We are anonymous, we are legion

Cybersecurity: The Intersection of Policy and Technology

Admin — 2018-03-25T03:24:23Z

Sunil Abraham and Aayush Rathi attended a round-table on 'Cybersecurity: The Intersection of Policy and Technology'. The event was organised by Synergia Foundation, Bengaluru.

The speakers for the round-table were Deborah Housen-Couriel, Professor at the Kennedy School of Government, Gaurav Gupta - Principal Secretary for IT, BT, and S&T, Government of Karnataka, and Dana Kursh, Consul General of Israel to South India.

The discussion at the round-table centred around developing approaches aimed at resolving the 'grand challenge' of cyber security. The role of deeper collaborations between various stakeholders such as academia, corporate enterprises, law enforcement and the government in arriving at cogent solutions was emphasised upon. For more on the discussion at the round-table, a press note can be found here.

For more details visit https://cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing

Admin — 2018-03-25T03:21:24Z

Amber Sinha participated as a panelist in the discussion on adapting privacy to new technologies organised by the USIBC on March 6, 2018 in New Delhi.

The way consumers interact with technology is quickly evolving, and there are distinct implications for privacy as these new applications and products become embedded in our daily lives. Many new technologies eliminate the need for consumers to interface with a screen, relying on sensor data, verbal interactions, or innate human communications – a grin or hand gesture. As technology evolves, so must the privacy protections.

Moderator: Ashutosh Chadha, Group Director, government Affairs & Public policy, Microsoft India

Panelists:

Shaundra Watson, Director, Policy, BSA | The Software Alliance
Betsy Broder, Counsel for International Consumer Protection, U.S. FTC
Amber Sinha, Senior Programme Manager, Centre for Internet and Society (CIS)
Riccardo Masucci, Global Director of Privacy Policy, Intel
Srinivas Poosarla, Vice President & Head (Global), Privacy & Data Protection, Infosys Limited

For more details visit https://cis-india.org/internet-governance/news/siri-did-you-hear-me-adapting-privacy-to-new-technologies-automated-decision-making-and-cloud-computing

Govt warns Facebook of stringent legal action if found misusing data

Admin — 2018-03-25T03:14:28Z

IT minister Ravi Shankar Prasad says that under the IT Act, Facebook’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The article by Komal Gupta was published by Livemint on March 21, 2018.

The government on Wednesday warned Facebook of stringent legal action if it is found misusing data, with law and information technology (IT) minister Ravi Shankar Prasad saying that under the IT Act, the social media giant’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The warning came after the ruling Bharatiya Janata Party (BJP) alleged that the Congress party was associated with London-based analytics firm Cambridge Analytica, which is at the centre of a global storm on the alleged misuse of data from 50 million Facebook users.

Prasad said the Congress indulged in “theft of online data” to help with its election campaigns, a charge that the opposition party denied.

“Will the Congress party depend on data manipulation and theft to woo voters? What is Cambridge Analytica’s role in (Congress president) Rahul Gandhi’s social media profile,” Prasad, who is also a senior BJP spokesperson, said in an interaction with reporters.

“Indian National Congress or the Congress president have never used and never hired the services of the company called Cambridge Analytica mentioned by the Union law minister. This is a fake agenda, a white lie being dished out on fake facts by the law minister unfortunately, and this has become a daily order,” Randeep Surjewala, the Congress party’s chief spokesperson, said.

Cambridge Analytica’s chief executive Alexander Nix—who was suspended on Tuesday—was secretly recorded in a Channel 4 sting claiming that the company ran Donald Trump’s campaign during the 2016 US presidential election. The firm is accused of harvesting private data from millions of Facebook profiles to influence and identify voter behaviour.

As of January, there were around 250 million Facebook users in India.

According to security experts, the incident yet again highlights the need for a stronger data protection law in the country.

“It has been almost six years since the report of the Justice AP Shah group of experts on privacy, but India still doesn’t have a data protection law. We urgently need a law that enshrines privacy by design — that would prevent entities like Truecaller from gaining access to third parties’ data without their consent, and entities like Facebook from providing it— as well as a liability regime that would enable an Indian data protection authority to hold accountable those who violate the law,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-21-2018-govt-warns-facebook-of-stringent-legal-action-if-found-misusing-data

Without stringent law, threats to Mark Zuckerberg are hollow: Experts

Admin — 2018-03-25T02:24:12Z

IT Minister Ravi Shankar Prasad on Wednesday warned Facebook and other social networks of tough action, if they attempted to influence the Indian elections.

The article by Alnoor Peermohamed and Karan Choudhury was published in the Business Standard on March 23, 2018.

The best way of keeping a check on the manipulation of elections through campaigns on Facebook is by introducing a strong data protection policy, said experts. After the Cambridge Analytica row, all eyes are on the use of such tools during the upcoming general election in India.

Union Law and Information Technology (IT) Minister Ravi Shankar Prasad on Wednesday warned Facebook and other social networks of tough action, if they attempted to influence the Indian elections. However, experts said these threats are hollow because the current law protecting user data lacks teeth.

“Without a strong data protection law, we wouldn't quite be able to take any action as what has happened is not a breach. While Section 43A of the IT Act talks about lack of consent from the users, it does not spell out any consequence for violating the same,” said Pranesh Prakash, policy director at think tank The Centre for Internet and Society (CIS). “Essentially, it's a toothless tiger.”

Having a data protection law might not directly stop firms from buying data from third-party developers and then deploying it for targeted users, but it is a great pre-emptive measure to stop unnecessary data collection. If users are asked to give consent for their data, it would vastly reduce the risk.

“The government's statement would be well supported, if it would be bringing a law, listening to key voices of experts and civil society. Even though the Justice Srikrishna Committee is currently examining and is expected to come out with a draft law, the timeline, transparency and willingness to safeguard user rights need to be better demonstrated,” said Apar Gupta, an independent lawyer.

Other experts have voiced their concerns over allowing tech giants to take sensitive user data out of the country. Once the data is out of India's jurisdiction, there is no way to ensure these companies are following the laws mandated by the government.

“Facebook is not an Indian company. We do not know how far it is complying with India’s IT Act. We should not be compromising on security and allow tech firms to play in the market without complying with the laws,” says Pavan Duggal, cyber law expert and Supreme Court advocate.

