Tuesday, December 3, 2013

Facebook Wants to Listen to Your Phone Calls and invade Privacy

Facebook Wants to Listen to Your Phone Calls !!
Cellphone users who attempt to install the Facebook Messenger app are asked to agree to terms of service that allow the social networking giant to use the microphone on their device to record audio at any time without their permission.
As the screenshot above illustrates , users are made to accept an agreement that allows Facebook to “record audio with the microphone….at any time without your confirmation.”
The Terms Of Sservice also authorizes Facebook to take videos and pictures using the phone’s camera at any time without permission, as well as directly calling numbers, again without permission, that could incur charges.
But wait, there’s more! Facebook can also “read your phone’s call log” and “read data about contacts stored on your phone, including the frequency with which you’ve called, emailed or communicated in other ways with specific individuals.”
Although most apps on Android and Apple devices include similar terms to those pictured above, this is easily the most privacy-busting set of mandates we’ve seen so far.
Since the vast majority of people will agree to these terms without even reading them, cellphone users are agreeing to let Facebook monitor them 24/7, green lighting the kind of open ended wiretap that would make even the NSA jealous.

Thursday, September 26, 2013

Online Banking & Credit Card Fraud Advisory !!

Online Banking & Credit Card Fraud Advisory !!
After listening to plight of sufferers from various online and credit card banking related frauds and handling so many cases of fraud right from Rs. 15 thousand  to Rs. 52 Lakhs, i have humbly by experience come to following conclusion and Advisory
1. Every Net banking users should have two bank accounts
2. One in technology oriented banks like icici, hdfc,axis,yes,sbi etc with online banking option etc
3. One account in any other cooperative bank but balance up to Rs. 100000/- only na d if you want to have more balance at hand Rs. 1 lakh each in different trustworthy cooperative banks. Rest can be in fixed Deposits 
[ This is said coz RBI only insures up to 1 lakh i.e if the bank goes kaput up to 1lakh RBI will pay you]
4. In the technology oriented bank maintain only amount needed for handling online transactions as Bill payment or ticketing e.t.c
5. When ever required, money can be transferred to online banking account by cheque/DD/cash etc
6. Go back to your banks and check whether in your account opening form you have ticked for Online Banking or Mobile Banking , please untick the same
7. Please go to your bank immediately and ask them to issue chip based credit/debit cards to avoid cloning(this can take time but RBI had asked banks to do this by june 2013)
8. Any extra cash in the online banking account can be moved to Fixed deposits .
9. Avoid Mobile Banking / mobile payment gateway completely till standards, rules and regulations are formulated, take my word i m getting ready to handle mobile banking and payment related frauds as cases have started tickling. 
10. Even though i personally  hate handling cash, but in Indian markets cash still remains a king and various frauds in banking are asserting the faith in cash based economy again..
God Bless You by Lots of Money and Bless You further to Keep it safe safe and safe always

Wednesday, September 4, 2013

What is Sensitive Personal Data or Information in India ?

What is Sensitive Personal Data or Information in India ? 
Sensitive Personal Data or Information though not directly defined in The Section 2 of The IT Act, 2000. But the definition which has force of law is  defined under the section 3  of  THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 made by Central Government In exercise of the powers conferred by clause (ob) of sub­section (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000). Section 3 reads as 
3.    Sensitive personal data or information.
 Sensitive personal data or information of a person means such personal information which consists of 
 information relating to;―
(i)  password;
     (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;
       (iii) physical, physiological and mental health condition;
       (iv) sexual orientation;
       (v) medical records and history;
       (vi) Biometric information
      (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
      (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
        provided that, any information that is freely available or accessible in public domain or furnished under  the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as  sensitive personal data or information for the purposes of these rules. 
        To enlarge this definition further 
Definition’s of
1.   Data
2.   Information
3.   Personal Information 
4.   Body corporate
Have to be added to the definition of “Sensitive Personal Data or Information” as legislature have defined them separately.
Section 2(1)(o) of The IT ACT,2000 Defines "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

Section 2(1)(v) of The IT ACT,2000 Defines "Information" as
        "Information" includes data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated micro fiche; 

