We are anonymous, we are legion

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Hack Night in CIS ― A Meeting of Java Script Hackers

Tom Dane — 2011-10-27T11:36:26Z

CIS hosted a hack night in conjunction with the tech-event organizers HasGeek at its office on 24 September 2011. The event brought together local java script hackers on a common platform. Tom Dane and Kiran Jonnalagadda participated in the event.

The idea behind hosting the event was to have fun building cool stuff. The participants met in the afternoon to decide on projects and group into teams, and then Sudar Muthu gave an explanation of node.js and its usage for the hack. There were also some very cool free t-shirts. Much code was written and caffeine shared until the morning when the projects were uploaded online.

One project was a game allowing players to pass a ball between computers. The source code is available here on GitHub. Aditya Yadav also worked on the beautiful jsFoo website during the night. Our friends from HasGeek made a short video showing a snippet of the event:

Below is the full list of participants:

Kiran Jonnalagadda
Aditya Yadav
Ritesh Kadmawala
MS Prakas Kumar Chakka
Amarjit Singh
Arun Kumar
Sudar Muthu
Aravinda VK
Ciju Cherian and
Pradip Caulagi

If you feel sad missing an event like this, be excited because HasGeek is hosting Droidcon India next month.
About Hasgeek
HasGeek is a developer-led initiative, and has been un-organising the unconference scene since 2010. HasGeek is an attempt to solve the problem of insipid conferences organised around buzzwords by uninterested, soulless corporate entities who pitch them as company training events or as places for companies to pick up hot developers.

For more info on Hasgeek, click here
For info on jsFoo, click here

For more details visit https://cis-india.org/internet-governance/hacking-cis

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts

Habeas Data in India

Vipul Kharbanda and edited by Elonnai Hickok — 2016-12-10T04:01:40Z

Habeas Data is a latin word which can be loosely translated to mean “have the data”. The right has been primarily conceptualized, designed, ratified, and implemented by various nation-states in the background of a shared common history of decades of torture, terror, and other repressive practices under military juntas and other fascist regimes.

Download the Paper (PDF)

Introduction

The writ of habeas data was a distinct response to these recent histories which provided individuals with basic rights to access personal information collected by the state (and sometimes byprivate agencies of a public nature) and to challenge and correct such data, requiring the state to safeguard the privacy and accuracy of people's personal data.[1]

The origins of Habeas Data are traced back, unsurprisingly, to the European legal regime since Europe is considered as the fountainhead of modern data protection laws. The inspiration for Habeas Data is often considered to be the Council of Europe's 108th Convention on Data Protection of 1981.[2] The purpose of the Convention was to secure the privacy of individuals regarding the automated processing of personal data. For this purpose, individuals were granted several rights including a right to access their personal data held in an automated database.[3]

Another source or inspiration behind Habeas Data is considered to be the German legal system where a constitutional right to information self-determination was created by the German Constitutional Tribunal by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.[4]

Habeas Data is essentially a right or mechanism for an individual complaint presented to a constitutional court, to protect the image, privacy, honour, information self-determination and freedom of information of a person. [5]

A Habeas Data complaint can be filed by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public.[6]

Habeas Data in different jurisdictions

Habeas Data does not have any one specific definition and has different characteristics in different jurisdictions. Therefore, in order to better understand the right, it will be useful to describe the scope of Habeas Data as it has been incorporated in certain jurisdictions in order to better understand what the right entails:[7]

Brazil

The Constitution of Brazil grants its citizens the right to get a habeas data “a. to assure knowledge of personal information about the petitioner contained in records or data banks of government agencies or entities of a public character; b. to correct data whenever the petitioner prefers not to do so through confidential judicial or administrative proceedings;[8]

The place or tribunal where the Habeas Data action is to be filed changes depending on who is it presented against, which creates a complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:

The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
The Superior Justice Tribunal for actions against Ministers or itself;
The regional federal judges for actions against federal authorities;
State tribunals according to each state law;
State judges for all other cases.[9]

Paraguay
The Constitution of Paraguay grants a similar right of habeas data in its constitution which states:

"All persons may access the information and the data that about themselves, or about their assets, [that] is [obren] in official or private registries of a public character, as well as to know the use made of the same and of their end. [All persons] may request before the competent magistrate the updating, the rectification or the destruction of these, if they were wrong or illegitimately affected their rights."[10]

Compared to the right granted in Brazil, the text of the Paraguay Constitution specifically recognises that the citizen also has the right to know the use his/her data is being put to.

Argentina

Article 43 of the Constitution of Argentina grants the right of habeas data, though it has been included under the action of “amparo”,[11] the relevant portion of Article 43 states as follows:

"Any person may file an amparo action to find out and to learn the purpose of data about him which is on record in public registries or data banks, or in any private [registers or data banks] whose purpose is to provide information, and in case of falsity or discrimination, to demand the suppression, rectification, confidentiality, or updating of the same. The secrecy of journalistic information sources shall not be affected."[12]

The version of Habeas Data recognised in Argentina includes most of the protections seen in Brazil and Paraguay, such as the right to access the data, rectify it, update it or destroy it, etc. Nevertheless, the Argentinean constitution also includes certain other features such as the fact that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. Another feature of the Argentinean law is that it specifically excludes the press from the action, which may be considered as reasonable or unreasonable depending upon the context and country in which it is applied.[13]

Venezuela
Article 28 of the Constitution of Venezuela established the writ of habeas data, which expressly permits access to information stored in official and private registries. It states as follows:

"All individuals have a right to access information and data about themselves and about their property stored in official as well as private registries. Secondly, they are entitled to know the purpose of and the policy behind these registries. Thirdly, they have a right to request, before a competent tribunal, the updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements. The law shall establish exceptions to these principles. By the same token, any person shall have access to information that is of interest to communities and groups. The secrecy of the sources of newspapers-and of other entities or individuals as defined by law-shall be preserved."[14]

The Venezuelan writ of habeas data expressly provides that individuals "are entitled to know the purpose of and the policy behind these registries." Also, it expresses a right to "updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements." Article 28 also declares that the “secrecy of the sources of newspapers and of other entities or individuals as defined by law-shall be preserved."[15]

Philippines

It is not as if the remedy of Habeas Data is available only in Latin American jurisdictions, but even in Asia the writ of Habeas Data has been specifically granted by the Supreme Court of the Philippines vide its resolution dated January 22, 2008 which provides that “The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.” According to the Rule on Writ of Habeas Data, the petition is to be filed with the Regional Trial Court where the petitioner or respondent resides, or which has jurisdiction over the place where the data or information is gathered, collected or stored, at the option of the petitioner. The petition may also be filed with the Supreme Court or the Court of Appeals or the Sandiganbayan when the action concerns public data files of government offices.[16]

Two major distinctions are immediately visible between the Philippine right and that in the latin jurisdictions discussed above. One is the fact that in countries such as Bazil, Argentina and Paraguay, there does not appear to be a prerequisite to filing such an action asking for the information, whereas in Philippines it seems that such a petition can only be filed only if an individual’s “right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission”. This means that the Philippine concept of habeas data is much more limited in its scope and is available to the citizens only under certain specific conditions. On the other hand the scope of the Philippine right of Habeas Data is much wider in its applicability in the sense that this right is available even against private individual and entities who are “engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence”. In the Latin American jurisdictions discussed above, this writ appears to be available only against either public institutions or private institutions having some public character.