While both the Congress and the BJP have accused each other of working with Cambridge Analytica and denied their own affiliation with the company, the UK-based firm was already functioning in India through its partner Ovleno Business Intelligence (OBI). The OBI website, which has now been taken down, had listed the BJP, the Congress and Janata Dal (United) as its clients.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-and-karan-choudhury-without-stringent-law-threats-to-mark-zuckerberg-are-hollow-experts

‘If an Indian party acted like Cambridge Analytica, it will not be guilty under current laws’

Admin — 2018-03-25T02:01:18Z

Sunil Abraham, Executive Director of Centre for Internet and Society, says Indians are vulnerable in the absence of a data protection law.

The blog post by Amit Bhardwaj was published by Newslaundry on March 24, 2018.

What exactly is the nature of the Facebook data breach? What went wrong?

Technically, this is not a data breach. There is an internet standard called O-auth (open-authorisation). Through it, different applications on the internet that don’t want to build their own authorisation infrastructure can use the authorisation infrastructure provided by internet giants such as Facebook, Google, Twitter, etc. There was a personality quiz application, which used the Facebook O-auth service. In this protocol, the authorisation server can also give some data to the application which is using its services.

Does that mean that when we ‘sign up with Facebook’, we also authorise such transfer of data?

What you are doing is that you are a user of the application (personality application). Once you try to use the service, it will give you a choice - whether you want to authenticate yourself using Facebook, Twitter etc. So basically you are authorising a third-party application to use your data. Previously, Facebook’s authorisation service allowed the third-party application to harvest data on your profile as well as that on your friends’ list. Facebook is designed to allow this kind of data harvesting.

How is the data harvesting being done by the third-party application dangerous for users of Facebook?

It is you who has given consent for data harvesting, and not your friends. But the application was abusing the consent given by you to harvest the data of people who have not given consent. Facebook had, however, discontinued this API in 2014 as mentioned by Mark Zuckerberg in his statement.

How can Cambridge Analytica (CA) - the British data consultant which also provides services to political parties - influence the choice of these Facebook users?

The CA has experts that focus on psychological manipulation. Thus, the more personal information they have about you, the more they can do what is called “micro-targeting of advertisements”. Suppose they know you are an undecided Republican (now governing party in the US) voter, so they can target you with information and propaganda - including misinformation - in order to push you over the fence. For example, it could discourage an African-American voter, who is going to vote for the Democrats, from going out to vote that day by showing him depressing content. They can also encourage a Republican voter to go out and vote by scaring them that if they don’t vote, the Democrats will win.

How do you take Zuckerberg’s statement? Can it even be considered a valid apology?

Whether he has apologised or not is irrelevant to our situation. What we Indians need is a regulatory response. For the past eight years, my centre has been working towards getting a data protection law. As the situation stands today, what Cambridge Analytica did in the US can be repeated in India. And that won’t be illegal under the present set of laws in India.

Union IT minister Ravi Shankar Prasad said Indian laws are stringent and they can also summon Mr Zuckerberg. How strong is the law that Mr Prasad could be referring to?

Section 43 of the Information Technology Act has been commonly misunderstood as the data protection law. In reality, it only has data security provisions, i.e. under Indian law if you lose property or money as the result of a breach of your personal information, you can approach the court. While in case of data harvesting it amounts to infringement of the right to privacy.

Ever since this scandal surfaced, both the BJP and Congress have been distancing themselves from the CA and are also accusing each other of using the CA or its Indian wing’s services. Why are these accusations making these political parties so nervous?

Unfortunately, I am only a policy researcher and I don’t follow a political party. It is better to ask a political analyst that kind of question.

Hypothetically, even if these parties – the BJP and the Congress - have used the CA’s service, have they been on the wrong side by doing so?

As I said previously, there is no law in our country. Suppose a political party did exactly what Cambridge Analytica did, it will still not be guilty under any law in India.

A commoner’s argument could be - even if my personal data is with these companies, how is it going to affect my voting choice?

What has been clear from the CA episode is that personal data can be used to manipulate you. They can make you depressed, they can make you feel suicidal, they can make you buy products that you don’t want, they can even make you vote for parties you don’t like. The most important aspect of the story is that it is undermining free will.

Since the 2014 general elections, India has been witnessing the rise of troll culture where dissenting voices are crushed. A narrative is being created in favour of one party or against any party standing against this party. Do you think services of such agencies could have been used to do so?

No, trolling is a separate thing, while manipulation is more subtle. Unlike manipulation, where you are unaware of the influences, in trolling you know when you are being targeted. The trolls are trying to silence and intimidate you – that is not done through the use of personal information.

There were media reports which said that 70 per cent of the applications used in India do not explicitly take user consent at the time of installation. Also, many of these apps do not even delete the personal information of users once they have been uninstalled from mobile phones. How dangerous is this situation?

It is not just that these applications don’t take your consent, or that they retain data after you’ve stopped using their services, what is scarier is that many of these applications take extensive permissions on your phone. For example, the torch application sometimes asks for permission to read your messages. What they can do using this is harvest your one-time passwords (OTPs) from your SMS folder in order to conduct fraudulent financial transactions.

They can also collect your personal photographs, and maybe later that can be used to blackmail you. A lot of horrible things can happen because we have, what is called, a regulatory battle.

According to media reports, the CA’s Indian subsidiary - Ovleno Business Intelligence, whose Indian operations are headed by the son of JDU leader KC Tyagi - was hired for elections in India - Bihar polls in 2010 and 2015, and in state polls. Could it be possible that data harvested by this company was used to influence voters?

Again, I don’t know the specifics connected to the behaviour of Cambridge Analytica and its subsidiary in India. I don’t think anybody has done any research on this question.

There is already the conundrum over Aadhaar in India and pressure to link it with our bank accounts and phone numbers. Do you think the Facebook data breach or data harvesting will press the question of privacy here?

It's a very different type of privacy concern. With Aadhaar, the primary concern is of biometrics and the storage of biometrics in a centralised database. Here, it’s a concern of unauthorised third-party applications being able to harvest our personal data. Though different, they are two excellent case studies for us to test the effectiveness of our draft Data Protection Bill, which will come out in April or May.

The Facebook CEO didn’t mention that Facebook will stop collecting our data. Do you feel Facebook too is on the wrong side when speaking of attempts to harvest personal data?

You cannot accuse Facebook of doing wrong. Being wrong or right is an ethical question and subjective. For instance, I might think that Facebook is doing something wrong, however, Facebook, which is trying to maximise its shareholding value, might think it is doing right.