Section 2(1)(i) defines Personal Information as “Personal Information” means any information that  relates to a natural person, which, either directly or indirectly, in combination with other information  available or likely to be available with a body corporate, is capable of identifying such person.
        "Body Corporate" is defined under Explanation (i) of The Section 43-A of The IT Act, 2000 as "Body corporate" means any company and includes a firm, sole proprietorship or other  association of individuals engaged in commercial or professional activities; 
       So the full length definition of Sensitive Personal Data or Information would be 
       Sensitive personal data or information of a person means any information that  relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities, is capable of identifying such person  which consists of  data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated micro fiche relating to;―
         (i)  password;
        (ii) financial information such as Bank account or credit card or debit card or   other payment instrument details ;
        (iii) physical, physiological and mental health condition;
        (iv) sexual orientation;
        (v) medical records and history;
        (vi) Biometric Information
        (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
       (viii) any of the information received under above clauses by body corporate for processing, stored or  processed under lawful contract or otherwise:
        provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as 
       sensitive personal data or information for the purposes of these rules. 
       Also, reading carefully clause (viii) above the further intention of legislature could also be found out that Information any information that is NOT freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall  be regarded as sensitive personal data or information for the purposes of these rules. 
       even though presence of the word shall gives it a directive meaning.
       So the questions could be :
if someone lays hand on my mobile phone  CDR(Call Data Record) illegally and finds out  whether i am calling which Specialist Doctor or psychiatrist or Specialist Lab like Thyrocare e.t.c does it reveal my medical record or history or Mental health condition or it gives certain conclusion to the  person who has illegally procured  my CDR. 
 I feel Yes !!
        If i am calling my banker or my stock broker or private equity guy or any lender or investor isn't the CDR revealing it all my financial details.
 I feel Yes !!
       CDR (call data record) thus falls under definition of Sensitive Personal Data or Information under the IT Act, 2000
Other Examples of Sensitive Personal Data would be:
1.   Pathology Lab Reports.
2.   Sex determination test.
3.   Height or Weight of the person
4.   Bank Statement.
5.   Credit card /Debit card Statements.
6.   Cheque or Demand Draft or Pay order or echeque details
7.   PIN Number
8.   DIN Number
9.   Secret Question to reveal password
10. Electronic keys e.t.c

The Supreme Court of India has interpreted the right to life to mean right to dignified life in Kharak Singh case especially the minority judgment of Subba Rao, J. In Gobind v. State of M.P, Mathew J.,
delivering the majority judgment asserted that the right to privacy was itself a fundamental right, but subject to some restrictions on the basis of compelling public interest. Privacy as such interpreted by our Apex Court in its various judgments means different things to different people. Privacy is a desire to be left alone, the desire to be paid for
ones data and ability to act freely.
Right to privacy relating to a person’s correspondence has become a debating issue due to the technological developments. In R.M. Malkani v. State of Maharashtra, the Supreme Court observed that, the Court will not tolerate safeguards for the protection of the citizen to be imperilled by permitting the police to proceed by unlawful or irregular methods. Telephone tapping is an invasion of right to privacy and freedom of speech and expression and also Government cannot impose prior restraint on publication of defamatory materials against its officials and if it does so, it would be violative of Article 21 and Article 19(1)(a) of the Constitution. In Peoples Union for Civil Liberties v. Union of India the Supreme Court held that right to hold a telephonic conversation in the privacy of one’s home or office without interference can certainly be claimed as right to privacy. In this case the Supreme Court had laid down certain procedural guidelines to conduct legal interceptions, and also provided for a high-level review committee to investigate the relevance for such interceptions.
Conclusion :
So if Body Corporate Do not follow reasonable security practices to safe guard Sensitive Personal Data or Information of all the data they possess have to pay severe compensation to the entity/ person whose data so gets compromised.
Sensitive Personal Data or Information though defined in the IT Rules of 2011under The IT Act, cannot be construed strictly as it is said law lies in its interpretation and history has shown interpretation differs in different times .The definition cannot be strictly construed for two reasons. One because the definition encompasses various words which are defined separately and cognizance have to be taken to arrive at intentions of the legislature and society at large and Second because what can be sensitive to one person at one time cannot be sensitive to other person at different timings. As today if we get Call Data Records of Harshad Mehta or Nathuram Ghodse even though the data so obtained would remain personal but not sensitive coz of time has passed by and so is relevance.


Sunday, June 16, 2013

Google User Search Logs – Is it Personal Data or Information as per LAW?

