All Posts | Jan 15,2020

Our Submission to the National Cyber Security Strategy 2020

The National Security Council Secretariat recently invited submissions/comments on the proposed National Cyber Security Strategy, 2020. SFLC.in submitted its comments, which are published hereunder. The 2020 strategy is an attempt to revise and strengthen the National Cyber Security Policy 2013 and is based on the following vision: to "ensure a safe, secure, trusted, resilient and vibrant cyber space for our Nation’s prosperity."

The Secretariat sought comments based on the following "Pillars of Strategy":
      a. Secure (The National Cyberspace)
      b. Strengthen (Structures, People, Processes, Capabilities)
      c. Synergise (Resources including Cooperation and Collaboration)

SFLC.in's submissions were as follows:


India ranks second among the top countries that were affected by targeted cyber attacks during the period 2016-2018 as per Symantec's Internet Security Threat Report 2019. At the same time, it is a matter of great concern that India’s rank fell from 23 (in 2017) to 47 (in 2018) in the Global Cybersecurity Index (GCI) 2018 published by the International Telecommunication Union. Five designated areas form the basis of the indicators for the GCI which are legal, technical, organisational, capacity building, and cooperation. Therefore, a ‘whole-of-nation’ strategy demands nothing but state-of-the-art infrastructure which includes hardware and software components that constitute the cyberspace within the regulative control of the State; strength of internal and external co-operation within and among agencies and entities involved in national cybersecurity; and a comprehensive legal and policy framework.


India faces the following challenges in formulating a robust, and futuristic cyber security strategy:

1. Low awareness among stakeholders

With the proliferation of digital devices in the Indian market and the lowering of charges for Internet connectivity, people from economically weaker backgrounds have been able to use smart devices and 4G connectivity. However, there is a need to raise awareness among these users about using their devices securely. The same is often true of educated and affluent consumers, who have low awareness of cyber/digital security. This calls for grassroots-level awareness and training for consumers of digital devices and services. The situation is similar in government offices (whether Central or State), where best practices are not followed when it comes to secure use of digital devices and the Internet. At the grassroots level, language is also a barrier in conveying these concepts to consumers, so any awareness or training programme must be delivered in vernacular languages.

2. Emerging Technologies

The 2013 National Cyber Security Policy paid insufficient attention to emerging technologies such as Blockchain, Internet of Things (IoT), 5G and, most importantly, Artificial Intelligence. With IoT products slowly entering the market, India awaiting 5G connectivity, and artificial intelligence being increasingly relied upon, securing cyberspace has become more challenging. It is also alarming that, with IoT standards easily available, they may be implemented by mid-level enterprises which do not give much care to security, or which cannot implement strong safeguards for lack of expertise or resources. The cyber security strategy must consider including highly secure technical standards for digital devices and services that employ emerging technologies.

3. Lack of Wider Public Private Partnerships

The 2013 Policy spoke of public-private partnership to facilitate collaboration and cooperation among stakeholder entities; however, such partnerships should be maintained not only with private sector entities but also with academia, civil society and independent security researchers. This should lead to the formulation of policy encouraging independent security researchers, white hat hackers and ‘bounty hunters’. Wider engagement with the community can also be achieved through engagement with communities involved in free and open source software (“FOSS”). Moreover, the adoption of FOSS into the national cyber security framework will increase contribution from the community. Corporates should be encouraged to open up the source code of abandoned projects/products so that legacy systems and products, and their vulnerabilities, can be better understood.

4. Lack of Comprehensive Legal Framework

Perhaps the biggest challenge is the lack of a comprehensive, sector-neutral legal and regulatory framework in India pertaining to cyber security. The data protection law is still in the draft stage. However, even the enactment of the data protection law would not satisfy the need for legislation specific to cyber security. The present Personal Data Protection Bill does mention reporting cyber incidents, in the form of reporting data breaches. However, there are other issues pertaining to cyber incidents which need addressing, such as post-incident investigation (forensics) and evidence acquisition, which are nascent in terms of regulation by law or policy. This also calls for revision of the existing rules under the Information Technology Act, 2000.