Main features of Habeas Data

Thus from the discussion above, the main features of the writ of habeas data, as it is applied in various jurisdictions can be culled out as follows: [17]

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[18]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

Since the writ of Habeas Data has been established and evolved primarily in Latin American countries, there is not too much literature on it available freely in the English language and that is a serious hurdle in researching this area. For example, this author did not find many article mentioning the scope of the writ of habeas data, for example whether it is an absolute right and on what grounds can it be denied. The Constitution of Venezuela, for example, specifies that the law shall establish exceptions to these principles and infact mentions the secrecy of sources for newspapers as an exception to this rule.[19]

Similarly in Argentina, there exists a public interest exception to the issuance of the writ of Habeas Data.[20]

That said, although little literature on the specific exceptions to habeas data is freely available in English, references can still be found to exceptions such as state security (Brazil), secrecy of newspaper sources (Argentina and Venezuela), or other entities defined by law (Venezuela).[21]

This suggests that the, as would be expected, the right to ask for the writ of habeas data is not an absolute right but would also be subject to certain exceptions and balanced against other needs such as state security and police investigations.

Habeas Data in the context of Privacy

Data protection legislation and mechanisms protect people against misuse of personal information by data controllers. Habeas Data, being a figure for use only by certain countries, gives the individuals the right to access, correct, and object to the processing of their information.

In general, privacy is the genus and data protection is the species, data protection is a right to personal privacy that people have against the possible use of their personal data by data controllers in an unauthorized manner or against the requirements of force. Habeas Data is an action that is brought before the courts to allow the protection of the individual’s image, privacy, honour, self-determination of information and freedom of information of a person. In that sense, the right of Habeas Data can be found within the broader ambit of data protection. It does not require data processors to ensure the protection of personal data processed but is a legal action requiring the person aggrieved, after filing a complaint with the courts of justice, the access and/or rectification to any personal data which may jeopardize their right to privacy.[22]

Habeas Data in the Indian Context

Although a number of judgments of the Apex Court in India have recognised the existence of a right to privacy by interpreting the fundamental rights to life and free movement in the Constitution of India,[23]

the writ of habeas data has no legal recognition under Indian law. However, as is evident from the discussion above, a writ of habeas data is very useful in protecting the right to privacy of individuals and it would be a very useful tool to have in the hands of the citizens. The fact that India has a fairly robust right to information legislation means that atleast some facets of the right of habeas data are available under Indian law. We shall now examine the Indian Right to Information Act, 2005 (RTI Act) to see what facets of habeas data are already available under this Act and what aspects are left wanting. As mentioned above, the writ of habeas data has the following main features:

It is a right to the individual or citizen to ask for his/her information contained with any data registry;
It is available only against public (government) entities or employees; or private entities having a public character;[24]
Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
It is a remedy that is usually available by approaching any single judicial forum.

We shall now take each of these features and analyse whether the RTI Act provides any similar rights and how they differ from each other.

Right to seek his/her information contained with a data registry

Habeas data enables the individual to seek his or her information contained in any data registry. The RTI Act allows citizens to seek “information” which is under the control of or held by any public authority. The term information has been defined under the RTI Act to mean “any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force”.[25]

Further, the term “record” has been defined to include “(a) any document, manuscript and file; (b) any microfilm, microfiche and facsimile copy of a document; (c) any reproduction of image or images embodied in such microfilm (whether enlarged or not); and (d) any other material produced by a computer or any other device”. It is quite apparent that the meaning given to the term information is quite wide and can include various types of information within its fold. The term “information” as defined in the RTI Act has been further elaborated by the Supreme Court in the case of Central Board of Secondary Education v. Aditya Bandopadhyay,[26]

where the Court has held that a person’s evaluated answer sheet for the board exams held by the CBSE would come under the ambit of “information” and should be accessible to the person under the RTI Act.[27]

An illustrative list of items that have been considered to be “information” under the RTI Act would be helpful in further understanding the concept:

Asset declarations by Judges;[28]
Copy of inspection report prepared by the Reserve Bank of India about a Co-operative Bank;[29]
Information on the status of an enquiry;[30]
Information regarding cancellation of an appointment letter;[31]
Information regarding transfer of services;[32]
Information regarding donations given by the President of India out of public funds.[33]

The above list would indicate that any personal information relation to an individual that is available in a government registry would in all likelihood be considered as “information” under the RTI Act.

However, just because the information asked for is considered to come within the ambit of section 2(h) does not mean that the person will be granted access to such information if it falls under any of the exceptions listed in section 8 of the RTI Act. Section 8 provides that if the information asked falls into any of the categories specified below then such information shall not be released in an application under the RTI Act, the categories are:

"(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;
(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;
(c) information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;
(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;
(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;
(f) information received in confidence from foreign Government;
(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;
(h) information which would impede the process of investigation or apprehension or prosecution of offenders;
(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:
Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:
Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person."

The above mentioned exceptions seem fairly reasonable and infact are important since public records may contain information of a private nature which the data subject would not want revealed, and that is exactly why personal information is a specific exception mentioned under the RTI Act. When comparing this list to the recognised exceptions under habeas data, it must be remembered that a number of the exceptions listed above would not be relevant in a habeas data petition such as commercial secrets, personal information, etc. The exceptions which could be relevant for both the RTI Act as well as a habeas data writ would be (a) national security or sovereignty, (b) prohibition on publication by a court, (c) endangering the physical safety of a person, (d) hindrance in investigation of a crime. It is difficult to imagine a court (especially in India) granting a habeas data writ in violation of these four exceptions.

Certain other exceptions that may be relevant in a habeas data context but are not mentioned in the common list above are (a) information received in a fiduciary relationship; (b) breach of legislative privilege, (c) cabinet papers; and (d) information received in confidence from a foreign government. These four exceptions are not as immediately appealing as the others listed above because there are obviously competing interests involved here and different jurisdictions may take different points of view on these competing interests.[34]

Available only against public (government) entities or entities having public character.

A habeas corpus writ is maintainable in a court to ask for information relating to the petitioner held by either a public entity or a private entity having a public character. In India, the right to information as defined in the RTI Act means the right to information accessible under the Act held by or under the control of any public authority. The term "public authority" has been defined under the Act to mean “any authority or body or institution of self-government established or constituted—

(a) by or under the Constitution;
(b) by any other law made by Parliament;
(c) by any other law made by State Legislature;
(d) by notification issued or order made by the appropriate Government, and includes any— (i) body owned, controlled or substantially financed; (ii) non-Government organisation substantially financed, directly or indirectly by funds provided by the appropriate Government;"[35]

Therefore most government departments as well as statutory as well as government controlled corporations would come under the purview of the term "public authority". For the purposes of the RTI Act, either control or substantial financing by the government would be enough to bring an entity under the definition of public authority.[36]

The above interpretation is further bolstered by the fact that the preamble of the RTI Act contains the term “governments and their instrumentalities".[37]

Right to correct wrong information
While certain sectoral legislations such as the Representation of the People Act and the Collection of Statistics Act, etc. may provide for correction of inaccurate information, the RTI Act does not have any such provisions. This stands to reason because the RTI Act is not geared towards providing people with information about themselves but is instead a transparency law which is geared at dissemination of information, which may or may not relate to an individual.