Also, at the end, it’s all about the legal framework. In US jurisdiction, what Facebook did is completely legal. Under the European data protection law, what they did is illegal.

(Transcribed by Newslaundry interns Priyali Dhingra and Maitri Dwivedi.)

For more details visit https://cis-india.org/internet-governance/news/newslaundry-march-24-2018-amit-bhardwaj-facebook-data-breach-cambridge-analytica-privacy-law-sunil-abraham

Is Facebook too powerful without legal safeguards?

Admin — 2018-03-25T01:38:57Z

The absence of a data protection law and a competition watchdog to oversee Internet companies are key shortcomings, according to some experts.

The article by Vidhi Choudhary was published in Hindustan Times on March 24, 2018

It’s time India moves to put in place legal safeguards to contain the potential harm that Internet giants like Facebook Inc. can cause, experts say, amid a raging scandal over access gained by political marketing firm Cambridge Analytica to user data on the social media network. India is a key market for Facebook with 217 million people using the platform every month.

Concerns centre around protection of user privacy and freedom of speech, harassment by Internet trolls, spread of misinformation and fake news, said Apar Gupta, a Delhi-based lawyer who is part of Save The Internet , a group of individuals and non-government organisations fighting to preserve net neutrality. It’s time to take stock of the concerns and the sufficiency of India’s legal framework to address them, Gupta said.

“Companies like Facebook have grown too big and too powerful without adequate legal safeguards,” he said.

On Thursday, Facebook founder and CEO Mark Zuckerberg pledged to stop the misuse of user data on its site to manipulate voters in India,Brazil and the US. The social media network is under scrutiny after a whistleblower alleged that London-based Cambridge Analytica accessed user data to prepare voter profiles that helped Donald Trump win the US presidential election in 2016.

Information technology and law minister Ravi Shankar Prasad on Wednesday warned social media platforms such as Facebook of “stringent action” in case of any attempt to sway the country’s electoral process. The government is considering a new regulatory framework for online content, including on social media and websites, Union minister for information and broadcasting Smriti Irani said on 17 March at the News18 Rising India Summit , conceding that the law is not clear about online news and broadcast content.

“We remain strongly committed to protecting people’s information. We have announced that we are planning to introduce improvements to our settings and give people more prominent controls ,” an India-based Facebook spokesperson said in response to an emailed query from Hindustan Times .” We have a lot of work to do to regain people’s trust and are working hard to tackle past abuse, prevent future abuse and will continue to engage with the Election Commission of India and relevant stakeholders to answer any questions they may have.”

The absence of a data protection law and a competition watchdog to oversee Internet companies are key shortcomings, said Sunil Abraham, founder of the think tank Centre for Internet and Society.

“Evil is a function of power. As internet giants get bigger and bigger, they’ll become more and more evil. In fact, in jurisdictions like India, where we don’t have a data protection law and a sufficiently agile competition commission to take on these Internet giants, they can do whatever they want to..,” said Abraham.

Internet networks have helped undermine the business model for real news and replace it with a vibrant fake news model, in the process cornering the lion’s share of the digital advertising revenue, said Abraham . Facebook and Google dominate the Rs 9,490 crore digital advertising market in India.

“Since they don’t see themselves as a media company, their primary objective is to maximize the amount of time their users spend on the platform,” he said, adding that social media networks aren’t concerned whether the content they present is the truth or lies

“It would be laziness on our part to just blame Facebook and then feel morally superior. We have to regulate them using competition law and a data protection law so that they behave themselves on our jurisdiction,” Abraham said.

The legal framework for Indian social media users is limited. Section 43 (A) of the IT Act operates merely as a data security law applicable only to someone whose privacy has been infringed and can demonstrate that he/she has suffered a financial loss in the process.

“Whatever is known from the Cambridge Analytica episode is that none of the users have lost money or property but democracy has been undermined. So we cannot use the IT Act in India to save our democracy,” he said.

Facebook operates in an opaque manner in the manner in which it regulates content, said Geeta Seshu, consulting editor for media website The Hoot.

“When complaints are launched, they are upheld if they meet Facebook’s so-called community standards. Often users who are dissenting voices against hate or discrimination or misogyny have found themselves blocked. The process to appeal back to Facebook is very arbitrary. Users spend months and years being blocked on the platform. Facebook manipulates user data, when it decides to use algorithms to push content or boost certain articles for a certain sum of money,” she added.

In December, Alex Hardiman, head of news products at Facebook, said restoring trust and credibility to news on Facebook is one of the biggest priorities for the company.

“There is a lot that we are doing to make sure that we eradicate any false news or misinformation on Facebook. We’ve found that false news is actually a very small percentage of content. But there were a lot of financial motivations for posting false news,” she said in an interview to Mint when he was in Delhi to attend the Hindustan Times Leadership Summit. “So, one of the first things we have done is remove any financial incentives. We have also done a lot to make sure we can quickly identify and remove fake accounts. Also, we have been doing a lot to better understand clickbait content and train classifiers to identify and downlink it.We have also started third-party fact-checking. We have partnered with third-party organizations in the US, France, Germany and a few other countries,” said Hardiman.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-march-24-2018-vidhi-choudhary-is-facebook-too-powerful-without-legal-safeguards

‘If an Indian party acted like Cambridge Analytica, it will not be guilty under current laws’

Admin — 2018-04-05T16:24:18Z

Sunil Abraham, Executive Director of Centre for Internet and Society, says Indians are vulnerable in the absence of a data protection law.

The interview was published by Newslaundry on March 24, 2018.

What exactly is the nature of the Facebook data breach? What went wrong?

Does that mean that when we ‘sign up with Facebook’, we also authorise such transfer of data?

Previously, Facebook’s authorisation service allowed the third-party application to harvest data on your profile as well as that on your friends’ list. Facebook is designed to allow this kind of data harvesting.

How is the data harvesting being done by the third-party application dangerous for users of Facebook?

How can Cambridge Analytica (CA) - the British data consultant which also provides services to political parties - influence the choice of these Facebook users?

How do you take Zuckerberg’s statement? Can it even be considered a valid apology?

Union IT minister Ravi Shankar Prasad said Indian laws are stringent and they can also summon Mr Zuckerberg. How strong is the law that Mr Prasad could be referring to?

Unfortunately, I am only a policy researcher and I don’t follow a political party. It is better to ask a political analyst that kind of question.

