GDPR and India: Where do Indian data protection laws stand?

data protection

Privacy of an individual and an organisation is a fundamental right that protects his inner sphere. With the massive data breach by Facebook, the far from over concern about data protection is back in limelight. While there are many questions raised about the fundamental rights of privacy, data protection, etc. can we say its high time we need our own data protection laws and regulations to be established?

The Europeans have devised a data regulation model, GDPR (General Data Protection and Regulation) that aims at harmonizing the data privacy laws in Europe to protect and empower all European citizens’ data privacy. India being a developing nation, we believe has a great opportunity to research, innovate and come up with a new regulatory framework. We do not necessarily have to implement an outdated model to govern data privacy by replicating the laws of other nations but devise policies that are relatable to our nation as a whole.

What GDPR exactly is?
GDPR is a complex data regulatory framework with a huge number of restrictions on processing of data and information. It aims at reshaping the way organisations across Europe approach data privacy. GDPR’s underlying principles stem from the German constitutional court that had created a right to informational self determination in the year 1983.

The primary aim of GDPR is to reshape the way organisations approach data privacy. GDPR applies to all the companies processing and holding personal data of subjects residing in European Union and non compliance on GDPR will levy you 4% fine on your annual turnover.

While Europe has devised a clean regulation term for governance of data protection with GDPR, should India be the next one in line?

Current state of laws with respect to cybersecurity in India
While data protection laws in India are loosely constructed, Information Technology Amended Act, 2008 (ITAA) under Sections 43-A and 72A of the Act. Compensation for failure to protect data (Section 43-A) as an amendment in 2008, which states the liability of a body corporate to compensate in case of negligence in maintaining and securing the “sensitive data.” However, the Act fails to define “sensitive data” and states the same as “personal information as may be prescribed by the Central government.”

Clearly, the data protection laws in India are poorly drafted and application of the same can raise serious questions taking into consideration the current turn of events.

While breach of data privacy is considered to be a serious offence and is punishable under Section 72-A (introduced by an amendment in 2008), which penalises the offender for a three year imprisonment or a maximum fine of Rs 5 lakh, The laws certainly seem to be very vague about personal information and data.

Though a latest draft was introduced in Rajya Sabha in 2014 providing a small definition of “personal information” and vaguely explains the role of a Data Controller, the bill also fails to underline the issue relating to outsourced data and the liabilities of companies outsourcing and hosting the data.

While it is imperative to protect an individual’s privacy and data, we also need to take into consideration that while fundamental rights of an individual may be universal, but the way they are enforced should be different and adaptive as per different jurisdictions. The regulations drafted in India for data protection and privacy should conform to the problems that we, Indians face in our organisations and personal lives and try to devise a solution for the same.

Privacy and protection of an individual’s data is and should be the top priority of the governing bodies and it is high time that we devised regulatory rules for the same. That being said, it is extremely imperative to revise the current state of data protection and privacy laws in India to safeguard personal information and data in a rightful manner. Stronger data protection and governance laws are the need of the hour.

Is your privacy secured on facebook?

fb breach

Around 2.2 billion of people around the world actively use facebook to connect with their friends, family, and to socialize, which means 2.2 billion people around the world showcase their lives on this giant social media platform. Facebook authorities say, with such a large number of people, they ensure that the users’ data is always safe guarded through the terms and conditions described in their Privacy Policy.

But with the recent events that are happening, a shocking news has come into light. The Internet is on fire with outrage right now about the alleged data breach that has impacted the private information of more than 50 million individuals.

