India's DPDP Act: Industry's Compliance Challenges and Concerns

As India's Data Protection and Privacy Act (DPDP) transitions from proposal to legal mandate, the business community is grappling with the intricacies of compliance and its far-reaching implications. While the government maintains that companies have had a reasonable timeframe to align with the new regulations, industry insiders are voicing their apprehensions and advocating for extensions in implementation.

According to a new LiveMint report, the government says businesses have been given a fair amount of time to adjust to the DPDP regulations. The actual situation, though, seems more nuanced. Industry insiders emphasize the difficulties firms encounter in comprehending and complying with the complex mandate of the DPDP Act.

The Big Tech Alliance, as reported in Inc42, has proposed a 12 to 18-month extension for compliance, underscoring the intricacies involved in integrating DPDP guidelines into existing operations. The alliance contends that the complexity of data handling and the need for sophisticated infrastructure demand a more extended transition period.

An EY study reveals that a majority of organizations express deep concerns about the impact of the data law. This highlights the need for clarity in the interpretation and application of DPDP regulations.

In another development, the IT Minister announced that draft rules under the privacy law are nearly ready. This impending release signifies a pivotal moment in the DPDP journey, as it will provide a clearer roadmap for businesses to follow.

As the compliance deadline looms, it is evident that there is a pressing need for collaborative efforts between the government and the industry to ensure a smooth transition. This involves not only extending timelines but also providing comprehensive guidance and support to businesses navigating the intricacies of the DPDP Act.

Despite the government's claim that businesses have enough time to get ready for DPDP compliance, industry opinion suggests otherwise. The complexities of data privacy laws and the worries raised by significant groups highlight the difficulties that companies face. It is imperative that the government and industry work together to resolve these issues and enable a smooth transition to the DPDP compliance period.

India’s Finance Ministry Tells State-run Banks to Adopt Emerging Technologies to Increase Operational Efficiency


The Indian finance ministry has ordered state-run banks to collaborate and make use of emerging technology to improve operational effectiveness and customer experience.

In a meeting headed by Finance Minister Nirmala Sitharaman to assess the activities and performance of public sector banks (PSBs), the use of account aggregators and generative artificial intelligence for banking operations was considered as a way to keep pace with technological advancements.

The finance minister further highlighted the importance of PSBs exploring partnerships in human resource training and using technology to provide a cost-efficient service to customers. These resources and knowledge will ultimately enhance the PSBs’ operational capability and give their customers a better experience.

What are These Technologies? 

Account Aggregators provide consented sharing of financial data within and between financial institutions once the customers have approved. This enables a consolidated overview of a person's financial data from many accounts and organizations.

Generative Artificial Intelligence is an AI system that can be used to generate content, like text, images or applications, based on training data. Its ability to automate a number of processes and tasks improves efficiency and productivity.

Adopting these emerging technologies will streamline the banks’ operations, cut costs, and provide a better customer experience. The instruction from the finance ministry emphasizes the government's dedication to using technology in the banking sector to improve overall performance and customer satisfaction.

Security Approach

The government has also issued a cautionary statement to the state-controlled banks over the protection of customer data when contracting out essential services, notably technological services. The statement stresses the value of protecting personal information and the necessity of lender cooperation in order to reduce costs and improve security.

While the state-run banks are inclined to invest in technological upgrades like AI and machine learning, this is leading to higher expenses. To address the issue, the government has asked banks to work collaboratively and share information in areas like ‘cybersecurity,’ thus helping to reduce costs.

By pooling resources and sharing infrastructure, banks can collaborate on adopting effective cybersecurity measures and secure the personal information of their clients. This cooperative strategy can reduce the dangers of data breaches and improve the state-run institutions' overall security posture.

The government's warning indicated a rising understanding of the significance of cybersecurity and data protection in the financial industry. It emphasizes the necessity for banks to exercise caution when contracting out technical services, making sure that sufficient safeguards are put in place to protect customer data throughout the entire process.