Recommendations

1. Steps should be initiated to roll out comprehensive cyber security awareness programmes for all stakeholders.

2. A comprehensive legal framework should be planned with a data protection law and cyber security specific legislations.

3. Partnerships should be planned with various stakeholders including private sector entities, academia, civil society and independent security researchers.

4. Government should adopt FOSS and open standards so that the software used is auditable and verifiable.

5. Government should place special emphasis on protecting critical infrastructure.


Note: Minor edits, such as modifications to words and deletion of certain characters within the text were made at the time of submission to cater to the requirement of the Secretariat to keep the submission within 5000 characters. However, no substantial changes were made to the arguments and recommendations made.

All Posts | May 14,2019

Critical security advisory: WhatsApp vulnerability

WhatsApp has reported that a security vulnerability in the app was exploited to install the NSO Pegasus spyware on certain iPhones and Android phones. The spyware can be installed by calling a target device. Even if the call is missed, the device could still be infected. The Financial Times has reported that the log of the call could disappear from the device, leaving no trace that the device was called and infected if the user missed the call. The spyware can retrieve your calls, messages and data, and activate your camera and microphone, among other malicious activities.

WhatsApp has stated that the vulnerability has been fixed in a recent update to the app. We urge all our readers to upgrade the app on your phone as soon as possible. If you noticed an incoming call that later disappeared from your call log, we advise that you erase/reset your phone.

In general, we advise updating your device's OS (such as iOS or Android) and apps as often as possible so that you have the latest security patches installed on your phone. We further advise purchasing your devices from only those manufacturers that have a reputation of keeping the OS updated for at least as long as you plan to use the device.

For more details regarding the security vulnerability in WhatsApp, please see https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers-install-government-grade-spyware-on-phones/

For more information on keeping yourself safe and secure online, please visit https://security.sflc.in/

All Posts | Oct 04,2017

Digital Security Training in Kochi

We live in an era where human activity is producing unprecedented amounts of digital data. The popular saying these days is ‘data is the new oil’. The high value of this data along with the lack of awareness among people about rights has prompted corporations and governments alike to amass and exploit data for their purposes while posing long-term risks to the right to privacy and other civil liberties of citizens around the world. It has become imperative for everyone to protect their data, their privacy and digital communications.

We also live in an era of unprecedented surveillance. The technical capabilities of law enforcement and intelligence agencies are rapidly expanding, and even the best attempts at law reform can’t keep up with these new powers. Over and over again, we’ve seen these capabilities used against protected free speech activities, especially against the speech of marginalized people. Compounding the problem of government surveillance is that of corporate surveillance; we rely on a small handful of data-driven private companies for all of our computing needs, and many of these services are “free” because we are the product. These corporate entities regularly collude with law enforcement to share our private communications, searches, contacts, and more — quite often without our knowledge. By fighting against surveillance, we can reject an Internet controlled by a handful of powerful corporate entities and intelligence agencies, and take back our rights in the digital sphere.

In this context, SFLC.in is partnering with Democratic Alliance for Knowledge Freedom (DAKF) in Kochi to organize a Digital Security Training.

Venue: Ernakulam Public Library, Ernakulam
Date: 6 October 2017
Time: 4:00 PM to 6:30 PM

During the workshop we will be demonstrating and training the participants on popular cryptography tools like Tor and Signal. A dedicated session on mobile security will deal with specific measures to secure your phone from various common threats. The following are the objectives of the workshop:

  • Learn to protect privacy of your online communications
  • Learn to anonymize your online activity
  • Learn to encrypt your chat and emails with security that no one can break!

Speakers

Sukhbir Singh is a free software developer currently working with The Tor Project, a non-profit organization that organizes the development of the Tor network and other cryptography projects that provide anonymity and privacy. He is also an advocate of the Tor project and has been going around the world giving talks to promote the use of Tor and other related tools.

Sarath M S is the chief technologist at Software Freedom Law Center, India. He engages in research related to digital freedoms and develops tools for advocacy of civil liberties in the digital sphere. He loves reaching out to people who are new to software freedom and Internet freedom, helping them find their space and contribute to society.

