Author Archives: Praveen Dalal

Hacking Of Aadhaar Is Hacking Of Life Of A Person And Not Just His Identity

PRAVEEN-DALAL-MANAGING-PARTNER-OF-PERRY4LAW-CEO-PTLB3Aadhaar is a unique project not only in India but also worldwide. This is because nowhere in the world a biometric database has been created at such a mammoth scale. However, the mere concept of Aadhaar and using biometric in an omnipresent present manner is very dangerous and undesirable.

Firstly, creating a biometric database of entire country is a serious national security threat. When such a large scale exercise is done, many loopholes and shortcomings are natural. This happened with Aadhaar as well and many criminals, terrorists and undesirable elements have also obtained Aadhaar. Many people in India are openly making fake Aadhaar cards that are in use for various types of government and private services in India like purchasing SIM cards, making passports, etc. No time in the history of India, national security was jeoparadised so much.

Secondly, clubbing Aadhaar biometric database and non biometric data with virtually everything is a sure recipe for disaster. When a database like Aadhaar is used everywhere no technology of the world can keep it safe. I used the words keep it safe because Aadhaar database is not safe and this is a reality whether we like it or not. The only question is for how long we can hide Aadhaar and its biometric database from the eyes of crackers and ransomware gang?

Thirdly, cyber security of Aadhaar and its biometric database is not at all adequate. Indian Government has already surrendered before the data breaches that have been happening in the Aadhaar ecosystem. Sensitive personal information, including Aadhaar numbers, phone numbers, bank account numbers, etc, are already in public domain as Government departments and agencies have no idea about cyber security and data security.

Fourthly, India has no dedicated laws on privacy and data protection. Indian Government is deliberately avoiding formulation of privacy and data protection laws. On the contrary, Indian Government pleaded before Supreme Court of India that Indians do not have a right to privacy as a Fundamental Right. However, this claim of Indian Government kick backed as now in the proceedings against WhatsApp, Supreme Court cannot do much. Indian Government and Supreme Court have no basis whatsoever to make WhatsApp liable for privacy and data breaches as far as they are concerned with Indians and their data.

Fifthly, we have no dedicated law for cyber security in India. Indian Government has been using guidelines/rules as a substitute for full fledged laws and these guidelines/rules are clearly not enough. Some guidelines/rules have been issued regarding privacy, data protection and some aspects of cyber security but the legislative vacuum remains in the cyber security field.

Sixthly, we have no cyber security breach disclosure norms in India. Government departments, agencies, etc have no obligation to report to a Government appointed authority about cyber attacks and cyber breaches. UIDAI is also under no obligation to disclose cyber breaches of biometric database and is the sole investigation and prosecution agency for breaches affecting Aadhaar CIDR or Aadhaar ecosystem. Naturally, we do not have even a single CIDR and biometric breach of Aadhaar so far though Aadhaar based biometric authentication notifications are flooding the e-mails of Aadhaar holders.

Let us analyse the cyber security infrastructure of India as well. Cyber security infrastructure in India is in bad condition. In fact, it has yet to make a beginning. It is really surprising that for such bad cyber security infrastructure, UIDAI and Government are claiming that Aadhaar and its biometric database are fully secure. India is the only country in the world that believes that it can achieve 100% cyber security for even a single project. That would have been a great achievement if this fact was true. Unfortunately, this claim is far from reality and the truth is that Aadhaar is a highly vulnerable system from cyber security, data security and privacy perspectives.

Cyber security is only as strong as is the weakest link. In case of Aadhaar it is very difficult to find its weakest link as all links are competing themselves to be the weakest one. From the design of Aadhaar to acquisition of biometric to their safe custody to their authentication, everything is insecure. Biometric can be leaked from any part of this weakest cyber security chain that is suffering from both a design flaw as well as classic example of bad cyber security practices. Who needs a bug or cyber security vulnerability when the flawed design itself is both a front door and backdoor entry as a feature?