Google User Search Logs – Is it Personal Data or Information?

Privacy concerns relate to personally information or personal data, that is, as defined in The IT Rules under The ITAct, 2000 i.e “Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Information which can be used to uniquely identify, contact, or locate a specific individual person. Federal privacy legislation protects personal data in a number of contexts, such as health information, financial data, or credit reports. Similarly, the European data protection framework applies to "personal data," defined as "any
information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
Information that cannot be linked to an individual person is not problematic from a privacy standpoint. Imagine we have highly revealing data about Sify user 200805, but we do not know, nor can we find out, who the user is. Or consider I tell you that X is a drugs-addicted, searches for teen sex, who earns Rs.80,000 a month, half of which is spent on online porn. Absent any indication as to the identity of X, this information is meaningless from a privacy perspective.
Do users' search logs constitute "personal data"?
Can the data in search logs be traced to specific individuals?
I show that they do, and therefore raise serious privacy problems. First, as noted above, search engines log a user's queries under such user's IP address. An IP address is a unique string of numbers assigned to a user's computer by his/her Internet Service Provider (ISP) in order to communicate with her computer on the network. Simply put, it is the cyberspace equivalent of a real space street address or phone number. An IP address may be dynamic, meaning a different address is assigned to a user each time He/she logs on to the network; or static, that is assigned to a computer by an ISP to be its permanent Internet address. The question of whether an IP address constitutes "personal data" has been much debated in the EU. It is equivalent to asking whether "Plot no. 435, Malabar Hill, Mumbai" or "919821763157" constitutes personal data. The answer depends on whether the address might be linked to an "identified or identifiable natural person" through reasonable means. Clearly, a static address is more "personal" than a dynamic address; and in either case, an address is more "personal" in the possession of an ISP, which has the capacity to link it to a specific user's registration information, than in the hands of other parties. The European data protection watchdog, the Article 29 Working Party, has already opined that even dynamic IP addresses constitute "personal data." It stated that "unless the ISP is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will
have to treat all IP information as personal data, to be on the safe side."
Consequently, even if Google could not link an IP address (and therefore her search log) to a specific individual, the fact that ISPs have such capability and that the government may order them to do so renders search logs "personal data" for privacy purposes. It is the capacity to link, not the actual linking, that makes the data personal.
Second, to overcome the difficulty of profiling users who access search engines using a dynamic IP address, search engines set "cookies" which tag users' browsers with unique identifying numbers. Such cookies enable search engines to recognize a user as a recurring visitor to the site and amass her search history, even if she connects to the Internet via a different IP address. As a result of pressure by EU data protection
regulators, Google has already shortened the duration of its cookie,
which was initially set to expire in 2038, to a period of two years after a user's last Google search. The privacy benefits of such a move are doubtful, however, since as long as Google remains the Internet's leading search engine, users are bound to renew the two-year period on a daily basis.
The Google privacy policy states: "When you use our services or view content provided by Google, we may automatically collect and store certain information inserver logs. This may include: cookies that may uniquely identify your browser or your Google Account.
We use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites. You may also set your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us. However, it’s important to remember that many of our services may not function properly if your cookies are disabled. For example, we may not remember your language preferences”. See Privacy Policy of Google. As a matter of fact, few users change their browser's default settings to reject cookies
One of the major weaknesses of a cookie as a tracking device is the fact that it is accessibly only by the web server that placed it on a user's computer. In other words, the Times of India cookie is read by the Times of India web site, but not by Yahoo or Wikipedia. You might therefore think of a cookie as a device that helps one snoop after a guest in his/her own house, but not in neighboring houses or public areas. However, this weakness has been overcome by Google in its takeover of advertising powerhouse DoubleClick. DoubleClick was the leading provider of Internet-based advertising, tracking users' behavior across