Note: This post is a derivative of “What is the Library Freedom Project?” by Library Freedom Project, used under CC BY-SA 4.0.

All Posts | Jun 26,2017

Delhi Tech Talks [June 23, 2017; New Delhi]

On June 23, 2017, the second edition of Delhi Tech Talks – a collaborative series of quarterly discussions on the state of tech policy in India – was organized by the Centre for Communication Governance at National Law University, Delhi (CCG), Centre for Internet and Society (CIS), Digital Empowerment Foundation (DEF), HasGeek, Internet Democracy Project (IDP), and SFLC.in at the India International Centre, New Delhi. The overarching theme for this event was data protection, privacy and citizenship, in the context of Aadhaar.

Session 1: Aadhaar, Data Privacy, and What it Means to be a Citizen

The discussion comprised two panels, the first of which was titled “Aadhaar, Data Privacy and What it Means to be a Citizen”. This panel was moderated by Ms. Shuchita Thapar (Project Manager, CCG), and featured the following speakers: Ms. Anja Kovacs (Founder-Director, IDP), Mr. Pranesh Prakash (Policy Director, CIS), Ms. Zainab Bawa (Founder & CEO, HasGeek), Mr. Osama Manzar (Founder, DEF), and Ms. Chinmayi Arun (Executive Director, CCG).

Ms. Anja Kovacs began by highlighting the negatives of surveillance. She said that surveillance is not just a matter of privacy but also social justice, and explained the same from a feminist perspective. In light of the recent comments made by the Attorney General that Indians do not have an absolute right over their bodies, she explained the shifting perspective on the definition of “body”. Ms. Kovacs said that in the age of digital technology, the body is not just limited to the physical self but extends to multiple data doubles in the virtual world. With respect to Aadhaar and the collection of biometrics, she said that if the data reflection of our body does not work, we might be denied basic services by the State and this will influence the relationship between citizen and State.

Mr. Pranesh Prakash was of the view that moving towards digitalization is not necessarily awful. It is a consequence of urbanization and helps in the larger project of nation state building. He emphasized that the problem lies with the implementation of the Aadhaar scheme and not so much with the law. He maintained that he is not against the idea of a foundational identification system upon which other identification mechanisms are based. Mr. Prakash clarified that the issue with Aadhaar is not identification, but unchecked surveillance, though he also added that just because a technology can be used for surveillance does not make it bad per se. Instead, there should be discussions around privacy and accountability with respect to Aadhaar.

Ms. Zainab Bawa said that Aadhaar is like a looming ghost – on one hand there is a growing belief that it is extremely important for one to have an Aadhaar card, and on the other hand there is a lot of mystery surrounding its nature. She talked about the politicization of the issue of Aadhaar and how a binary is being promoted by the Government through Aadhaar and demonetisation. The Government is propagating the idea that anything that's analogue is backward. She also pointed out the problem of authentication failure and the confusion among citizens with respect to grievance redressal. Lastly, Ms. Bawa raised the following questions: “What are the spheres of relationships where regulations are required to protect privacy? In the absence of law, can mathematics sometimes provide a more elegant solution for privacy?”

Mr. Osama Manzar started with his views on what it is like to be a citizen in times of technology. According to Mr. Manzar, being a citizen in India is a luxury, considering the number of people who are denied benefits for the lack of Aadhaar. He cited the example of four hundred women sitting in front of a computer for three days to access a printout that was supposed to show that they were paid their MNREGA wages. Mr. Manzar mentioned that Aadhaar is digital exclusion in the name of inclusion.