For instance, more than 75% of biometrics collected by private agencies engaged by UIDAI used plain form/text acquisition and storing in the past. It is only now that UIDAI has asked them to encrypt the same while acquiring the biometric. Still it is not clear how much this direction has been followed by Aadhaar enrolment agencies as they are poorly paid by UIDAI. It would be safe to presume that they are still not using encryption methods while acquiring biometric as their due are still to be cleared by UIDAI. They have not been able to even get back their investments and are using all available methods to earn money so that the capital initially invested can be recovered. But even presuming that Aadhaar enrollments are now secured by encryption, still more than 75% of biometric acquired by enrollment agencies was managed in unencrypted and plain text form. Nothing can be done about those people whose biometric have been compromised for life and can be abused at any point of time in future.

This is not the end of the story. In many cases biometrics were directly stored on pen drives and in some cases hard disks containing biometrics of crore of Indians were gone missing. Outsourcing of work by UIDAI to private players and foreign companies has also resulted in migration of biometric of Indians even beyond India to foreign jurisdictions. Abuse of Aadhaar and its biometric cannot be ruled out even when rouge service providers authorised to conduct EKYC would manipulate the systems to retain a copy of authenticated EKYC and biometric prints. Besides there are diverse methods to break encryption and other security protocols as deployed by UIDAI.

So the claims of UIDAI and Indian Government that Aadhaar, its CIDR database and biometric of Indians are absolutely secure is novice at the best. Let us proceed further with the reality that Aadhaar is vulnerable to diverse forms of cyber attacks, ransomware attacks and other forms of attacks and would be compromised in near future.

Now once compromised, it would create serious life and security problems for Indians. This is because hacking of Aadhaar is hacking of the life of an individual and not just his identity. An identity theft or simple cyber crime can be reversed but not theft of biometric of a person. Once biometric of an individual are gone, they cannot be changed or reversed unlike a password or other system. Now if biometric of an individual have been associated with a single or two services, the loss of such biometric is insignificant. But when the biometric of an individual are associated with or seeded with virtually everything, this creates a serious problem for life and liberty of the concerned individual. This is more so when such biometrics are set to be used for Digital India and other E-Governance projects of Indian Government.

In the Indian context, this means forcibly putting the life, liberty, cyber security, data security, Fundamental Rights and virtually everything of an Indian Citizen/resident in the hands of a technology savvy criminal. Of course, these dangers are very real and fatal when our own Government and Intelligence Agencies would use various centralised database of which Aadhaar is the obvious key.

Cyber Security Infrastructure In India

PRAVEEN-DALAL-MANAGING-PARTNER-OF-PERRY4LAW-CEO-PTLB3Infrastructure is the backbone of any nation. Infrastructure’s shape and nature has been changing from time to time. With the advancement in technology, infrastructure is also dependent upon many facets of information and communication technology (ICT). This has made the task both easier and dangerous. Infrastructure utilisation has become easier with use of sophisticated technology whereas this use of technology has also made these infrastructures vulnerable to various forms of cyber attacks.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that the Cyber Security Infrastructure of India must be urgently established by Indian Government. We also recommend that a Cyber Attack Crisis Management Plan of India must also be formulated as soon as possible. Further, the Cyber Security Policy of India 2015 must also be formulated by Indian Government on a priority basis as the 2013 policy is highly defective in nature.

This Cyber Security Policy must address the issues of Cyber Attacks and Cyber Terorrism, prventing Cyber Attacks on Power Utilities, Cyber Security of Indian Satellites and Critical Infrastructure, International Legal Issues of Cyber Security, Conflict of Laws in Cyberspace, formulation of a Techno Legal Framework, Cyber Security Disclosure Norms, etc.

We are living in an era of Cyber Warfare, Cyber Terrorism, Cyber Espionage, etc. To make the matter worst, we have no International Harmonisation and Regulatory Framework for areas like Cyber Law, Cyber Security, Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc. Even the Tallinn Manual on the International Law is not Applicable to International Cyber Warfare Attacks and Defence. In the absence of International Harmonisation and this “Great Legal Void”, Nations are free to Interpret and Apply their own “Norms and Regulations” to International Cyber Security Issues.

As far as India is concerned, Cyber Security in India has now become an essential part of Indian Polity and Economic Affairs. For instance, the Cyber Security Policy of India would be formulated very soon. However, Cyber Security has still not been understood and applied in true perspective. We have to think about Cyber Security beyond Anti Virus, Firewalls and Hardware and Software Procurements.

