toh hoga, lekin Pakistan nahi hoga."

These videos of jawans threatening to decimate Pakistan were shared by thousands. WhatsApp profile pictures and statuses were changed, Facebook posts got longer and vitriolic, Twitter #UriAttack exploded with expletives as the enough-is-enough sentiment peaked. It heralded the beginning of an era where the dynamics of Indo-Pakistan relations will play out not just in the diplomatic corridors of Delhi and Islamabad, the valley of Kashmir or the barracks of security forces; but also on the mobile phones, tablets and laptops of millions of Indians.

When contacted for a comment, the makers of the war-mongering 'Pathankot Tolerance' video didn't endorse war outright. "My individual opinion is that war is not a solution," said producer Santosh Singh, who heads the Mumbai-based V Seven Pictures. "Before we resort to war, we have to solve our internal problems. How can we let infiltration take place so blatantly?" he asked. Why then does the video not talk about this? Singh said that when one hears about such attacks, the instant reaction is to retaliate. "The video is based on that sentiment."

An electronics engineer, Singh also owns an IT recruitment firm. His film production company, which he runs along with his friend Vivek Joshi, made the Mauka Mauka World Cup video that went viral and also produces short films and videos for clients. "We have no political affiliations, in fact we turned down a couple of political parties who approached us," says Singh, adding that his company has made 30-35 films in less than two years. "Of these, about 10 are on issues close to our heart, like those on Afzal Guru and the Pathankot attack. We upload them on YouTube, they are aired without ads. We don't earn money from them," he adds.

Ugly gets outlet

Nitin Pai, director of Takshashila Institution, an independent centre for research and education in public policy, says that social media and some television studios have enabled people to express their subconscious fears and desires. "It is not just today that the people of India have been angry with Pakistan for fomenting terrorism in our country. But it is only now that they have ways to express this anger; unfortunately, social media dynamics amplify this anger in a grotesque, distorted manner, allowing the ugly and less-sensible views to rise to the top of the public discourse," said Pai.

Tracing the many origins of this phenomenon, psychiatrist Harish Shetty says that in an angst-ridden, globalized world, we need a whipping boy. "With the Uri attacks, the entire nation had a common enemy. In expressing collective anger, there's catharsis." The current outpouring is not just over the deaths of soldiers; such an incident also opens up older wounds, he says. "For a long time, Indians have found their leaders to be helpless. It's like a family that is attacked again and again by a neighbour, but the father does nothing about it. There has been a lack of strong response from 'papa figures' across time, which has led to a sense of anger and rage. After the Uri attacks, the collective self-esteem of the country took a beating, and people felt a need to assert themselves on social media. At such times strong action is viewed as legitimate, valid and free of guilt," he adds.

Amplifying angst

If social media brought together protesters in Tunisia and Egypt during the Arab spring, in democratic India it has turned into a platform for expressing mass disenchantment with the government, especially in the wake of such attacks.

Social media plays several roles in times of crises, says Nishant Shah, professor of digital media and co-founder of the Centre for Internet & Society, Bengaluru. One, it amplifies what is already being said in friend circles and living-room conversations in front of the telly, but spreads it to a larger audience. "The second role it plays is distribution: social media allows people to inherit other people's opinions, thus exposing them to new ways of thinking but also find corroborators for their own viewpoints," he says. The third is catalysis — social media also has the capacity to generate new information. "The format creates new kinds of truths. Things that can be caught in Snapchat videos, or visuals which can be remixed, all become a part of this zeitgeist," Shah says.

Virtual wars

But in India at least, social media is no indicator of considered public opinion, points out Pai. Shah adds: "What we are seeing is a filter bubble of a privileged set of people who are engaging in this debate."

Then again, what's said on social media needn't be endorsed in real life. Vivek Joshi, who wrote and directed the Pathankot video, says nobody in the world would want a war. "But when it comes to the lives of our soldiers, an answer has to be given. If the government had taken any visible action, then there would have been no need to put out a video like this," Joshi adds. And therein probably comes the new-age heuristic of venting out on social media.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-september-25-2016-manju-vi-when-the-war-is-on-whatsapp

LITD 17 Committee, Bureau of Indian Standards Meeting

praskrishna — 2016-10-07T01:38:00Z

Vanya Rakesh attended the LITD-17 committee meeting (committee on Information Systems Security and Biometrics) organised by the Bureau of Indian Standards on 23 September 2016 in Bengaluru.

The agenda for the meeting included presentation of the draft data privacy standard for India which was proposed before the BIS and its members. Elonnai Hickok and Vanya are a part of the drafting committee for the same. The draft standard was accepted by BIS and would now be circulated for further comments. Click here to read the Agenda.

For more details visit https://cis-india.org/internet-governance/news/litd-17-committee-bureau-of-indian-standards-meeting

Young Scholars' Programme, CPRSouth 2016

praskrishna — 2016-09-23T01:03:13Z

Rohini Lakshané took part in the Young Scholars' Programme organized by Communication Policy Research South from September 6 to 7, 2016 in Zanzibar.

CPRsouth 2016 Young Scholar Awards

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar from 8-10 September. It will include sessions on cutting-edge developments in ICT policy and regulation in the South and discussion of the research-policy interface.

As part of the capacity building initiative, 30 Young Scholars from Africa and the Asia-Pacific region have been selected to participate in a tutorial programme. They will be taught by recognised scholars and practitioners from Africa and Asia, and will be attending the main conference thereafter. Congratulations to the Young Scholars of 2016. See the list here.

For more details visit https://cis-india.org/internet-governance/news/young-scholars-programme-cpr-south-2016

Internet Rights and Wrongs

pranesh — 2016-09-22T23:36:14Z

With a rise in PIL's for unwarranted censorship, do we need to step back and inspect if it's about time unreasonable trends are checked?

The article was published in India Today on September 1, 2016. The original piece can be read here.

Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.

Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies released, without showing even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.

In 2012, hackers got into Reliance Communications servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth-a group MD in Reliance ADA Group-to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law-none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.

In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition-which I have had the misfortune of having read carefully-does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.

The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?

For more details visit https://cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs

The Future of Privacy in the Age of Big Data

praskrishna — 2016-09-22T23:24:16Z

A study tour on privacy and big data was organised by Friedrich Naumann Foundation for Freedom from September 3 to 10, 2016 in Berlin and Hamburg. Vanya Rakesh was one of the participants from South Asia who went for the tour.

List of Participants

Shahid Ahmad, Deputy Director, Digital Empowerment Foundation
Shahzad Ahmad, Country Director, Bytes for All
Shivam Satnani, Senior Analyst, Data Security Council of India
Vanya Rakesh, Senior Policy Officer, Centre for Internet & Society
Anja Kovacs, Director, Internet Democracy Project
Tshering Cigay Dorji, CEO, Thimphu Tech Park
Vrinda Bhandari, Lawyer and Journalist, Chambers of Trideep Pais (Anwaltskanzlei)
Tahsin Ifnoor Sayeed, Head of Business Intelligence, DNet

Click to see the Agenda

For more details visit https://cis-india.org/internet-governance/news/study-tour-on-future-of-privacy-in-age-of-big-data

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks