We are anonymous, we are legion

Hammered government offers Virtual ID firewall to protect your Aadhaar

Admin — 2018-01-16T23:34:12Z

Days after reports surfaced claiming security breaches, the Unique Identification Authority of India (UIDAI) on Wednesday announced the implementation of a new security protocol that would remove the need to divulge Aadhaar numbers during authentication processes and limit third-party access to KYC details.

The article was published in New Indian Express on January 11, 2018.

Admitting that the “collection and storage of Aadhaar numbers by various entities has heightened privacy concerns”, the UIDAI circular said Authentication User Agencies (AUAs) providing Aadhaar services have to be ready to implement the protocol from March 1, 2018. From June 1 use of Virtual ID for authentication would be mandatory.

The linchpin of the new protocol will be the virtual ID (VID) — a “temporary, revocable 16-digit random number” that can be used instead of Aadhaar to verify or link services. VIDs will have a limited validity and can be generated only by the Aadhaar holder. “UIDAI will provide various options to generate, retrieve and replace VIDs… these will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centre, mAadhaar mobile application, etc.,” it said. While only one VID per Aadhaar number will be valid at a time, users can revoke and generate new VIDs as many times as desired.

UIDAI will also limit KYC details accessible by AUAs by classifying them as Global AUAs, which are required to use Aadhaar e-KYC by law, and Local AUAs. Only the former will have full access to e-KYC details and can store Aadhaar numbers. Local AUAs will only have access to limited KYC details and be prohibited from storing Aadhaar numbers. UIDAI will also generate UID tokens which will be used to identify customers within agencies’ systems, but these will not be usable by other AUAs.

However, cybersecurity experts say that even if the new “patch” is effective, verification processes will have to be redone to prevent misuse of already-leaked Aadhaar numbers. “The concept is attractive, but the devil is in the details,” observed Pavan Duggal, cyberlaw expert, adding that the new system does not address those who have already gained unauthorised access to Aadhaar numbers. Sunil Abraham, executive director, Centre for Internet and Society, was more categorical. “If it has to be effective, they will have to redo (Aadhaar-KYC) from scratch.”

For more details visit https://cis-india.org/internet-governance/news/indian-express-january-11-2018-

Hakon 2016

praskrishna — 2016-10-15T10:04:41Z

Udbhav Tiwari attended attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India,on behalf of CIS under the Hewlett Cyber Security Project.

Hakon 2016 was the third edition of the conference which has been organised by Ninja Information Security Systems, an ISO 27001:2013 & 9001:2008 certified training organisation and the primary sponsor of the conference from Indore. The conference was efficiently organised, had about 150 to 200 people attending overall and provided an unique window into the non-tech hub/big city ethical hacker ecosystem and their place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market & Digital Terrorism, with a fair mix of participants from the industry, academia and the government. The conference website can be looked up at http://www.hakonindia.org/ for further details, including a look at past editions of the conference.

The technical workshops held during the first two days of the conference were well organised and networking with the teachers during and mostly at the end of the conference was very helpful in understanding a practitioners perspective on cutting edge aspects of cyber security. This was particularly true for Chuck Easttom Williams, an accomplished cyber security expert from the USA who regularly trains government agencies and in a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.

For more details visit https://cis-india.org/internet-governance/news/hakon-2016

Hacking without borders: The future of artificial intelligence and surveillance

maria — 2013-07-12T15:30:27Z

In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.

Combat Zones That See (CTS)

Source: swanksalot on flickr

Ten years ago DARPA started funding the Combat Zones That See (CTS) project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.

Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that 40 million surveillance cameras were already in use around the world by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. Police in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.

However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.

Mind´s Eye

Source: watchingfrogsboil on flickr

A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a thinking camera. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with ´visual intelligence´. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to predict future human activities and situations.

Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. General James Cartwright, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying operationally significant activity and predicting outcomes.

Mounting these smart cameras on drones is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?

SyNAPSE

Source: A Health Blog on flickr

The Terminator could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) programme. Is DARPA funding the creation of the Terminator? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.

SyNAPSE is a programme which aims to develop electronic neuromorphic machine technology which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received $102.6 million in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create biological neural systems which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s cognitive computers would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.

Although this original type of computational device could be beneficial to predict natural disasters and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.

Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.

Brain-Computer Interface (BCI)

Remember Orwell's ´Thought Police´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in 1984. Unlike the ´Thought Police´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can literally read our thoughts.

Once again, DARPA appears to be funding one of the world´s most innovative projects: the Brain-Computer Interface (BCI). The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph - an EEG) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely thinking of the action.

Ten years ago it was reported that the brains of rats and monkeys could control robot arms through the use of such technologies. A few years later brainstem implants were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as to control robotic limbs with their thoughts. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally thinking about them, while using a BCI.

Brain-controlled robotic limbs could change the lives of disabled persons, but ethical concerns have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out sensitive data, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the P300 response, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to DARPA:

´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´

This constitutes the human brain as a new warfighting domain of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.

Security expert, Barnaby Jack, of IOActive demonstrated the vulnerability of biotechnological systems, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.

Will BCI be used in the future to interrogate terrorists and suspects? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our thoughts - can potentially be hacked? Human rights are essential because they protect us from those in power; but the privacy of our thoughts is even more important, because without it, we can have no human rights, no individuality.

Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.

Apparently, anyone can buy Emotiv or Neurosky BCI online to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.

For more details visit https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance

Hacking of SIM card by spy agencies raises fears of sensitive documents being leaked

praskrishna — 2015-03-09T01:31:39Z

The hacking of SIM-card and digital security services provider Gemalto by American and British spy agencies has raised fears that sensitive communications, by the Indian government and hundreds of domestic companies, may have been at the risk of being spied on.

The article by PK Jayadevan and Neha Alawadhi was published in the Economic Times on February 25, 2015. Pranesh Prakash and Sunil Abraham were quoted.

The Netherlands-based Gemalto was jointly hacked by the US National Security Agency and Britain's Government Communications Headquarters, and encryption keys were stolen to monitor mobile communications, according to a news report published last week.

India's largest telecom vendors including Airtel, Vodafone and Idea Cellular use SIM cards supplied by Gemalto, the world's biggest maker of mobile-phone chips and provider of secure devices such as smart cards and tokens. Online publisher The Intercept in its report named Idea Cellular as one of the networks from which the spy agencies accessed encryption keys.

"Phone calls and text messages by military, government, diplomats, spy corporations and by ordinary citizen of India - all of those get affected by this hack," said Pranesh Prakash, Policy Director at research and advocacy firm Centre for Internet and Society.

The Intercept, which accessed top secret documents provided by NSA whistleblower Edward Snowden, said American and British spies dug into the private communications of Gemalto engineers and other employees to steal encryption keys.

Gemalto provides security services such as two-factor authentication and access management, and has hundreds of clients in India. The company in 2012 said it provided 25 million e-driver's licences and vehicle registration certificates in India that let the government "consolidate driver and vehicle registration information across the population in a central repository".

"We believe that the biggest risk stands for the large number of Vodafone users in the country as the company has deployed Gemalto's Near Field Communication services solutions to provide secure and convenient 'wave and pay' contactless transactions via mobile phone," said Sanchit Vir Gogia, Chief Analyst and Group CEO, Greyhound Research.

"We have no further details of these allegations, which are industry-wide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations," said a Vodafone spokesperson in an email response.

Emails to Idea and Airtel were unanswered till the time of going to Press.

"Indian operators typically go for cheaper Chinese vendors that are anyway low on security. Among the European SIM vendors, Gemalto has the largest share in India," said a senior mobile services executive, requesting anonymity.

The report on the hack comes at a time when Gemalto was looking to tap the Indian market, including e-governance initiatives. The company in a recent email to ET said it had plans to expand its center of excellence in India to develop multiple products, offer tech support and provide security solutions for the domestic market.

"We take this (breach) very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated attacks to obtain SIM card data," a Gemalto spokesperson said. "The target was not Gemalto, per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible."

Initial investigations indicate that SIM products as well as banking cards, passports and other products and platforms are secure, the company said. Gemalto is expected to announce the results of its investigation on Wednesday. British and US spy agencies have been under fire for hacking and spying on citizens after Snowden in mid-2013 began leaking documents that revealed massive surveillance programmes by the two governments. At the time, the Indian government said the NSA was only collecting meta-data and had no access to the actual contents of phone calls or text messages.

Experts suggest a multinational consensus or treaty that strikes a balance between national security concerns and privacy.

"Governments will have to debate this in the United Nations and some kind of rules for surveillance, maybe treaties, are relevant in the future," said Kamlesh Bajaj, Chief Executive at Data Security Council of India. "They shall have to have some kind of a limit to surveillance. They can't be vacuuming all data in the name of finding a needle in the haystack."

Sunil Abraham, Executive Director at Center for Internet and Society, suggested the Indian government should replace proprietary operating systems and Android on phones with pure free software projects, use of virtual private network on phones to carry voice and data traffic, and encrypt voice and data payloads separately.

"When it comes to all the other services provided by Gemalto, the India government should insist that they will do key management on their own. This will also mitigate the compromise of Gemalto's enterprise networks by the NSA," he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-jayadevan-pk-neha-alawadhi-february-25-2015-hacking-of-sim-card-by-spy-agencies-raises-fears-of-sensitive-documents-being-leaked

Hackers Take Protest to Indian Streets and Cyberspace

praskrishna — 2012-06-18T04:02:21Z

First there was self-styled Gandhian activist Anna Hazare who took to the streets to protest corruption. Now a group agitating against censorship on the Internet has arrived in India.

This article by Shreya Shah was published in the Wall Street Journal on June 8, 2012 Pranesh Prakash is quoted in this article.

Only this time, the location is cyberspace and their modus operandi hacking.

In the last few months, Anonymous –a group of hackers, or hacktivists as they like to call themselves –has gone after Web sites of political parties, government sites and Internet service providers, the latest being MTNL, to protest censorship on the Internet.

The group says they are opposing laws including the 2008 Information Technology (Amendment) Act and the Information Technology (Intermediaries Guidelines) Rules of 2011, which they say unfairly restrict Internet freedom.

On Saturday, the hackers will take their protest to the streets, with an Occupy Wall Street-style march called ”Operation Occupy India” planned in 17 cities including Mumbai, Delhi, Indore in Madhya Pradesh, Nagpur in Maharashtra and Kundapur in Karnataka. The group has requested all protestors to wear Guy Fawkes masks, the symbol of Anonymous.

“This time the common man wants to help us,” an “anon,” which is what members of the group call themselves, told India Real Time.

Anonymous, which has a global presence, catapulted to fame with its attacks on Visa, Mastercard and Paypal.

This is how the group attacks Web sites: It overwhelms them with thousands of requests from different computer systems simultaneously. The Web site is unable to handle the load and crashes.

The group intensified its attacks after Internet Service Providers like Reliance, MTNL and Airtel temporarily blocked file sharing sites like Vimeo, Dailymotion, Patebin and Pirate bay, citing a Court order.

But many question the method used by Anonymous.

“I don’t believe in defacing or hacking government Web sites to prove a point,” says Ankit Fadia, a cyber security expert. “You can’t hold the government ransom,” he adds.

In an open letter to the government, Anonymous India defended its actions. It wrote that traditional ways of protesting are losing meaning and this is a new method to pressure the politicians.

Members of the group say that like a regular protest on the street, they too block the infrastructure of their opponents. Except in this case, the infrastructure is located in cyberspace.

This is a “geek method of attacking,” said the anon who spoke to India Real Time. The group does not plan to attacks sites like that of the Indian railways, for instance, which is used by the masses, he explained.

But not everyone is convinced.

The group attacked the Web site of India’s Supreme Court even when it says it does not attack Web sites used by the common man, says Pranesh Prakash, Program Director of the Center for Internet and Society.

The IT Act is another reason Anonymous is protesting. The Act gives the government the power to remove content it finds offensive. The government can also restrict public access to a Web site.

Anonymous is also protesting the Intermediary Guidelines of 2011. According to this Act, a site that hosts offensive content will have to remove it within 36 hours of a complaint against it.

As a result, Web sites like Google and Facebook are facing criminal cases for hosting objectionable content on their site.

“This government does not stand for censorship; this government does not stand for infringement of free speech. Indeed, this government does not stand for regulation of free speech,” Kapil Sibal, the Communications and Information Technology Minister told the Rajya Sabha, or the upper house of the Indian Parliament, last month.