To start with, Cyber Security Skills Development in India must be ensured. Without a “Capable Cyber Security Workforce”, India cannot have an Effective Cyber Security. Similarly, in the absence of adequate Skills, Offensive and Defensive Cyber Security Capabilities of India cannot be achieved.

Malware have become “Sophisticate and State Sponsored” these days. Take the examples of malware like Stuxnet, Duqu, Flame, etc that are not works of Script Kiddies but Professional Programmers and Coders hired by various Nations. Clearly, the face of Cyber Attacks and Cyber Security is changing rapidly and firewalls and Anti Virus Software stands nowhere in this scenario.

Signatures based Anti Virus Software are “Long Dead” and so are simple Firewalls. Ironically, Anti Virus Updates are Potential Tool to Install Malware, Steal Information and Launch Cyber Warfare Attacks. We need a totally different Cyber Security Infrastructure for India as on date.

Today the Malware game has reached a totally different level. Malware are not used for Fun anymore. Neither are they used for merely stealing information. Malware today are also used for rendering Computer Systems and Devices useless. The Wiper Malware overwrites the Master Boot Record (MBR) and corrupt relevant portion of the Hard Disk. When the Computer cannot be booted, it cannot serve any purpose.

Critical Infrastructure Protection in India is another aspect that must be considered “Very Seriously” by Indian Government. The National Critical Information Infrastructure Protection Centre (NCIPC) of India must be made “Operational” as soon as possible. The Internet is Full of Unprotected and Unsafe Devices, SCADA Systems and Computers. Further, SCADA has become the new Cyber Attack Battlefield for India. The Cyber Security of Power Sector in India needs to be streamlined. Power Grids Cyber Security in India and its Challenges are now well known. Similarly, Healthcare and Medical/Life Sciences Industries are under Cyber Attack thereby risking the Lives of millions.

India must also “Absolutely Ensure” Human Rights Protection in Cyberspace. While doing so Civil Liberties and National Security Requirements Must be Reconciled by India. Issues like E-Surveillance in India, Cell Site Location Based E-Surveillance in India, Surveillance of Internet Traffic in India,  Central Monitoring System (CMS) for Telephone Tapping in India, etc must be “Thoroughly Analysed” before implementing them. E-Surveillance Tools like FinFisher must be avoided at all costs.

Some “Positive Developments” have already been undertaken by Indian Government in this direction. For instance, a National Cyber Coordination Centre (NCCC) of India has been proposed to be established by Indian Government. Similarly, Regulations and Guidelines for Effective Investigation of Cyber Crimes in India may also be formulated very soon. The Indian Cyber Security Policy would be formulated very soon. The Critical Information Infrastructure Protection Agency of India may also be constituted soon. Finally, Indian Government is planning a Legislation Mandating Strict Cyber Security Disclosure Norms in India. As on date we have no dedicated Cyber Security Laws in India.

We at P4LO and PTLB wish Indian Government all the best for its Cyber Security Endeavours.

National Cyber Security Policy Of India 2013 (NCSP 2013)

PRAVEEN-DALAL-MANAGING-PARTNER-OF-PERRY4LAW-CEO-PTLBThe National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was recently declared by Indian Government. It is a Good Policy on many counts but it also failed to address many crucial aspects as well. For instance, the National Cyber Security Policy of India has failed to protect Privacy Rights in India. Nevertheless, this is a good step in the right direction and it must be updated and improved as the time passes

A sound Cyber Security Policy must be Techno Legal and Holistic in nature. It must be Techno Legal in nature so that it can accommodate both Technological and Legal aspects. It must be Holistic as it should cover as much areas as possible. It must be realistic as well as a single Policy cannot be considered to be Panacea for all Cyber Crimes and Cyber Attacks against India.

Thus, the Indian Cyber Security Policy must be supplemented by other Techno Legal Policies. For instance, the E-Mail Policy of India must supplement the Cyber Security Policy. The Cyber Security Policy must also be supplemented with the Telecom Security Policy of India and National Telecom Policy of India 2012 (NTP 2012). In fact, the National Security Policy of India must have the Cyber Security Policy as an essential component.