CERT-In Publishes Security Norms for Government Data Safety

 

The use of remote desktop applications like AnyDesk and TeamViewer in government departments is now prohibited under new security rules issued last week by the Indian cyber security body CERT-In.

According to the regulations, government agencies must enable multi-factor authentication (MFA) for VPN accounts and use virtual private networks (VPN) to access network resources from remote locations.

"Ensure to block access to any remote desktop applications, such as Anydesk, Teamviewer, Ammyy admin etc," the Guidelines on Information Security Practices for Government Entities state.

The goal of these standards, according to CERT-In (Indian Computer Emergency Response Team), is to create a priority baseline for cyber security procedures and controls within government organisations and their affiliated organisations. 

In an official statement, Minister of State for Electronics and IT Rajeev Chandrasekhar stated the government has taken a number of steps to guarantee an open, safe, trusted, and responsible digital world. 

"We are expanding and accelerating on Cyber Security with focus on capabilities, system, human resources and awareness. The guidelines are an important part of our larger cybersecurity framework being built under the leadership of our PM Narendra Modi ji, as India takes rapid strides towards USD 1 trillion Digital Economy," Chandrasekhar stated. 

The guidelines state that essential servers should either be made stand-alone or part of a specific secure zone. Servers are not required to connect with one another unless they are a part of the same application with dedicated ports and authenticated apps.

It's encouraging that CERT-In has released standard operating procedures in the aftermath of several claims and hypotheses that AIIMS systems were infected with ransomware and exposed to data leaks from government agencies. These will harmonise cyber security practises throughout India. Jiten Jain, director of the Voyager Infosec Digital Lab, predicted that it will lessen the amount of cyber security assaults in the nation.

In addition to protection for computer and network infrastructure, the guidelines include security measures for social media accounts associated with government departments. Before anything is posted on an official social media account, the guidelines require clearance from the relevant authorities.

Will VPN Providers and the Indian Government Clash Over New Rules on User Data Collection?


The Ministry of Electronics and Information Technology, which administers CERT-In, has mandated that all VPN providers and cryptocurrency exchanges save user records for five years. Some of the most well-known VPN providers, such as NordVPN and ExpressVPN, claim to collect only the most basic information about their customers and to provide ways for them to stay relatively anonymous by accepting Bitcoin payments.

VPNs reroute users' internet connections through a separate network; this can be done for a variety of reasons, such as connecting to a workplace network that is not available from the general internet or accessing prohibited websites by using servers in other nations. 

Another characteristic of VPNs that several VPN companies like Nord promote as a selling point is privacy. They frequently claim to keep no logs; Nord's no-logs policy has been examined by PricewaterhouseCoopers regularly. However, the IT Ministry's ruling would force the company to deviate from such a policy for servers in India.

What sort of data does the government expect firms to preserve?
  • Validated names of the subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IP addresses assigned to/used by members.
  • The email address, IP address, and time stamp used at the time of registration/onboarding.
  • The purpose for which users are hiring the services.
  • Validated contact information and addresses.
  • Ownership pattern of the subscribers/customers hiring the services.

Official orders from CERT-In, the government agency in charge of investigating and archiving national cybersecurity incidents, have generated controversy. A press release announced that all "Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers" would be bound to maintain a variety of user data for at least five years after the service was canceled or discontinued.

VPN industry's comment on user data?

ExpressVPN stated that their apps and VPN servers have been meticulously designed to completely erase sensitive data. As a result, ExpressVPN will never be forced to give non-existent client data.

"Our team is currently analyzing the latest Indian government decree to determine the best course of action. Because the law will not take effect for at least two months, we are continuing to work as usual. We are committed to protecting our clients' privacy, thus if no other options exist, we may withdraw our servers from India," Patricija Cerniauskaite, a spokesman for NordVPN, stated.

If NordVPN leaves India, would you still be able to use it?