Pranesh Prakash, of the Center for Internet and Society told India Real Time that he does not believe that Anonymous will influence policy makers. He says that the main aim of a protest is to get media attention, and in turn get the attention of the people.

But he agrees that India’s cyber laws are “hopelessly flawed” and create a framework by which not only the government but everyone can censor.

He adds, “The laws are a greater threat than Anonymous.”

Photo Source: Joel Saget/Agence France-Presse/Getty Images

For more details visit https://cis-india.org/news/hackers-take-protest-to-indian-streets-and-cyberspace

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Hack Night in CIS ― A Meeting of Java Script Hackers

Tom Dane — 2011-10-27T11:36:26Z

CIS hosted a hack night in conjunction with the tech-event organizers HasGeek at its office on 24 September 2011. The event brought together local java script hackers on a common platform. Tom Dane and Kiran Jonnalagadda participated in the event.

The idea behind hosting the event was to have fun building cool stuff. The participants met in the afternoon to decide on projects and group into teams, and then Sudar Muthu gave an explanation of node.js and its usage for the hack. There were also some very cool free t-shirts. Much code was written and caffeine shared until the morning when the projects were uploaded online.

One project was a game allowing players to pass a ball between computers. The source code is available here on GitHub. Aditya Yadav also worked on the beautiful jsFoo website during the night. Our friends from HasGeek made a short video showing a snippet of the event:

Below is the full list of participants:

Kiran Jonnalagadda
Aditya Yadav
Ritesh Kadmawala
MS Prakas Kumar Chakka
Amarjit Singh
Arun Kumar
Sudar Muthu
Aravinda VK
Ciju Cherian and
Pradip Caulagi

If you feel sad missing an event like this, be excited because HasGeek is hosting Droidcon India next month.
About Hasgeek
HasGeek is a developer-led initiative, and has been un-organising the unconference scene since 2010. HasGeek is an attempt to solve the problem of insipid conferences organised around buzzwords by uninterested, soulless corporate entities who pitch them as company training events or as places for companies to pick up hot developers.

For more info on Hasgeek, click here
For info on jsFoo, click here

For more details visit https://cis-india.org/internet-governance/hacking-cis

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts

Habeas Data in India

Vipul Kharbanda and edited by Elonnai Hickok — 2016-12-10T04:01:40Z

Habeas Data is a latin word which can be loosely translated to mean “have the data”. The right has been primarily conceptualized, designed, ratified, and implemented by various nation-states in the background of a shared common history of decades of torture, terror, and other repressive practices under military juntas and other fascist regimes.

Download the Paper (PDF)

Introduction

The writ of habeas data was a distinct response to these recent histories which provided individuals with basic rights to access personal information collected by the state (and sometimes byprivate agencies of a public nature) and to challenge and correct such data, requiring the state to safeguard the privacy and accuracy of people's personal data.[1]

The origins of Habeas Data are traced back, unsurprisingly, to the European legal regime since Europe is considered as the fountainhead of modern data protection laws. The inspiration for Habeas Data is often considered to be the Council of Europe's 108th Convention on Data Protection of 1981.[2] The purpose of the Convention was to secure the privacy of individuals regarding the automated processing of personal data. For this purpose, individuals were granted several rights including a right to access their personal data held in an automated database.[3]

Another source or inspiration behind Habeas Data is considered to be the German legal system where a constitutional right to information self-determination was created by the German Constitutional Tribunal by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.[4]

Habeas Data is essentially a right or mechanism for an individual complaint presented to a constitutional court, to protect the image, privacy, honour, information self-determination and freedom of information of a person. [5]

A Habeas Data complaint can be filed by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public.[6]

Habeas Data in different jurisdictions

Habeas Data does not have any one specific definition and has different characteristics in different jurisdictions. Therefore, in order to better understand the right, it will be useful to describe the scope of Habeas Data as it has been incorporated in certain jurisdictions in order to better understand what the right entails:[7]

Brazil

The Constitution of Brazil grants its citizens the right to get a habeas data “a. to assure knowledge of personal information about the petitioner contained in records or data banks of government agencies or entities of a public character; b. to correct data whenever the petitioner prefers not to do so through confidential judicial or administrative proceedings;[8]

The place or tribunal where the Habeas Data action is to be filed changes depending on who is it presented against, which creates a complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:

The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
The Superior Justice Tribunal for actions against Ministers or itself;
The regional federal judges for actions against federal authorities;
State tribunals according to each state law;
State judges for all other cases.[9]

Paraguay
The Constitution of Paraguay grants a similar right of habeas data in its constitution which states:

"All persons may access the information and the data that about themselves, or about their assets, [that] is [obren] in official or private registries of a public character, as well as to know the use made of the same and of their end. [All persons] may request before the competent magistrate the updating, the rectification or the destruction of these, if they were wrong or illegitimately affected their rights."[10]

Compared to the right granted in Brazil, the text of the Paraguay Constitution specifically recognises that the citizen also has the right to know the use his/her data is being put to.

Argentina

Article 43 of the Constitution of Argentina grants the right of habeas data, though it has been included under the action of “amparo”,[11] the relevant portion of Article 43 states as follows:

"Any person may file an amparo action to find out and to learn the purpose of data about him which is on record in public registries or data banks, or in any private [registers or data banks] whose purpose is to provide information, and in case of falsity or discrimination, to demand the suppression, rectification, confidentiality, or updating of the same. The secrecy of journalistic information sources shall not be affected."[12]

The version of Habeas Data recognised in Argentina includes most of the protections seen in Brazil and Paraguay, such as the right to access the data, rectify it, update it or destroy it, etc. Nevertheless, the Argentinean constitution also includes certain other features such as the fact that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. Another feature of the Argentinean law is that it specifically excludes the press from the action, which may be considered as reasonable or unreasonable depending upon the context and country in which it is applied.[13]

Venezuela
Article 28 of the Constitution of Venezuela established the writ of habeas data, which expressly permits access to information stored in official and private registries. It states as follows:

"All individuals have a right to access information and data about themselves and about their property stored in official as well as private registries. Secondly, they are entitled to know the purpose of and the policy behind these registries. Thirdly, they have a right to request, before a competent tribunal, the updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements. The law shall establish exceptions to these principles. By the same token, any person shall have access to information that is of interest to communities and groups. The secrecy of the sources of newspapers-and of other entities or individuals as defined by law-shall be preserved."[14]