This furor is based on the alleged data breach carried out through the company, Cambridge Analytics that worked with Donald Trump’s election team which harvested millions of profiles of US voters. This has been one of the biggest alleged data breaches and has left a huge concern of privacy protection on everyone’s mind around the world. This supposed breach was carried out through an application on facebook called “thisisyourdigitallife”. Through this company, in collaboration with Cambridge Analytics, hundreds and thousands of users were paid to take a personality test and agreed to have their data collected for academic purposes through “app permissions” However, the app also collected the information of the test-takers’ Facebook friends, leading to the accumulation of a data pool tens of millions-strong. Facebook’s “platform policy” allowed only collection of friends’ data to improve user experience in the app and barred it being sold on or used for advertising. The discovery of the unprecedented data harvesting, and the use to which it was put, raises urgent new questions about Facebook’s role in targeting voters in the US presidential election but moreover about protecting an individual’s data and privacy.

With the security and privacy of over 50 million users been compromised, serious questions have been raised about how much can we trust facebook on safeguarding our privacy as a social networking platform. While Cambridge Analytica and Facebook are one focus of an inquiry into data and politics by the British Information Commissioner’s Office. Separately, the Electoral Commission is also investigating what role Cambridge Analytica played in the EU referendum.

How to secure your personal information on social media?

Here are some steps that you can take to safeguard your social media presence to avoid being a victim of any kind of data breach, it’s better to be safe than sorry.

  1. Though facebook has inbuilt security options, they can often be confusing and hard to find. One easy way to find them is by going to the Help Center.

  2. Note the best security practices as specified in the Help Center on Facebook. Where facebook points you in the direction of changing your security settings for the better.

  3. Understand the privacy settings completely. From there you can edit a number of your security settings, including contact information and applications.

  4. It is a violation of Facebook’s terms of services to use a fake name on an account, there is always the possibility that people you don’t want to find you will. You can block such people from your facebook profile. You can also report the sender to Facebook.

  5. Keep a check on authorised applications to revoke access from any third party application that uses your information but you don’t use that particular app anymore. These applications could be games or tests like “What would you look like in future” or “Which celebrity you resemble”

  6. Avoid giving permissions to third party applications to post on your behalf or access your personal information as this can be quite risky.

As with any social networking site and the Web in general, much of your information is out there for public consumption. It’s up to you and only you to use the tools provided by Facebook to protect yourself. The simplest rule of all is: If you don’t want others to know about it, don’t post it.

GajShield Security Alert - Internet Explorer Scripting Engine Memory Corruption Vulnerability

Internet Explorer in various Microsoft Windows Operating System allows remote code execution due to how the scripting engine handles objects in memory. Using this vulnerability, attackers can execute arbitary code in the context of the current user. If the user happens to be an Administrator, an attacker can take control of the system, delete data, install programs leading to compromising data security of an organisation

To exploit this vulnerability an attacker could craft a specially designed website and convince the user to view it. Attackers could also use compromised sites or sites which allow any users to provide content to it. Exploits could also be embedded in Microsoft Office documents that hosts the IE rendering engine. It is advised that users do not click on any link that appears suspicious. 

The following Internet Explorer versions are affected. Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016. A complete list is available at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0866#ID0EGB

Microsoft has provided security updates which addresses the above issue. It is advise to update your software on priority. For updates, visit https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0866

Would BlockChain have prevented the PNB scam?

Block chain

The Indian Banking industry has been plagued with non-performing assets (NPA) and added to this wound was the recent disclosure by Punjab National Bank that it was defrauded of Rs 11,400 crores. While the government is after the people involved to recover this amount, industry and regulators are already discussing on how such frauds can be prevented in future. Once technology being looked at for this is the blockchain. Before we discuss about blockchain, let us understand the fraud and how it happened.

It came into light that PNB had been defrauded of about Rs 11,400 crores allegedly by diamond jeweller Nirav Modi with the help of some dishonest PNB employees. These employees fraudulently issued over 150 LOUs (Letter of Understanding) to Nirav Modi and his relatives without proper authorization. These LOUs helped Modi to raise buyer’s credit from overseas branches of Indian banks for his companies, which were authorised by the PNB officials allegedly using their access to the SWIFT system  without making entries in the PNB bank’s system.