Available upon approaching a single judicial forum
While the right of habeas data is available only upon approaching a judicial forum, the right to information under the RTI Act is realised entirely through the bureaucratic machinery. This also means that the individuals have to approach different entities in order to get the information that they need instead of approaching just one centralised entity.

Conclusion

There is no doubt that habeas data, by itself cannot end massive electronic surveillance of the kind that is being carried out by various governments in this day and age and the excessive collection of data by private sector companies, but providing the citizenry with the right to ask for such a writ would provide a critical check on such policies and practices of vast surveillance.[38]

An informed citizenry, armed with a right such as habeas data, would be better able to learn about the information being collected and kept on them under the garb of law and governance, to access such information, and to demand its correction or deletion when its retention by the government is not justified.

As we have discussed in this paper, under Indian law the RTI Act gives the citizens certain aspects of this right but with a few notable exceptions. Therefore, if a writ such as habeas data is to be effectuated in India, it might perhaps be a better idea to approach it by amending/tweaking the existing structure of the RTI Act to grant individuals the right to correct mistakes in the data along with creating a separate department/mechanism so that the applications demanding access to one’s own data do not have to be submitted in different departments but can be submitted at one central place. This approach may be more pragmatic rather than asking for a change in the Constitution to grant to the citizens the right to ask for a writ in the nature of habeas data.

There may be calls to also include private data processors within the ambit of the right to habeas data, but it could be challenging to enforce this right. This is because it is still feasible to assume that the government can put in place machinery to ensure that it can find out whether information about a particular individual is available with any of the government’s myriad departments and corporations, however it would be almost impossible for the government to track every single private database and then scan those databases to find out how many of them contain information about any specific individual. This also throws up the question whether a right such as habeas data, which originated in a specific context of government surveillance, is appropriate to protect the privacy of individuals in the private sector. Since under Indian law section 43A and the Rules thereunder, which regulate data protection, already provide for consent and notice as major bulwarks against unauthorised data collection, and limit the purpose for which such data can be utilised, privacy concerns in this context can perhaps be better addressed by strengthening these provisions rather than trying to extend the concept of habeas data to the private sector.

[1]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[2]. Article 8 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981, available at https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37

[3]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[4]. Id.

[5]. Speech by Chief Justice Reynato Puno, Supreme Court of Philippines delivered at the UNESCO Policy Forum and Organizational Meeting of the Information for all Program (IFAP), Philippine National Committee, on November 19, 2007, available at http://jlp-law.com/blog/writ-of-habeas-data-by-chief-justice-reynato-puno/

[6]. Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection',2000 (2) The Journal of Information, Law and Technology (JILT).

[7]. The author does not purport to be an expert on the laws of these jurisdictions and the analysis in this paper has been based on a reading of the actual text or interpretations given in the papers that have been cited as the sources. The views in this paper should be viewed keeping this context in mind.

[8]. Article 5, LXXII of the Constitution of Brazil, available at https://www.constituteproject.org/constitution/Brazil_2014.pdf

[9]. Guadamuz A, 'Habeas Data vs the European Data Protection Directive', Refereed article, 2001 (3) The Journal of Information, Law and Technology (JILT).

[10]. Article 135 of the Constitution of Paraguay, available at https://www.constituteproject.org/constitution/Paraguay_2011.pdf?lang=en

[11]. The petition for a writ of amparo is a remedy available to any person whose right to life, liberty and security is violated or threatened with violation by an unlawful act or omission of a public official or employee, or of a private individual or entity.

[12]. Article 43 of the Constitution of Argentina, available at https://www.constituteproject.org/constitution/Argentina_1994.pdf?lang=en

[13]. https://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_3/guadamuz/

[14]. Article 28 of the Venezuelan Constitution, available at http://www.venezuelaemb.or.kr/english/ConstitutionoftheBolivarianingles.pdf

[15]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[16]. Rule on the Writ of Habeas Data Resolution, available at http://hrlibrary.umn.edu/research/Philippines/Rule%20on%20Habeas%20Data.pdf

[17]. The characteristics of habeas data culled out in this paper are by no means exhaustive and based only on the analysis of the jurisdictions discussed in this paper. This author does not claim to have done an exhaustive analysis of every jurisdiction where Habeas Data is available and the views in this paper should be viewed in that context.

[18]. Except in the case of the Philippines and Venezeula. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[19]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[20]. The case of Ganora v. Estado Nacional, Supreme Court of Argentina, September 16, 1999, cf.http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-Argentin.html

[21]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

[22]. http://www.oas.org/dil/data_protection_privacy_habeas_data.htm

[23]. Even the scope of the right to privacy is currently under review in the Supreme Court of India. See “Right to Privacy in Peril”, http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

[24]. Except in the case of the Philippines. This paper has not done an analysis of the writ of habeas data in every jurisdiction where it is available and there may be jurisdictions other than the Philippines which also give this right against private entities.

[25]. Section 2(f) of the Right to Information Act, 2005.

[26]. 2011 (106) AIC 187 (SC), also available at http://judis.nic.in/supremecourt/imgst.aspx?filename=38344

[27]. The exact words of the Court were: “The definition of `information' in section 2(f) of the RTI Act refers to any material in any form which includes records, documents, opinions, papers among several other enumerated items. The term `record' is defined in section 2(i) of the said Act as including any document, manuscript or file among others. When a candidate participates in an examination and writes his answers in an answer-book and submits it to the examining body for evaluation and declaration of the result, the answer-book is a document or record. When the answer-book is evaluated by an examiner appointed by the examining body, the evaluated answer-book becomes a record containing the `opinion' of the examiner. Therefore the evaluated answer-book is also an `information' under the RTI Act.”

[28]. Secretary General, Supreme Court of India v. Subhash Chandra Agarwal, AIR 2010 Del 159, available at https://indiankanoon.org/doc/1342199/

[29]. Ravi Ronchodlal Patel v. Reserve Bank of India, Central Information Commission, dated 6-9-2006.

[30]. Anurag Mittal v. National Institute of Health and Family Welfare, Central Information Commission, dated 29-6-2006.

[31]. Sandeep Bansal v. Army Headquarters, Ministry of Defence, Central Information Commission, dated 10-11-2008.

[32]. M.M. Kalra v. DDA, Central Information Commission, dated 20-11-2008.

[33]. Nitesh Kumar Tripathi v. CPIO, Central Information Commission, dated 4-5-2012.

[34]. A similar logic may apply to the exceptions of (i) cabinet papers, and (ii) parliamentary privilege.

[35]. Section 2 (h) of the Right to Information Act, 2005.