cyberspace and placing advertising banners on web sites. The company is a long-time nemesis of privacy advocates. In February 2000, EPIC filed a complaint with the FTC alleging that DoubleClick was unlawfully tracking the online activities of Internet users and combining surfing records with detailed personal profiles contained in a national marketing database. The case ended in a settlement, pursuant to which DoubleClick undertook a line of commitments to improve its data collection practices, increase transparency and provide users with opt out options. DoubleClick continues to utilize third-party cookies as well as its "DART" (Dynamic, Advertising Reporting, and Targeting) technology to track user activity across multiple web sites.
In its complaint to the FTC about the Google-DoubleClick merger, EPIC
had alleged that by purchasing Doubleclick, Google expanded its ability to pervasively monitor users not only on its web site but also on cyberspace as a whole.
Third, much like IP addresses, cookies are arguably not "personal data" because they identify a specific browser (typically, a computer) as opposed to an individual person. Yet, if a cookie and related search log could be cross-referenced with an individual's name, the cookie itself would become personal data. Think of the cookie as a label on
a "box of personal data" of an unnamed person, who is under investigation by a Investigating Officer. Typically, the label says something like "740674ce2123e969," and thus does not implicate anyone's privacy. Yet, once the Investigating Officer comes across the person's name, she immediately affixes it to the label, rendering the
contents of the box "personal data." The box of personal data is of course analogous to a user's search log and Google to the Investigating Officer. And there are plenty of instances in which Google comes across a user's real name. In addition to its search engine, Google provides users with a wide array of online services, many of which require registration using real name and e-mail address credentials. First and
foremost is Gmail, the ubiquitous web based e-mail service launched in April 2004 as a private beta release by invitation only and opened to the public in February 2007.
Gmail gained its prominence and notoriety by providing a simple bargain for users: get an unprecedented amount of online storage space; [When Gmail was initially launched in 2004 with 1GB of storage space, Hotmail, its leading competitor, provided users with 2MB (that is, 0.2% of what Gmail gave). ] gave Google the opportunity to scan your e-mails' contents and add to them context-sensitive advertisements. The launch of Gmail turned out to be one of the most controversial product launches in the history of the Internet and placed Google at the center of a fierce privacy debate.
Privacy advocates criticized the precedent set by Google of eliminating a person's expectation of privacy in the contents of her communications, as well as the consequential violation of non-subscribers' privacy interests in their correspondence.
This Blog does not address the serious privacy issues raised by Gmail itself, but rather the synergetic privacy risk created by cross-referencing user search logs with information collected by Gmail as part of the registration process. In other words,registration to Gmail or additional Google services such as Google Talk (instant messaging service), Google Reader (RSS feeds), Google Calendar (a user’s schedule),
or Google Wallet (credit card/payment information for use on other sites), places the missing "name tag" on a user's search log, thereby rendering its contents highly combustive from a privacy perspective.Notice that cross-referencing user search logs with registration information is distinct from Google correlating search logs with users' e-mail contents, the prospect of which is an additional cause of concern for privacy advocates. It simply means Google can pick the name of a user off of his/her registration form and attach it to a cookie, which serves as the key to her search log.
In other words, because Google uses the same cookie to maintain a particular user's search history and to identify her when she logs-on to her Gmail account, the anonymous nature of the cookie is lost and the search log becomes sensitive personal data.
Finally, even thoroughly anonymized search logs can be traced back to their originating user. This can be done by combing search queries for personal identifiers, such as a social PAN Numbers or credit card details. It becomes simpler yet by the tendency of users to run "ego
searches" (also known as "vanity searches" or "egosurfing"), the practice of searching for one's own name on Google (once, twice, or many times per day). In fact, in its effort to quash the government subpoena issued in Gonzales v. Google, Google itself  posited that "search query contents can disclose identities and personally identifiable information such as user-initiated searches for their own social security or credit card
numbers, or their mistakenly pasted but revealing text."
There is also Google Web History, of course, which provides consenting users with a personalized search experience linked to a personal account. Hence, Google Web History explicitly de-anonymizes one's search log.
While it is true that users may register for services such as Gmail with a false or pseudonymous name, I suspect few do. I use Gmail as my main e-mail account due to its geographic and chronological versatility (you do not have to change e-mail addresses each time you relocate or switch jobs) and storage space. I use my real name, since I would not want colleagues or friends to receive e-mails from
"ADV" or "Prashant197" and have to guess that I am the sender.

