Google and Indian Privacy Laws (Part I)

Google and Indian Privacy Laws (Part I)

Search engines are the most important actors on the Internet today and Google is the undisputed king of search. Google dominates the Internet, guiding users to the information they seek through an ocean of unrelated data with astonishing precision and speed. It is a powerful tool, evoking ambivalent feelings. On the one hand, we adore Google for its simple, modest-looking interface masking a hyper-complicated algorithm, which is the very essence of online ingenuity. We admire it for providing superb services at no (evident) cost, a practical miracle in today's market economy.

On the other hand, we grow wary of Google's increasing clout as the ultimate arbiter of commercial success ("to exist is to be indexed by a search engine") and as a central database for users' personal information, not only logging their search queries but also storing their e-mail (Gmail), calendars (Calendar), photos (Picasa), videos (YouTube), blogs (Blogger), documents (Docs & Spreadsheets), social networks (facebook), news feeds (Reader), credit card information (Checkout) – in short, their entire digital lives.

Google's access to and storage of vast amounts of personal data create a serious privacy problem, Princeton computer scientist Edward Felten had called "perhaps the most difficult privacy [problem] in all of human history." Every day, millions upon millions of users provide Google with unfettered access to their interests, needs, desires, fears, pleasures and intentions. Counter to conventional wisdom, this information is logged and maintained in a form which may facilitate the identification of specific users for various purposes, including not only their targetingwith effective advertising but also prosecution by the government or pursuit by private litigants. Let us put it like this, "link by link, click by click, search is building possibly the most lasting, ponderous, and significant cultural artifact in the history of humankind: the Database of Intentions." This "Database of Intentions" constitutes a honey pot for various actors, ranging from the CBI ,NIA, NTRO etc which expend crores of rupees on online surveillance and cannot overlook Google's information treasure trove, to hackers and data thieves, who routinely overcome information security systems no matter how robust.

A leading advocate for human rights, Privacy International, had initially ranked Google's privacy practices as the worst out of more than 20 leading Internet service providers, including Microsoft, Yahoo, Amazon and eBay. ¹Privacy International describes Google as "an endemic threat to privacy."It criticizes Google's "aggressive use of invasive or potentially invasive technologies and techniques" and claims the company "fails to follow generally accepted privacy practices such as the OECD Privacy

Guidelines and elements of EU data protection law." EU data protection regulators time and again have also launched an investigation into Google's data retention and privacy practices, which was quickly expanded to cover other search engines as well. China’s Blockage is well known to the world.

How did Google evolve from being a benevolent giant seeking to "do no evil" into a privacy menace, an unruly private sector "big brother" reviled by human rights advocates worldwide? Are the fears of Google's omniscient presence justified or overstated? What personal data should Google be allowed to retain and for how long? Is Google Intermediary as per The IT Act,2000? What rules should govern access to Google's database? What are the legal protections currently available in India  and are they sufficient to quell the emerging privacy crisis? What does India's New The Privacy Protection Act,2013 have to say? These are the main issues I will address in Part II

1.Privacy International, A Race to the Bottom - Privacy Ranking of Internet Service Companies, A Consultation report

New Malware to Steal your Credit or Debit Card Details

Your Ultimate Bank Money Stealer is Here.. 

A new malware is discovered called “Dump Memory Grabber,” which has already been used to steal debit and credit card information from customers using major US banks including Chase, Citibank and Capital One, The malicious code is evidently being installed directly into point-of-sale (POS) hardware (meaning registers or kiosks) and ATMs, and transmitting the harvested information straight out of the magnetic stripes on credit and debit cards - which includes everything from account numbers, to first and last names and expiration dates.

How are attackers infecting physical systems? It is your favourite USB drives are the likely culprits, as modern register systems often have accessible ports, as well as direct connections to the Web.

The harvested information is then used to produce cloned cards, and they are likely succeeding with the help of individuals with direct access to the POS systems and ATMs - which could include employees.

Please think twice where to use your credit and debit cards !!!!

Denial-of-service (DoS) attack what it is ??

Denial-of-service (DoS) attack

Now all major organizations face DDoS attacks on their public facing servers, mainly banking and finance companies face the most with demands of ransom from attackers sitting in any corner of the world. Old approaches and solutions sometimes seem to not work, but remaining educated about the same(DoS or DDoS Attacks) always helps.

What is DoS ?

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.

The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you type a URL for a particular website into your browser, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can't process your request. This is a "denial of service" because you can't access that site.

An attacker can use spam email messages to launch a similar attack on your email account. Whether you have an email account supplied by your employer or one available through a free service such as Yahoo or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your account at any given time. By sending many, or large, email messages to the account, an attacker can consume your quota, preventing you from receiving legitimate messages.

What is a distributed denial-of-service (DDoS) attack?

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.

How do you avoid being part of the problem?

Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack, but there are steps you can take to reduce the likelihood that an attacker will use your computer to attack other computers:

·         Install and maintain updated anti-virus software (Please be it Legal avoid freeware)

·         Install a firewall, and configure it to restrict traffic coming into and leaving your computer (Avoid free ones and avoid two at a time).