Ms. Chinmayi Arun spoke about the ideals of a democratic state and how Aadhaar is contrary to them. In the context of Aadhaar, she expressed her skepticism with respect to a project where the Government identifies a problem and then finds a solution that does not necessarily have anything to do with the problem. She said that democracy is based upon a delicate balance between the citizens and the State. Ms. Arun also mentioned the importance of decentralization of power in a democratic State. She said that Aadhaar concentrates power and information in the Centre, and that this is incompatible with democracy. Further, Ms. Arun stated that democracy is about not trusting your Government, adding that this is not because the Government has harmful intentions but to maintain that delicate balance between the citizen and the State. She also remarked that the previous draft of the Aadhaar Act had the provision of an “ombudsman”, who could pull the plug on the entire Aadhaar system; this has been removed from the new Act. Ms. Arun also gave the example of Germany, where a subject who is being surveilled is always informed of the surveillance after it is complete. The subject can approach the court if he/she thinks that he/she has been illegally targeted by the State. This is contrary to what is followed in India, where there is no state accountability mechanism. Most of the safeguards that are considered fundamental in other countries are not implemented in India, said Ms. Arun.

Session 2: When Big Data Becomes Toxic

The second panel of the evening, titled “When Big Data Becomes Toxic” was moderated by Ms. Smitha Krishna Prasad (Project Manager, CCG), and had the following speakers: Mr. Anupam Saraph (Future Designer), Mr. Manish (Research Associate, Centre for Policy Research), Ms. Smriti Parsheera (Research Associate, National Institute for Public Finance and Policy), and Mr. Sukarn Singh Maini (Counsel, SFLC.in).

Mr. Anupam Saraph explained how Aadhaar is being used to facilitate benami transactions. He pointed out that the Reserve Bank of India (RBI) had initially refused to link Aadhaar with bank accounts, but information received through RTI revealed that it was compelled by the Ministry of Finance to allow the linking. He said that Aadhaar can be used to create multiple fake identities, hence enabling the creation of multiple fake bank accounts. Mr. Saraph highlighted that UIDAI signed an MoU with a non-governmental agency called National Payments Corporation of India to create the Aadhaar Enabled Payment System, which will enable transfer of funds from person to person instead of account to account.

Mr. Manish started by quoting an anecdote about his experience at a seminar on bonded labour. Representatives of the Government attending the seminar were asked to propose solutions to tackle the evil. Most of the labour secretaries from various states of India were of the view that the solution to tracing bonded labourers was to create a centralised database of such labourers with their Aadhaar details. Mr. Manish also explained how India has become a reluctant welfare state and that there is a push towards digitalization, especially with regard to financial services, post demonetisation.

Ms. Smriti Parsheera talked about big data and databases, and said that big data analysis can be utilized for a lot of good if done in the right way, though she also acknowledged the privacy and data protection challenges with big data. She touched upon the concern of bias with respect to big data analysis, citing the example of biases that creep into the criminal justice system. Lastly, she explained the link between big data and Aadhaar and how unidentifiable Aadhaar data analysis can be used for the benefit of research and analysis that can serve public good.

Lastly, Mr. Sukarn Singh Maini spoke about digital payments such as the Unified Payments Interface and e-wallets, and the privacy concerns attached to them. He also explained how big data analysis can be used for behavioural advertising. He spoke about the Ministry of Electronics and Information Technology’s draft rules on e-wallets, the lack of a privacy and data protection legislation in India and the need for the same, and the need for the Supreme Court to form a bench to decide the pending issue of privacy.

All Posts | Jun 25,2017

Real World IoT Security Conference 2017 [June 20, 2017; Bengaluru]

SFLC.in was a community partner at the Real World Internet of Things Security Conference (RISC) organized by the EFY Group on 20th June 2017 at Hotel Park Plaza, Bengaluru. In view of the fact that lack of security is the greatest challenge facing IoT deployments today, RISC ’17 was meant as a platform to learn how to respond to the security concerns surrounding IoT products and to find smart solutions to the most common security threats.

At the conference, our Executive Director Biju Nair conducted a session titled “How to legally deal with a security breach at work”, where he went over India’s legal framework on security breaches and provided insights into how a security breach must be handled in compliance with applicable laws. His session covered such aspects as relevant provisions in the Information Technology Act, 2000, procedure for mandatory reporting of cyber security incidents, voluntary/legally-mandated cyber security guidelines as applicable across industry sectors, and notable case law among other things.

A video recording of Biju’s session is available here, and the slides he used at the session can be accessed here.