[36]. M.P. Verghese v. Mahatma Gandhi University, 2007 (58) AIC 663 (Ker), available at https://indiankanoon.org/doc/1189278/

[37]. Principal, M.D. Sanatan Dharam Girls College, Ambala City v. State Information Commissioner, AIR 2008 P&H 101, available at https://indiankanoon.org/doc/1672120/

[38]. González, Marc-Tizoc, ‘Habeas Data: Comparative Constitutional Interventions from Latin America Against Neoliberal States of Insecurity and Surveillance’, (2015). Chicago-Kent Law Review, Vol. 90, No. 2, 2015; St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available at SSRN:http://ssrn.com/abstract=2694803

For more details visit https://cis-india.org/internet-governance/blog/habeas-data-in-india

Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India

praskrishna — 2013-08-28T10:19:23Z

The Research Center of Media and Communication at the University of Hamburg organized the Summer School 2013 at Hamburg, Germany from July 29 to August 2, 2013. Dr. Nishant Shah was a panelist in the session on "Guilty until Proven Innocent: Pirates, Pornographers, Terrorists and the IT Act in India".

The Summer School Book of Abstracts/Information brochure can be downloaded here

This year’s Summer School offered by the Research Center of Media and Communication at the University of Hamburg picked up upon a crucial issue for current media development – a topic relevant to academia, media practice and media policy. In the age of digitisation, the landscape of media and communications is being increasingly influenced by phenomena that can be viewed as reappropriations of previously published media communications. The Summer School pursued central questions about the kinds of reappropriated media communications that were being developed and the relationship between ‘old’ and ‘new’ shaping them. This repurposing was analysed from four different perspectives: repurposing as recombination, as reactualisation, as piracy and as plagiarism.

For more details visit https://cis-india.org/news/repeat-remix-remediate-summer-school-2013

Guidelines for the Protection of National Critical Information Infrastructure: How Much Regulation?

jon — 2013-08-01T04:48:01Z

July has been a busy month for cyber security in India. Beginning with the release of the country’s first National Cyber Security Policy on July 2 and followed just this past week by a set of guidelines for the protection of national critical information infrastructure (CII) developed under the direction of the National Technical Research Organization (NTRO), India has made respectable progress in its thinking on national cyber security.

Yet the National Cyber Security Policy, taken together with what little is known of the as-yet restricted guidelines for CII protection, raises troubling questions, particularly regarding the regulation of cyber security practices in the private sector. Whereas the current Policy suggests the imposition of certain preferential acquisition policies, India would be best advised to maintain technology neutrality to ensure maximum security.

According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to “prescribe the information security practices and procedures for such protected system[s].” These two paragraphs form the legal basis for the regulation of cyber security within the private sector.

Such basis notwithstanding, private cyber security remains almost completely unregulated. According to the Intermediary Guidelines [pdf], intermediaries are required to report cyber security incidents to India’s national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level. Last year the Reserve Bank of India mandated that each bank in India appoint a chief information officer (CIO) and a steering committee on information security. The finance sector is also the only sector of the four designated “critical” by the Department of Electronics and Information Technology (DEIT) Cyber Security Strategy to have established a sector-level CERT, which released a set of non-compulsory guidelines [pdf] for information security governance in late 201

The new guidelines for CII protection seek to reorganize the government’s approach to CII. According to a Times of India article on the new guidelines, the NTRO will outline a total of eight sectors (including energy, aviation, telecom and National Stock Exchange) of CII and then “monitor if they are following the guidelines.” Such language, though vague and certainly unsubstantiated, suggests the NTRO may ultimately be responsible for enforcing the “[mandated] security practices related to the design, acquisition, development, use and operation of information resources” described in the Cyber Security Policy. If so, operators of systems deemed critical by the NTRO or by other authorized government agencies may soon be subject to cyber security regulation—with teeth.

To be sure, some degree of cyber security regulation is necessary. After all, large swaths of the country’s CII are operated by private industry, and poor security practices on the part of one operator can easily undermine the security of the rest. To quote security expert Bruce Schneier, “the externalities in cybersecurity are so great that even the freest free market would fail.” In less academic terms, networks are only as secure as their weakest links. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.

Yet regulation may well extend beyond the simple “fiscal schemes and incentives” outlined in section IV of the Policy and “provide for procurement of indigenously manufactured ICT products that have security implications.” Such, at least, was the aim of the Preferential Market Access (PMA) Policy recently put on hold by the Prime Minister’s Office (PMO). Under pressure from international industry groups, the government has promised to review the PMA Policy, with the PMO indicating it may strike out clauses “regarding preference to domestic manufacturer[s] on security related products that are to be used by private sector.” If the government’s aim is indeed to ensure maximum security (rather than to grow an infant industry), it would be well advised to extend this approach to the Cyber Security Policy and the new guidelines for CII protection.

Although there is a national security argument to be made in favor of such policies—namely that imported ICT products may contain “backdoors” or other nefarious flaws—there are equally valid arguments to be made against preferential acquisition policies, at least for the private sector. First and foremost, it is unlikely that India’s nascent cyber security institutions will be able to regulate procurement in such a rapidly evolving market. Indeed, U.S. authorities have been at pains to set cyber security standards, especially in the past several years. Secondly, by mandating the procurement of indigenously manufactured products, the government may force private industry to forgo higher quality products. Absent access to source code or the ability to effectively reverse engineer imported products, buyers should make decisions based on the products’ performance records, not geo-economic considerations like country of origin. Finally, limiting procurement to a specific subset of ICT products likewise restricts the set of security vulnerabilities available to hackers. Rather than improve security, however, a smaller, more distinct set of vulnerabilities may simply make networks easier targets for the sorts of “debilitating” attacks the Policy aims to avert.

As India broaches the difficult task of regulating cyber security in the private sector, it must emphasize flexibility above all. On one hand, the government should avoid preferential acquisition policies which risk a) overwhelming limited regulatory resources, b) saddling CII operators with subpar products, and/or c) differentiating the country’s attack surface. On the other hand, the government should encourage certain performance standards through precisely the sort of “fiscal schemes and incentives” alluded to in the Cyber Security Policy. Regulation should focus on what technology does and does not do, not who made it or what rival government might have had their hands in its design. Ultimately, India should adopt a policy of technology neutrality, backed by the simple principle of trust but verify. Only then can it be truly secure.

For more details visit https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure

GSMA Research Outputs

elonnai — 2015-04-06T14:18:18Z

This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome.

Indian Law and the Necessary Proportionate Principles

The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further dwelves into the establishment and structure of Indian intelligence agencies and whom they report to, the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and request to CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licenses requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.

Click to download the PDF

Security, Surveillance and Data Sharing Schemes and Bodies in India

Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.

Click to download the PDF

Export and Import of Security Technologies in India: QA

The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.

Click to download the PDF

Regulation of CCTV’s in India

In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.

Click to download the PDF

Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India

It is unclear the exact process that intelligence agencies in India share information with other agencies internationally. India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training is designated as the National Central Bureau of India.

Click to download the PDF

Composition of Service Providers in India

Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and wimax subscribers. India’s overall wireless teledensity was quoted as having 893.31million subscribers, with a 0.79% (7.02 million) monthly addition.

Click to download the PDF

The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.

Click to download the PDF

An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.

Click to download the PDF

Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles

The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.

Click to download the PDF

The Surveillance Industry in India

India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.

Click to download the PDF

State of Cyber Security and Surveillance in India: A Review of the Legal Landscape

The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.

