
Daily Category  (Cyber Security)

A quest for order amid cyber insecurity

1. CONTEXT OF THE NEWS

The present is both the best and the worst of times for cyberspace.

Apple, Amazon and Microsoft have amassed over a trillion dollars in market value since the beginning of the year 2020.

However, on the other hand, cyber-attacks have grown as well.

2. INCREASING CYBER-INSECURITY

2.1 Increasing malware

  • A report puts the number of daily malware and phishing emails related to COVID-19 at over 18 million during a single week in April 2020, as monitored by a single email provider.
  • This was in addition to more than 240 million COVID-19-related daily spam messages.
  • Twitter hackers and ransomware targets, too, are increasing by the day.

2.2 Cyber-attacks and States

  • Concerns about the role of states in cyber-attacks are also surfacing, as mentioned by Australia.
  • There are also allegations against China regarding the hacking of health-care institutions in the U.S. doing research on COVID-19 treatment.
  • The United Kingdom has warned of Russian state-backed hackers targeting pharmaceutical companies working on a COVID-19 vaccine.
  • India has recently banned specified Chinese Apps stating that they are “engaged in activities prejudicial to the sovereignty and integrity of India”.
  • This act of the Indian Government adds another layer of complexity to the contestation in cyberspace.
  • Therefore, clearly the cyber insecurity of individuals, organisations and states is expanding amidst the COVID-19 atmosphere.

2.3 Better understanding of Global Cyberspace

  • The world is increasingly moving into the digital space. People are adapting to new ways of digital interaction, and an increasing amount of critical infrastructure is turning digital.
  • However, despite the accelerated pace towards digital technologies, most of us do not understand the parameters of the transformation towards digital.
  • Much like the global public health, cybersecurity too is considered a niche area and is left to the experts.
  • The COVID-19 pandemic has underlined the importance of the global public health infrastructure and the need to abide by agreed rules.
  • On similar lines, a better understanding of the global cyberspace architecture is also imperative.

3. NO GLOBAL COMMONS

3.1 The global commons

  • International law identifies four global commons, viz. the High Seas, the Atmosphere, Antarctica and Outer Space.
  • The borderless global cyberspace is also considered a part of the “global commons”; however, experts are of the view that such a commons does not exist.

3.2 Border control on cyberspace

  • The view of cyberspace in terms of connectivity across national boundaries is an illusion.
  • Since the internet is dependent on the physical infrastructure that is under national control, the internet too is subjected to border control.
  • States control the national networks through laws in accordance with their international commitments.

3.3 Responsibility of States vis-a-vis cyberspace

  • States are also responsible for the following:
    • Ensuring cybersecurity,
    • Enforcing laws related to cyberspace
    • Protection of public good
  • Apart from their own actions, States are also responsible for actions taken from within their sovereign territory.
  • However, implementing the States' responsibilities towards cyberspace is difficult, since the infrastructure on which the Internet depends falls within the jurisdictions of multiple states.
  • These states have differing approaches towards the view of cyberspace and cybersecurity.

3.4 Multiple Stakeholders

  • There are multiple stakeholders in the cyberspace including both states and non-state actors.
  • The non-state actors play key roles with both benign and malignant intentions.
  • Furthermore, some networks are private and have objectives different from those of the states.
  • Lastly, cyber tools are dual-use and cheap, and they make attribution and verification of actions quite a task.

3.5 Developing cyber norms

  • Despite the presence of both state and non-state actors, only the states have the right of oversight.
  • There is no single authority for the global cyberspace like the World Health Organization, which can monitor, assess, advise and inform about fulfilment of state commitments, in however limited or unsatisfactory a manner.
  • To put it simply we are still searching for the cyber "rules of the road".
  • Presently we are in the developing stage of “cyber norms” that can provide a balance between the competing demands of national sovereignty and transnational connectivity.

4. GAPS IN CURRENT PROCESSES

4.1 UN and Cybersecurity

  • In 1998, Russia raised the issue of information and communications technologies (ICTs) in international security on the UN agenda.
  • Since then, six Groups of Governmental Experts (GGEs) with two-year terms and limited membership have been working on the issue.
  • In addition to the GGEs, last year an Open-Ended Working Group (OEWG) began working on the same issue with a similar mandate. The group is open to all, and many states have shown interest in it.
  • A report is expected by next year.

4.2 Discussions in the group

  • The discussions are focussed narrowly in line with the mandate.
  • Issues that have been kept out are:
    • Internet governance
    • Development
    • Espionage
    • Digital privacy
  • Issues like terrorism and crime are acknowledged as important but the discussions on these topics are not as thoroughly done as in other UN bodies.

4.3 Outcome of the UN Exercise

  • The net outcome of the UN exercise on cyberspace is the acceptance that international law and the UN Charter apply to cyberspace as well.
  • On these lines, a set of voluntary norms of responsible state behaviour was agreed to in 2015.
  • However, the aspects and circumstances in which international law will be applicable have still not been addressed, and various reports on the matter call for action, including the recent report by UN Secretary-General António Guterres entitled “Roadmap for Digital Cooperation”.
  • However, given the present geopolitical circumstances there is very little hope of such processes being undertaken.

5. MORE ENGAGEMENT NEEDED

5.1 Expanding cyberspace in India

  • Generally speaking, technologies move faster than, and stay ahead of, the development of associated norms and institutions; the same is the case with cyberspace.
  • This provides India with the opportunity, time and space to develop our approach in tune with the relevance of cyberspace to India's future economic, social and political objectives.
  • Despite the digital divide, India’s cyber footprint is expanding at an accelerated rate and therefore the rate of conflicts and crimes will increase too.
  • Under these circumstances, shared “rules of the road” become imperative.

5.2 India and Cybersecurity

  • The Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology is a very active nodal agency for cybersecurity.
  • Five of the six GGEs formed had representatives from India.
  • India is also an active participant at the OEWG.
  • India is also a member of the Shanghai Cooperation Organisation, which has also shown support for a code of conduct.
  • India also joined the Christchurch Call, which brought countries and corporations together in order to increase efforts to stop the use of social media for promoting terrorism and violent extremism.

5.3 Need of active engagements

  • The cyberspace is becoming an increasingly contested and fragmented domain.
  • Going forward, the issue of cybersecurity will require better arrangements and more intense partnerships with additional safeguards.

5.4 India and Global Efforts

  • India needs to turn its attention immediately to the issue of cybersecurity.
  • India needs to make both domestic and global efforts in this regard.
  • India should be an active participant in shaping and defining cyber norms.
  • India can also consider acceding to the Convention on Cybercrime of the Council of Europe (Budapest Convention).
  • There should be increasing participation and engagement in multi-stakeholder orientations such as the Paris Call for Trust and Security in Cyberspace.

5.5 India and domestic Efforts

  • There should be more clarity on legislation on data protection.
  • The private sector in India should be encouraged to participate increasingly in industry-focused processes such as the Microsoft-initiated Cybersecurity Tech Accord and the Siemens-led Charter of Trust.

6. CONCLUSION

At present there is a huge digital divide in India. However, the coming future is going to bridge this gap and India is expected to have a major portion of the next billion smartphones.

Therefore, cybersecurity is bound to play a large role in the lives of Indians.

To prepare for the larger role of cyberspace in India, we need to work on a deeper public understanding of cyberspace, cybersecurity and its various dimensions.

Given the size and scope of cyberspace in India, it is too important to be left only to the experts.

ADDITIONAL INFORMATION

Indian Computer Emergency Response Team (CERT-In)

  • CERT-In is a functional organization under the Ministry of Electronics and Information Technology of the Government of India.
  • CERT-In is the national nodal agency to deal with cybersecurity incidents.
  • The CERT-In was established in 2004.
  • The Information Technology (Amendment) Act 2008 has provided for the following functions to be undertaken by CERT-In and has designated it to serve as the national nodal agency:
    • Collection, analysis and dissemination of information on cyber incidents.
    • Forecast and alerts of cybersecurity incidents
    • Emergency measures for handling cybersecurity incidents
    • Coordination of cyber incident response activities.
    • Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
    • Such other functions relating to cybersecurity as may be prescribed.

Defence Offsets

Context:

The Defence Ministry came up with its latest Defence Acquisition Procedure 2020 (DAP 2020) which comes into effect from October 1.

  • The government has also decided to remove the clause for offsets if the equipment is being bought either through deals or agreements between two countries or through an ab initio single-vendor deal.

Defence offsets:

  • The policy was adopted on the recommendations of the Vijay Kelkar Committee in 2005. The first offset contract was signed in 2007.
  • The first policy mentioned that all defence procurements exceeding Rs 300 crore, estimated cost, will entail offsetting obligations of at least 30%, which could be increased or decreased by the DAC (Defence Acquisition Council).
  • The offset is an obligation by an international player to boost India’s domestic defence industry if India is buying defence equipment from it.
  • The Comptroller and Auditor General (CAG), in a report defined offsets as a “mechanism established with the triple objectives of:
    • Partially compensating for a significant outflow of a buyer country’s resources in a large purchase of foreign goods
    • Facilitating the induction of technology and
    • Adding capacities and capabilities of domestic industry”.
  • An offset provision in a contract makes it obligatory on the supplier to either reverse purchase, execute export orders or invest in local industry or in research and development in the buyer’s domestic industry.

The objective of the Defence Offset Policy:

  • “To leverage capital acquisitions to develop Indian defence industry by fostering the development of internationally competitive enterprises, augmenting capacity for Research, Design and Development related to defence products and services and encouraging the development of synergistic sectors like civil aerospace, and internal security”.

Offset obligations:

  • There are multiple routes through which a foreign vendor can fulfil its offset obligations. Until 2016, the vendor had to declare the route around the time of signing the contract.
  • In 2016, the new policy amended this to allow the vendor to provide it “either at the time of seeking offset credits or one year prior to discharge of offset obligations”.
  • The August 2012 Defence Ministry note mentioned these avenues:
    • Direct purchase of, or executing export orders for, eligible products manufactured by, or services provided by Indian enterprises
    • Foreign Direct Investment in joint ventures with Indian enterprises (equity investment) for eligible products and services
    • Investment in ‘kind’ in terms of transfer of technology (TOT) to Indian enterprises, through joint ventures or through the non-equity route for eligible products and services
    • Investment in ‘kind’ in Indian enterprises in terms of provision of equipment through the non-equity route for manufacture and/or maintenance of products and services
    • Provision of equipment and/or TOT to government institutions and establishments engaged in the manufacture and/or maintenance of eligible products, and provision of eligible services, including DRDO (as distinct from Indian enterprises).
    • Technology acquisition by DRDO in areas of high technology.
  • The DAP 2020 has given transfer of critical technology to DRDO.

Will no defence contracts have offset clauses now?

  • Only government-to-government agreements (G2G), ab initio single vendor contracts or inter-governmental agreements (IGA) will not have offset clauses anymore. For example, the deal to buy 36 Rafale fighter jets, signed between the Indian and French governments in 2016, was an IGA.
    • IGA is an agreement between two countries under which you can go on signing individual contracts. G2G is a transaction-specific or an acquisition specific agreement.
  • According to DAP 2020, all other international deals that are competitive, and have multiple vendors vying for it, will continue to have a 30% offset clause.

Source: Indian Express

Annual Crime in India Report

Context:

According to the annual Crime in India 2019 report, crimes against Scheduled Castes (SCs) and Scheduled Tribes (STs) saw an increase of over 7% and 26% respectively in 2019 compared to 2018.

  • The report is published by the National Crime Records Bureau (NCRB).

Cases against SCs:

  • A total of 45,935 cases were registered for committing a crime against SCs, showing an increase of 7.3% over 2018 when 42,793 such cases were recorded.
  • At 11,829 cases, Uttar Pradesh recorded the highest number of crimes against SCs in 2019, followed by 6,794 cases in Rajasthan and 6,544 cases in Bihar.

Rape cases:

  • In the number of cases of rape of women belonging to SCs, Rajasthan topped the list with 554 cases, followed by Uttar Pradesh at 537 and Madhya Pradesh at 510 cases.
  • A total of 8,257 cases were registered for committing a crime against STs, an increase of 26.5% over 2018 when 6,528 such cases were registered.
  • Madhya Pradesh recorded the highest number of cases against STs with 1,922 cases, followed by Rajasthan with 1,797 cases and Odisha with 576 cases.
  • The highest number of incidents of rape of tribal women (358) was registered in Madhya Pradesh, followed by 180 incidents in Chhattisgarh and 114 in Maharashtra.

Cognizable crimes:

  • A total of 51,56,172 cognizable crimes comprising 32,25,701 Indian Penal Code (IPC) ones and 19,30,471 Special and Local Laws (SLL) crimes were registered in 2019. It showed an increase of 1.6% in the registration of cases over 2018 (50,74,635 cases).
  • A total of 4,05,861 cases of crime against women were registered in 2019 compared to 3,78,236 cases in 2018, showing an increase of 7.3%.
  • Cybercrimes increased by 63.5% in 2019. A total of 44,546 cases were registered under cybercrimes, compared to 27,248 cases in 2018. In 2019, 60.4% of cybercrime cases registered were for the motive of fraud (26,891 out of 44,546 cases), followed by sexual exploitation, with 5.1% (2,266 cases), and causing disrepute with 4.2% (1,874 cases).

CHRI statement:

  • The Commonwealth Human Rights Initiative (CHRI), a police reform advocacy group, highlights a few cases that were being registered for specific discriminatory action against SCs and STs.
  • Crimes against SCs and STs include the following categories: atrocities committed by non-SC/ST members under the Scheduled Castes and Scheduled Tribes (Prevention of Atrocities) Act, 1989 (hereafter POA Act), the Indian Penal Code, and the Protection of Civil Rights Act, 1955.

National Crime Record Bureau:

  • NCRB was set-up in 1986 under the Ministry of Home Affairs.
  • It was set up on the recommendations of the National Police Commission (1977-1981) and the MHA’s Task Force (1985).
  • Objective: To function as a repository of information on crime and criminals so as to assist the investigators in linking crime to the perpetrators.
  • NCRB publishes the Crime in India report.
  • Headquarters: New Delhi.

Source: The Hindu

ICGS Kanaklata Barua

Context:

A Fast Patrol Vessel (FPV) named ICGS Kanaklata Barua was commissioned in the Indian Coast Guard.

  • It is named after a teenage freedom fighter who was shot dead in Assam during the Quit India Movement.

About the ship:

  • It is the fifth and last in a series of FPVs built by Garden Reach Shipbuilders and Engineers (GRSE) Ltd.
    • The other four are ICGS Priyadarshini (named after Indira Gandhi), ICGS Annie Besant, ICGS Kamala Devi (after Kamala Devi Chattopadhyay), and ICGS Amrit Kaur.
  • These FPVs are upgraded versions of the inshore patrol vessels and can achieve a speed of 34 knots.
  • In the Coast Guard, these FPVs and their earlier versions belong to the Rajashree class of patrol vessels.
    • The previous versions were named ICGS Rajashree, Rajtanag, Rajkiran, Rajkamal, Rajdoot, Rajveer, etc; the modified versions are named after freedom fighters.

Significance:

  • These are suited for patrolling, maritime surveillance, anti-smuggling, anti-poaching operations and also for fishery protection, and rescue and search missions.
  • These FPVs are medium-range surface vessels with a length of around 50 m, and a displacement of over 300 tonnes.

Kanaklata Barua:

  • She was one of the youngest martyrs of the Quit India Movement who has iconic status in Assam.
  • She led the Mukti Bahini which was a procession of freedom fighters to unfurl the Tricolour at Gohpur police station in 1942.
  • When police did not let them move forward, an altercation led to the firing, killing Barua at the head of the procession.
  • The Coast Guard had named an earlier ship after her. The previous ICGS Kanaklata Barua was commissioned in 1997 and decommissioned in 2017. The ship was dismantled in 2018 and sold as scrap.

Source: Indian Express

Basic Exchange and Cooperation Agreement for Geo-Spatial Cooperation (BECA)

Context:

The USA is looking forward to India signing the Basic Exchange and Cooperation Agreement for Geo-Spatial Cooperation (BECA), at the next India-USA 2+2 ministerial dialogue likely to be held in October 2020.

Details:

  • A meeting of the Quad Foreign Ministers is scheduled to take place in Tokyo in October 2020. Earlier, the meeting was expected to be held in New Delhi.
  • The U.S. wants BECA to be signed at the ministerial 2+2 in October.
  • A maritime information agreement is also under active deliberation between India and the U.S. Once concluded, India will have such arrangements with all Quad countries, namely Australia, Japan, and the U.S.

BECA:

  • It will allow India to use the geospatial maps of the USA to get pinpoint military accuracy of automated hardware systems and weapons such as cruise and ballistic missiles.
  • BECA is an important precursor to India acquiring armed unmanned aerial vehicles such as the Predator-B from the USA. Predator-B uses spatial data for accurate strikes on enemy targets.
  • In 2016, India has signed three foundational agreements with the USA.
  • BECA is one of the four foundational military communication agreements between the two countries. The other three are:
    • The Logistics Exchange Memorandum of Agreement (LEMOA),
    • The Communications Compatibility and Security Agreement (COMCASA)
    • The General Security of Military Information Agreement (GSOMIA)

2+2 talks:

  • These talks are between two appointed ministers from each country. Defense and foreign ministers or secretaries meet with their counterparts from another country. 
  • Objective: To discuss issues of strategic and security interests between the two countries.
  • The talks were announced in June 2017. The 2+2 dialogue has replaced the Strategic and Commercial Dialogue between the foreign and commerce ministers of the two countries that were held previously.
  • India holds ministerial-level talks only with the USA. Apart from India, the United States holds such talks with Australia and Japan also.

Communications and Information Security Memorandum of Agreement (COMCASA):

  • It was signed by India in 2018.
  • It is valid for 10 years only.
  • Objective: To provide a legal framework for the transfer of highly sensitive communication security equipment from the USA to India that will streamline and facilitate interoperability between their armed forces.

General Security Of Military Information Agreement (GSOMIA):

  • In 2002 it was signed by India.
  • The agreement allows militaries to share the intelligence gathered by them.
  • An extension to the GSOMIA, the Industrial Security Annex (ISA), was signed at the 2+2 dialogue in 2019.
  • ISA provides a framework for the protection as well as the exchange of classified military information between the USA and India.

Source: The Hindu

Proportionality of Aarogya Setu

1. CONTEXT OF THE NEWS

The Aarogya Setu app developed by the government appears to be a commendable use of technology to provide efficient solutions.

This editorial discusses the proportionality of technological-solutionism vis-à-vis inadequate privacy protection.

2. UNDERSTAND TRANSMISSION AND NEED OF ANALYSIS

2.1 Transmission of COVID-19

  • According to virologists, there are two ways in which COVID-19 is transmitted, viz.:
    • direct person-to-person transmission by inhalation of droplets or aerosols carrying the virus
    • inadvertently picking up droplets from contaminated surfaces
  • For direct person-to-person transmission of COVID-19, the precise relation between risk of infection and proximity is not clearly modelled, but there is a consensus that the person-to-person distance should be within approximately 2 m for inhalation of a sufficient virus load.
  • For picking up droplets from contaminated surface, it is known that the viruses can survive for different time-periods on different surfaces, particularly on hard metallic surfaces, ranging from several hours to even days.

2.2 Need of Analysis

  • The government has excessively pushed Aarogya Setu and hailed it as the major instrument in India's fight against COVID-19.
  • Several experts and technocrats have expressed serious concerns about privacy and trust issues in an app-based approach (Aarogya Setu).
  • There needs to be a careful analysis of the effectiveness and utility of the app and the balance of the two. This becomes all the more important because there is no publicly available, detailed and credible evaluation of the efficacy of Aarogya Setu.

3. ANALYSIS OF AAROGYA SETU

3.1 Working of AarogyaSetu

  • Electronic risk assessment of COVID-19, as done by Aarogya Setu, uses two main principles:
    1. GPS based geolocation
    2. Bluetooth based proximity sensing

3.2 Assessment using Global Positioning System (GPS)

  • GPS is often unavailable indoors.
  • Even outdoors in dense metropolitan areas, the average unavailability of GPS is in the range of 30-40%.
  • Even during its availability, the GPS can have errors to the tune of several tens of metres on a consistent basis.

3.3 Reliability of Global Positioning System (GPS)

  • Hence, for assessing direct person-to-person transmission within 2 m, especially in dense gatherings, GPS is clearly not a reliable instrument.
  • If everybody within a few metres of an infected individual is declared infected on the basis of GPS, it will generate too many false positives.
  • In addition, for a cautious and COVID-19 aware person taking all safety precautions, mere colocation does not necessarily imply high risk of contracting the infection.
  • Hence, GPS may overestimate risks for direct transmissions.
  • Similarly, GPS is also unreliable for indirect transmissions as the proximity with a potential infected indoor surface is most likely to be missed entirely, leading to false negatives.

3.4 Assessment using Bluetooth based proximity sensing

  • For this method of assessment, each device transmits low energy radio beacons isotropically in all directions at periodic intervals.
  • The listening device picks up the signal, establishing a communication channel between the two devices.
  • The distance between the two devices is estimated on the basis of the strength of the received signal.

3.5 Reliability of Bluetooth based proximity sensing

  • The optimum interval between radio transmissions for effective risk assessment of direct person-to-person infections is not clear.
  • While excessively frequent transmissions will drain batteries, too wide a time gap between radio transmissions will lead to false negatives.
  • Another concern is the generation of too many false positives.
  • Bluetooth based proximity sensing can overestimate the risk because radio transmissions can establish connections even across large distances in open spaces and across walls, which the radio transmission can penetrate but the virus cannot. This is a major drawback.
  • False negatives are also possible in Bluetooth based assessment because radio signals weaken when passing through human bodies, for example when the victim carries the phone in a front pocket while the infected person is in close proximity behind the victim.
  • Bluetooth based proximity sensing is also ineffective for assessing indirect transmission of infection. The coronavirus can survive on contaminated surfaces for hours or even days; hence, for effective assessment, the intersection of smartphone trajectories needs to be computed not only in space but also over large temporal windows.
  • Bluetooth based proximity sensing, which consists of isolated communication events between two smartphones over narrow temporal windows, is ineffective for this assessment.
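The false positives and false negatives described in 3.4 and 3.5 can be reproduced with a log-distance path-loss model. This is an added example, not code from Aarogya Setu; the calibration power, path-loss exponents, attenuation values and the five encounters are assumptions constructed for illustration, and only the 2 m radius comes from the text.

```python
import math
from dataclasses import dataclass

TX_POWER_AT_1M_DBM = -60.0  # assumed calibration: RSSI measured at 1 m in free space
ASSUMED_EXPONENT = 2.0      # path-loss exponent the estimator assumes (free space)
RISK_RADIUS_M = 2.0         # the ~2 m person-to-person distance from the text


@dataclass
class Encounter:
    label: str
    true_distance_m: float
    path_loss_exponent: float  # what the environment actually does to the signal
    extra_loss_db: float       # attenuation by a body or a wall on the radio path
    shared_air: bool           # False when a wall blocks droplets but not radio


# Constructed scenarios; every number here is an illustrative assumption.
ENCOUNTERS = [
    Encounter("face to face, 1 m", 1.0, 2.0, 0.0, True),
    Encounter("phone in front pocket, source 1 m behind", 1.0, 2.0, 15.0, True),
    Encounter("neighbour behind a thin wall, 1.2 m", 1.2, 2.0, 3.0, False),
    Encounter("cluttered room, 1.8 m", 1.8, 2.7, 0.0, True),
    Encounter("across the street, 10 m", 10.0, 2.0, 0.0, True),
]


def received_rssi(e: Encounter) -> float:
    """Log-distance path-loss model: signal strength seen by the listening phone."""
    return (TX_POWER_AT_1M_DBM
            - 10.0 * e.path_loss_exponent * math.log10(e.true_distance_m)
            - e.extra_loss_db)


def estimated_distance(rssi_dbm: float) -> float:
    """Invert the model using the estimator's fixed assumptions."""
    return 10.0 ** ((TX_POWER_AT_1M_DBM - rssi_dbm) / (10.0 * ASSUMED_EXPONENT))


def classify(e: Encounter) -> str:
    """Compare the estimator's verdict with the ground truth for one encounter."""
    at_risk = e.shared_air and e.true_distance_m <= RISK_RADIUS_M
    flagged = estimated_distance(received_rssi(e)) <= RISK_RADIUS_M
    if flagged:
        return "TP" if at_risk else "FP"
    return "FN" if at_risk else "TN"


def error_rates(encounters) -> dict:
    """Confusion counts plus the false positive and false negative rates."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for e in encounters:
        counts[classify(e)] += 1
    counts["FNR"] = counts["FN"] / (counts["TP"] + counts["FN"])
    counts["FPR"] = counts["FP"] / (counts["FP"] + counts["TN"])
    return counts


if __name__ == "__main__":
    for e in ENCOUNTERS:
        est = estimated_distance(received_rssi(e))
        print(f"{e.label:42s} true={e.true_distance_m:4.1f} m  est={est:5.2f} m  {classify(e)}")
    print(error_rates(ENCOUNTERS))
```

A 15 dB body loss turns a 1 m contact into an estimated distance of more than 5 m, while a 3 dB wall still leaves the neighbour inside the flagged radius.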

4. PRIVACY CONCERNS IN AAROGYA SETU

  • The privacy aspects of the Aarogya Setu app have also not been effectively implemented.
  • Aarogya Setu uses a static transmission id for every smartphone, which is fixed at the time of registration.
  • Other tracing applications like Apple and Google’s proposal, DP3T, MIT’s Private-Kit and PACT, and Singapore’s TraceTogether generate a new random token to be used as a fresh id after a pre-specified interval.
  • Aarogya Setu also collects more metadata compared to the other apps.
  • Metadata includes details such as the timestamp of the contact, the MAC address, and the Bluetooth model name and number of the contacted device.
  • Additionally, while the other applications (except TraceTogether) assume the centralised server to be untrusted, Aarogya Setu completely trusts the centralised server.
  • Both the static id and the collection of additional metadata by the Aarogya Setu app, especially the timestamps and geolocations, make it vulnerable to privacy attacks by users.
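The difference between a static id and a rotating token, and the way logged metadata such as the MAC address undoes the rotation, can be measured on a small contact log. This is an added example, not code from Aarogya Setu or from any of the protocols named above; the HMAC derivation, the 15-minute interval, the device secrets, MAC values and sightings are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

ROTATION_SECONDS = 15 * 60  # assumed interval; the text only says "pre-specified"


def static_id(secret: bytes, t: int) -> str:
    """Identifier fixed at registration: the timestamp is ignored."""
    return hashlib.sha256(b"static|" + secret).hexdigest()[:16]


def rotating_id(secret: bytes, t: int) -> str:
    """Fresh token per interval, derived with HMAC from a device-held secret."""
    interval = t // ROTATION_SECONDS
    msg = b"eph|" + interval.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


# Constructed sample data: (device, seconds since midnight, place).
SECRETS = {"A": b"secret-of-device-A", "B": b"secret-of-device-B"}
MACS = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b"}
SIGHTINGS = [
    ("A", 8 * 3600, "home"), ("A", 8 * 3600 + 300, "home"),
    ("A", 10 * 3600, "office"), ("A", 13 * 3600, "clinic"),
    ("A", 18 * 3600, "home"),
    ("B", 10 * 3600, "office"), ("B", 10 * 3600 + 600, "office"),
]


def contact_log(id_scheme, keep_mac: bool):
    """Records a receiving phone (or a trusted server) would hold."""
    return [
        {"id": id_scheme(SECRETS[dev], t),
         "mac": MACS[dev] if keep_mac else None,
         "t": t, "place": place}
        for dev, t, place in SIGHTINGS
    ]


def linkability(log, field: str) -> dict:
    """Group records by one field and report how much a single value ties together."""
    groups = defaultdict(list)
    for rec in log:
        groups[rec[field]].append(rec)
    return {
        "distinct_values": len(groups),
        "max_places": max(len({r["place"] for r in g}) for g in groups.values()),
        "max_span_s": max(max(r["t"] for r in g) - min(r["t"] for r in g)
                          for g in groups.values()),
    }


def matches_for_secret(secret: bytes, log) -> int:
    """Exposure matching still works: a party given the secret recomputes its tokens."""
    return sum(1 for rec in log if rec["id"] == rotating_id(secret, rec["t"]))


if __name__ == "__main__":
    print("static id   :", linkability(contact_log(static_id, False), "id"))
    print("rotating id :", linkability(contact_log(rotating_id, False), "id"))
    # Rotating the token does not help if a stable MAC is stored next to it.
    print("rotating+MAC:", linkability(contact_log(rotating_id, True), "mac"))
    print("matches for A's secret:",
          matches_for_secret(SECRETS["A"], contact_log(rotating_id, False)))
```

With the static id, one value links home, office and clinic across ten hours; with rotation no token spans more than one place or one interval, yet matching against a disclosed secret still finds all five sightings.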

5. CLOSING ANALYSIS

5.1 Lack of error model

  • A basic engineering principle states that every measurement must be accompanied by an associated error model clearly specifying the least count and a confidence interval for the measurement.
  • Similarly, for using technology in risk measurement, precise estimates of the rates of false positives and false negatives need to be specified.
  • AarogyaSetu does not specify such rates.
  • Additionally, there are currently no models or principles for estimating the infection risks for both GPS and Bluetooth proximity based estimation.

5.2 Other drawbacks

  • Additionally, Aarogya Setu reveals an estimation of “infection risk” within a radius of 10-500 m to its users.
  • Given that the stigma and fear of COVID-19 have outgrown the disease itself, and that there are several reports and incidences of targeting and stigmatising doctors, service staff and members of vulnerable communities for fear of spreading the virus, using a large radius of 10-500 m for risk estimation is unwise.
  • Although the source code of a version of the app has now been made public, the design details, the underlying conceptual principles and the server-side details are not yet publicly available.

5.3 Final Verdict

  • The combined use of GPS colocation and Bluetooth radio proximity for risk estimation of COVID-19 appears to be a leap of faith.
  • The problem is compounded by low smartphone penetration in India.
  • Too many false positives and false negatives may lead to an unbounded noise-to-signal ratio for infection transmission, creating confusion and detracting from the main effort by sending administrators and policy-makers on a wild chase.
  • Without clearly specified protocols and details regarding the central server, and in the absence of regulatory oversight, illegal identification of users and other violations are also possible at the server.

6. WAY AHEAD

  • Use of an app like Aarogya Setu for estimating risk of infection at the micro-level is not as effective as local community based manual contact tracing.
  • The manual contact tracing has been applied to much success in Kerala and Dharavi in Mumbai leading to impressive containments.
  • However, the application of contact tracing method is highly restrictive in cases of community transmission, as many instances of spreading will not be caught by it.
  • GPS based geo-location, however, can be effectively used in identifying hotspots at the macro-level.

7. CONCLUSION

Public applications like AarogyaSetu must definitely be more transparent in their design and implementation.

Aarogya Setu is an exemplary use of technology to provide social solutions, but the fears of inadequate privacy protection and ineffective risk assessment cannot be ignored.

For an app emerging as a foremost scientific and policy response tool in India's fight against COVID-19, AarogyaSetu needs closer introspection.

Public, private and profit

CONTEXT OF THE NEWS

The giant social media platform Facebook has been facing criticism over allegations that it favours the ruling government in India to push its own business goals. This has raised concerns over the role of social media, censorship and political partisanship in the private sector as well as among public officials.

THE CASE OF FACEBOOK

  • As per a report in a journal, a senior company official in charge of government relations in India had intervened to prevent the platform from banning a ruling party legislator for his incendiary posts and public appearances. The legislator has called Muslims traitors, said Rohingya immigrants should be shot, and threatened to raze mosques.
  • Earlier, the company had mentioned that punishing the legislator would hurt the platform’s business prospects in India, but later he was banned.
  • Its criteria for regulating speech are under scrutiny. This case has shown political partisanship, insufficient attention to hate speech and fake news, opaque algorithms that direct users to particular kinds of content, inadequate privacy controls, and inordinate and unaccountable power to shape public discourse.

Facebook security and privacy issues:

  • Facebook was found guilty in German and Belgian courts of violating privacy laws.
  • Cambridge Analytica scandal: Cambridge Analytica was a political data analytics firm which used a legitimate app distributed by a third party to harvest Facebook user data. The access was abused, and data was improperly passed to Cambridge Analytica to build political profiles on more than 50 million users, with the intention of influencing elections around the world.
  • In April 2018, as per a report, dozens of Facebook groups were openly being used for cybercrime purposes.
  • In 2018, attackers exploited a vulnerability and obtained access tokens for 30 million Facebook accounts.
  • Facebook was accused of designing its Android app permissions in a way that obfuscated the fact that the app was gathering users' call logs and SMS data in 2015 and earlier.
  • In 2019, researchers discovered third-party databases containing 146 GB of Facebook data on 540 million users exposed publicly.

SOCIAL MEDIA AND POLITICAL PARTIES

  • Political parties in India know the importance of social media. Everyone has recognized it as a powerful weapon to interact with the masses and make them participate, thereby enabling better communication.
  • Indian politicians have started experiencing the impact of social media in one form or the other. Now, almost every political party uses social media to get its message across to the masses.
  • Political campaigns are in no way just limited to buttons and banners for politicians to reach their constituents. The new political arena is full of commercials, blog posts, and hundreds of tweets.
  • Through social media like Facebook or Twitter, politicians are able to constantly display their message through endless commercials.
  • Social media is creating a new political dialogue. It takes the power of political messaging away from the mass media model and places it firmly into peer-to-peer, public discourse.

MAJOR CONCERNS

Private sector

  • Facebook has posed a serious challenge and there is no easy solution for it.
  • This is the age of the Fourth Revolution and social media. The age of social media is like the printing revolution of the 14th and 15th centuries, which empowered masses of people and helped in bringing about nationalism.
  • The problem is not with the policy structure of social media companies like Facebook, which is a private company and can be controlled through legal provisions and its own codes of conduct, but with the private views of the officials working there. This can also be seen as a violation of the free speech of those people.

Public Officials

  • The issue of political partisanship is not only with the private workers but also with the public officials like bureaucrats and judges.
  • There is no challenge to the political partisanship of public officials. Many serving IAS officers now don’t just disseminate government schemes, but openly violate norms of civil service neutrality, without repercussions.
  • Even in official circles, where non-partisanship was appropriate, the norm has been eroded.

Credibility:  

  • We have seen in the last few years that there has been complete fusion of social media, private and public roles. So, maintaining a strict boundary between the public role and private or political views in social media age is very difficult.

Censorship: 

  • At present, both the ruling and opposition parties claim to be victims of Facebook’s censorship policy.
  • Censorship, whether public or private, always invites charges of partisanship. It is probably hard to censor nowadays, things get disseminated one way or the other.
  • In some sense, social media makes these distinctions difficult to maintain. The distinction between speech and action has become harder in an age where speech goes viral with unpredictable effects.
  • The authority of private companies to censor or redirect the speech of elected officials is under scrutiny. This can most likely rebound in a democratic backlash against free speech, more than it would cleanse the system of hateful speech.
  • Censors will always remain and will be deeply politicized, which raises the question of how much authority to censor one should grant to private and relatively unaccountable entities like Facebook.

CONCLUSION

Facebook got attention because it is a great power and needs to be regulated. But it is not certain that other platforms will solve concerns about partisanship and censorship in social media. Companies want to blur the distinction between public and private. Social media cannot profit unless everything private becomes public. They know that, in some sense, hate pays, and they want to cash in on it. So while we need to ask tough questions about Facebook’s role, let us not pretend that all we are doing is enacting a performance. Resisting Facebook’s power will require a more radical withdrawal from a logic of profit that blurs the boundary between public and private, without which no freedom and civility is possible.

Source: Indian express

A quest for order amid cyber insecurity

1. CONTEXT OF THE NEWS

 

The present time is both the best and the worst for cyberspace.

Apple, Amazon, and Microsoft have amassed over a trillion dollars in market value since the beginning of the year 2020.

However, on the other hand, cyber-attacks have grown as well.

2. INCREASING CYBER-INSECURITY

2.1 Increasing malware

  • A report puts the number of daily malware and phishing emails related to COVID-19 at over 18 million in a single week in April 2020, as monitored by a single email provider.
  • This was in addition to more than 240 million COVID-19-related daily spam messages.
  • Twitter hackers and ransomware targets too are increasing by the day.

2.2 Cyber-attacks and States

  • Concerns about the role of states in cyber-attacks are also surfacing, as mentioned by Australia.
  • There are also allegations against China regarding hacking of health-care institutions in the U.S. doing research on COVID-19 treatment.
  • The United Kingdom has warned of Russian state-backed hackers targeting pharmaceutical companies working on the COVID-19 vaccine.
  • India has recently banned specified Chinese Apps stating that they are “engaged in activities prejudicial to the sovereignty and integrity of India”.
  • This act of the Indian Government adds another layer of complexity to the contestation in cyberspace.
  • Therefore, clearly the cyber insecurity of individuals, organizations, and states is expanding amidst the COVID-19 atmosphere.

2.3 Better understanding of Global Cyberspace

  • The world is increasingly moving into the digital space. People are adapting to new ways of digital interaction and an increasing amount of critical infrastructure is turning digital.
  • However, despite the accelerated pace towards digital technologies, most of us do not understand the parameters of the transformation towards digital.
  • Much like global public health, cybersecurity too is considered a niche area and is left to the experts.
  • The COVID-19 pandemic has underlined the importance of the global public health infrastructure and the need to abide by agreed rules.
  • On similar lines, a better understanding of the global cyberspace architecture is also imperative.

3. NO GLOBAL COMMONS

3.1 The global commons

  • International law identifies four global commons viz. the High Seas, the Atmosphere, Antarctica and the Outer Space.
  • The borderless global cyberspace is also considered a part of the “global commons”; however, experts are of the view that such a borderless cyberspace does not exist.

3.2 Border control on cyberspace

  • The view of cyberspace in terms of connectivity across national boundaries is an illusion.
  • Since the internet is dependent on the physical infrastructure that is under national control, the internet too is subjected to border control.
  • States control the national networks through laws in accordance with their international commitments.

3.3 Responsibility of States vis-a-vis cyberspace

  • States are also responsible for the following:
    • Ensuring cybersecurity,
    • Enforcing laws related to cyberspace
    • Protection of public good
  • Apart from their own actions, States are also responsible for actions taken from within their sovereign territory.
  • However, the implementation of the States' responsibilities towards cyberspace is difficult, since the infrastructure on which the Internet depends falls within the jurisdictions of multiple states.
  • These states have different approaches towards the view of cyberspace and cybersecurity.

3.4 Multiple Stakeholders

  • There are multiple stakeholders in the cyberspace including both states and non-state actors.
  • The non-state actors play key roles with both benign and malignant intentions.
  • Furthermore, some networks are private which have different objectives than the states have.
  • Lastly, cyber tools are dual-use and cheap, and they make attribution and verification of actions quite a task.

3.5 Developing cyber norms

  • Despite the presence of both state and non-state actors, only the states have the right of oversight.
  • There is no single authority for the global cyberspace like the World Health Organization, which can monitor, assess, advise and inform about the fulfillment of state commitments, in however limited or unsatisfactory a manner.
  • To put it simply we are still searching for the cyber "rules of the road".
  • Presently we are in the developing stage of “cyber norms” that can provide a balance between the competing demands of national sovereignty and transnational connectivity.

4. GAPS IN CURRENT PROCESSES

4.1 UN and Cybersecurity

  • In 1998, Russia raised the issue of information and communications technologies (ICTs) in international security on the UN agenda.
  • Since then, six Groups of Governmental Experts (GGEs) with two-year terms and limited membership have been working on the issue.
  • In addition to the GGE, last year, an Open-Ended Working Group (OEWG) began working on the same issue with similar mandates. The group is open to all and many states have shown interest in the group.
  • A report is expected by the next year.

4.2 Discussions in the group

  • The discussions are focussed narrowly in line with the mandate.
  • Issues that have been kept out are:
    • Internet governance
    • Development
    • Espionage
    • Digital privacy
  • Issues like terrorism and crime are acknowledged as important but the discussions on these topics are not as thoroughly done as in other UN bodies.

4.3 Outcome of the UN Exercise

  • The net outcome of the UN exercise on cyberspace is the acceptance that international law and the UN Charter apply to cyberspace as well.
  • On these lines, a set of voluntary norms of responsible state behavior was agreed to in 2015.
  • However, the aspects and circumstances in which international law will be applicable have still not been addressed, and various reports on the matter call for action, including the recent report by UN Secretary-General António Guterres entitled “Roadmap for Digital Cooperation”.
  • However, given the present geopolitical circumstances, there is very little hope of such processes being undertaken.

5. MORE ENGAGEMENT NEEDED

5.1 Expanding cyberspace in India

  • Generally speaking, technologies move faster than, and stay ahead of, the development of associated norms and institutions; the same is the case with cyberspace.
  • This gives India the time and space to develop its approach in tune with the relevance of cyberspace to India's future economic, social, and political objectives.
  • Despite the digital divide, India’s cyber footprint is expanding at an accelerated rate and therefore the rate of conflicts and crimes will increase too.
  • Under these circumstances, shared “rules of the road” become imperative.

5.2 India and Cyber security

  • The Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology is a very active nodal agency for cybersecurity.
  • Five of the six GGEs formed had representatives from India.
  • India is also an active participant at the OEWG.
  • India is also a member of the Shanghai Cooperation Organisation, which has also shown support for a code of conduct.
  • India also joined the Christchurch Call, which brought countries and corporations together in order to increase efforts to stop the use of social media for promoting terrorism and violent extremism.

5.3 Need of active engagements

  • The cyberspace is becoming an increasingly contested and fragmented domain.
  • Going forward, the issue of cybersecurity will require better arrangements and more intense partnerships with additional safeguards.

5.4 India and Global Efforts

  • India needs to turn its attention immediately to the issue of cybersecurity.
  • India needs to make both domestic and global efforts in this regard.
  • India should be an active participant in shaping and defining cyber norms.
  • India can also consider acceding to the Convention on Cybercrime of the Council of Europe (Budapest Convention).
  • There should be increasing participation and engagement in multi-stakeholder initiatives such as the Paris Call for Trust and Security in Cyberspace.

5.5 India and domestic Efforts

  • There should be more clarity on legislation on data protection.
  • The private sector in India should be encouraged to participate increasingly in industry-focused processes such as the Microsoft-initiated Cybersecurity Tech Accord and the Siemens-led Charter of Trust.

6. CONCLUSION

At present there is a huge digital divide in India. However, the coming future is going to bridge this gap, and India is expected to have a major portion of the next billion smartphones.

Therefore, cybersecurity is inevitably going to play a large role in the lives of Indians.

To prepare for the larger role of cyberspace in India, we need to work on a deeper public understanding of cyberspace, cyber security, and its various dimensions.

Given the size and scope of cyberspace in India, it is too important to be left only to the experts.

ADDITIONAL INFORMATION

Indian Computer Emergency Response Team (CERT-In)

  • CERT-In is a functional organization under the Ministry of Electronics and Information Technology of the Government of India.
  • CERT-In is the national nodal agency to deal with cyber security incidents.
  • The CERT-In was established in 2004.
  • The Information Technology (Amendment) Act 2008 has provided for the following functions to be undertaken by CERT-In and has designated it to serve as the national nodal agency:
    • Collection, analysis, and dissemination of information on cyber incidents.
    • Forecast and alerts of cyber security incidents
    • Emergency measures for handling cyber security incidents
    • Coordination of cyber incident response activities.
    • Issue guidelines, advisories, vulnerability notes, and whitepapers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents.
    • Such other functions relating to cyber security as may be prescribed.

Source: The Hindu

Is Internet Freedom Being Sacrificed For National Security?

1. CONTEXT OF THE NEWS

Amidst the ongoing border standoff with China along the Line of Actual Control (LAC), the Union Government decided to ban 59 'Chinese' apps in India.

The banning of these apps has once again brought to the surface the question of the vulnerability of Internet freedom at a time of national security concerns.

This editorial analyses the Government's decision on the basis of the proportionality test.

2. NATIONAL SECURITY VERSUS DIGITAL RIGHTS

2.1 Whose rights are violated?

  • We need to be more specific about whose rights are being affected.
  • The rights of Chinese companies whose apps have been banned have surely been affected.
  • However, as far as the Indian individuals who used platforms like TikTok either to run their business or to gain popularity are concerned, their rights have not been entirely violated, as they can go about their existing business by moving to another platform.

2.2 Discretionary use of Section 69A of the Information Technology Act (IT Act)

  • The Union Government has used its power under Section 69A [of the Information Technology Act], which has already been used by the government during a time of national security emergency.
  • However, the national security risk must be genuine and the government must clearly state the necessity of banning of the 59 apps.
  • Only clearly stated reasons for use of such discretionary power by the Union Government can clearly demarcate the trade-off between national security, and rights, both of which are equally important in their own domain.

2.3 Why are Digital Rights important?

  • In India there should be a certain basic understanding that regulation of the Internet or Internet-based services by governments has to respect basic human rights standards for at least two reasons:
    1. India is a constitutional democracy where citizens enjoy certain fundamental rights and basic freedoms guaranteed by the constitution.
    2. India is also a signatory to International Conventions like:
      • International Covenant on Civil and Political Rights
      • Universal Declaration of Human Rights

2.4 The three-part test

  • The three-part test is a doctrine used in International law to evaluate the following acts of a government:
    1. blocking of any service
    2. blocking access to any content
    3. taking other coercive steps that may intrude upon people’s fundamental rights and freedoms
  • The three tests are fairly simple and require that:
    1. the action is very clear
    2. the action could not have been done by a less intrusive means
    3. the action follows standards of necessity and proportionality
  • In India, it is very clear that our fundamental right to free speech and expression extends to online content as well and the Hon’ble Supreme Court has affirmed the same.

3. THE CURRENT BAN

3.1 Evaluating the current ban

  • The blocking of an entire service and apps by the Union Government is remarkable and rather extraordinary and raises many concerns and questions.
  • Less intrusive measures - It is still unclear if the government could have undertaken a less intrusive measure to achieve the same result.
  • Security concerns - Concerns regarding security and especially data and cybersecurity are cited to justify the action of the government.
  • While Indian law allows such actions on the grounds of security, presently the government does not have any legal basis on which to take clear action, because it has itself not enacted a law on that subject.
  • Experts have said that in this particular instance, concerns around national security or other geopolitical concerns have intervened to result in censorship by administrative action, and the test of a proportionate restriction might not have been met.

3.2 Impact of the ban on domestic companies

  • The banning of Chinese apps should be viewed in the context of the larger problem of the border standoff between India and China.
  • If the border standoff resolves, this will resolve on its own.
  • These apps were popular because they worked, and China owes its place in the Global Supply Chain to its production of the desired quality at a competitive rate.
  • Indian tech companies should try to make their products globally competitive.

4. MISUSE OF SECTION 69A OF THE INFORMATION TECHNOLOGY ACT

4.1 Use of Section 69A

  • Some quarters have criticized the use of Section 69A of the Information Technology Act.
  • One criticism is that Section 69A is not designed for data protection compliance.
  • Experts suggest that Section 69A provides for more specific violations rather than broad, general ones.

4.2 Details regarding Section 69A of the Information Technology Act

  • Section 69A of the IT Act entails a limited set of defined grounds under which the government can take action.
  • The grounds mentioned under the act are wide, including the security of the state.
  • Over the last few years, the Union Government, as well as several state governments, have taken a very wide view of national security but data protection has not been one of them.
  • Similar actions taken by other regulators are usually initiated under a data protection framework, wherein the entity is investigated to see if other mechanisms such as orders and fines can be followed instead of using Section 69A.
  • We should also bear in mind that while striking down Section 66A in the Shreya Singhal case the Supreme Court upheld Section, hence instead of the law a change in mindset is required.

4.3 What could the government have done?

  • Instead of initiating the process under the data protection framework, here we jumped to the topmost level.
  • There are two mechanisms under our existing legal framework regarding the blocking of content:
    • The normal process by which a government department complains to the Central government officer and a committee reviews it,
    • An emergency process by which orders are issued and then a subsequent review is taken.
  • The Government should have issued the emergency blocking and the blocked platforms should have been given a chance to put up a defence.
  • Section 69A is a censorship power, a controversial one that is not well designed to protect people’s rights.
  • Banning of the Chinese apps should be seen as a proxy for a larger geopolitical battle between India and China.

5. TOWARDS A FAIRER SYSTEM

5.1 Lack in Present system

  • Currently, the Government of India asserts secrecy and confidentiality while blocking orders under Section 69A of the Information Technology Act.
  • The government should bring in more transparency and reveal to the public the reasons for such blocking of contents.
  • This is now a constitutional requirement, as the Supreme Court in the Anuradha Bhasin judgment on Internet shutdowns held that any order blocking people’s rights to liberty, especially in relation to the Internet, must be published.
  • The Government should undertake broader reforms, including a review of Section 69A itself.
  • India has blocked tens of thousands of websites since the late 1990s; given India's democratic setup, these numbers are shocking.

5.2 Change in mindset

  • The government mindset that agencies can work best when they work outside the law particularly on issues of national security needs to be changed.
  • We can learn from the example of the United States where security agencies work well within the fold of the law.
  • All security agencies must be brought under a legal framework with clear demarcation of everyone's power and associated consequences in case anyone oversteps their bounds.

6. CONCLUSION

Presently, India lacks a clear strategy in cybersecurity architecture although the government has been trying to resolve the legal ambiguity surrounding cybersecurity.

While the geopolitical reasons behind the government's decision make it a little more unfortunate, the decision also allows China to claim a higher moral ground in trade talks.

Today we need an honest conversation around privacy and data that recognizes that we are part of a global interlinked Internet. That is not yet happening.

Given the border standoff with China and keeping national security interests in mind, a national strategy needs to be developed which contains and restricts online content in a manner that protects human rights but is effective as well.

ADDITIONAL INFORMATION

Section 69A in the Information Technology Act, 2000

  • 69A Power to issue directions for blocking for public access of any information through any computer resource.
  • Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2) for reasons to be recorded in writing, by order, direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource.
  • The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.
  • The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

Source:  The Hindu

On the Proportionality of AarogyaSetu

1. CONTEXT OF THE NEWS

The AarogyaSetu app developed by the government appears to be a commendable use of technology to provide efficient solutions.

This editorial discusses the proportionality of technological-solutionism vis-à-vis inadequate privacy protection.

2. UNDERSTAND TRANSMISSION AND NEED OF ANALYSIS

2.1 Transmission of COVID-19

  • There are two ways of transmission of COVID-19 according to virologists, viz.:
    • direct person-to-person transmission by inhalation of droplets or aerosols carrying the virus
    • inadvertently picking up droplets from contaminated surfaces
  • For direct person-to-person transmission of COVID-19, the precise relation between risk of infection and proximity is not clearly modelled, but there is a consensus that the person-to-person distance should approximately be within 2 m for sufficient virus load inhalation.
  • For picking up droplets from contaminated surfaces, it is known that the virus can survive for different time periods on different surfaces, particularly on hard metallic surfaces, ranging from several hours to even days.

2.2 Need of Analysis

  • The government has excessively pushed AarogyaSetu and hailed it as the major instrument in India's fight against COVID-19.
  • Several experts and technocrats have expressed serious concerns about privacy and trust issues in an app-based approach (AarogyaSetu).
  • There needs to be a careful analysis of the effectiveness and utility of the app and of the balance between the two. This becomes all the more important because there are no publicly available detailed and credible evaluations of the efficacy of AarogyaSetu.

3. ANALYSIS OF AAROGYA SETU

3.1 Working of AarogyaSetu

  • Electronic risk assessment tools for COVID-19, like AarogyaSetu, use two main principles:
    1. GPS based geolocation
    2. Bluetooth based proximity sensing

3.2 Assessment using Global Positioning System (GPS)

  • GPS is often unavailable indoors.
  • Even outdoors in dense metropolitan areas, the average unavailability of GPS ranges between 30% and 40%.
  • Even during its availability, the GPS can have errors to the tune of several tens of meters on a consistent basis.

3.3 Reliability of Global Positioning System (GPS)

  • Hence, for assessment of direct person-to-person transmission within 2 m, especially in dense gatherings, GPS is clearly not a reliable instrument.
  • If everybody within a few meters of an infected individual is declared infected on the basis of GPS, too many false positives will be generated.
  • In addition, for a cautious and COVID-19 aware person taking all safety precautions, mere colocation does not necessarily imply a high risk of contracting the infection.
  • Hence, GPS may overestimate risks for direct transmissions.
  • Similarly, GPS is also unreliable for indirect transmissions as the proximity with a potential infected indoor surface is most likely to be missed entirely, leading to false negatives.

3.4 Assessment using Bluetooth based proximity sensing

  • For this method of assessment, each device transmits low-energy radio beacons isotropically in all directions at periodic intervals.
  • The listening device picks the signal establishing a communication channel between the two devices.
  • The distance between the two devices is estimated on the basis of the strength of the received signal.

3.5 Reliability of Bluetooth based proximity sensing

  • The optimum interval between radio transmissions for effective risk assessment of direct person-to-person infections is not clear.
  • While excessively frequent transmissions will drain batteries, overly wide time gaps between radio transmissions will lead to false negatives.
  • Another concern is the generation of too many false positives.
  • Bluetooth based proximity sensing can overestimate the risk because radio transmissions can establish connections even across large distances in open spaces and across walls, which the radio transmission can penetrate but the virus cannot. This is a major drawback.
  • False negatives are also possible in Bluetooth-based assessment because radio signals weaken when passing through human bodies, as in the case where the victim carries the phone in a front pocket while the infected person is in close proximity behind the victim.
  • Bluetooth-based proximity sensing is also ineffective for assessing indirect transmission of infection. The coronavirus can survive on contaminated surfaces for hours or even days; hence, for effective assessment, the intersection of smartphone trajectories would need to be computed not only in space but also over large temporal windows.
  • For this assessment, Bluetooth-based proximity sensing, which consists of isolated communication events over narrow temporal windows between two smartphones, is rendered ineffective.
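The two error cases described above (a wall that passes radio but not the virus, and a body that weakens the signal) can be reproduced with a log-distance path-loss model. This is an added example, not code from AarogyaSetu; the calibration value, path-loss exponent and attenuation figures are constructed assumptions.

```python
"""Added example: RSSI-based distance estimation and its error cases."""
import math
from dataclasses import dataclass

CONTACT_RADIUS_M = 2.0    # person-to-person distance cited in the article
RSSI_AT_1M_DBM = -59.0    # assumed calibrated signal strength at 1 m (constructed)
PATH_LOSS_EXPONENT = 2.5  # assumed propagation exponent (constructed)


@dataclass(frozen=True)
class Encounter:
    name: str
    true_distance_m: float
    extra_loss_db: float  # attenuation added by a body or wall (constructed)
    barrier: bool         # True when a wall separates the two people


# Constructed encounters, one per case discussed in the text.
ENCOUNTERS = [
    Encounter("face to face", 1.0, 0.0, False),
    Encounter("body between phones", 1.0, 15.0, False),
    Encounter("thin partition", 1.2, 3.0, True),
    Encounter("across the room", 6.0, 0.0, False),
]


def received_rssi(enc: Encounter) -> float:
    """Signal strength at the listener: path loss plus obstacle attenuation."""
    path_loss = 10 * PATH_LOSS_EXPONENT * math.log10(enc.true_distance_m)
    return RSSI_AT_1M_DBM - path_loss - enc.extra_loss_db


def estimate_distance(rssi_dbm: float) -> float:
    """Invert the model as a receiver must: it sees only RSSI, not obstacles."""
    return 10 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def classify(enc: Encounter) -> str:
    """Compare the app's verdict with the physical risk of the encounter."""
    flagged = estimate_distance(received_rssi(enc)) <= CONTACT_RADIUS_M
    at_risk = enc.true_distance_m <= CONTACT_RADIUS_M and not enc.barrier
    if flagged:
        return "true positive" if at_risk else "false positive"
    return "false negative" if at_risk else "true negative"


def report() -> dict:
    """Map each encounter name to (estimated distance in metres, verdict)."""
    return {
        enc.name: (round(estimate_distance(received_rssi(enc)), 2), classify(enc))
        for enc in ENCOUNTERS
    }


if __name__ == "__main__":
    for name, (estimate, verdict) in report().items():
        print(f"{name:22s} estimated {estimate:5.2f} m  {verdict}")
```

The estimator is exact only when nothing lies between the phones; every obstacle shifts the estimate, which is why published false-positive and false-negative rates matter.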

4. PRIVACY CONCERNS IN AAROGYA SETU

  • The privacy aspects in AarogyaSetu app have also not been effectively implemented.
  • AarogyaSetu uses a static transmission id for every smartphone, which is fixed at the time of registration.
  • Other tracing applications like Apple and Google’s proposal, DP3T, MIT’s Private-Kit, PACT, and Singapore’s TraceTogether generate a new random token to be used as a fresh id after a pre-specified interval.
  • AarogyaSetu also collects more metadata compared to the other apps.
  • Metadata includes details such as the timestamp of the contact, the MAC address, the Bluetooth model name, and the number of the contacted device.
  • Additionally, while other applications (except TraceTogether) assume the centralized server to be untrusted, AarogyaSetu completely trusts the centralized server.
  • Both the static id and the collection of additional metadata by the AarogyaSetu app, especially the timestamps and geolocations, make it vulnerable to privacy attacks by users.
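Why a static transmission id is linkable while rotating tokens are not, shown as an added example (not code from AarogyaSetu or from any of the apps named above). The HMAC-based token derivation, the 15-minute interval, the key and the movement log are assumptions constructed for illustration and do not reproduce any named protocol's specification.

```python
"""Added example: linkability of a static id versus rotating tokens."""
import hashlib
import hmac
from collections import defaultdict

ROTATION_SECONDS = 15 * 60  # assumed rotation interval (constructed)
SECONDS_PER_DAY = 24 * 3600

# Constructed secret; a real device would draw it from a CSPRNG
# (for example secrets.token_bytes(32)) and keep it on the phone.
DAY_KEY = hashlib.sha256(b"constructed demo key").digest()

# Constructed movements of one phone: (seconds since midnight, place).
MOVEMENTS = [
    (8 * 3600, "home street"),
    (9 * 3600, "metro station"),
    (13 * 3600, "clinic"),
    (19 * 3600, "community hall"),
]


def static_beacon(registration_id: str, timestamp: int) -> str:
    """Static scheme: the same id is broadcast at every moment."""
    return registration_id


def rotating_beacon(day_key: bytes, timestamp: int) -> str:
    """Rotating scheme: a fresh pseudorandom token per interval."""
    interval = timestamp // ROTATION_SECONDS
    mac = hmac.new(day_key, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:32]


def observer_log(beacon_fn, secret) -> list:
    """What passive listeners at each place would record."""
    return [(t, place, beacon_fn(secret, t)) for t, place in MOVEMENTS]


def link_sightings(log: list) -> dict:
    """Group recorded places by the identifier that was broadcast."""
    groups = defaultdict(list)
    for _, place, beacon in log:
        groups[beacon].append(place)
    return dict(groups)


def longest_trajectory(log: list) -> list:
    """Longest run of places attributable to a single identifier."""
    return max(link_sightings(log).values(), key=len)


def tokens_for_day(day_key: bytes) -> set:
    """Every token a phone broadcast that day, recomputed from its key."""
    return {
        rotating_beacon(day_key, start)
        for start in range(0, SECONDS_PER_DAY, ROTATION_SECONDS)
    }


def local_exposure_check(published_day_key: bytes, heard: list) -> list:
    """Matching done on the contact's own phone, so the server never
    learns who met whom; it only relays keys of diagnosed users."""
    known = tokens_for_day(published_day_key)
    return [token for token in heard if token in known]


if __name__ == "__main__":
    static = longest_trajectory(observer_log(static_beacon, "REG-0001"))
    rotating = longest_trajectory(observer_log(rotating_beacon, DAY_KEY))
    print("static id links:", static)
    print("rotating token links:", rotating)
```

Rotation removes the identifier-based link only; metadata collected alongside each contact, such as a fixed MAC address, can restore it.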

5. CLOSING ANALYSIS

5.1 Lack of error model

  • A basic engineering principle states that all measurements must be accompanied by an associated error model clearly specifying the least count and a confidence interval for the measurement.
  • Similarly, for using technology in risk measurement, precise estimates of the rates of false positives and false negatives need to be specified.
  • AarogyaSetu does not specify such rates.
  • Additionally, there are currently no models or principles for estimating the infection risks for both GPS and Bluetooth proximity-based estimation.

5.2 Other drawbacks

  • Additionally, AarogyaSetu reveals an estimation of “infection risk” within a radius of 10−500m to its users.
  • Given that the stigma and fear of COVID-19 have outgrown the disease itself and there are several reports and incidences of targeting and stigmatizing doctors, service staff, as well as members of vulnerable communities for fear of spreading the virus, using a large radius of 10−500m for risk estimation is unwise.
  • Although the source code of a version of the app is now made public, the design details, the underlying conceptual principles, and server-side details are not yet publicly available.

5.3 Final Verdict

  • The combined use of GPS colocation and Bluetooth radio proximity for risk estimation of COVID-19 appears to be a leap of faith.
  • The problem is compounded by low smartphone penetration in India.
  • Too many false positives and false negatives may lead to an unbounded noise-to-signal ratio for infection transmission creating confusion and detraction from the main effort by sending administrators and policy-makers on a wild chase.
  • Without clearly specified protocols and details regarding the central server and in the absence of regulatory oversight, illegal identification of users and other violations are also possible at the server.

6. WAY AHEAD

  • The use of an app like AarogyaSetu for estimating the risk of infection at the micro-level is not as effective as local community based manual contact tracing.
  • The manual contact tracing has been applied to much success in Kerala and Dharavi in Mumbai leading to impressive containments.
  • However, the application of the contact tracing method is highly restrictive in cases of community transmission, as many instances of spreading will not be caught by it.
  • GPS based geo-location, however, can be effectively used in identifying hotspots at the macro-level.

7. CONCLUSION

Public applications like AarogyaSetu must definitely be more transparent in their design and implementation.

AarogyaSetu is an exemplary use of technology to provide social solutions, but the fears of inadequate privacy protection and ineffective risk assessment cannot be ignored.

For an app emerging as a foremost scientific and policy response tool in India's fight against COVID-19, AarogyaSetu needs closer introspection.

Source: Live Mint

Banning of the ‘Chinese Apps’

1. CONTEXT OF THE NEWS

Amid the rising tension and escalations between India and China on the LAC (Line of Actual Control), the Government of India announced an interim ban on 59 apps originating in China on 29 June.

This editorial analyses the move in its entirety.

2. BANNING THE CHINESE APPS

2.1 Why the ban?

  • The Union Government announced the ban on these apps with Chinese links citing “emergent threats” to India's sovereignty and national security.
  • The list of banned apps includes some very popular mobile apps, which have a combined user base running in several hundred million.
  • Some apps also have a significant presence in India in terms of revenue, employees, and payrolls.
  • The Ministry of Information and Technology revealed that it had received numerous complaints from various sources, including about the misuse of some of these apps to steal and surreptitiously transmit users’ data to servers located outside India in an unauthorized manner.
  • Such actions ultimately impinge upon the national sovereignty and integrity of India, which is a grave concern and requires emergency measures.

2.2 Effect of the Ban

  • Some of these apps are very popular in India and have a wide user base.
  • These apps are the only source of income for Indian creators on some of these platforms.
  • With these creators losing their income and offices shutting down because of the ban, a few thousand jobs could be at stake.

2.3 Legal Basis for the Ban

  • The Union Government has enforced the ban under the powers available to it under Section 69A of the Information Technology Act, 2000.

3. INFORMATION TECHNOLOGY ACT, 2000

  • The Information Technology (IT) Act, 2000 gives the legislative base and legal framework and sanctity to all electronic records and other e-commerce transactions (transactions occurring through electronic communication).

3.1 Some Highlights of the Act

1. Legal sanction to electronic documents.

2. Legal sanction to use of Digital Signature to authenticate an electronic record.

3. Details entailing Electronic Governance

4. Regulation of certifying authorities

5. Offenses and contraventions

6. Justice dispensation systems for cybercrimes - talks of an Adjudicating Officer with the powers of a Civil Court.

7. Establishment of a Cyber Regulations Appellate Tribunal - to hear appeals against the orders passed by the Adjudicating Officers

8. Establishment of a Cyber Regulations Advisory Committee to advise the government on any rules and purpose concerned with the act

3.2 Information Technology (Amendment) Act 2008

  • The IT Act 2000 was amended in 2008 to add the following important provisions:

1. Data Protection - There were no specific provisions regarding data protection in the IT Act 2000. The IT Act 2008 introduces two sections to address this concern.

  • Section 43A (Compensation for failure to protect data)
  • Section 72A (Punishment for disclosure of information in breach of lawful contract)

2. Information Preservation - Section 67C provides for the Preservation and retention of information by intermediaries. It provides that:

  • Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
  • Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

3. Blocking, monitoring and collection of information

  • Section 69A grants power to issue directions for blocking for public access of any information through any computer resource.
  • Section 69B authorizes to monitor and collect traffic data or information through any computer resource for Cyber security.

3.3 Section 69A in the Information Technology Act, 2000

69A Power to issue directions for blocking for public access of any information through any computer resource.

(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2) for reasons to be recorded in writing, by order, direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource.

(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out, shall be such as may be prescribed.

(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

4. WAY AHEAD

4.1 Implementation of the Ban

  • The notification by the government will be followed by more specific and detailed instructions to Internet service providers (ISPs) to block these apps.
  • Users will see a message regarding the banning of the app on request of the government.

4.2 Government to seek more details

  • The two social media apps TikTok & Helo among the list of banned apps are operated by Bytedance (India) Technology Pvt Ltd and taken together have more than 170 million active users in India.
  • Bytedance India is not owned by a Chinese entity; its parent entity Bytedance Ltd is registered in the Cayman Islands. The parent company has five subsidiaries, TikTok Ltd being one of them and also registered in the Cayman Islands.
  • Singapore-based entity TikTok Pte Ltd (registered under TikTok Ltd) handles operations in India and Southeast Asia.
  • A Chinese law requires the companies of Chinese origin to share data with the other country’s intelligence agencies, irrespective of wherever in the world they are operating. The Indian IT Ministry is soon expected to seek details from the companies running these data-sharing apps in India under this law.

5. DATA PROTECTION LAWS

5.1 Data protection laws in the world

  • Today most social and economic interactions are moving online and therefore the importance of privacy and data protection cannot be stressed enough.
  • Collection, use and sharing of personal information to third parties without the prior consent or even acknowledgment to the consumer is also a rising concern.
  • Today 132 out of 194 countries have legislations securing the protection of data and privacy.
  • In Africa and Asia, 55% of nations have enacted such legislation including 23 least developed countries.

5.2 Global Status of Data Protection Legislation

  • 66% Countries with Legislation
  • 10% Countries with Draft Legislation
  • 19% Countries with No Legislation
  • 5% Countries with No Data

5.3 General Data Protection Regulation (GDPR)

  • European Union General Data Protection Regulation (GDPR) is a watershed moment in data protection regimes in the last two decades.
  • The GDPR is designed to protect the personal data of E.U. residents.
  • Personal data refers to the data that relates to an identifiable living individual and includes names, email IDs, ID card numbers, physical and IP addresses.
  • The GDPR entails a fundamental shift in the understanding of the relationship between individuals and their personal data.
  • GDPR grants the citizen substantial rights in their interaction with data controllers and data processors.
  • Data controllers are entities who determine the reason and manner of collection of data such as a government or several websites.
  • Data processors are entities who process the data on behalf of controllers. When an E.U. firm outsources its data to an Indian firm for data analysis, the Indian firm here is a data processor.
  • The GDPR provides that a data controller will have to provide clearly distinguishable consent terms. It means that the consent terms cannot be hidden in a fine print incomprehensible to the layperson.
  • GDPR also requires data controllers to provide information on the ‘who collects the data’ and ‘how the data is collected’. 
  • It also provides individuals with the right to have their personal data deleted under certain conditions.
  • GDPR also makes reporting obligations and enforcement stronger.

6. THE PERSONAL DATA PROTECTION (PDP) BILL

India introduced The Personal Data Protection (PDP) Bill, 2019, in the lower house, Lok Sabha, and it is presently referred to a joint select committee.

The Bill defines three types of personal data (data from which a particular individual can be identified)

1. Sensitive Personal Data - it relates to financial data, biometric data, genetic data, sexual orientation, and religious or caste data.

2. Critical Personal Data - data can be deemed critical by the government at any time, and it includes data such as military or national security data.

3. General Data - all non-sensitive and non-critical data.

The draft version of the bill was prepared by the Justice B N Srikrishna Committee. The bill has three important aspects that were not a part of the draft.

1. Storing and processing personal data

  • The draft required all fiduciaries to store a copy of all personal data in India. This provision was criticised by foreign technology companies who store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
  • The bill removes this impediment requiring only individual consent for data transfer abroad.
  • The Bill requires sensitive personal data to be stored only in India and can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA)
  • However, Critical personal data must be stored and processed only in India.

2. The Bill mandates fiduciaries to give the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data.

3. The Bill requires all those social media companies, which are deemed as significant data fiduciaries to develop their own user verification mechanism.

  • A social media company is deemed significant data fiduciary on factors such as volume and sensitivity of data and their turnover.

Other Key provisions of the Bill:

  • The Bill provides for an independent regulator Data Protection Agency (DPA) which will oversee assessments and audits and definition making.
  • The bill requires each company to have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more.
  • The bill grants the right to data portability along with the right to access and transfer one’s own data to the individuals.
  • The bill also provides for an individual to remove consent for data collection and disclosure (Right to be forgotten).

7. CONCLUSION

  • Last year on the order of the Madras High Court, TikTok was banned in India for a few days, but later the court vacated the ban.
  • The nature of the ban this time, however, is very different. It affects a larger number of apps, and the reasons for restriction are strategic and in the context of India's national security.
  • This ban could be a warning to other big Chinese businesses in India and, in the broader context, to China itself.
  • The step shows clear intent from the government and a decisive break from the past.

Source: Indian Express - https://indianexpress.com/article/explained/chinese-59-apps-ban-in-india-tiktok-camscanner-ucbrowser-6484032/

Cyberattacks and COVID-19

1. CONTEXT OF THE NEWS

Recently, the Australian government and institutions have been targeted by what the Australian Prime Minister called ‘sophisticated state-based cyberattacks’. In the chain of events, the Indian Computer Emergency Response Team (CERT-In) has now warned about a possible large-scale cyberattack in India.

This editorial discusses the rise and nature of cyberattacks amidst the COVID-19 pandemic.

2. CYBER ATTACK

2.1 Definition

  • According to the ISO (International Organization for Standardization), an attack in computer and computer networks 'is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset.'

2.2 Some important types of Cyber attacks

  • Malware - it refers to malicious software, including spyware, ransomware, viruses, and worms. It installs itself on the system after a trigger by the user such as a click. Once installed, the malware can block access to the network, install additional harmful software, spy on sensitive data of the user, or disrupt a complete system.
  • Packet sniffing – it is the act of gathering and logging some or all packets that pass through a computer network irrespective of the address of the packet. Packet sniffers interpret these packets to reveal underlying information.
  • Phishing – it is the act of sending fraudulent mails under the pretext of some credible source intended to steal personal, sensitive, or financial information.
  • Man-in-the-middle attacks – in this attack the attacker relays communication between two parties who think they are communicating directly. The man in the middle may modify the message sent from one party to the other.
  • Denial of services (DoS) – in this attack the perpetrator aims to make a machine or network temporarily or permanently unavailable to the intended user. This is the most widely used attack and also the most difficult to tackle.
  • Brute Force attacks – trying various combinations of login credentials until one gets access into a system.
  • Similarly, viruses, Trojan horses, ransomware, spyware, etc. are also widely used methods of cyber-attack.

3. RECENT REPORTS WARNING ABOUT CYBER ATTACKS IN INDIA

3.1 Details of CERT-In advisory

  • CERT-In released an advisory on June 19, 2020.
  • CERT-In has said that the cyber attackers may use COVID-19 support initiatives especially the ones launched by the government to conceal malicious e-mails.
  • The malicious emails are designed to divert the target audience towards a look-alike fake website, and the attack will take place either by downloading malicious files on the device of the user or by extracting personal, sensitive, and financial information.
  • The report further said that the hackers claim to have 2 million individual email IDs and, in order to coax the user into submitting personal information, will use catchy lines in the email subject such as 'Free COVID testing for all the residents of a particular city'.
  • These malicious emails will originate from fake email IDs impersonating government authorities and will begin from 21 June.

3.2 Findings of CYFIRMA

  • CYFIRMA, a cyber-intelligence firm, found that a group of cyber-hackers known as the Lazarus group is targeting 2 million individual email IDs in India.
  • The Lazarus group is believed to have the backing of the North Korean government.
  • Recently, Cyfirma has reported on a conspiracy to carry out a widespread cyber-attack in India targeting government agencies, media houses, pharmaceutical companies, and telecom operators.

3.3 Other Findings

  • Recently, a report released by PwC said that around 6 fake versions of 'PM CARES' have cropped up and are targeting Indians.
  • According to a NITI Aayog report, the most widely used form of cyberattack is phishing, forming 57% of all attacks. This is followed by malware attacks, which constitute 41%, spear-phishing at 30%, Denial of Service attacks comprising 20%, and ransomware at 19%.

4. RISE IN CYBER ATTACKS

4.1 Rising Numbers

  • A PwC report suggests that the number of cyber-attacks in March 2020 was twice the number in January 2020.
  • While the governments all over the world are busy tackling the COVID-19 pandemic, for cyber attackers, this is the most suitable opportunity to launch even organization-wide attacks.

4.2 Piggybacking on COVID-19

  • The COVID-19 pandemic has led to worldwide fear, anxiety, and insecurity.
  • Such overwhelming conditions make an individual more vulnerable to a cyber-attack.
  • Cyber-attackers send phishing mails under the garb of ‘false cure of COVID-19’, ‘free testing for COVID-19’, ‘false advice or medication’ etc.
  • An individual distraught by the COVID-19 fear becomes an easy target for such attackers.
  • These phishing emails can carry viruses, malware, worms, Trojan horses, or ransomware aiming to attack an individual, an organization, or even whole governments.
  • Phishing emails are also sent under the garb of donations and charity to help the destitute under the pandemic.

4.3 Attacks targeting India

  • According to PwC, the major targets of COVID-19 related malicious emails were firms in the finance and pharmaceutical sectors. Banking, defence, and manufacturing firms were also targeted widely.
  • The PwC study noted a 100% increase in attacks within a few days in February. In March 2020, a 66% increase was detected by endpoint security systems and 100% in brute force attacks.
  • PwC findings suggest that organizations in India lose $100 - $200 million per year due to data breaches. The average cost of data breaches in 2019 was $119 million.

5. CYBER THREATS TO INDIA

5.1 Cyberattack from the Chinese

  • Cyber-intelligence firm Cyfirma warns that Indian government agencies, media houses, pharmaceutical companies, and telecom operators may be the target of Chinese hacking groups.
  • CYFIRMA has gathered the information from messages exchanged in Mandarin on the dark web.
  • The attacks follow the first bloody clash between India and China in 45 years over border issues, in which 20 Indian soldiers died earlier this week and several others were injured.
  • The messages were exchanged between Gothic Panda and Stone Panda, two well-known cyber-hacking groups who have the backing of the PLA (People’s Liberation Army).

5.2 Cyberattack from the Pakistanis

  • India faces a dual challenge from China and Pakistan due to escalation on both the fronts.
  • Cyberattacks from Pakistan based groups have increased ever since India abrogated Article 370 last year.

5.3 Intensity of the Attacks

  • Twenty-four websites related to Union and state governments had been under cyber-attack until May 2019, according to the information provided by CERT-In to the Indian Parliament.
  • Malware designed to extract data was found in the network of Nuclear Power Corporation of India's Kudankulam nuclear power plant in November 2019. The malware was supposed to have been launched by the Lazarus Group from North Korea.

5.4 Cyberattacks globally

  • Australia became a target of cyber-attacks recently after its decision to investigate the origins of COVID-19.
  • Given the scale, type, and intensity of cyberattacks in Australia, the Australian PM called these attacks state-backed.

5.5 Rising incidents of Cyberattacks

  • Cyber-attacks are now widely used covertly by big nations to retaliate against a rival or to show passive aggression.
  • North Korea is believed to have an army of 7000 hackers, who often engage in espionage, stealing state secrets, the blueprint for weapons, and sensitive political information.
  • North Korea is also believed to have launched widespread cyberattacks on the U.S.A. and South Korea aimed at disabling critical infrastructures such as power plants and electric grids and raised billions of dollars from such attacks to fund their weapons programme.

6. CONCLUSION

The fear and anxiety caused by the COVID-19 pandemic have become a hotspot for malicious cyber-attacks. Furthermore, these attacks are not only financially motivated anymore. They are now extensively used by rival big nations who wish to avoid a full-blown nuclear war.

The Indian government should focus on this issue and look into the matter, since these attacks can harm critical infrastructure such as power plants and electric grids, steal sensitive information, and hurt pillars of the economy like the MSME Sector (Micro Small Medium Enterprises), bringing the economy to a halt.

Every organization and firm in India must remain vigilant and be in constant dialogue with law enforcement authorities in the wake of such reports.

Source: The Hindu: https://www.thehindubusinessline.com/info-tech/cert-in-warns-of-largescale-cyber-attack-using-covid-as-bait/article31883295.ece