Hypothetically, even if these parties – the BJP and the Congress - have used the CA’s service, have they been on the wrong side by doing so?

As I said previously, there is no law in our country. Suppose a political party did exactly what Cambridge Analytica did, it will still not be guilty under any law in India.

A commoner’s argument could be - even if my personal data is with these companies, how is it going to affect my voting choice?

They can also collect your personal photographs, and maybe later that can be used to blackmail you. A lot of horrible things can happen because we have, what is called, a regulatory battle.

Again, I don’t know the specifics connected to the behaviour of Cambridge Analytica and its subsidiary in India. I don’t think anybody has done any research on this question.

The Facebook CEO didn’t mention that Facebook will stop collecting our data. Do you feel Facebook too is on the wrong side when speaking of attempts to harvest personal data?

Also, at the end, it’s all about the legal framework. In US jurisdiction, what Facebook did is completely legal. Under the European data protection law, what they did is illegal.

(Transcribed by Newslaundry interns Priyali Dhingra and Maitri Dwivedi.)

For more details visit https://cis-india.org/internet-governance/news/newslaundry-amit-bhardwaj-march-24-2018-facebook-data-breach-cambridge-analytica-privacy-law-sunil-abraham

India Trilateral Forum

Admin — 2018-04-10T15:09:21Z

Sunil Abraham was a panelist in the session "The Promise and Peril of Technology" at the 14th edition of India Trilateral Forum organized by the German Marshall Fund of the United States, Observer Research Foundation and Ministry of Foreign Affairs, Government of Sweden in Goa from March 22 - 23, 2018.

The Promise and Peril of Technology

The emergence of new technologies create possibilities for change, yet also carry risks of the emergence of “soft wars,” privacy issues, ethical challenges, among others. With global military spending on the rise, we may now be on the cusp of a series of new technological innovations that will fundamentally change the way we conduct warfare. The rise of low-cost real-time satellite surveillance has the potential for privacy violation, intrusive controls, and hacking. Many credit the digital revolution with creating new possibilities for democratic engagement, because information technology has made institutions like mass media less hierarchical. There are hidden costs to the digital revolution and the transformative technologies, which needs to be carefully understood. The panel discussed the deeper layers of opportunities and risks associated with transformative technologies on war and peace and discuss whether the U.S., India, and Europe are falling behind China in this crucial area.

For more details visit https://cis-india.org/internet-governance/news/india-trilateral-forum

A Methods Workshop for Researching Future of Work in India

Admin — 2020-03-05T18:59:11Z

Centre for Internet & Society and the Department of Management Studies, Indian Institute of Technology (IIT) Delhi is conducting a workshop in New Delhi on March 28, 2018.

Read the event report in pdf format here.

Industry 4.0 is widely understood as the technical integration of cyber physical systems into production and logistics, and the use of IoTs and services in processes, which are designed to bring about significant changes in business models, downstream services and work organisations.

Labour markets are complex and are impacted by wide variety of contextual factors such as policy, informal sectors, and immigration. Technological adoption is increasingly a key factor impacting labour markets. The impact and effect of technological adoption is also complex.Questions such as whether the technology is augmenting the job, automating the job/parts of the job, digitizing the job/part of the job, and if this is resulting in unemployment or a change and re-shuffling in tasks arise. In a similar vein, as pointed out in a 2017 McKinsey Report on labour markets in India, declining labourparticipation also does not necessarily equate to unemployment and could mean instead more people are staying in education etc. International studies have concluded that jobs in developing countries will be more at risk than those in developed countries because of a larger workforce employed in routine jobs, yetit is unclear if these studies have fully accounted for context and local labour market structures.

With the goal of exploring research questions and methodologies and facilitating the exchange of ideas, prior to commencing research, CIS in collaboration withthe Department of Management at IITD, will organise a roundtable on the 28th of March 2018 from 10am - 4pm at Committee room, 4th floor, Vishwakarma Bhawan,Dept of Management Studies, IIT Delhi . The event will bring experts and relevant stakeholders together to discuss research questions, methodologies, and sources of data necessary for researching the impact of automation on labour markets in developing countries.

Questions

What are the kinds of quantitative and qualitative changes in employment in response to technological adoption that need to be studied? What methods are needed to study these? What data is needed to study these?
What are the policy processes that are most critical for the research to speak to? Will it be focussed on education? Re-skilling? Market control?
Who are the key stakeholders needed to engage with to undertake this research with respect to the quantitative, qualitative, and policy oriented research.

Agenda (Tentative)

10:00 a.m. Welcome and Tea
10:30 a.m. to 11:30 a.m.

Session 1: Exploring Research Questions for the Study of Future of Work

11:30 a.m. to 12:30 p.m.

Session 2: Primary Data and the Future of Work: Challenges and Prospects

12:30 p.m. to 1:30 p.m.Lunch
1:30 p.m. to 2:30 p.m.

Session 3: Research Methodologies for the Future of Work

2:30 p.m. to 3:30 p.m.

Session 4: Identifying Stakeholders for the studying Future of Work

3:30 p.m. to 4:00 p.m. Evening High Tea

For more details visit https://cis-india.org/internet-governance/events/a-methods-workshop-for-researching-future-of-work-in-india

Facebook breach: Privacy advocates in India seek stronger data laws

Admin — 2018-03-20T23:37:04Z

Privacy advocates in India underlined the urgent need for stronger data privacy laws in India with the debate coming under focus after reports alleged that British data analysis firm Cambridge Analytica had tapped into the profiles of more than 50 million Facebook users, without their permission, during the last US elections.

The article by Surabhi Agarwal and Devina Sengupta was published in the Economic Times on March 20, 2018. Pranesh Prakash was quoted.

Advocates of data privacy told ET that even in India — where issues around data privacy have been on the boil — voter opinion may be targeted by using their personal information without their approval. “The government has not moved with necessary pace on data protection,” said advocate Apar Gupta.

“Election commission (EC) has not taken up this issue of data protection for regulatory scrutiny. EC has in the past issued guidelines to protect election integrity and restrained exit polls and also required candidates to disclose social media handles. However, much more needs to be done,” he added.

His concerns around India’s voting process being potentially vulnerable to similar influence like in the US come amid a “case study” on the Cambridge Analytica website said the company had worked for Indian political parties as well.

It said that the British firm was “contracted to undertake an indepth electorate analysis for the Bihar Assembly Election in 2010…Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won”.