Click to download the PDF

For more details visit https://cis-india.org/internet-governance/blog/gsma-research-outputs

Growing Wikipedia: The India Chronicles

praskrishna — 2011-10-14T09:17:08Z

Tory Read, a professional researcher, writer and journalist was commissioned by the Wikimedia Foundation to create a vivid description of its work in India. This was done in the interest of transparency and to ensure that it captured lessons from this new approach. Tory travelled for a couple of weeks across Mumbai, Pune, Bangalore and some towns in Kerala — attending community meet-ups speaking with a host of individual community members in these cities. Tory has given a journalistic account and analysis, based on document review, interviews and observations conducted between November 2010 and June 2011, including 16 days in India in June 2011.The views expressed herein are his own and do not necessarily reflect the views of Wikimedia Foundation.

Sunil Abraham, Executive Director of the Centre for Internet and Society has been quoted in this report. The following are some direct quotes extracted out from this report:

"Feuding and flaming is an integral part of free software culture.” “You can’t imagine a mailing list without flaming." [The Chapter and the Community Tangle, page 16]

"The crisis on the mailing list was ultimately a great thing.” “There was conflict, dozens of offline conversations, private and public negotiation and airing of views and doubts, followed by a public commitment to work together for a shared purpose." [Necessity Breeds Collaboration, page 19]

"The Foundation’s job is having meetings and growing and holding the consensus." "It should be creating situations in which trust is gained, and you do this through radical transparency and participation. The point of the Foundation’s work is to build the community." [For the Foundation, page 24]

Download the entire report here [PDF, 2.9 MB]

For more details visit https://cis-india.org/news/the-india-chronicles

Ground Zero Summit 2014

praskrishna — 2014-12-05T00:42:17Z

Geeta Hariharan participated in this event organized by India Infosec Consortium on November 13 and 14, 2014 in New Delhi.

Living from the successes of last year and our recent conference in Colombo, Ground Zero Summit 2014, in its second year promises to be Asia's largest information security gathering and proposes to be the ultimate platform for showcasing researches and sharing knowledge in the field of cyber security. The event will feature a panel discussion on cyber diplomacy.

Click to read more about the event

For more details visit https://cis-india.org/internet-governance/news/ground-zero-summit-2014

Ground Zero Summit

Amber Sinha — 2016-01-03T06:06:56Z

The Ground Zero Summit which claims to be the largest collaborative platform in Asia for cyber-security was held in New Delhi from 5th to 8th November. The conference was organised by the Indian Infosec Consortium (IIC), a not for profit organisation backed by the Government of India. Cyber security experts, hackers, senior officials from the government and defence establishments, senior professionals from the industry and policymakers attended the event.

Keynote Address

The Union Home Minister, Mr. Rajnath Singh, inaugurated the conference. Mr Singh described cyber-barriers that impact the issues that governments face in ensuring cyber-security. Calling the cyberspace as the fifth dimension of security in addition to land, air, water and space, Mr Singh emphasised the need to curb cyber-crimes in India, which have grown by 70% in 2014 since 2013. He highlighted the fact that changes in location, jurisdiction and language made cybercrime particularly difficult to address. Continuing in the same vein, Mr. Rajnath Singh also mentioned cyber-terrorism as one the big dangers in the time to come. With a number of government initiatives like Digital India, Smart Cities and Make in India leveraging technology, the Home Minister said that the success of these projects would be dependent on having robust cyber-security systems in place.

The Home Minister outlined some initiatives that Government of India is planning to take in order to address concerns around cyber security - such as plans to finalize a new national cyber policy. Significantly, he referred to a committee headed by Dr. Gulshan Rai, the National Cyber Security Coordinator mandated to suggest a roadmap for effectively tackling cybercrime in India. This committee has recommended the setting up of Indian Cyber Crime Coordination Centre (I-4C). This centre is meant to engage in capacity building with key stakeholders to enable them to address cyber crimes, and work with law enforcement agencies. Earlier reports about the recommendation suggest that the I-4C will likely be placed under the National Crime Records Bureau and align with the state police departments through the Crime and Criminal Tracking and Network Systems (CCTNS). I-4C is supposed to be comprised of high quality technical and R&D experts who would be engaged in developing cyber investigation tools.

Other keynote speakers included Alok Joshi, Chairman, NTRO; Dr Gulshan Rai, National Cyber Security Coordinator; Dr. Arvind Gupta, Head of IT Cell, BJP and Air Marshal S B Dep, Chief of the Western Air Command.

Technical Speakers

There were a number of technical speakers who presented on an array of subjects. The first session was by Jiten Jain, a cyber security analyst who spoke on cyber espionage conducted by actors in Pakistan to target defence personnel in India. Jiten Jain talked about how the Indian Infosec Consortium had discovered these attacks in 2014. Most of these websites and mobile apps posed as defence news and carried malware and viruses. An investigation conducted by IIC revealed the domains to be registered in Pakistan. In another session Shesh Sarangdhar, the CEO of Seclabs, an application security company, spoke about the Darknet and ways to break anonymity on it. Sarangdhar mentioned that anonymity on Darknet is dependent on all determinants of the equation in the communication maintaining a specific state. He discussed techniques like using audio files, cross domain on tor, siebel attacks as methods of deanonymization. Dr. Triveni Singh. Assistant Superintendent of Police, Special Task Force, UP Police made a presentation on the trends in cyber crime. Dr. Singh emphasised the amount of uncertainty with regard to the purpose of a computer intrusion. He discussed real life case studies such as data theft, credit card fraud, share trading fraud from the perspective of law enforcement agencies.

Anirudh Anand, CTO of Infosec Labs discussed how web applications are heavily reliant on filters or escaping methods. His talk focused on XSS (cross site scripting) and bypassing regular expression filters. He also announced the release of XSS labs, an XSS test bed for security professionals and developers that includes filter evasion techniques like b-services, weak cryptographic design and cross site request forgery. Jan Siedl, an authority on SCADA presented on TOR tricks which may be used by bots, shells and other tools to better use the TOR network and I2P. His presentation dealt with using obfuscated bridges, Hidden Services based HTTP, multiple C&C addresses and use of OTP. Aneesha, an intern with the Kerala Police spoke about elliptical curve cryptography, its features such as low processing overheads. As this requires elliptic curve paths, efficient Encoding and Decoding techniques need to be developed. Aneesha spoke about an algorithm called Generator-Inverse for encoding and decoding a message using a Single Sign-on mechanism. Other subjects presented included vulnerabilities that remained despite using TLS/SSL, deception technology and cyber kill-chain, credit card frauds, Post-quantum crypto-systems and popular android malware.

Panels

There were also two panels organised at the conference. Samir Saran, Vice President of Observer Research Foundation, moderated the first panel on Cyber Arms Control. The panel included participants like Lt. General A K Sahni from the South Western Air Command; Lt. General A S Lamba, Retired Vice Chief Indian Army, Alok Vijayant, Director of Cyber Security Operation of NTRO and Captain Raghuraman from Reliance Industries. The panel debated the virtues of cyber arms control treaties. It was acknowledged by the panel that there was a need to frame rules and create a governance mechanism for wars in cyberspace. However, this would be effective only if the governments are the primary actors with the capability for building cyber-warfare know-how and tools. The reality was that most kinds of cyber weapons involved non state actors from the hacker community. In light of this, the cyber control treaties would lose most of their effectiveness.