To sum, the contents of user search logs are clearly personal in nature. The question is whether such contents may be traced to a specific user. Google's ability to combine IP addresses, persistent cookies and user registration information renders the data in search logs not only personal but also personally identifiable.

I suggest this in to be added in the definition of “personal data” of The Indian Privacy (Protection) Act,2013 an also in the definition of “Personal Information” as defined in The IT Act,2000

..Adv Prashant Mali is an Renowed Cyber Law & Cyber Security Expert Lawyer based out of Mumbai

Tuesday, May 28, 2013

Google and Indian Privacy Laws (Part I)

Google and Indian Privacy Laws (Part I)

Search engines are the most important actors on the Internet today and Google is the undisputed king of search. Google dominates the Internet, guiding users to the information they seek through an ocean of unrelated data with astonishing precision and speed. It is a powerful tool, evoking ambivalent feelings. On the one hand, we adore Google for its simple, modest-looking interface masking a hyper-complicated algorithm, which is the very essence of online ingenuity. We admire it for providing superb services at no (evident) cost, a practical miracle in today's market economy.
On the other hand, we grow wary of Google's increasing clout as the ultimate arbiter of commercial success ("to exist is to be indexed by a search engine") and as a central database for users' personal information, not only logging their search queries but also storing their e-mail (Gmail), calendars (Calendar), photos (Picasa), videos (YouTube), blogs (Blogger), documents (Docs & Spreadsheets), social networks (facebook), news feeds (Reader), credit card information (Checkout) – in short, their entire digital lives.
Google's access to and storage of vast amounts of personal data create a serious privacy problem, Princeton computer scientist Edward Felten had called "perhaps the most difficult privacy [problem] in all of human history." Every day, millions upon millions of users provide Google with unfettered access to their interests, needs, desires, fears, pleasures and intentions. Counter to conventional wisdom, this information is logged and maintained in a form which may facilitate the identification of specific users for various purposes, including not only their targetingwith effective advertising but also prosecution by the government or pursuit by private litigants. Let us put it like this, "link by link, click by click, search is building possibly the most lasting, ponderous, and significant cultural artifact in the history of humankind: the Database of Intentions." This "Database of Intentions" constitutes a honey pot for various actors, ranging from the CBI ,NIA, NTRO etc which expend crores of rupees on online surveillance and cannot overlook Google's information treasure trove, to hackers and data thieves, who routinely overcome information security systems no matter how robust.
A leading advocate for human rights, Privacy International, had initially ranked Google's privacy practices as the worst out of more than 20 leading Internet service providers, including Microsoft, Yahoo, Amazon and eBay. 1Privacy International describes Google as "an endemic threat to privacy."It criticizes Google's "aggressive use of invasive or potentially invasive technologies and techniques" and claims the company "fails to follow generally accepted privacy practices such as the OECD Privacy
Guidelines and elements of EU data protection law." EU data protection regulators time and again have also launched an investigation into Google's data retention and privacy practices, which was quickly expanded to cover other search engines as well. China’s Blockage is well known to the world.

How did Google evolve from being a benevolent giant seeking to "do no evil" into a privacy menace, an unruly private sector "big brother" reviled by human rights advocates worldwide? Are the fears of Google's omniscient presence justified or overstated? What personal data should Google be allowed to retain and for how long? Is Google Intermediary as per The IT Act,2000? What rules should govern access to Google's database? What are the legal protections currently available in India  and are they sufficient to quell the emerging privacy crisis? What does India's New The Privacy Protection Act,2013 have to say? These are the main issues I will address in Part II

1.Privacy International, A Race to the Bottom - Privacy Ranking of Internet Service Companies, A Consultation report

Thursday, May 23, 2013

New Malware to Steal your Credit or Debit Card Details

Your Ultimate Bank Money Stealer is Here.. 
A new malware is discovered called “Dump Memory Grabber,” which has already been used to steal debit and credit card information from customers using major US banks including Chase, Citibank and Capital One, The malicious code is evidently being installed directly into point-of-sale (POS) hardware (meaning registers or kiosks) and ATMs, and transmitting the harvested information straight out of the magnetic stripes on credit and debit cards - which includes everything from account numbers, to first and last names and expiration dates.
How are attackers infecting physical systems? It is your favourite USB drives are the likely culprits, as modern register systems often have accessible ports, as well as direct connections to the Web.
The harvested information is then used to produce cloned cards, and they are likely succeeding with the help of individuals with direct access to the POS systems and ATMs - which could include employees.
Please think twice where to use your credit and debit cards !!!!

Monday, May 20, 2013

Denial-of-service (DoS) attack what it is ??