The Venezuelan writ of habeas data expressly provides that individuals "are entitled to know the purpose of and the policy behind these registries." Also, it expresses a right to "updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements." Article 28 also declares that the “secrecy of the sources of newspapers and of other entities or individuals as defined by law-shall be preserved."[15]

Philippines

It is not as if the remedy of Habeas Data is available only in Latin American jurisdictions, but even in Asia the writ of Habeas Data has been specifically granted by the Supreme Court of the Philippines vide its resolution dated January 22, 2008 which provides that “The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.” According to the Rule on Writ of Habeas Data, the petition is to be filed with the Regional Trial Court where the petitioner or respondent resides, or which has jurisdiction over the place where the data or information is gathered, collected or stored, at the option of the petitioner. The petition may also be filed with the Supreme Court or the Court of Appeals or the Sandiganbayan when the action concerns public data files of government offices.[16]

Two major distinctions are immediately visible between the Philippine right and that in the latin jurisdictions discussed above. One is the fact that in countries such as Bazil, Argentina and Paraguay, there does not appear to be a prerequisite to filing such an action asking for the information, whereas in Philippines it seems that such a petition can only be filed only if an individual’s “right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission”. This means that the Philippine concept of habeas data is much more limited in its scope and is available to the citizens only under certain specific conditions. On the other hand the scope of the Philippine right of Habeas Data is much wider in its applicability in the sense that this right is available even against private individual and entities who are “engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence”. In the Latin American jurisdictions discussed above, this writ appears to be available only against either public institutions or private institutions having some public character.

Main features of Habeas Data

Thus from the discussion above, the main features of the writ of habeas data, as it is applied in various jurisdictions can be culled out as follows: [17]

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[18]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

Since the writ of Habeas Data has been established and evolved primarily in Latin American countries, there is not too much literature on it available freely in the English language and that is a serious hurdle in researching this area. For example, this author did not find many article mentioning the scope of the writ of habeas data, for example whether it is an absolute right and on what grounds can it be denied. The Constitution of Venezuela, for example, specifies that the law shall establish exceptions to these principles and infact mentions the secrecy of sources for newspapers as an exception to this rule.[19]

Similarly in Argentina, there exists a public interest exception to the issuance of the writ of Habeas Data.[20]

That said, although little literature on the specific exceptions to habeas data is freely available in English, references can still be found to exceptions such as state security (Brazil), secrecy of newspaper sources (Argentina and Venezuela), or other entities defined by law (Venezuela).[21]

This suggests that the, as would be expected, the right to ask for the writ of habeas data is not an absolute right but would also be subject to certain exceptions and balanced against other needs such as state security and police investigations.

Habeas Data in the context of Privacy

Data protection legislation and mechanisms protect people against misuse of personal information by data controllers. Habeas Data, being a figure for use only by certain countries, gives the individuals the right to access, correct, and object to the processing of their information.

In general, privacy is the genus and data protection is the species, data protection is a right to personal privacy that people have against the possible use of their personal data by data controllers in an unauthorized manner or against the requirements of force. Habeas Data is an action that is brought before the courts to allow the protection of the individual’s image, privacy, honour, self-determination of information and freedom of information of a person. In that sense, the right of Habeas Data can be found within the broader ambit of data protection. It does not require data processors to ensure the protection of personal data processed but is a legal action requiring the person aggrieved, after filing a complaint with the courts of justice, the access and/or rectification to any personal data which may jeopardize their right to privacy.[22]

Habeas Data in the Indian Context

Although a number of judgments of the Apex Court in India have recognised the existence of a right to privacy by interpreting the fundamental rights to life and free movement in the Constitution of India,[23]

the writ of habeas data has no legal recognition under Indian law. However, as is evident from the discussion above, a writ of habeas data is very useful in protecting the right to privacy of individuals and it would be a very useful tool to have in the hands of the citizens. The fact that India has a fairly robust right to information legislation means that atleast some facets of the right of habeas data are available under Indian law. We shall now examine the Indian Right to Information Act, 2005 (RTI Act) to see what facets of habeas data are already available under this Act and what aspects are left wanting. As mentioned above, the writ of habeas data has the following main features:

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[24]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

We shall now take each of these features and analyse whether the RTI Act provides any similar rights and how they differ from each other.

Right to seek his/her information contained with a data registry

Habeas data enables the individual to seek his or her information contained in any data registry. The RTI Act allows citizens to seek “information” which is under the control of or held by any public authority. The term information has been defined under the RTI Act to mean “any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force”.[25]

Further, the term “record” has been defined to include “(a) any document, manuscript and file; (b) any microfilm, microfiche and facsimile copy of a document; (c) any reproduction of image or images embodied in such microfilm (whether enlarged or not); and (d) any other material produced by a computer or any other device”. It is quite apparent that the meaning given to the term information is quite wide and can include various types of information within its fold. The term “information” as defined in the RTI Act has been further elaborated by the Supreme Court in the case of Central Board of Secondary Education v. Aditya Bandopadhyay,[26]

where the Court has held that a person’s evaluated answer sheet for the board exams held by the CBSE would come under the ambit of “information” and should be accessible to the person under the RTI Act.[27]

An illustrative list of items that have been considered to be “information” under the RTI Act would be helpful in further understanding the concept:

Asset declarations by Judges;[28]
Copy of inspection report prepared by the Reserve Bank of India about a Co-operative Bank;[29]
Information on the status of an enquiry;[30]
Information regarding cancellation of an appointment letter;[31]
Information regarding transfer of services;[32]
Information regarding donations given by the President of India out of public funds.[33]

The above list would indicate that any personal information relation to an individual that is available in a government registry would in all likelihood be considered as “information” under the RTI Act.

However, just because the information asked for is considered to come within the ambit of section 2(h) does not mean that the person will be granted access to such information if it falls under any of the exceptions listed in section 8 of the RTI Act. Section 8 provides that if the information asked falls into any of the categories specified below then such information shall not be released in an application under the RTI Act, the categories are:

"(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;
(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;
(c) information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;
(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;
(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;
(f) information received in confidence from foreign Government;
(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;
(h) information which would impede the process of investigation or apprehension or prosecution of offenders;
(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:
Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:
Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person."