The second panel was on the Make for India’ initiatives. Dinesh Bareja, the CEO of Open Security Alliance and Pyramid Cyber Security was the moderator for this panel which also included Nandakumar Saravade, CEO of Data Security Council of India; Sachin Burman, Director of NCIIPC; Dr. B J Srinath, Director General of ICERT and Amit Sharma, Joint Director of DRDO. The focus of this session was on ‘Make in India’ opportunities in the domain of cyber security. The panelist discussed the role the government and industry could play in creating an ecosystem that supports entrepreneurs in skill development. Among the approaches discussed were: involving actors in knowledge sharing and mentoring chapters which could be backed by organisations like NASSCOM and bringing together industry and government experts in events like the Ground Zero Summit to provide knowledge and training on cyber-security issues.

Exhibitions

The conference was accompanied by a exhibitions showcasing indigenous cybersecurity products. The exhibitors included Smokescreen Technologies, Sempersol Consultancy, Ninja Hackon, Octogence Technologies, Secfence, Amity, Cisco Academy, Robotics Embedded Education Services Pvt. Ltd., Defence Research and Development Organisation (DRDO), Skin Angel, Aksit, Alqimi, Seclabs and Systems, Forensic Guru, Esecforte Technologies, Gade Autonomous Systems, National Critical Information Infrastructure Protection Centre (NCIIPC), Indian Infosec Consortium (IIC), INNEFU, Forensic Guru, Event Social, Esecforte Technologies, National Internet Exchange of India (NIXI) and Robotic Zone.

The conference also witnessed events such Drone Wars, in which selected participants had to navigate a drone, a Hacker Fashion Show and the official launch of the Ground Zero’s Music Album.

For more details visit https://cis-india.org/internet-governance/blog/ground-zero-summit

Grooming the geek

praskrishna — 2012-02-28T09:16:29Z

Generation 2.0, the iPad child, is enriched by technology, and many parents are embracing it wholeheartedly. But can technology transform the way a child’s abilities develop?

The article by Gopal Sathe was published in Livemint on 24 February 2012. Sunil Abraham is quoted in it.

Gauri Uttam, 11, loves reading books. Her room houses a huge number of books that her parents have collected for her over the years. But her favourite books are not in these piles. They are on her iPad. Ask her what her favourite book is, and pat comes the reply: The Pedlar Lady, downloaded on the family iPad 2.

The Pedlar Lady app, by Moving Tales Inc., is a beautifully animated story for children. Background images move, the text flows in and out, and the app reads the text aloud as well. “The book looks beautiful, and whenever you turn the page, it reads the words,” says Gauri. “You can carry it around anywhere, it’s not like sitting on the computer, but it’s much more fun than reading a book. There are pictures and if you get bored and want to draw something, you can, right there.”

Gauri’s father Sachin Uttam, 44, a director (consulting) with the Gurgaon-based technology start-up Enabling Dimensions, has also introduced her to software such as FaceTime on their iMac to teleconference with her cousins for homework. “Computers are a part of everything now,” Sachin says. “When children grow up, we try and teach them to sing, paint, write stories... In the same way, we need to teach them to be able to use computers. I’m a techie, so is my wife. We both have iPads and iPhones, and so it wasn’t surprising that Gauri started to use them too.”

Technology is revolutionizing the way children grow up. Parents put the Internet and technology to a variety of uses. It is not uncommon to see toddlers gurgling to a touch screen that tiny fingers don’t find daunting. In December, the Podar International School in Mumbai announced that from its next term, lessons for classes VI to XII would be on iPads.

The shake-up

For some parents, it is a way to help their children hone their creativity. Bangalore-based Viswanath Poosala, 41, head of Bell Labs Research India, has two children, a daughter (9) and a son (7) (names withheld on request), and he has been teaching them programming for the last year and a half. Poosala wanted to show his children how computers can be fun. “The key is to find ways to relate your children’s interests to computers. If you make a computer a tool that helps them do what they want, then they will learn enthusiastically,” he says.

Poosala’s son uses a tool called Scratch, a free MIT software for children, to make simple games that he can share with friends; his daughter uses Scratch to make animated, interactive versions of the stories she writes.

To teach his children programming, Poosala first introduced them to a free online game called Light-Bot. “In the game, you have to click on a set of commands, and once you are done, the robot will follow your choices to try and clear an obstacle course. It’s a fun game so children are keen to play it, and it shows them how a computer follows inputs.”

But in Light-Bot, commands are limited, and it is not possible to add custom elements. So Poosala downloaded Scratch. “It’s a visual programming language. You can add images and sounds, but it’s still completely visual, with no actual programming. You just click and choose from different icons,” he adds.

By engaging children with their own creations around their interests, they become more involved in what they are doing, and are keen to share their work with friends. They are more likely to finish projects and start new ones. Using such tools also helps them understand logic as a concept, which can then be applied to any field.

Sachin believes the iPad, especially, is a powerful reading resource that can make books far more attractive to children. He says, “Ever since Gauri discovered iBooks, she’s reading so much more than before. When she gets stuck on a difficult word, she just needs to tap it with her finger to get a definition.”

One such book is the Alice’s Adventures in Wonderland app. The book is presented with big, interactive illustrations on every page. Give Alice different bottles when she falls down the rabbit hole, and she will become bigger or smaller, depending on the bottle. Tilt your iPad on another screen, she will fall down and stand up.

New avenues

Enhanced books, such as Alice’s Adventures in Wonderland and The Pedlar Lady, are more advanced, redefining our expectations of children’s books. Take, for instance, Khoya, an iPad app illustrated by Shilo Shiv Suleman and written by Avijit Michael. The app has been showcased at TEDGlobal 2011 in Scotland, the Wired conference in the UK in 2011, and launched at the INK conference in Jaipur in 2011. Khoya has artwork, animated pages, quests that have to be completed in the real world, that require children to help the two protagonists navigate various worlds.

Bangalore-based Suleman says, “People are so excited about how technology is functional and useable that they forget how technology is also magical. Sure, it’s useful to be able to fly to London in 10 hours, but the idea that we are actually floating in the clouds, flying around the world is forgotten.”

Khoya uses technology to get children to explore the natural world along with a screen. While the protagonists of the story undertake their quests, readers are given their own quests such as collecting flower seeds and making photo collections of these seeds. “It’s a real problem that children in the last 10 years have been glued to computers, but now with mobile technology we can get them outside their houses. Photo quests, augmented reality in the garden, are just two examples of how we’re trying to find the links between the earth, magic and technology,” Suleman says.

Technology can also help children find their passions, and guide them through life. Aveek, the son of Bangalore-based media expert Arun Katiyar (56), found his passion through technology. Lego blocks helped Aveek, now 23, develop an interest in mechanical engineering.

Katiyar says Aveek, now studying industrial design at the National University of Singapore, was a fan of Legos since he was 6. When Aveek turned 15, he was gifted Lego Technic, a programmable Lego set. Katiyar says, “The Technic was exceedingly advanced for its time. You take a programmable microchip, and connect it to a computer. You can then program commands in the remote to control the chip. Then you remove the chip, and put it in your Lego creation that is a lot more advanced than the coloured bricks most will be familiar with, as a Technic set includes moving parts, pistons, engines and much more.”

The Technic is not available any more, but Lego now sells the more advanced Mindstorm. Legos are particularly useful as learning tools because of how versatile they are. Children can fit the pieces together to make almost anything they can imagine. By fitting joints and gears, they can create a small machine, entirely by themselves.