Denial-of-service (DoS) attack

Now all major organizations face DDoS attacks on their public facing servers, mainly banking and finance companies face the most with demands of ransom from attackers sitting in any corner of the world. Old approaches and solutions sometimes seem to not work, but remaining educated about the same(DoS or DDoS Attacks) always helps.

What is DoS ?
In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.
The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you type a URL for a particular website into your browser, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can't process your request. This is a "denial of service" because you can't access that site.
An attacker can use spam email messages to launch a similar attack on your email account. Whether you have an email account supplied by your employer or one available through a free service such as Yahoo or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your account at any given time. By sending many, or large, email messages to the account, an attacker can consume your quota, preventing you from receiving legitimate messages.

What is a distributed denial-of-service (DDoS) attack?
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.

How do you avoid being part of the problem?
Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack, but there are steps you can take to reduce the likelihood that an attacker will use your computer to attack other computers:
·         Install and maintain updated anti-virus software (Please be it Legal avoid freeware)
·         Install a firewall, and configure it to restrict traffic coming into and leaving your computer (Avoid free ones and avoid two at a time).
·         Follow good security practices for distributing your email address. Applying email filters may help you manage unwanted traffic.(Check what solutions your ISP also uses)

How do you know if an attack is happening?
Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:
·         unusually slow network performance (opening files or accessing websites)
·         unavailability of a particular website
·         inability to access any website
·         dramatic increase in the amount of spam you receive in your account

What do you do if you think you are experiencing an attack?
Even if you do correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of the attack. Contact the appropriate technical professionals for assistance.
·         If you notice that you cannot access your own files or reach any external websites from your work computer, contact your network administrators. This may indicate that your computer or your organization's network is being attacked.
·         If you are having a similar experience on your home computer, consider contacting your internet service provider (ISP). If there is a problem, the ISP might be able to advise you of an appropriate course of action.

Reasonable Security Practices and Procedures and Sensitive Personal Data in India-provisions required