Media reports quoted sources at Cambridge Analytica, and its Indian partner, Oveleno Business Intelligence, as saying that the local company was in talks with leading Indian political parties for a pact for their 2019 parliamentary poll campaigns.

“This shows integrity of elections and voter trust may be undermined through data analytics and target voters on the basis of their personal data,” said Gupta Pranesh Prakash, policy director at Center for Internet and Society, said India urgently needs a strong data protection regulation, that require companies to have oversight and pin liabilities on them if they fail to have oversight over data they transact with.

“So, in this case for instance, the companies that provided Cambridge Analytica DATA are seriously culpable and Facebook --right now it is unclear if under any current law it is culpable --there are some discussions in the US etc. Regardless of it, they should be required to exercise greater diligence when it comes to personable data that they have taken consent for,” said Prakash.

“Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. If these reports are true, it's a serious abuse of our rules.

All parties involved — including the SCL Group/Cambridge Analytica, Christopher Wylie and Aleksandr Kogan — certified to us that they destroyed the data in question. In light of new reports that the data was not destroyed, we are suspending these three parties from Facebook, pending further information. We will take whatever steps are required to see that the data in question is deleted once and for all —and take action against all offending parties.”

In a statement to ET, Facebook said there was no breach of its data base and that protecting people’s information was core to the company. “Like all app developers, Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” Paul Grewal, VP & Deputy General Counsel, Facebook said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-20-2018-surabhi-agarwal-devina-sengupta-facebook-breach-privacy-advocates-in-india-seek-stronger-data-laws

Supreme Court extends Aadhaar linking deadline till it passes verdict

Admin — 2018-03-17T15:02:10Z

The Supreme Court, however, allowed the government to seek Aadhaar numbers to transfer benefits of government schemes funded from the consolidated fund of India.

The article by Priyanka Mittal and Komal Gupta was published in Livemint on March 13, 2018. Pranesh Prakash was quoted.

The Supreme Court (SC) on Tuesday extended the deadline for linking of Aadhaar with mobile services, opening of new bank accounts and other services until it passes its verdict on a pending challenge to the constitutional validity of such linkages.

The court also noted that Aadhaar could not be made mandatory for issuance of a Tatkal passport, for now.

The extension would be applicable to the schemes of ministries/departments of the Union government as well as those of state governments, the court ruled in an interim order.

It was however, clarified that the extension would not be applicable for availing services, subsidies and benefits under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

A Constitution bench comprising Chief Justice Dipak Misra and justices D.Y. Chandrachud, A.K. Sikri, A.M. Khanwilkar and Ashok Bhushan is hearing a challenge to the constitutional basis of the 12-digit unique identification project, which is now likely to conclude after 31 March, the earlier deadline for Aadhaar linking.

“Even where Aadhaar hasn’t been mandated by the government, and even though the Supreme Court has extended the deadline for some mandatory linkages, if the software systems used by various governmental and private entities don’t make ‘Aadhaar number’ and authentication optional, then the SC’s orders gets nullified, effectively,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society (CIS).

Similar concerns over the extent of Tuesday’s interim protection were also expressed by the Software Freedom Law Centre (SFLC), an organization working to protect freedom in the digital world. “While the extension is certainly welcome, it is also important to note that there is currently some uncertainty about this extension and how it applies to linkages made mandatory under Section 7 of the Aadhaar Act. If the latest order does indeed exclude Aadhaar linkages mandated under Section 7, a large number of central and state government schemes (such as PDS, LPG, MNREGA and many more) would still need to be linked to Aadhaar by the end of the month, significantly diminishing the relief brought by today’s order, ” said the organization.

“The deadline for Aadhaar holders to link their PAN cards for taxation purposes will also be extended until disposal of the case as this linkage was mandated by Section 139AA of the Income Tax Act, 2000 and not Section 7 of the Aadhaar Act,” SFLC added.

Last week, attorney general K.K. Venugopal had told the apex court that the centre would consider extending the linking deadline since arguments in the case were likely to proceed beyond the earlier deadline of 31 March.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-komal-gupta-march-13-2018-supreme-court-extends-aadhaar-linking-deadline-till-it-passes-verdict

New Lock For EU’s Digital Mines

Admin — 2018-03-17T13:10:52Z

Indian companies dealing with European data wait anxiously as the EU pushes in new security rules

The article by Arindam Mukherjee was published in the Outlook in March 26, 2018 issue. Elonnai Hickok was quoted.

Pretty soon, Indian companies, especially those associated with European companies, will have to walk that extra mile to protect personal data. Come May 25, the European Union (EU) will enact a new set of regulations, called the General Data Protection Regulation (GDPR), which will impose stringent conditions for personal data protection and privacy laws.

What’s more, any violation of or non-compliance with the new regulations will attract the strictest of penalties and fines. On an average, the new regulations call for up to 4 per cent of a company’s global revenue as penalty.

With the already huge and rapidly expanding field of big data play across companies and industries, data protection has come under the limelight and many countries are talking in terms of putting in place stringent rules for personal data protection. The EU will be the first off the block with GDPR, which comes into effect in less than three months. It is expected that following the EU’s example, similar regulations will start coming up in other countries as well.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU and its regulations will cover all EU member states and citizens. Accordingly, all companies operating in the EU and having customers there, or even having work outsourced from the EU which involves its citizens’ personal data, will have to fall in line and comply.

The rules under GDPR will be relevant for businesses collecting, processing, storing, and sharing data of EU data subjects. This would include all businesses located in India providing services directly or indirectly to EU data subjects, as well as Indian companies with a presence in Europe.

This has put a lot of Indian IT and ITES companies in a bind given that few Indian companies are in a position to comply with the new GDPR rules and regulations within the given deadline. GDPR necessitates that adequate steps have to be taken to secure EU data wherever it is stored or processed.

At present, India does not have any data privacy law. However, the government has set up a committee of experts under former Supreme Court Justice B.N. Srikrishna to look into matters related to data protection and privacy in the country. The committee has so far come up with a draft protection bill. But it is unlikely that the committee will be able to come out with its final report before the GDPR deadline of May 25.

Huzefa Goawala, who heads GRC, India & SAARC, RSA, says the impact of GDPR will be heavy on India. “A sizeable chunk of Indian companies operate out of the EU including IT/ITeS, manufacturing, financial services and telecom companies,” he adds. “The GDPR will apply to personally identifiable information and internal facing data and external facing data, and organisations will have to protect data on all these fronts. Unfortunately, very few organisations have taken measures to become GDPR compliant at the ground level and are waiting for others to make a move. Larger, tier 1 organisations are in a consultation mode at the moment and are in a preliminary stage of compliance.”