This NCSP 2013 intends to protect information and information infrastructure in Cyberspace, build capabilities to prevent and respond to cyber threat, reduce vulnerabilities and minimise damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

The NCSP 2013 aims at facilitating creation of Secure Computing Environment and enabling adequate trust and confidence in electronic transactions and also guiding stakeholders’ actions for protection of Cyberspace. It outlines a road-map to create a framework for comprehensive, collaborative and collective response to deal with the issue of Cyber Security at all levels within the country. It also recognises the need for objectives and strategies that need to be adopted both at the National level as well as International level.

The NCSP 2013 envisages a vision and mission statement aimed at building a secure and resilience Cyberspace for citizens, businesses and Government. It strives to enable goals aimed at reducing national vulnerability to cyber attacks, preventing cyber attacks and cyber crimes, minimising response and recover time and effective cyber crime investigation and prosecution. It intends to facilitate monitoring key trends at the national level such as trends in cyber security compliance, cyber attacks, cyber crime and cyber infrastructure growth.

The Objectives of the NCSP 2013 include to create a secure cyber ecosystem in the country, generate adequate trust and confidence in IT system and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy,  to create an assurance framework for design of security policies and promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (Product, process, technology and people), to strengthen the Regulatory Framework for ensuring a Secure Cyberspace Ecosystem, to enhance and create National and Sectoral level 24X7 mechanism for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective response and recovery actions, to improve visibility of integrity of ICT products and services by establishing infrastructure for testing & validation of security of such product, to create workforce for 5,00,000 professionals skilled in next 5 years through capacity building skill development and training, to provide fiscal benefit to businesses for adoption of standard security practices and processes, to enable Protection of information while in process, handling, storage and transit so as to safeguard privacy of citizen’s data and reducing economic losses due to cyber crime or data theft, to enable effective prevention, investigation and prosecution of cyber crime and enhancement of low enforcement capabilities through appropriate Legislative Intervention.

Although the Objectives and Aims of the NCSP 2013 are Laudable yet their “Actual Implementation” is the real problem. India has not been able to achieve these Cyber Security Objectives so far. Since India is a late entrant in the Cyber Security field, it would only be fair to give it some more time to implement these Objectives successfully.

National Security Policy Of India Needs Techno Legal Boost

PRAVEEN-DALAL-MANAGING-PARTNER-OF-PERRY4LAW-CEO-PTLBNational Security has undergone a see change these days. It is wrong to assume that the National Security Policy is confined to traditional threats alone. National Security of India is facing many challenges these days that are mainly attributable to the use and abuse of Information and Communication Technology (ICT).

For instance, Cyber Crimes, Cyber Attacks, Cyber Security Incidences, Cyber Warfare, Cyber Terrorism, Cyber Espionage, etc are some of the problems that are peculiar to the contemporary times. These threats are intimidating the National Security of India by striking at the Financial, Economic, Social and Political Environment of India.

An implementable Techno Legal Crisis Management Plan of India for Cyber Attacks and Cyber Terrorism is need of the hour. The National Cyber Coordination Centre (NCCC) of India must also be made operational immediately.

Critical Infrastructure Protection in India must also be ensured by Indian Government. For instance, Supervisory Control and Data Acquisition (SCADA) Systems is a favourite target for Cyber Criminals and Cyber Terrorists. By targeting SCADA these cyber miscreants can damage the Critical Infrastructure of India. We must ensure sufficient Cyber Protection of SCADA Systems in India in general and Critical Infrastructure in particular.

Malware like Stuxnet and Duqu have already shown how Critical Infrastructures and SCADA systems are vulnerable to Cyber Attacks. Indian Critical Infrastructures have also been targeted by these Malware. It is believed that Stuxnet was responsible for shutting down an Indian Communication Satellite. These Malware have also been targeting Indian Nuclear Systems and Facilities.

The National Critical Information Infrastructure Protection Centre (NCIIPC) of India, established under the guidance and control of Defence Research and Development Organisation (DRDO) must also play a more pro active role in this regard.