ITA Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information Rules 2011
The Personal Information Security Rules were notified in April 2011 and serve as
the most comprehensive form of data protection in India. The Rules prescribe procedures
and protocol by which body corporate must adhere to. The Rules can be brought in line
with the National Privacy Principles through the following changes:
1. Notice
Existing Provisions
o Privacy Policy: Anybody corporate that collects, receives, possesses, stores,
deals, or handles information must provide a privacy policy that provides for clear
and easily accessible statements of its practices and policies, type of personal or
sensitive personal data or information collected, purpose of collection and usage
of such information, disclosure of information, and reasonable security practices
and procedures. Rule 4
o During Collection: While collecting information directly from the person
concerned the body corporate shall take steps to ensure that the individual knows
that the information is being collected, the purpose for which the information is
being collected, the intended recipients of the information, the name and address
of the agency collecting the information and the agency that will retain the
information. Rule 5(3)
Missing Provisions
o Data Breach: If a data breach occurs, affected individuals must be notified
o Legal Access: If information is legally accessed, the access must be notified at the
close of the investigation.
o Change in privacy policy: Any changes in a body corporate privacy policy
should be notified to the public and the individual.
o Process to access and correct: At the time of collection body corporates must
provide notice of the processes available to data subjects to access and correct
their own personal information.
2. Choice & Consent
Existing Provisions
o Individual Consent: Body corporates must obtain consent in writing through
letter or Fax, or email from the provider of the sensitive personal data or
information regarding purpose of usage before collection. Rule 5(1)
o Right to withdraw and opt in/opt out: Prior to collection of information, body
corporate must provide the individual not to provide the data sought. The provider
of information will have the right to withdraw consent at any time while availing
services. Rule 5(7)
Missing Provisions
o Mandatory provision: When provision of information is mandated by is should
be in compliance with all other National Privacy Principles. Information collected
on a mandatory basis should be anonymized within one year if published in public
3. Collection Limitation
Existing Provisions
o Necessary & Relevant: Body corporate shall not collect sensitive personal data
unless the information is collected for a lawful purpose connected with a function
or activity of the body corporate. The collection of sensitive personal data is
considered necessary for the purpose. Rule 5(2)
4. Purpose Limitation
Existing Provisions
o Definition of Sensitive Personal Data: password, financial information such as
Bank account or credit card or debit card or other payment instrument details,
physical, physiological and mental health conditions, sexual orientation, medical
records and history, biometric information, any detail relating to the above as
provided to body corporate for providing service, any of this information received
by body corporate for processing, stored or processed under lawful contract. Any
information that is available or accessible in public domain or furnished under the
Right to Information Act, 2005 will not be regarded as sensitive personal data. Rule 3
o Retention: The Body Corporate holding sensitive personal data will not retain
that information for longer than is required for the purposes for which the
information may be lawfully used or is required under any other law in force.Rule 5(4)
o Use: The information collected will be used for the purpose for which it has been
collected. Rule 5(5)
Missing Provisions
o Adequate and Relevant: Personal data collected and processed by an
organization must be adequate and relevant to the purposes for which they are
o Change in purpose: If there is a change in purpose, this must be notified to the
data subject.
o Destruction: After personal information has been used in accordance with the
identified purpose, it must be destroyed as per the identified procedures.
o Data Retention: Data retention mandates by the government should be in
compliance with the National Privacy Principles.
5. Access & Correction
Existing Provisions
o Access: Body corporate must permit the providers of information, when
requested, to review the information they had provided and ensure that any
personal information or sensitive personal data or information found to be
inaccurate or deficient shall be corrected or amended as feasible. Rule 5(6)
Missing Provisions:
o Confirmation of personal information: Data subjects should be able to confirm
that an organization holds or is processing information about them.
o Copy of personal information: Data subjects should be able to obtain a copy of
the personal data undergoing processing.
o Limitation to Access: The information may not be given or access permitted if it
is not possible to do so without disclosing information about another person unless
that persona has consented to the disclosure.
6. Disclosure of Information
Existing Provisions
O Consent for Disclosure: Disclosure of sensitive personal data or information by
body corporate to any third party shall require prior permission from the provider
of such information, unless disclosure has been agreed to by contract or is
necessary by legal obligation. Rule 6
o Prohibition on publishing: The body corporate will not publish the sensitive
personal data or information. Rule 6(3)
o Non-disclosure: The third party receiving the sensitive personal data will not
disclose it further. Rule 6(4)
o Transfer of Information: A body corporate may transfer sensitive personal data
to any body, organization, or country that ensures the same level of data
protection. The transfer can only take place for the performance of a lawful
contract or where the transfer has been consented to. Rule 7
Missing Provisions
o Notice of disclosure: Body corporate must provide notice of disclosure to third
o Bound to Principles: All third parties must be bound to the National Privacy
Conflicting Provisions
o Authorized Agencies: Information will be share with Government Agencies
mandated under law without obtaining prior consent for the purposes of
verification of identity, for prevention, detection, investigation including cyber
incidents, prosecution, and punishments of offences. Rule 6
7. Security
Existing Provisions
o Security standards: A body corporate or person must have a comprehensive
documented information security program and information security policies that
contain managerial, technical, operational, and physical security control measures.
In the event of a breach, the body corporate must be able to demonstrate that they
have implemented security control measures. This includes being IS/ISO/IEC
27001 compliant. Rule 8(1)
o Audit: On any annual basis the body corporate must undergo an audit of his/her
reasonable security practices. Rule 8(4)
8. Openness
Missing Provisions
Transparency: Body corporate must make available to the public information
regarding the steps taken to ensure compliance with the National Privacy Principles
9. Accountability
Existing Provisions
· System of Complaints: Body Corporates must address any discrepancies and
grievances of their provider of the information with respect to the processing of
information in a time bound manner. To achieve this, a Grievance Officer must be
appointed to address these grievances. Rule 5(9)
Missing Provisions
o External verification: All processes related to the handling of sensitive personal
information [in addition to security systems] should undergo external verification
on a regular basis.
o Support to Privacy Commissioner: Body corporate should be held responsible
for giving support to the Privacy Commissioner and complying with general/specific
orders of the privacy commissioner.
10. Verification
Existing Provisions:
· Liability of accuracy: A body corporate is not responsible for the authenticity of
the personal information or sensitive personal data or information supplied by the
provider of information. Rule 5(6)
**Source - Report of the Group of Experts on Privacy

Navy man in Jail for 2 years for Child Pornography, cyber crime in India

Navy man gets 2 years Jail for Child Pornography, cyber crime in India : Cyber crime conviction By Prashant Mali In the case of D...