According to Ernst & Young’s forensic data analytics survey (2018) done among Indian companies, 60 per cent of Indian respondents are still not familiar with the GDPR, while only a little over 23 per cent have heard of it but have done nothing about it. “This puts India in a precarious position, especially because it takes time for a company to prepare for GDPR compliance, which involves identifying where all the data resides and taking measures to safeguard it,” says Mukul Shrivastava, partner, Fraud Investigation and Dispute Services, Ernst & Young. “Many large IT-ITeS companies have secure servers in the EU or on cloud. But a lot of EU data processing is either done in India or is outsourced to India. That data needs to be protected under the GDPR.”

Experts say that under GDPR, a company will have to report any breach of data security within 72 hours. In case it fails to do so, stiff penalties will be imposed. With GDPR, the EU wants to stress on how important personally identifiable information is and see what companies are doing to protect it. It calls for deployment of ground level technologies by companies to ensure data security.

To ensure full compliance under GDPR will be a difficult task. “It is not possible to check 100 per cent compliance,” says Vijayshankar Na, cyber law and international information security expert. “There can be multiple versions of personal data in a process. To tap this data and see where all it is flowing in the system will be the toughest part under GDPR. Companies will have to identify all this in order to protect data.”

To help Indian companies, India’s IT representative body Nasscom has sought a “data secure” status for its companies from the EU. The EU has given a similar status to American companies, which ensures some concessions for them. Indian companies would be entitled to similar concessions under GDPR if they get the data secure status. But a decision on this is yet to come.

“As India has not attained data secure status, the collection, processing, storing, and sharing of EU data subjects by Indian companies will continue to be through ‘binding corporate rules’,” says Elonnai Hickok, chief operating officer, CIS (Centre For Internet and Society), Bangalore. “Though GDPR will affect any company handling EU data, the IT sector in India could potentially be impacted the most given the amount of business that it does and potentially could do with the region. For instance, a Deloitte report has estimated the outsourcing opportunity of the Indian IT industry with Europe at $45 billion.”

Hickok says India’s legal regime around privacy, consisting primarily of section 43A of the IT Act and associated rules, has not been found to be data secure by the EU in past assessments. This means that unless practices are guided by binding corporate rules, the standard of practice in India is lower than required by the previous Data Protection Directive (1995) as well as the GDPR. Some of the potentially challenging requirements in the GDPR will include the requirement for reporting breaches, new standards for consent, ensuring the rights of data subjects including access and correction, portability, erasure and deletion, the right to objection, and, if the need arises, the right to request human intervention in automated decisions.

What could also hit Indian companies is that the cost of GDPR compliance will be high—there will be costs related to human capital, periodic updates, IT infrastructure around the data (both hardware and software) and setting up cyber security and incident response programs.

“Europe is an important market for Indian companies,” says Vinayak Godse, senior director, Data Security Council of India (DSCI). “This heightened threshold of privacy may lead to some top line compromise for Indian IT companies. The compliance burden is also bound to increase. The small and mid-size companies looking at the EU as a market may struggle to comply with the new rules.”

The Indian government is trying to bring some order vis a vis data privacy and the Justice Srikrishna panel is expected to expedite the process. “The Government of India is currently developing a national data protection framework, following the Supreme Court judgment of August 2017 recognising an individual’s privacy as a fundamental right,” says Keshav Dhakad, director & assistant general counsel, corporate, External & Legal Affairs, Microsoft India. “The coming of GDPR will help galvanise the discussion in countries outside of Europe and in India.”

As of now though, there is a lot of confusion and Indian companies, staring at a tight deadline, are under stress. If they can speed up the process and comply, they will be safe, but if they fail, they could lose business in one of India’s most promising markets.

For more details visit https://cis-india.org/internet-governance/news/outlook-march-26-2018-new-lock-for-eu-digital-mines

Aadhaar unique IDs in India: a qualified success?

Admin — 2018-03-17T12:49:51Z

Anshuman Jaswal form Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.

Benefits of Aadhaar

India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.

Security challenges are paramount

Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.

In May 2017, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.

The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.

The second instance of a breach occurred between January to July 2017, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.

Aadhaar and the right to privacy

The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data to be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.

The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.

Read the original blog post published by the Paypers here

For more details visit https://cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success

Analysis of ICANN revenue shows ambiguity in their records

Sunil Abraham, Arjun Venkatraman and Akriti Bopanna — 2018-04-27T10:01:26Z

We, The Centre for Internet and Society, have been instrumental in having ICANN become transparent about their revenue with our persistent requests for their sources of revenue.

Click to download a PDF of the Analysis

In 2014, CIS' Sunil Abraham demanded greater financial transparency of ICANN at both the Asia Pacific IGF and the ICANN Open Forum at the IGF. Later that year, CIS was provided with a list of ICANN's sources of revenue for the financial year 2014, including payments from registries, registrars, sponsors, among others, by ICANN India Head Mr. Samiran Gupta.This was a big step for CIS and the Internet community, as before this, no details on granular income had ever been publicly divulged by ICANN on request.¹ Our efforts have resulted in this information now being publicly available from the years 2012 onwards. We then decided to analyze all these years of financial data collaborating with Ashoka fellow Arjun Venkatraman and following are our observations:

To get a clear picture of ICANN's revenue, it can be seen that over the years it has been growing steadily. In 2016 it was 1.7 times the revenue it made in 2012.

A breakdown by country reveals that a significantly higher proportion of their revenue is from sources registered in the United States.

It is also interesting to note that revenue from China has seen a spike in the past 2 years, especially in the period of 2015-2016. Verisign CEO, James Bidzos confirmed in an interview to analysts that Chinese activity had surprised them as well though they expected the activity to slow down in the second quarter of 2016.²

Verisign also happens to be the top paying customer for ICANN every year, running the .com/.net names. Their payments are orders of magnitude greater than payments made by any other single entity or even several collective entities.