Users will most likely be able to connect to NordVPN's servers in other countries even if the company decides to leave India. According to reports, NordVPN has 28 servers in India which users in India and other countries can connect to. Surprisingly, NordVPN's Indian servers provide access to websites that are normally restricted in India.

India enters an unfortunate list of other large countries where Nord and other VPN providers have either pulled servers or never had a presence: Russia, where Nord and other VPN providers pulled servers just after the country ordered VPN firms to provide backdoor access to government on demand in 2019; and China, where VPN providers are subject to stringent controls. 

The Internet Freedom Foundation, a New Delhi-based digital rights advocacy group, claimed in a comprehensive statement released Thursday afternoon that the requirements were "extreme" and would impair VPN users' "individual liberty and privacy."

French Cyber security Analyst Claims He Could Access Details Of Corona-Infected Persons Via The Government-Mandated Aarogya Setu App


A French cybersecurity analyst by the pseudonym 'Elliot Alderson' on Twitter claims he could access details of Corona infected people via the government-mandated Aarogya Setu app.

Robert Baptiste wrote on Twitter that it was feasible for a remote attacker to know “who is infected, unwell, make a self-assessment in the area of his (attacker’s) choice.” He was able to see “if someone was sick at the PMO office or the Indian Parliament" even with the most recent variant of the Covid-19 contact tracing application.

The creators of Aarogya Setu, however, issued a statement in response, dismissing Baptiste's prior claims.

The French cybersecurity analyst asserted that he could gain access to the details of positive cases at a location of his choice. He did not present any proof in this regard, but promised a detailed report on the alleged security flaws.

The official statement released by Aarogya Setu said “no personal information of any user has been proven to be at risk by the French ethical hacker”.

The statement given earlier by the creators of the application said it was possible for a user to get information for various places by changing the latitude/longitude, which is, in any case, accessible data.

The creators nonetheless insisted that bulk collection of this information was not feasible as “the API call is behind a Web Application Firewall”.

All this has given rise to a raging debate on the use of contact tracing applications by governments. Eivor Oborn, Professor of Healthcare Management at Warwick Business School, UK, says “I think a real breach is made if the professionals are forced to use the app and then are not allowed to discontinue the monitoring after the threshold of the pandemic is over; this to me is a greater concern.”

Oborn added that in a democratic nation like India, citizens ought to have transparency with respect to what, when, and how the information is being used. “I think it is good for the governments concerned to tangibly show benefits that accrue from data use,” Prof Oborn stressed.

Nonetheless, the government's chief scientific advisor, Prof K VijayRaghavan, says that the source code of the application will be made open very soon, “India is the only democracy which has made the use of contact tracing app mandatory, so steps should be taken to make the codebase of the app open source, and users should be given the option to delete their data, even from the servers.”


Facebook Makes Its Largest Bet on the Developing Market; Invests $5.7 Billion in Indian Internet Giant Jio


“The country is in the middle of a major digital transformation, and organizations like Jio have played a big part in getting hundreds of millions of Indian people and small businesses online. With communities around the world in lockdown, many of these entrepreneurs need digital tools they can rely on to find and communicate with customers and grow their businesses.”

This is what Mark Zuckerberg, the CEO of Facebook, said in a post to his Facebook page on the occasion of the social media giant making its biggest single investment by putting $5.7 billion into Jio Platforms of India on Tuesday.

He later added that the move indicates its 'commitment' to India, as more than 388 million people in India have come online over the past four years via Jio.

While numerous businesses have been harmed by the fallout from the Covid-19 pandemic, large technology companies are positioned to profit over the long term as more people turn to their services while staying indoors.

Facebook is thus preparing to move ahead with strategic investments at a very 'fragile' time in the global economy.