While the blockchain technology has been heavily in news lately, would the implementation of this blockchain technology have possibly avoided this scam?  Well, at least experts nod in agreement.

Blockchain is a type of distributed ledger in which value-exchange transactions are sequentially grouped into blocks. Each block is chained to the previous block and immutably recorded across a peer-to-peer network, using cryptographic trust and assurance mechanisms. Any document, submitted while taking a loan, such as land title, assets or letter of understanding would form a block. Modification to any such block is by approval of all parties only.

Blockchain has many benefits as the data is not stored at a single location and isn’t retained by a single authority either. All the records that are a part of the blockchain are public and can be easily validated. The ability of public validation of data simultaneously, by millions of nodes across the world has huge benefits of transparency.

The banking system could have indeed benefitted from the blockchain technology as the frauds, as seen in the PNB case, could have been easily highlighted and taken into notice and the corrupt, guilty officers wouldn’t have been able to preface an unapproved LOU into the system like they did, causing a huge blow to the Indian economy. Further on, higher administration in the hierarchy would have easily intercepted the abnormal behaviour thereby, preventing large scale losses incurred.

PNB officials, with the help of blockchain would have been able to showcase the manipulation attempted the very day it was attempted and could have instantly informed the entire banking community. The LOU record system at PNB is alleged to be a standalone system which may have been the reason why fraudsters were encouraged to carry out this scam since nobody really found out about this massive scam for long.

Blockchain technology, is indeed the future step that needs to be actively implemented to avoid such horrendous criminal acts impacting millions of citizens and the countries’ economy. Blockchain technology offers an internal network check instead of relying on auditing because of which, one single individual can never clear all the transactions alone. Implementation of Blockchain technology would have indeed, avoided this massive blow to our economy and the corrupt officials would have easily gotten into knowledge of everybody in the network.

Blockchain technology too could be gamed to commit fraud, but it would make it that more difficult to do so and with proper audits, such scams could be prevented, saving a lot of tax payers money.

It is only wise that we advanced our skills with the help of technology as the generation further developed and progressed to make the best use of the technology and security mechanisms available for the betterment of society, and our country! That been said, let us have a look at how the blockchain technology has now been adopted by various industries in the light of the recent PNB scam.

  • AXIS BANK

India’s 3rd largest private sector bank, AXIS Bank has launched instant international payment services using the enterprise blockchain technology solution.

https://inc42.com/buzz/axis-bank-blockchain-ripple/

  • KOTAK MAHINDRA

Kotak Mahindra Bank enables blockchain based trade financing operation 

Read more at:
https://economictimes.indiatimes.com/articleshow/58714243.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

  • YES BANK

Yes bank officially deploys a blockchain solution commercially.

https://the-ken.com/story/yes-bank-gstn-enterprise-blockchain/

  • Reserve Bank of India

https://analyticsindiamag.com/rbis-successful-test-boosts-blockchain-technology-banking-financial-sectors-india/ 

  • Amazon Web Services

AWS will work in collaboration New York City based Digital Currency Group to provide a service to enable a secure environment with clients who include financial institutions, insurance companies and enterprise cloud companies.

https://www.forbes.com/sites/laurashin/2016/05/02/amazon-steps-up-blockchain-commitment-web-services-partners-with-digital-currency-group/#2e1e673c34cd

While these may be some implementations of the blockchain technology in India, it’s high time that sectors like Retail/E-commerce, Manufacturing, Government and Health care also facilitate the adoption of latest technologies like the blockchain technology to minimize scams and increase transparency. After all, Security always comes first!

 

WPA3 - The newest wireless protocol standard

WPA3- THE NEWEST WIRELESS PROTOCOL STANDARD

 

A new wireless standard is required

In a matter of very few years, the internet has amalgamated itself as a very powerful platform that has changed the way we communicate with each other, do business and the way we operate. Internet has fast become the universal source of information for millions of people- at home, school or at work. However, the means by which these millions of people are connected to the internet (if they’re connected wirelessly) is inherently insecure. Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. But do these protocols ensure complete security? The Answer is no. There exist a host of tools available for cybersecurity testers, which with a little application can easily be used for ill.