The above mentioned exceptions seem fairly reasonable and infact are important since public records may contain information of a private nature which the data subject would not want revealed, and that is exactly why personal information is a specific exception mentioned under the RTI Act. When comparing this list to the recognised exceptions under habeas data, it must be remembered that a number of the exceptions listed above would not be relevant in a habeas data petition such as commercial secrets, personal information, etc. The exceptions which could be relevant for both the RTI Act as well as a habeas data writ would be (a) national security or sovereignty, (b) prohibition on publication by a court, (c) endangering the physical safety of a person, (d) hindrance in investigation of a crime. It is difficult to imagine a court (especially in India) granting a habeas data writ in violation of these four exceptions.

Certain other exceptions that may be relevant in a habeas data context but are not mentioned in the common list above are (a) information received in a fiduciary relationship; (b) breach of legislative privilege, (c) cabinet papers; and (d) information received in confidence from a foreign government. These four exceptions are not as immediately appealing as the others listed above because there are obviously competing interests involved here and different jurisdictions may take different points of view on these competing interests.[34]

Available only against public (government) entities or entities having public character.

A habeas corpus writ is maintainable in a court to ask for information relating to the petitioner held by either a public entity or a private entity having a public character. In India, the right to information as defined in the RTI Act means the right to information accessible under the Act held by or under the control of any public authority. The term "public authority" has been defined under the Act to mean “any authority or body or institution of self-government established or constituted—

(a) by or under the Constitution;
(b) by any other law made by Parliament;
(c) by any other law made by State Legislature;
(d) by notification issued or order made by the appropriate Government, and includes any— (i) body owned, controlled or substantially financed; (ii) non-Government organisation substantially financed, directly or indirectly by funds provided by the appropriate Government;"[35]

Therefore most government departments as well as statutory as well as government controlled corporations would come under the purview of the term "public authority". For the purposes of the RTI Act, either control or substantial financing by the government would be enough to bring an entity under the definition of public authority.[36]

The above interpretation is further bolstered by the fact that the preamble of the RTI Act contains the term “governments and their instrumentalities".[37]

Right to correct wrong information
While certain sectoral legislations such as the Representation of the People Act and the Collection of Statistics Act, etc. may provide for correction of inaccurate information, the RTI Act does not have any such provisions. This stands to reason because the RTI Act is not geared towards providing people with information about themselves but is instead a transparency law which is geared at dissemination of information, which may or may not relate to an individual.

Available upon approaching a single judicial forum
While the right of habeas data is available only upon approaching a judicial forum, the right to information under the RTI Act is realised entirely through the bureaucratic machinery. This also means that the individuals have to approach different entities in order to get the information that they need instead of approaching just one centralised entity.

Conclusion

There is no doubt that habeas data, by itself cannot end massive electronic surveillance of the kind that is being carried out by various governments in this day and age and the excessive collection of data by private sector companies, but providing the citizenry with the right to ask for such a writ would provide a critical check on such policies and practices of vast surveillance.[38]

An informed citizenry, armed with a right such as habeas data, would be better able to learn about the information being collected and kept on them under the garb of law and governance, to access such information, and to demand its correction or deletion when its retention by the government is not justified.

As we have discussed in this paper, under Indian law the RTI Act gives the citizens certain aspects of this right but with a few notable exceptions. Therefore, if a writ such as habeas data is to be effectuated in India, it might perhaps be a better idea to approach it by amending/tweaking the existing structure of the RTI Act to grant individuals the right to correct mistakes in the data along with creating a separate department/mechanism so that the applications demanding access to one’s own data do not have to be submitted in different departments but can be submitted at one central place. This approach may be more pragmatic rather than asking for a change in the Constitution to grant to the citizens the right to ask for a writ in the nature of habeas data.

There may be calls to also include private data processors within the ambit of the right to habeas data, but it could be challenging to enforce this right. This is because it is still feasible to assume that the government can put in place machinery to ensure that it can find out whether information about a particular individual is available with any of the government’s myriad departments and corporations, however it would be almost impossible for the government to track every single private database and then scan those databases to find out how many of them contain information about any specific individual. This also throws up the question whether a right such as habeas data, which originated in a specific context of government surveillance, is appropriate to protect the privacy of individuals in the private sector. Since under Indian law section 43A and the Rules thereunder, which regulate data protection, already provide for consent and notice as major bulwarks against unauthorised data collection, and limit the purpose for which such data can be utilised, privacy concerns in this context can perhaps be better addressed by strengthening these provisions rather than trying to extend the concept of habeas data to the private sector.

[1]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[2]. Article 8 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981, available at https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37

[3]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[4]. Id.

[5]. Speech by Chief Justice Reynato Puno, Supreme Court of Philippines delivered at the UNESCO Policy Forum and Organizational Meeting of the Information for all Program (IFAP), Philippine National Committee, on November 19, 2007, available at http://jlp-law.com/blog/writ-of-habeas-data-by-chief-justice-reynato-puno/

[6]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[7]. The author does not purport to be an expert on the laws of these jurisdictions and the analysis in this paper has been based on a reading of the actual text or interpretations given in the papers that have been cited as the sources. The views in this paper should be viewed keeping this context in mind.

[8]. Article 5, LXXII of the Constitution of Brazil, available at https://www.constituteproject.org/constitution/Brazil_2014.pdf

[9]. Guadamuz A, 'Habeas Data vs the European Data Protection Directive', Refereed article, 2001 (3) The Journal of Information, Law and Technology (JILT).

[10]. Article 135 of the Constitution of Paraguay, available at https://www.constituteproject.org/constitution/Paraguay_2011.pdf?lang=en

[11]. The petition for a writ of amparo is a remedy available to any person whose right to life, liberty and security is violated or threatened with violation by an unlawful act or omission of a public official or employee, or of a private individual or entity.