Although NCIIPC has issued the Guidelines For Protection of National Critical Information Infrastructure in India (PDF) yet the role of NCIIPC in India is still not clear due to absence of a Gazette Notification by the Government of India under section 70A of the Information Technology Act, 2000.

Recently DRDO sought Penal Provisions in National Telecom Security Policy of India for Telecom Companies violating the norms. However, recently the Computer Systems of DRDO and Security Officials were breached and Sensitive Files were leaked. Thus, DRDO must also enhance its own Cyber Security besides managing the Cyber Security of other Institutions.

We must develop Offensive and Defensive Cyber Security capabilities of India. A Cyber Command for Armed Forces of India is already in pipeline. The Cyber Command has also become necessary as Countries across the world have started utilising Cyber Attacks and Malware against others. As per a recent report, U.S. is the Biggest Buyer of Malware in the world.  Similarly, Global Cyber Espionage Networks are being actively used to spy and engage in E-Surveillance on other Countries. The command and control servers of Malware FinFisher were also found in 36 countries, including India.

Indian Government must Reconcile Civil Liberties and National Security Requirements in India. While protecting the National Security, Civil Liberties Protection in Cyberspace must also be ensured. Recently, United Nations passed a resolution approving Right to Privacy in the Digital Age.

However, India is in no mood of complying with that resolution. India has launched Illegal and Unconstitutional Projects like Aadhar, Central Monitoring System (CMS), National Intelligence Grid (Natgrid), Crime and Criminal Tracking Networks and Systems (CCTNS), etc without any Parliamentary Oversight and Legal Frameworks. In fact, the Internet Spy System Network and Traffic Analysis System (NETRA) of India has been proposed by Indian Government without any Legal Framework.

There is also a lack of Cyber Security Legal Practice in India. Not many Law Firms are providing Legal Services in the field of Cyber Security as it requires Techno Legal Expertise. Indian Government is planning a Legislation mandating strict Cyber Security Disclosure Norms in India. Further, Cyber Law Due Diligence requirements in India are also going to increase in India.

Cyber Security is an essential part and component of National Security of India. Indian Government must keep this fact in mind and draft a suitable Techno Legal National Security Policy of India.

National Cyber Security Policy Of India Has Failed To Protect Privacy Rights In India

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW CEO PTLBThe National Cyber Security Policy (NSCP), 2013 has listed many Objectives that Indian Government wishes to pursue to protect the Cyber Security Interests of India. However, from the very beginning the NCSP is facing Implementation Hurdles. The NCSP is also not holistically drafted as it is in active conflict with other Projects and Initiatives of Indian Government.

For instance, consider the example of the Central Monitoring System (CMS) Project of India. The CMS Project has been launched without any Parliamentary Oversight and Legal Framework. The problem has been further aggravated due to absence of Lawful Interception Law and Privacy Laws in India. The net effect of this situation is that Indian Government and its Agencies can do willful e-surveillance and phone tapping without any Parliamentary Oversight and Judicial Scrutiny.

Similarly, the Unconstitutional Aadhaar Project has already been Challenged before various High Courts in India. Aadhaar Project has serious Cyber Security and Data Security Issues that are still unresolved. The truth is that Biometric Collection in India is done in an Illegal and Unconstitutional Manner as on date.

So we have all sorts of private and sensitive personal and biometric information lying openly with Indian Government and its Agencies without any sort of Check and Balances. In these circumstances the claims of Privacy Protection by the NCSP of India have to be judged.

The NCSP claims that it aims at enabling protection of information while in process, handling, storage and transit so as to safeguard privacy of citizen’s data and for reducing economic losses due to cyber crime or data theft. The Policy is silent as to how it would be able to do so. The Policy is also silent as to how it would Balance the Civil Liberty and National Security Requirements while enforcing Indian Cyber Security.

The present Mental Framework of Indian Government as well as the Regulatory Regime of India is “Anti Privacy” and “Anti Civil Liberty” in nature. Despite contrary media claims, the NSCP has maintained this position and Status Quo.

In nutshell, the NCSP of India has failed to protect Privacy Right of Indian Citizens. Rather, accompanied with Projects like CMS, Aadhaar, etc it would be actually violating the same. Let us wait for its actual implementation to see its true effect upon Civil Liberties Protection in Cyberspace.