WPA and WPA2 are old technologies and have been around for close to 15 years now. Clearly, these are susceptible to attack with various loopholes and are fairly easy to crack into.

WPA and WPA2 is vulnerable to attacks

There are various vulnerabilities with respect to WPA2. The primary security vulnerability however obscure, is serious. It requires the attacker to already have access to the secured Wi-Fi network to gain access to certain keys and then perpetuate an attack against other devices on the network. The security implications of the known WPA2 vulnerabilities are susceptible almost entirely to enterprise level network security which is very risky for the enterprises.

The biggest vulnerability in WPA armour—the attack vector through the Wi-Fi Protected Setup (WPS) still remains unresolved in modern WPA2. Although breaking into a WPA/WPA2 secured network using this vulnerability requires anywhere from 2-14 hours of sustained effort with a modern computer, it is still a legitimate security concern. That’s not all, if you may recall, there was a serious weakness discovered in WPA2 networks last year which put the once-trusted security standard into a precarious position.

The security flaw was dubbed KRACK. (Key Reinstallation Attack) Krack vulnerability directly affected Wi-Fi protocol and not a specific product or implementation. It targeted the third step in a four-way authentication "handshake" performed when a WI-FI client attempts to connect to a protected network and allowed an attacker to intercept data from a nearby Wi-Fi network, including passwords, photos, credit card information, private messages, emails and web activity. Basically, anything that's normally protected and encrypted by the WPA2 standard.

The KRACK attack put the security of the WPA2 standard itself in question, a huge question about security arose. Any new improvements to better the security aspects? A new standard in question? The questions remained unanswered until Wi-Fi Alliance, the non-profit body that defines and promotes the standards of Wi-Fi technology, recently unveiled the new WPA3 Wi-Fi security standard at CES in Las Vegas.


Welcome WPA3

Building on the security advantages of WPA2, WPA3 was designed to not only eliminate KRACK-style attacks, but to also reduce the potential for weaknesses brought by bad configurations and weak passwords. WPA3 also aims to protect managed networks with a more centralized authentication system.

Since WPA3 is an entirely new standard and is meant to replace WPA2, users may have to buy new "WPA3 certified" equipment to take advantage of it.

New WPA3 security enhancements as announced by WiFi alliance:

There are four main enhancements to the WPA3 standard.

1.  “Robust protection against weak passwords.”

This enhancement is aimed for people who use weak passwords (for example, “password”), as well as aimed at protection against what are known as dictionary attacks or brute force attacks that can lock out a device after a number of unsuccessful attempts. This new feature in WPA3 aims to protect your network even when you decide to use a weak Wi-Fi password.

2.  “Simplification of configuration process”

WPA3 aims to simplify the configuration process and to do that, it offers security for devices with limited display interfaces. This will prove to be ideal for sensors and Internet of Things’ devices. With simplification of configuration, you will now be able to tap a smartphone against a device or sensor and then provision the device onto the network.

3.  “Individualised encryption for open networks”

This enhancement is specifically for public networks or open Wi-Fi networks, such as, restaurants, stores and coffee shops. WPA3 device will provide users with individualized data encryption eliminating the need to configure a network password. This will prove to be a big privacy boost for open and public networks considering that, connected users won't be able to read each other's data once enabled.

4.  “Compliance with CNSA”

Finally, WPA3 aims to deliver strong and robust security for government, defence, and industrial networks by complying with the Commercial National Security Algorithm (CNSA) Suite. CNSA is a 192-bit security protocol mandatory for secure networks. Encryption in WPA3 will be further strengthened with a 192-bit security suite.

Read the official announcement about WPA3 here