[12]. Article 43 of the Constitution of Argentina, available at https://www.constituteproject.org/constitution/Argentina_1994.pdf?lang=en

[13]. https://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_3/guadamuz/

[14]. Article 28 of the Venezuelan Constitution, available at http://www.venezuelaemb.or.kr/english/ConstitutionoftheBolivarianingles.pdf

[15]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[16]. Rule on the Writ of Habeas Data Resolution, available at http://hrlibrary.umn.edu/research/Philippines/Rule%20on%20Habeas%20Data.pdf

[17]. The characteristics of habeas data culled out in this paper are by no means exhaustive and based only on the analysis of the jurisdictions discussed in this paper. This author does not claim to have done an exhaustive analysis of every jurisdiction where Habeas Data is available and the views in this paper should be viewed in that context.

[18]. Except in the case of the Philippines and Venezeula. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[19]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[20]. The case of Ganora v. Estado Nacional, Supreme Court of Argentina, September 16, 1999, cf.http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-Argentin.html

[21]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[22]. http://www.oas.org/dil/data_protection_privacy_habeas_data.htm

[23]. Even the scope of the right to privacy is currently under review in the Supreme Court of India. See “Right to Privacy in Peril”, http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[24]. Except in the case of the Philippines. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[25]. Section 2(f) of the Right to Information Act, 2005.

[26]. 2011 (106) AIC 187 (SC), also available at http://judis.nic.in/supremecourt/imgst.aspx?filename=38344

[27]. The exact words of the Court were: “The definition of `information' in section 2(f) of the RTI Act refers to any material in any form which includes records, documents, opinions, papers among several other enumerated items. The term `record' is defined in section 2(i) of the said Act as including any document, manuscript or file among others. When a candidate participates in an examination and writes his answers in an answer-book and submits it to the examining body for evaluation and declaration of the result, the answer-book is a document or record. When the answer-book is evaluated by an examiner appointed by the examining body, the evaluated answer-book becomes a record containing the `opinion' of the examiner. Therefore the evaluated answer-book is also an `information' under the RTI Act.”

[28]. Secretary General, Supreme Court of India v. Subhash Chandra Agarwal, AIR 2010 Del 159, available at https://indiankanoon.org/doc/1342199/

[29]. Ravi Ronchodlal Patel v. Reserve Bank of India, Central Information Commission, dated 6-9-2006.

[30]. Anurag Mittal v. National Institute of Health and Family Welfare, Central Information Commission, dated 29-6-2006.

[31]. Sandeep Bansal v. Army Headquarters, Ministry of Defence, Central Information Commission, dated 10-11-2008.

[32]. M.M. Kalra v. DDA, Central Information Commission, dated 20-11-2008.

[33]. Nitesh Kumar Tripathi v. CPIO, Central Information Commission, dated 4-5-2012.

[34]. A similar logic may apply to the exceptions of (i) cabinet papers, and (ii) parliamentary privilege.

[35]. Section 2 (h) of the Right to Information Act, 2005.

[36]. M.P. Verghese v. Mahatma Gandhi University, 2007 (58) AIC 663 (Ker), available at https://indiankanoon.org/doc/1189278/

[37]. Principal, M.D. Sanatan Dharam Girls College, Ambala City v. State Information Commissioner, AIR 2008 P&H 101, available at https://indiankanoon.org/doc/1672120/

[38]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

For more details visit https://cis-india.org/internet-governance/blog/habeas-data-in-india

Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India

praskrishna — 2013-08-28T10:19:23Z

The Research Center of Media and Communication at the University of Hamburg organized the Summer School 2013 at Hamburg, Germany from July 29 to August 2, 2013. Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".

The Summer School Book of Abstracts/Information brochure can be downloaded here

This year’s Summer School offered by the Research Center of Media and Communication at the University of Hamburg picked up upon a crucial issue for current media development – a topic relevant to academia, media practice and media policy. In the age of digitisation, the landscape of media and communications is being increasingly influenced by phenomena that can be viewed as reappropriations of previously published media communications. The Summer School pursued central questions about the kinds of reappropriated media communications that were being developed and the relationship between ‘old’ and ‘new’ shaping them. This repurposing was analysed from four different perspectives: repurposing as recombination, as reactualisation, as piracy and as plagiarism.

For more details visit https://cis-india.org/news/repeat-remix-remediate-summer-school-2013

Guidelines for the Protection of National Critical Information Infrastructure: How Much Regulation?

jon — 2013-08-01T04:48:01Z

July has been a busy month for cyber security in India. Beginning with the release of the country’s first National Cyber Security Policy on July 2 and followed just this past week by a set of guidelines for the protection of national critical information infrastructure (CII) developed under the direction of the National Technical Research Organization (NTRO), India has made respectable progress in its thinking on national cyber security.

Yet the National Cyber Security Policy, taken together with what little is known of the as-yet restricted guidelines for CII protection, raises troubling questions, particularly regarding the regulation of cyber security practices in the private sector. Whereas the current Policy suggests the imposition of certain preferential acquisition policies, India would be best advised to maintain technology neutrality to ensure maximum security.

According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to “prescribe the information security practices and procedures for such protected system[s].” These two paragraphs form the legal basis for the regulation of cyber security within the private sector.

Such basis notwithstanding, private cyber security remains almost completely unregulated. According to the Intermediary Guidelines [pdf], intermediaries are required to report cyber security incidents to India’s national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level. Last year the Reserve Bank of India mandated that each bank in India appoint a chief information officer (CIO) and a steering committee on information security. The finance sector is also the only sector of the four designated “critical” by the Department of Electronics and Information Technology (DEIT) Cyber Security Strategy to have established a sector-level CERT, which released a set of non-compulsory guidelines [pdf] for information security governance in late 201

The new guidelines for CII protection seek to reorganize the government’s approach to CII. According to a Times of India article on the new guidelines, the NTRO will outline a total of eight sectors (including energy, aviation, telecom and National Stock Exchange) of CII and then “monitor if they are following the guidelines.” Such language, though vague and certainly unsubstantiated, suggests the NTRO may ultimately be responsible for enforcing the “[mandated] security practices related to the design, acquisition, development, use and operation of information resources” described in the Cyber Security Policy. If so, operators of systems deemed critical by the NTRO or by other authorized government agencies may soon be subject to cyber security regulation—with teeth.

To be sure, some degree of cyber security regulation is necessary. After all, large swaths of the country’s CII are operated by private industry, and poor security practices on the part of one operator can easily undermine the security of the rest. To quote security expert Bruce Schneier, “the externalities in cybersecurity are so great that even the freest free market would fail.” In less academic terms, networks are only as secure as their weakest links. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.