·         Follow good security practices for distributing your email address. Applying email filters may help you manage unwanted traffic.(Check what solutions your ISP also uses)

How do you know if an attack is happening?

Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:

·         unusually slow network performance (opening files or accessing websites)

·         unavailability of a particular website

·         inability to access any website

·         dramatic increase in the amount of spam you receive in your account

What do you do if you think you are experiencing an attack?

Even if you do correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of the attack. Contact the appropriate technical professionals for assistance.

·         If you notice that you cannot access your own files or reach any external websites from your work computer, contact your network administrators. This may indicate that your computer or your organization's network is being attacked.

·         If you are having a similar experience on your home computer, consider contacting your internet service provider (ISP). If there is a problem, the ISP might be able to advise you of an appropriate course of action.

Reasonable Security Practices and Procedures and Sensitive Personal Data in India-provisions required

ITA Reasonable Security Practices and Procedures and Sensitive

Personal Data or Information Rules 2011

The Personal Information Security Rules were notified in April 2011 and serve as

the most comprehensive form of data protection in India. The Rules prescribe procedures

and protocol by which body corporate must adhere to. The Rules can be brought in line

with the National Privacy Principles through the following changes:

1. Notice

Existing Provisions

o Privacy Policy: Anybody corporate that collects, receives, possesses, stores,

deals, or handles information must provide a privacy policy that provides for clear

and easily accessible statements of its practices and policies, type of personal or

sensitive personal data or information collected, purpose of collection and usage

of such information, disclosure of information, and reasonable security practices

and procedures. Rule 4

o During Collection: While collecting information directly from the person

concerned the body corporate shall take steps to ensure that the individual knows

that the information is being collected, the purpose for which the information is

being collected, the intended recipients of the information, the name and address

of the agency collecting the information and the agency that will retain the

information. Rule 5(3)

Missing Provisions

o Data Breach: If a data breach occurs, affected individuals must be notified

immediately.

o Legal Access: If information is legally accessed, the access must be notified at the

close of the investigation.

o Change in privacy policy: Any changes in a body corporate privacy policy

should be notified to the public and the individual.

o Process to access and correct: At the time of collection body corporates must

provide notice of the processes available to data subjects to access and correct

their own personal information.

2. Choice & Consent

Existing Provisions

o Individual Consent: Body corporates must obtain consent in writing through

letter or Fax, or email from the provider of the sensitive personal data or

information regarding purpose of usage before collection. Rule 5(1)

o Right to withdraw and opt in/opt out: Prior to collection of information, body

corporate must provide the individual not to provide the data sought. The provider

of information will have the right to withdraw consent at any time while availing

services. Rule 5(7)

Missing Provisions

o Mandatory provision: When provision of information is mandated by is should

be in compliance with all other National Privacy Principles. Information collected

on a mandatory basis should be anonymized within one year if published in public

databases.

3. Collection Limitation

Existing Provisions

o Necessary & Relevant: Body corporate shall not collect sensitive personal data

unless the information is collected for a lawful purpose connected with a function

or activity of the body corporate. The collection of sensitive personal data is

considered necessary for the purpose. Rule 5(2)

4. Purpose Limitation

Existing Provisions

o Definition of Sensitive Personal Data: password, financial information such as

Bank account or credit card or debit card or other payment instrument details,

physical, physiological and mental health conditions, sexual orientation, medical

records and history, biometric information, any detail relating to the above as

provided to body corporate for providing service, any of this information received

by body corporate for processing, stored or processed under lawful contract. Any

information that is available or accessible in public domain or furnished under the

Right to Information Act, 2005 will not be regarded as sensitive personal data. Rule 3

o Retention: The Body Corporate holding sensitive personal data will not retain

that information for longer than is required for the purposes for which the

information may be lawfully used or is required under any other law in force.Rule 5(4)

o Use: The information collected will be used for the purpose for which it has been

collected. Rule 5(5)

Missing Provisions

o Adequate and Relevant: Personal data collected and processed by an

organization must be adequate and relevant to the purposes for which they are

processed.

o Change in purpose: If there is a change in purpose, this must be notified to the

data subject.

o Destruction: After personal information has been used in accordance with the

identified purpose, it must be destroyed as per the identified procedures.

o Data Retention: Data retention mandates by the government should be in

compliance with the National Privacy Principles.

5. Access & Correction

Existing Provisions

o Access: Body corporate must permit the providers of information, when

requested, to review the information they had provided and ensure that any

personal information or sensitive personal data or information found to be

inaccurate or deficient shall be corrected or amended as feasible. Rule 5(6)

Missing Provisions:

o Confirmation of personal information: Data subjects should be able to confirm

that an organization holds or is processing information about them.

o Copy of personal information: Data subjects should be able to obtain a copy of

the personal data undergoing processing.

o Limitation to Access: The information may not be given or access permitted if it

is not possible to do so without disclosing information about another person unless

that persona has consented to the disclosure.