Rajesh S. (full name not given on request), runs an environmental NGO in Bangalore, and has worked in the US with several leading IT firms. His two sons, Parthiv, 14, and Tarang, 11, have picked up their parents’ interest in technology and gone with it in different ways. Parthiv learnt about film-making thanks to a discarded video camera, Tarang experiments with circuits around the house, and knows his way around capacitors and resistors.

Rajesh says, “When my elder son was 8, I had an old video camera that no one was using any more. Instead of throwing it away, I gave it to my son. It was an expensive gift, but it didn’t matter even if he broke it.”

Parthiv became fascinated by the camera, and would find new ways to keep using it. Rajesh says Parthiv would write short poems and then make small videos for them. Since he didn’t have a track or a dolly, he mounted the camera on an old toy truck and made his younger brother pull it to take panned shots.

“As he experimented with it, we also encouraged him. He was quickly teaching himself how to make the best use of it. Using their computers, the boys learnt to edit their footage, and put it up themselves as well. Parthiv is interested in the media, and is determined to either direct, or write, or act, undoubtedly because he had access to the right technology in his childhood.”

Tarang used the Internet and a lot of trial and error to find his way around a circuit board—a skill many adults lack. Rajesh says, “I don’t know what got him started. He’s fascinated by circuits, always experimenting and we are happy to buy circuits and capacitors too.”

At the same time, as an environmentalist, Rajesh also wants the boys to experience the outdoors. “My role has actually not been to support them but to discourage them. I want them to spend more time outdoors, and find more interests. Play sports and explore the world as well as their hobbies,” he says.

The points of debate

Expert opinion on the use of technology is divided. Chennai-based child psychologist Lakshmi Rajaram says parents need to monitor how their children are using technology and moderate the amount of time they spend with it. “While it can look harmless, these Internet-connected devices can be a gateway to pornography, violence and all kinds of disturbing and harmful content,” she says.

Sunil Abraham, executive director of the Centre for Internet and Society, Bangalore, also feels that it’s important that younger children at least be given limited access to technology. He says children have to learn fine motor and social skills; tablets and other technology hinder the development of these skills. “For young children, this is counter-productive—if your two-year-old can scroll and zoom on an iPad, that’s nothing to be proud of. You’re underestimating your child, who should be capable of much greater dexterity. New technology is too simple, and doesn’t give the child enough feedback to develop their skills.”

Ramya Somashekhar and her husband, both doctors, live in the UK, but grew up in India. They have a two-year-old son, whom they have kept away from new technology. Somashekhar says, “There’s an information overload in the world today. We want our son to grow up at his own pace, and let him stay a kid for as long as we can. Just because he thinks an iPad is pretty doesn’t mean we want our two-year-old playing with something that expensive. He thinks that a teddy bear and a singing toy truck are equally fascinating. A gadget doesn’t begin to compare to the real world, and we want to keep it that way, so he grows up the way we did.”

At Podar International School in Mumbai, though, students have started using iPads, and Vandana Lulla, director of the school, says only around 10% of the parents have not opted for it. While the school is not providing the iPads, they are offering a financing scheme for them.

She says, “Moving to iPads was a natural step because they are easier for students to use than laptops. We had observed how tech-savvy and comfortable they were, and had gone through studies that show the use of computers makes the learning of science more effective. We can also block access to games on the iPads, so the devices would allow students to work more effectively.”

Mumbai-based writer and freelance journalist Manisha Lakhe almost bought an iPad last year, but her then 13-year-old son Agni Murthy was able to talk her out of it. She says, "Agni told me to buy the Acer Iconia instead, because it was better. I was sure I needed a 3G tablet. He convinced me to get the Wi-Fi one, then sat with it, entered its programming and was able to change it so that it worked using my old 3G dongle, saving me a lot of money."

By looking up a lot of different methods, Agni was able to find the best way to change the installed operating system on the Iconia, and instead run a routed version which would support the function his mother needed, without buying the more expensive 3G model. He says, “I use my laptop to study, to work with my friends on chat, to do homework and Photoshop. I used to draw but now I do a lot of that on Photoshop. I look up a lot of tech stories on the Net, because that’s really interesting. I read about how to make the Iconia work on 3G so I could give my mother advice.”

This positive view is also supported by a study carried out by the US department of education. The 2010 study, Young Children, Apps and iPad, concluded that touch-screen technology allows younger children to play productively with a sophisticated media technology platform. The study found that “the use of touch-screen devices improved tacit and explicit learning, and was easy to pick up for children.”

It continues, “Children are fascinated and engaged by touch-screen devices, and the engagement goes up over time. Using such devices, children learn ‘motor skills, exploration, game concepts and generalization of skills’, where the learning from one app can transfer to another app.” The study also says, “Well-designed apps give children the opportunity to play/learn independently, and to participate in activities that would be messy in the real world, for example, finger painting.”

As Gauri says, “You can do everything with the iPad. You don’t need to carry anything else. I have books, cartoons, and games and we can take them in the car, or outside, or in any room, all the time.”

CHILD-FRIENDLY APPS

The App Store has a lot of child-friendly apps available—some are meant to entertain, while others have an educational component. We hand-picked five of the best apps that have launched this year, for different age groups. We have focused only on iOS apps that offer something over and above real-world analogues.

ALPHATOTS: $0.99(around Rs. 48)

Learning the alphabet is a slow process that involves a lot of repetition and trial and error. The AlphaTots app uses funny sounds and cute animations to make this more fun, and also demonstrates things that a

standard “A is for Apple” style book can’t. For example, F is for Flower is accompanied by a picture of a flower, and turning the page shows G is for Grow, and the flower gets bigger.

GRIMM’S RAPUNZEL POP-UP BOOK: $3.99
This version of Rapunzel’s story is simple, beautifully animated, and from time to time, the angle changes from a 2D view to a 3D angle, where parts of the book pop out of the page and can be played with.

SPARKY THE SHARK: $3.99

This funny e-book is meant

for children above six years of age, and tries to impart lessons of self-confidence, and the importance of being yourself through the adventures of ‘Sparky the Shark’. There’s clever animation work mixed with text and read-aloud sections as well.
FREDDI FISH AND THE STOLEN SHELL: $2.99
Somewhere between a game and an interactive book, ‘Freddi Fish and the Stolen Shell’ tasks children with solving a mystery. There are various touchable elements on each screen and by following the clues, it’s easy to go through the story. Unlike similar games, the app follows consistent logic, so it’s a fun way of teaching children critical thinking.

For more details visit https://cis-india.org/news/grooming-the-geek

Govt working to set up financial CERT to tackle cyber threats

Admin — 2017-11-25T02:28:18Z

IT secretary Ajay Prakash Sawhney says the government is getting the framework in place for financial CERT, which will be followed by other sectoral CERTs later.

The article by Komal Gupta was published in Livemint on November 16, 2017

The government is working to set up a financial Computer Emergency Response Team (CERT) to tackle a rise in cyber threats to India’s financial institutions.

This will be the first sectoral CERT to be introduced in India, said IT secretary Ajay Prakash Sawhney on Wednesday.