Yet regulation may well extend beyond the simple “fiscal schemes and incentives” outlined in section IV of the Policy and “provide for procurement of indigenously manufactured ICT products that have security implications.” Such, at least, was the aim of the Preferential Market Access (PMA) Policy recently put on hold by the Prime Minister’s Office (PMO). Under pressure from international industry groups, the government has promised to review the PMA Policy, with the PMO indicating it may strike out clauses “regarding preference to domestic manufacturer[s] on security related products that are to be used by private sector.” If the government’s aim is indeed to ensure maximum security (rather than to grow an infant industry), it would be well advised to extend this approach to the Cyber Security Policy and the new guidelines for CII protection.

Although there is a national security argument to be made in favor of such policies—namely that imported ICT products may contain “backdoors” or other nefarious flaws—there are equally valid arguments to be made against preferential acquisition policies, at least for the private sector. First and foremost, it is unlikely that India’s nascent cyber security institutions will be able to regulate procurement in such a rapidly evolving market. Indeed, U.S. authorities have been at pains to set cyber security standards, especially in the past several years. Secondly, by mandating the procurement of indigenously manufactured products, the government may force private industry to forgo higher quality products. Absent access to source code or the ability to effectively reverse engineer imported products, buyers should make decisions based on the products’ performance records, not geo-economic considerations like country of origin. Finally, limiting procurement to a specific subset of ICT products likewise restricts the set of security vulnerabilities available to hackers. Rather than improve security, however, a smaller, more distinct set of vulnerabilities may simply make networks easier targets for the sorts of “debilitating” attacks the Policy aims to avert.

As India broaches the difficult task of regulating cyber security in the private sector, it must emphasize flexibility above all. On one hand, the government should avoid preferential acquisition policies which risk a) overwhelming limited regulatory resources, b) saddling CII operators with subpar products, and/or c) differentiating the country’s attack surface. On the other hand, the government should encourage certain performance standards through precisely the sort of “fiscal schemes and incentives” alluded to in the Cyber Security Policy. Regulation should focus on what technology does and does not do, not who made it or what rival government might have had their hands in its design. Ultimately, India should adopt a policy of technology neutrality, backed by the simple principle of trust but verify. Only then can it be truly secure.

For more details visit https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure

GSMA Research Outputs

elonnai — 2015-04-06T14:18:18Z

This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome.

Indian Law and the Necessary Proportionate Principles

The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further dwelves into the establishment and structure of Indian intelligence agencies and whom they report to, the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and request to CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licenses requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.

Click to download the PDF

Security, Surveillance and Data Sharing Schemes and Bodies in India

Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.

Click to download the PDF

Export and Import of Security Technologies in India: QA

The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.

Click to download the PDF

Regulation of CCTV’s in India

In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.

Click to download the PDF

Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India

It is unclear the exact process that intelligence agencies in India share information with other agencies internationally. India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training is designated as the National Central Bureau of India.

Click to download the PDF

Composition of Service Providers in India

Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and wimax subscribers. India’s overall wireless teledensity was quoted as having 893.31million subscribers, with a 0.79% (7.02 million) monthly addition.

Click to download the PDF

The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.

Click to download the PDF

An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.

Click to download the PDF

Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles

The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.

Click to download the PDF

The Surveillance Industry in India

India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.

Click to download the PDF

State of Cyber Security and Surveillance in India: A Review of the Legal Landscape

The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.

Click to download the PDF

For more details visit https://cis-india.org/internet-governance/blog/gsma-research-outputs

Growing Wikipedia: The India Chronicles

praskrishna — 2011-10-14T09:17:08Z

Tory Read, a professional researcher, writer and journalist was commissioned by the Wikimedia Foundation to create a vivid description of its work in India. This was done in the interest of transparency and to ensure that it captured lessons from this new approach. Tory travelled for a couple of weeks across Mumbai, Pune, Bangalore and some towns in Kerala — attending community meet-ups speaking with a host of individual community members in these cities. Tory has given a journalistic account and analysis, based on document review, interviews and observations conducted between November 2010 and June 2011, including 16 days in India in June 2011.The views expressed herein are his own and do not necessarily reflect the views of Wikimedia Foundation.

Sunil Abraham, Executive Director of the Centre for Internet and Society has been quoted in this report. The following are some direct quotes extracted out from this report:

"Feuding and flaming is an integral part of free software culture.” “You can’t imagine a mailing list without flaming." [The Chapter and the Community Tangle, page 16]

"The crisis on the mailing list was ultimately a great thing.” “There was conflict, dozens of offline conversations, private and public negotiation and airing of views and doubts, followed by a public commitment to work together for a shared purpose." [Necessity Breeds Collaboration, page 19]

"The Foundation’s job is having meetings and growing and holding the consensus." "It should be creating situations in which trust is gained, and you do this through radical transparency and participation. The point of the Foundation’s work is to build the community." [For the Foundation, page 24]

Download the entire report here [PDF, 2.9 MB]

For more details visit https://cis-india.org/news/the-india-chronicles

Ground Zero Summit 2014

praskrishna — 2014-12-05T00:42:17Z

Geeta Hariharan participated in this event organized by India Infosec Consortium on November 13 and 14, 2014 in New Delhi.

Living from the successes of last year and our recent conference in Colombo, Ground Zero Summit 2014, in its second year promises to be Asia's largest information security gathering and proposes to be the ultimate platform for showcasing researches and sharing knowledge in the field of cyber security. The event will feature a panel discussion on cyber diplomacy.

Click to read more about the event

For more details visit https://cis-india.org/internet-governance/news/ground-zero-summit-2014

Ground Zero Summit

Amber Sinha — 2016-01-03T06:06:56Z

The Ground Zero Summit which claims to be the largest collaborative platform in Asia for cyber-security was held in New Delhi from 5th to 8th November. The conference was organised by the Indian Infosec Consortium (IIC), a not for profit organisation backed by the Government of India. Cyber security experts, hackers, senior officials from the government and defence establishments, senior professionals from the industry and policymakers attended the event.