David Fischer, Facebook's chief revenue official, and Ajit Mohan, Facebook's managing director in India, said in a blog post by-lined by the former that “One focus of our collaboration with Jio will be creating new ways for people and businesses to operate more effectively in the growing digital economy. For instance, by bringing together JioMart, Jio’s small business initiative, with the power of WhatsApp, we can enable people to connect with businesses, shop, and ultimately purchase products in a seamless mobile experience.”

With more than 400 million Indian citizens using WhatsApp and more than 300 million people using the company's core social network, Facebook sees a lot of opportunity with Jio.

Apart from this, last week India's Economic Times revealed that Facebook and Reliance were intending to use WhatsApp and Jio services to make a WeChat-style "super-app" for India.

Tencent's WeChat has enormous penetration in China, with in excess of a billion users and numerous independent businesses using it for payments, promotion, and communication. It should be noted, however, that this isn't Facebook's first foray into the Indian market.

Several years ago, it attempted to offer free internet connectivity to Indian users in a program called Free Basics. That initiative hit a lot of obstacles until it was ultimately banned in the nation by the telecom regulator TRAI, in 2016.

The regulators concluded that businesses couldn't offer free internet services that favoured only a few companies over the others. Facebook has also been in disagreement with the Indian government over WhatsApp for quite some time.

The government had demanded that WhatsApp change its encryption to trace messages back to their source, which WhatsApp refused to comply with. Simultaneously, regulators have over and over again thwarted WhatsApp's request to offer a payments service to its Indian users.


A Web Privacy Research Group Discovers Data Breaches In Two Indian Fintech Startups




Data breaches in two Indian fintech start-ups, Credit Fair and Chqbook, were recently discovered by a web privacy research group called vpnMentor. The former provides online shopping credit to customers, while the latter is a finance marketplace that connects customers with credit card and personal loan providers.

The research group's team found that "both Credit Fair and Chqbook’s entire databases were unprotected and unencrypted. Credit Fair uses a Mongo Database, while Chqbook uses Elastic Search, neither of which were protected with any password or firewall.”

With regard to Chqbook, the research group 'claimed' to have accessed 67 GB of user information including sensitive data, like the user's telephone number, address, email, credit card number, expiry date, transaction history, plain text passwords, gender, income and employment profile, among other fields.

However, Vipul Sharma, the founder of Chqbook, denied the research group's claim that 67 GB of user data was compromised; rather, he said that 'Chqbook does not have that much volume of data.'

In the case of Credit Fair, the research group said it was able to extract 44K user records containing fields like phone number, detailed information of their loan applications, PAN number, IP address, session tokens, Aadhaar number, and more.

The 'lending company' has still not fixed the issue, as per the research group's post of July 31.

This is, however, not the first case of a data breach in Indian start-ups. Numerous well-known start-ups across various sectors have experienced at least one data breach. Some recent ones include: Truecaller, Justdial, EarlySalary, Ixigo, FreshMenu, and Zomato.

Given the ever-growing number of data breaches in the nation, the Indian government has begun looking at the situation much more seriously at a policy level. In July, a high-level panel headed by Justice B.N. Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad.

Hopefully the Government's stance on requiring all sensitive information of Indian users to be stored locally, to guarantee that the information is easily auditable, will prove viable this time.

Government of India blocked over 2,100 URLs







The Central Government of India has blocked over 2,100 URLs (Uniform Resource Locators) on social media platforms in the first six months of 2019. 

Electronics and IT Minister Ravi Shankar Prasad, in a written reply to the Lok Sabha, informed Parliament that a total of 633, 1,385 and 2,799 URLs were ordered for blocking in 2016, 2017 and 2018, respectively.

“Section 69A of the Information Technology Act, 2000 empowers Government to block any information generated, transmitted, received, stored or hosted in any computer resource in the interest of sovereignty and integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above,” he said.

The Minister said that this action was taken by the government to make social media platforms a safer place.

According to the written statement submitted, the Ministry of Electronics and IT (MeitY), the Ministry of Home Affairs (MHA), and various police departments regularly monitor social media platforms in order to remove objectionable content.