6. Disclosure of Information

Existing Provisions

O Consent for Disclosure: Disclosure of sensitive personal data or information by

body corporate to any third party shall require prior permission from the provider

of such information, unless disclosure has been agreed to by contract or is

necessary by legal obligation. Rule 6

o Prohibition on publishing: The body corporate will not publish the sensitive

personal data or information. Rule 6(3)

o Non-disclosure: The third party receiving the sensitive personal data will not

disclose it further. Rule 6(4)

o Transfer of Information: A body corporate may transfer sensitive personal data

to any body, organization, or country that ensures the same level of data

protection. The transfer can only take place for the performance of a lawful

contract or where the transfer has been consented to. Rule 7

Missing Provisions

o Notice of disclosure: Body corporate must provide notice of disclosure to third

parties.

o Bound to Principles: All third parties must be bound to the National Privacy

Principles.

Conflicting Provisions

o Authorized Agencies: Information will be share with Government Agencies

mandated under law without obtaining prior consent for the purposes of

verification of identity, for prevention, detection, investigation including cyber

incidents, prosecution, and punishments of offences. Rule 6

7. Security

Existing Provisions

o Security standards: A body corporate or person must have a comprehensive

documented information security program and information security policies that

contain managerial, technical, operational, and physical security control measures.

In the event of a breach, the body corporate must be able to demonstrate that they

have implemented security control measures. This includes being IS/ISO/IEC

27001 compliant. Rule 8(1)

o Audit: On any annual basis the body corporate must undergo an audit of his/her

reasonable security practices. Rule 8(4)

8. Openness

Missing Provisions

Transparency: Body corporate must make available to the public information

regarding the steps taken to ensure compliance with the National Privacy Principles

9. Accountability

Existing Provisions

· System of Complaints: Body Corporates must address any discrepancies and

grievances of their provider of the information with respect to the processing of

information in a time bound manner. To achieve this, a Grievance Officer must be

appointed to address these grievances. Rule 5(9)

Missing Provisions

o External verification: All processes related to the handling of sensitive personal

information [in addition to security systems] should undergo external verification

on a regular basis.

o Support to Privacy Commissioner: Body corporate should be held responsible

for giving support to the Privacy Commissioner and complying with general/specific

orders of the privacy commissioner.

10. Verification

Existing Provisions:

· Liability of accuracy: A body corporate is not responsible for the authenticity of

the personal information or sensitive personal data or information supplied by the

provider of information. Rule 5(6)

**Source - Report of the Group of Experts on Privacy

Adv Prashant Mali took session for police officers from 4 states on "IT Act, 2000,Digital Evidence,Investigation etc " at the Rajasthan Police Academy,Jaipur for a course named "Investigation of Cyber Crime" Sponsored by Bureau of Police Research &Development(BPR&D) in India.

Officers were found concentrating due to high number of Information technology related cases in almost all the police stations including those from rural areas

Computer Forensics Tools – Attacks-Legal Stand

Attacks on Computer Forensics Tools – Legal Stand

Direct attacks on the computer forensics process are the newest type of Anti-Forensics and potentially the most threatening.

There are six phases in the process of digital forensics; all are open to attack:

1. Identification refers to the method by which an investigator learns that there is some incident to investigate. This phase can be undermined by obscuring the incident, or hiding the nexus between the

digital device and the event under investigation.

2. Preservation describes the steps by which the integrity of the evidence is maintained. This phase can be undermined by interrupting the evidence chain or calling into doubt the integrity of the evidence

itself.

3. Collection is the process by which data from the evidence medium is acquired. This step can be undermined by limiting the completeness of the data being collected or calling into question the

hardware, software, policies, and procedures by which evidence is gathered.

4. Examination addresses how the evidence data is viewed. This part of the process can be undermined by showing that the tools themselves are inadequate, incomplete, or otherwise not scientifically valid.

5. Analysis is the means by which an investigator draws conclusions from the evidence. This phase relies on the tools, investigative prowess of the examiner, and the rest of the evidence that was found. If a

case hinges solely on digital evidence, the interpretation of the evidence is the part most open to attack.

6. Presentation refers to the methods by which the results of the digital investigation are presented to the court, jury, or other fact-finders. If the evidence is otherwise solid, anti-forensics tools and methods will be used to attack the reliability and thoroughness of the reports -- or the examiner.

Courts throughout the world have long had to deal with scientific evidence and have had to establish rules for

what is acceptable and unacceptable in this realm.

In the U.S., the guiding principle in federal courts and many

state courts is patterned after the seminal case of Daubert v. Merrell Dow Pharmaceuticals (SC- United States-1993). According to Daubert, a judge can determine the admissibility of scientific evidence

based upon four factors:

• Testing: Can -- and has -- the procedure been tested?

• Error Rate: Is there a known error rate of the procedure?

• Publication: Has the procedure been published and subject to peer review?

• Acceptance: Is the procedure generally accepted in the relevant scientific community?