Keynote Address

The Union Home Minister, Mr. Rajnath Singh, inaugurated the conference. Mr Singh described cyber-barriers that impact the issues that governments face in ensuring cyber-security. Calling the cyberspace as the fifth dimension of security in addition to land, air, water and space, Mr Singh emphasised the need to curb cyber-crimes in India, which have grown by 70% in 2014 since 2013. He highlighted the fact that changes in location, jurisdiction and language made cybercrime particularly difficult to address. Continuing in the same vein, Mr. Rajnath Singh also mentioned cyber-terrorism as one the big dangers in the time to come. With a number of government initiatives like Digital India, Smart Cities and Make in India leveraging technology, the Home Minister said that the success of these projects would be dependent on having robust cyber-security systems in place.

The Home Minister outlined some initiatives that Government of India is planning to take in order to address concerns around cyber security - such as plans to finalize a new national cyber policy. Significantly, he referred to a committee headed by Dr. Gulshan Rai, the National Cyber Security Coordinator mandated to suggest a roadmap for effectively tackling cybercrime in India. This committee has recommended the setting up of Indian Cyber Crime Coordination Centre (I-4C). This centre is meant to engage in capacity building with key stakeholders to enable them to address cyber crimes, and work with law enforcement agencies. Earlier reports about the recommendation suggest that the I-4C will likely be placed under the National Crime Records Bureau and align with the state police departments through the Crime and Criminal Tracking and Network Systems (CCTNS). I-4C is supposed to be comprised of high quality technical and R&D experts who would be engaged in developing cyber investigation tools.

Other keynote speakers included Alok Joshi, Chairman, NTRO; Dr Gulshan Rai, National Cyber Security Coordinator; Dr. Arvind Gupta, Head of IT Cell, BJP and Air Marshal S B Dep, Chief of the Western Air Command.

Technical Speakers

There were a number of technical speakers who presented on an array of subjects. The first session was by Jiten Jain, a cyber security analyst who spoke on cyber espionage conducted by actors in Pakistan to target defence personnel in India. Jiten Jain talked about how the Indian Infosec Consortium had discovered these attacks in 2014. Most of these websites and mobile apps posed as defence news and carried malware and viruses. An investigation conducted by IIC revealed the domains to be registered in Pakistan. In another session Shesh Sarangdhar, the CEO of Seclabs, an application security company, spoke about the Darknet and ways to break anonymity on it. Sarangdhar mentioned that anonymity on Darknet is dependent on all determinants of the equation in the communication maintaining a specific state. He discussed techniques like using audio files, cross domain on tor, siebel attacks as methods of deanonymization. Dr. Triveni Singh. Assistant Superintendent of Police, Special Task Force, UP Police made a presentation on the trends in cyber crime. Dr. Singh emphasised the amount of uncertainty with regard to the purpose of a computer intrusion. He discussed real life case studies such as data theft, credit card fraud, share trading fraud from the perspective of law enforcement agencies.

Anirudh Anand, CTO of Infosec Labs discussed how web applications are heavily reliant on filters or escaping methods. His talk focused on XSS (cross site scripting) and bypassing regular expression filters. He also announced the release of XSS labs, an XSS test bed for security professionals and developers that includes filter evasion techniques like b-services, weak cryptographic design and cross site request forgery. Jan Siedl, an authority on SCADA presented on TOR tricks which may be used by bots, shells and other tools to better use the TOR network and I2P. His presentation dealt with using obfuscated bridges, Hidden Services based HTTP, multiple C&C addresses and use of OTP. Aneesha, an intern with the Kerala Police spoke about elliptical curve cryptography, its features such as low processing overheads. As this requires elliptic curve paths, efficient Encoding and Decoding techniques need to be developed. Aneesha spoke about an algorithm called Generator-Inverse for encoding and decoding a message using a Single Sign-on mechanism. Other subjects presented included vulnerabilities that remained despite using TLS/SSL, deception technology and cyber kill-chain, credit card frauds, Post-quantum crypto-systems and popular android malware.

Panels

There were also two panels organised at the conference. Samir Saran, Vice President of Observer Research Foundation, moderated the first panel on Cyber Arms Control. The panel included participants like Lt. General A K Sahni from the South Western Air Command; Lt. General A S Lamba, Retired Vice Chief Indian Army, Alok Vijayant, Director of Cyber Security Operation of NTRO and Captain Raghuraman from Reliance Industries. The panel debated the virtues of cyber arms control treaties. It was acknowledged by the panel that there was a need to frame rules and create a governance mechanism for wars in cyberspace. However, this would be effective only if the governments are the primary actors with the capability for building cyber-warfare know-how and tools. The reality was that most kinds of cyber weapons involved non state actors from the hacker community. In light of this, the cyber control treaties would lose most of their effectiveness.

The second panel was on the Make for India’ initiatives. Dinesh Bareja, the CEO of Open Security Alliance and Pyramid Cyber Security was the moderator for this panel which also included Nandakumar Saravade, CEO of Data Security Council of India; Sachin Burman, Director of NCIIPC; Dr. B J Srinath, Director General of ICERT and Amit Sharma, Joint Director of DRDO. The focus of this session was on ‘Make in India’ opportunities in the domain of cyber security. The panelist discussed the role the government and industry could play in creating an ecosystem that supports entrepreneurs in skill development. Among the approaches discussed were: involving actors in knowledge sharing and mentoring chapters which could be backed by organisations like NASSCOM and bringing together industry and government experts in events like the Ground Zero Summit to provide knowledge and training on cyber-security issues.

Exhibitions

The conference was accompanied by a exhibitions showcasing indigenous cybersecurity products. The exhibitors included Smokescreen Technologies, Sempersol Consultancy, Ninja Hackon, Octogence Technologies, Secfence, Amity, Cisco Academy, Robotics Embedded Education Services Pvt. Ltd., Defence Research and Development Organisation (DRDO), Skin Angel, Aksit, Alqimi, Seclabs and Systems, Forensic Guru, Esecforte Technologies, Gade Autonomous Systems, National Critical Information Infrastructure Protection Centre (NCIIPC), Indian Infosec Consortium (IIC), INNEFU, Forensic Guru, Event Social, Esecforte Technologies, National Internet Exchange of India (NIXI) and Robotic Zone.

The conference also witnessed events such Drone Wars, in which selected participants had to navigate a drone, a Hacker Fashion Show and the official launch of the Ground Zero’s Music Album.

For more details visit https://cis-india.org/internet-governance/blog/ground-zero-summit