ICANN differentiates its sources of revenues by each class of entity which stand for the following:

RYN - Registry
OTH - Other
RYG - Registry
RIR - Regional Internet Registry
RYC - ccTLD (Top Level Domains)
IDN - Internationalized Domain Names
RAR - Registrar
SPN - Sponsor

It is evident that the Registries and Registrars contribute the most to revenue however the classification of these groups in itself is ambiguous. RYG and RYN both stand for registry but we do not find any explanation given for the double entry for a single group. Secondly, Sponsors are included yet it is unclear how they have sponsored ICANN, whether through travel and accommodation of personnel or any other mode of institutional sponsorship. The Regional Internet Registries are clubbed under one heading and as a consequence it is not possible to determine individual RIR contribution such as how much did APNIC pay for the Asia and Pacific region. The total payment made by RIRs is a small fraction of the payments made by many other entities and they all pay through the Numbers Resources Organization (NRO), who is listed as paying from Uruguay however the MOU creating the NRO does not specify their location as being there. The NRO website states that " RIRs may be audited by external parties with regards to their financial activities or their operations. RIRs may also allow third parties to report security incidents with regards to their services." ³ Their records show that financial disclosure is done in an inconsistent manner with the last publication from AFRINIC being for the year 2013 ⁴ while the RIPE NCC who coordinates the area of Central Europe, Middle East and Russia last published an annual report for the year 2016 but had no financial information in it. ⁵

The most frequently found words in their sources which can give us an idea of the structure of the contributing entity yields the following result.

Several clients have registered multiple corporate entities to increase their payments to ICANN such as DropCatch, Everest and Camelot. ⁶ The first of them, DropCatch, is a domain drop catcher, essentially selling expired domain names to the highest bidder. By the end of 2016, about 43% of all ICANN-accredited registrars were controlled by them. ⁷

Many clients have reported themselves from different countries over the years as well such as 'Verisign Sarl' which has been reported as originating from Switzerland and in a different year from the United States. ⁸ Another curious case is of the entity, 'Afilias plc', which when categorized as a sponsor (SPN) is reported from Ireland however as a registry (both RYG and RYN) is reported from the United States. Some entities have originated from one place such as the United Arab Emirates and then moved to other countries such as India.

To summarize, the key takeaways from the information we have dissected so far are:

- ICANN's revenue has been steadily increasing with the 2016 seeing a 1.6 times increase of its revenue generated in 2012.

- United States is the country that most of the revenue originates from.

- After the US, China is now the largest contribution to ICANN revenue, significantly increase their contributions from 2015.

- Verisign is the top contributing entity, their contribution much greater than other entities.

- Registries and Registrars are the main sources of revenue though there is ambiguity as to the classifications provided by ICANN such as the difference between RYG and RYN. The mode of contribution of sponsors exactly is not highlighted either.

- Several entities have been listed from different places in different years, sometimes depending on the role they have played such as whether they are a sponsor or registry. Registering multiple corporate entities to acquire more registrars has occurred as well.

1. Venkataraman, P. (2017). CIS' Efforts Towards Greater Financial Disclosure by ICANN . [online] The Centre for Internet and Society.[Accessed 14 Mar. 2018].

2. Murphy, K. (2016). Verisign has great quarter but sees China growth slowing | Domain Incite - Domain Name Industry News, Analysis & Opinion . [online] DomainIncite. [Accessed 14 Mar. 2018].

3. Nro.net. (2018). RIR Accountability Questions and Answers | The Number Resource Organization . [online] [Accessed 11 Mar. 2018].

4. African Network Information Centre - Annual Report

5. RIPE Network Coordination Centre Annual Report 2016

6. Murphy, K. (2016). DropCatch spends millions to buy FIVE HUNDRED more registrars | Domain Incite - Domain Name Industry News, Analysis & Opinion . [online] DomainIncite.[Accessed 13 Mar. 2018].

7. Id

8. Detailed list is available on request

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-icann-financials-from-2012-2016

People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India

Shweta Mohandas — 2018-03-11T15:30:50Z

On the 27th of February, Peter Sparkes the Senior Director, Cyber Security Services, Symantec conducted a webinar on the ‘5 Essentials of Every Next-Gen SOC’. In this webinar, he evaluated the problems that Security Operations Centers (SOCs) are currently facing, and explored possible solutions to these problems. The webinar also put emphasis on AI and ML as tools to improve cyber security. This blog draws key insights from the webinar, and explains how AI and ML can improve the cyber security process of Indian enterprises.

Introduction

In a study conducted by Cisco, it was found that in the past 12-18 months, cyber attacks have caused Indian companies to incur financial damages amounting to USD 500,000.

There is a need to strengthen the nodal agencies in an enterprise that can deal with these threats to prevent irreparable damage to enterprises and their customers. An SOC within any organization is the team responsible for detecting, monitoring, analyzing, communicating and remedying security threats. The SOC technicians employ a combination of technologies and processes to ensure that an enterprise’s security is not compromised. As instances of cyber attacks increase both in number and sophistication, SOCs need to use state of the art technologies to stay one step ahead of the attackers. Presently, SOCs face a number of infrastructural problems such as the low priority given to a cyber security budget, slower and passive response to threats, dearth of skilled technicians, and the absence of a global intelligence network for cyber-threats. This is where technologies such as Artificial Intelligence and Machine learning are helping, by monitoring the system to identify cyber attacks, and analyse the severity of the threat, and in some cases by blocking such threats.

Evolution of Security Operations Centers

In the same study, Cisco looked at the evolution of cyber threats and how companies were using technologies such as AI and ML to ameliorate those threats. Another key insight the study brought out was that 53 and 51 percent of the subject companies were reliant on ML and AI respectively. One of the reasons behind AI and ML’s effectiveness in cyber security is their capacity not only to detect known threats but also to use their learnings from data to detect unknown threats. In his webinar, Peter Sparkes also stated that SOCs were evolving into a ‘people driven and tech enabled’ system.

People Driven and Tech Enabled

In the case of cyber security, which in itself is a relatively new field, technologies such as AI and ML are helping companies to not only overcome infrastructural barriers but also to respond proactively to threats. A study conducted by the Enterprise Strategy Group, revealed that one-third of the respondents believed that ML technology could detect new and unknown malware.

The study also stated that the use of machine learning to detect and prevent threats from unknown malware reduced the number of cases the cyber security team had to investigate.

Similarly, the tasks of monitoring and blocking which were earlier conducted by entry level analysts were now done by systems, using machine learning. Typically, the AI acts as the first monitoring system after which the threat is examined by the company’s technicians who possess the requisite skill set and experience. By delegating the time consuming task of continuous monitoring to an ML system, the technicians now have time to look at serious threats. In this way AI and humans are working together to build a stronger and responsive security protocol.