“Right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors, said Sawhney, responding to a question on the progress of setting up of sectoral CERTs in the country. “It will oversee the entire financial sector including banks and financial institutions,” he added.

He was addressing the Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in the capital on Wednesday.

In March, the power ministry had announced setting up of four sectoral CERTs for cyber security in power systems—CERT (Transmission), CERT (Thermal), CERT (Hydro) and CERT (Distribution).

According to Sawhney, as of now, there is a national CERT and no other sectoral CERTs. While addressing the conference, he said one of the themes to be discussed will be “How sectoral CERTs can function in conjunction with the national CERT.”

CERT-In is the national nodal agency under the ministry of electronics and IT (MeitY), which deals with cyber security threats such as hacking and phishing. The agency is tasked with the collection, analysis and dissemination of information on cyber incidents and even taking emergency measures for handling cyber security incidents.

“The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack; normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank

“From April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries,” said cyber security chief Gulshan Rai, who was also present at the event.

A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June 2017, PTI reported in August.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats

Govt websites to get new addresses

praskrishna — 2012-06-11T03:27:19Z

The government today said by December all its websites would switch over to IPv6 — the next generation Web standard that enables the creation of trillions of new Internet addresses and provides higher levels of security.

Click to read the original published by the Telegraph on June 7, 2012. Nishant Shah is quoted.

Internet protocol version 6 (IPv6) went live across the globe today, with leading online giants, including Google, Facebook, Yahoo! and Microsoft (Bing), introducing the new standard on their products and services.

Experts said Internet users would not feel any impact because of the shift.

At present, websites run on IPv4, a 27 year-old standard that allows just over four billion unique IP addresses, which are the sequence of numbers used to identify a device.

Each Internet-enabled device — computer, tablet or smartphone — needs its own IP address to connect to the Internet. However, because of the shortage of addresses, many devices have to share them, limiting the ability of the security agencies to track the exact device involved in a security breach.

Networking giant Cisco has predicted that 18.9 billion devices will be online by 2016.

Switching to IPv6 will ensure a unique IP address for each device.

“IPv6 is designed to handle security issues better... All government websites will be IPv6-compatible by December. For the country as a whole, the road map for transitioning to IPv6 is by 2020,” telecom secretary R. Chandrashekhar said.

Internet traffic that moves over to the new protocol is encrypted. Systems in IPv6 ensure that the traffic gets to the correct destination without being intercepted, analysts said.

To ensure a smooth transition and avert an abrupt disruption, both systems (IPv4 and IPv6) will work simultaneously for the next few years.

“The future of our connected networks is IPv6. Not only is it more efficient and faster than IPv4, which we are currently working with, it is also more reliable and secure,” said Nishant Shah, director (research) at the Bangalore-based Centre for Internet and Society.

India has 35 million IPv4 addresses against a data user base of about 360 million.

In addition, with the government targeting 160 million and 600 million broadband customers by the year 2017 and 2020, respectively, the need to move to IPv6 becomes more crucial. Moreover, there is a strong security requirement to provide unique IP address to each individual user.

The IT department has taken various steps, including organising workshops, to encourage state governments to hold pilot projects.

Twenty-seven government websites have been brought under IPv6 platform.

For more details visit https://cis-india.org/news/govt-websites-to-get-new-addresses

Govt websites face major outage; hacking ruled out

Admin — 2018-04-07T16:17:55Z

Defence Minister orders probe.

The article was published in the Hindu Businessline on April 6, 2018. Sunil Abraham was quoted.

In a sudden outage on Friday, a few key government websites went down, sending officials into a tizzy as rumours of a widespread hacking of portals created panic across the corridors of power.

The Ministry of Defence website was the first to go down, with Chinese characters being displayed on the portal’s homepage. Thereafter, one after another, the websites of the Ministries of Home Ministry, Law and Labour and of Central Bureau of Investigation (CBI) went down.

All the sites were restored by late evening. Late in the day, the National Informatics Centre confirmed that the sites were not hacked. “The site showed what appeared to be a Chinese character and it was understandable that the site was perceived to be hacked . However, it has since been identified that the sites have not been hacked,” an NIC release said.

‘Technical snag’

While the IT Ministry tried to downplay the issue and said that the websites had not been hacked, and that it was a “technical snag”, Defence Minister Nirmala Sitharaman said she had ordered a probe into the matter, hinting that it may have been a case of hacking.

“Action is initiated after the hacking of MoD website (http://mod.nic.in). The website shall be restored shortly. Needless to say, every possible step required to prevent any such eventuality in the future will be taken,” Sitharaman said in a tweet.

This is not first time that Indian government websites faced an outage. The government had informed the Lok Sabha earlier this year that over 700 websites linked to the Central and State governments were hacked in the past four years. In February last year, the website of the Ministry of Home Affairs was hacked.

“Compromising a government website is a low-value attack, but results in a big win for the attackers in the battle over perception,” Sunil Abraham, Executive Director, Centre for Internet and Society told BusinessLine. “This usually happens because the server administrator has not configured the software stack properly or is not installing all the security updates in a timely fashion.”

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-april-6-2018-govt-websites-face-major-outage-hacking-ruled-out

Govt warns Facebook of stringent legal action if found misusing data

Admin — 2018-03-25T03:14:28Z

IT minister Ravi Shankar Prasad says that under the IT Act, Facebook’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The article by Komal Gupta was published by Livemint on March 21, 2018.

The government on Wednesday warned Facebook of stringent legal action if it is found misusing data, with law and information technology (IT) minister Ravi Shankar Prasad saying that under the IT Act, the social media giant’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The warning came after the ruling Bharatiya Janata Party (BJP) alleged that the Congress party was associated with London-based analytics firm Cambridge Analytica, which is at the centre of a global storm on the alleged misuse of data from 50 million Facebook users.

Prasad said the Congress indulged in “theft of online data” to help with its election campaigns, a charge that the opposition party denied.

“Will the Congress party depend on data manipulation and theft to woo voters? What is Cambridge Analytica’s role in (Congress president) Rahul Gandhi’s social media profile,” Prasad, who is also a senior BJP spokesperson, said in an interaction with reporters.

“Indian National Congress or the Congress president have never used and never hired the services of the company called Cambridge Analytica mentioned by the Union law minister. This is a fake agenda, a white lie being dished out on fake facts by the law minister unfortunately, and this has become a daily order,” Randeep Surjewala, the Congress party’s chief spokesperson, said.

Cambridge Analytica’s chief executive Alexander Nix—who was suspended on Tuesday—was secretly recorded in a Channel 4 sting claiming that the company ran Donald Trump’s campaign during the 2016 US presidential election. The firm is accused of harvesting private data from millions of Facebook profiles to influence and identify voter behaviour.

As of January, there were around 250 million Facebook users in India.

According to security experts, the incident yet again highlights the need for a stronger data protection law in the country.

“It has been almost six years since the report of the Justice AP Shah group of experts on privacy, but India still doesn’t have a data protection law. We urgently need a law that enshrines privacy by design — that would prevent entities like Truecaller from gaining access to third parties’ data without their consent, and entities like Facebook from providing it— as well as a liability regime that would enable an Indian data protection authority to hold accountable those who violate the law,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-21-2018-govt-warns-facebook-of-stringent-legal-action-if-found-misusing-data