Detecting the Unknown

Cyber criminals are becoming increasingly sophisticated, and in order to prevent attacks the monitoring systems (both human and automated) need to be able to detect them before the security is compromised. The detection of threats through AI and ML is done in a similar way as it is done for the identification of spam, where the system is trained on a large amount of data which teaches the algorithm to identify right from wrong.

There have been numerous cases of stealthy cyber attacks such as wannacry and ransomware, that have evaded detection by conventional security firewalls and caused crippling damage. There is also the need to use deception technology which involves automatic detection and analysis of attacks. This technology then tricks the attackers and defeats them to bring back normalcy to the system.

The systems that can handle threats by themselves do so by following a predetermined procedure, or playbook where the AI detects activities that go against the procedure/playbook. This is more effective compared to the earlier system where the technicians would analyse the attacks on a case by case basis.

AI and ML can help in reducing the time required to detect threats enabling technicians to act proactively and prevent damage. As AI and ML systems are less prone to make mistakes compared to human beings, each threat is dealt with in a prompt and accurate manner. AI systems also help by categorising attacks based on their propensity for damage. These systems can use the large volumes of data collected about previous attacks and adapt over time to give enterprises a strong line of defence against attacks.

Passive to Active Defense

Threat to cyber security can emerge even in seemingly safe departments, such as Human Resources. It is therefore important to proactively hunt for threats across all departments uniformly.

In order to detect an anomaly, the AI and ML system will require both large volumes of data as well as a significant amount of processing power, which is difficult for smaller companies to provide. A possible solution to improve defense is to have a system of sharing SOC data between companies, and thereby creating a global database of intelligence. A system of global intelligence and threat data sharing could help smaller companies combat cyber threats without having to compromise on core business development.

Use of AI in Cyber Security in India

In 2017, Indian enterprises were infected by two lethal cyber attacks called Nyetya that crept through a trusted software - Ccleaner and infected computers

. These attacks may just be the tip of the iceberg , since there may be many other attacks that might have gone unreported, or worse, undetected. Cisco reported that less than 55 per cent of the Indian enterprises were reliant on AI or ML for combating cyber threats. Although the current numbers seem bleak, there are a number of Indian enterprises that have recently begun using AI and ML in cyber security.

One such example is HDFC bank which is in the process of introducing an AI based Cyber Security Operations Centre (CSOC).

This CSOC is based on a four point approach to dealing with threats - prevent, detect, respond and recover. The government of India has also taken its first step towards the use of AI in cyber security through a project that aims to provide cyber forensic services to the various agencies of the government including law enforcement.

Indian intelligence agencies have also entered into an agreement with tech startup Innefu, which utilizes AI, to process data and decipher threats by looking at the patterns of past threats.

As India is increasingly becoming data dense both private and public organizations need to consider cyber security with utmost seriousness and protect the data from crippling attacks.

Conclusion

Enterprises have become storehouses of user data and the SOCs have a responsibility to protect this data. The companies’ SOCs have been plagued with several problems such as lack of skilled technicians, delay in response time and the inability to proactively respond to attacks. AI and ML can help in a system of continuous monitoring as well as take over the more repetitive and time consuming tasks, leaving the technicians with more time to work on damage control. Although it must be kept in mind that AI is not a silver bullet, since attackers will try their best to confuse the AI systems through evasion techniques such as adversarial AI (where the attackers design machine learning models that are intended to confuse the AI model into making a mistake).

Hence, human intervention and monitoring of AI and ML systems in cyber security is essential to maintain the defence and protection mechanisms of enterprises.

A few topics that Indian SOCs need to consider while using AI and ML :

1. The companies need to understand that AI and ML need human expertise and supervision to be effective and hence substituting people for AI is not ideal.

2. The companies need to give equal if not more importance to data security.

3. The companies need to constantly upgrade their systems and re-skill their technicians to combat cyber security threats.

4. The AI and ML systems need to be regularly audited to ensure that they are not compromised by cyber attacks and also to ensure that they are not generating false positives.

[]. Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2

[]. Ibid.

[]. Enterprise Strategy Group (2017, March ). Top-of-mind Threats and Their Impact on Endpoint Security Decisions. Retrieved March 8, 2018 from https://www.cylance.com/content/dam/cylance/pdfs/reports/ESG-Research-Insights-Report-Summary-Cylance-Oct-2017.pdf

[]. Ibid.

[]. Vorobeychik,Y (2016). Adversarial AI. Retrieved March 8, 2018, from https://www.ijcai.org/Proceedings/16/Papers/609.pdf

[]. Quora. ( 2081, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved March 8, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#569454786147

[]. Sparkes, P. (2018, February 27). The 5 Essentials of Every Next-Gen SOC. Retrieved March 8, 2018, from https://www.brighttalk.com/webcast/13389/303251/the-5-essentials-of-every-next-gen-soc

[]. PTI. ( 2018, February 21).Indian companies lost $500,000 to cyber.Retrieved March 8, 2018, from https://economictimes.indiatimes.com/tech/internet/indian-companies-lost-500000-to-cyber-attacks-in-1-5-years-cisco/articleshow/63019927.cms

[]. Raval, A. ( 2018,January 30). AI takes cyber security to a new level for HDFC Bank.Retrieved March 8, 2018, from http://computer.expressbpd.com/magazine/ai-takes-cyber-security-to-a-new-level-for-hdfc-bank/23580/

[]. “The Centre for Development of Advanced Computing (C-DAC) under the Ministry of Electronics and Information Technology (MeitY) is working on a project to provide cyber forensic services to law-enforcing and other government and non-government agencies.” Ohri, R. (2018, February 15. Government readies AI-muscled cyber security plan. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/news/politics-and-nation/government-readies-ai-muscled-cyber-security-plan/articleshow/62922403.cms utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[]. Chowdhury, P.A. (2017, January 30). Cyber Warfare at large in Southeast Asia, India leverages AI for the same cause Retrieved March 8, 2018, from https://analyticsindiamag.com/cyber-warfare-large-southeast-asia-india-leverages-ai-cause/

[]. Open AI.(2017 February 24). Attacking Machine Learning with Adversarial Examples. Retrieved March 8, 2018, from https://blog.openai.com/adversarial-example-research/

For more details visit https://cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india