<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>B&#039;Cognizance &#187; I Wiz</title>
	<atom:link href="http://bcognizance.iiita.ac.in/archive/jan-jun14/?cat=7&#038;feed=rss2" rel="self" type="application/rss+xml" />
	<link>https://bcognizance.iiita.ac.in/archive/jan-jun14</link>
	<description></description>
	<lastBuildDate>Thu, 13 Nov 2014 09:03:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>The need of a Data Privacy law in India</title>
		<link>https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=418</link>
		<comments>https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=418#comments</comments>
		<pubDate>Tue, 15 Apr 2014 03:36:49 +0000</pubDate>
		<dc:creator>ravi</dc:creator>
				<category><![CDATA[I Wiz]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/jan-jun14/?p=418</guid>
		<description><![CDATA[India is a developing country. Economically and strategically it is emerging as a global player, and data privacy is emerging as an important requirement alongside that. India has one of the largest consumer bases and outsourcing industries in the world, so there is an immediate need for a privacy law covering all sectors.<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=418" title="Read The need of a Data Privacy law in India">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>India is a developing country. Economically and strategically it is emerging as a global player, and data privacy is emerging as an important requirement alongside that. India has one of the largest consumer bases and outsourcing industries in the world, so there is an immediate need for a privacy law covering all sectors. Such a law would ensure better governance and accountability.</p>
<p>India is among the leaders in mobile phone penetration, social networking and internet use, yet it still lacks comprehensive privacy regulation, and citizen awareness of the issue is low.</p>
<p>A few decades ago privacy was not a major issue: records were kept on paper, there was no internet, electronic data or GPS, and even a simple violation of privacy took real effort. Today digital devices and seamless connectivity between them make information easy to share and broadcast, so the opportunity for a privacy breach has multiplied. A growing economy and a very large consumer base make India all the more exposed.</p>
<p>Everyone needs privacy to some extent, and we naturally expect bodies and organisations to protect it without being asked.</p>
<p>Not long ago the Supreme Court of India directed TRAI and the telecom operators to stop sharing subscribers' mobile numbers with telemarketers without the subscribers' consent.</p>
<p>Bodies that collect or process data should use it only for the purpose for which it was collected and ensure it is not disclosed to unintended recipients.</p>
<p>We talk a great deal about women's safety, yet the reservation chart posted by the railways displays each passenger's name, sex and age alongside the seat number and destination. An unaccompanied woman can be singled out for crime because of this.</p>
<p>In India privacy is read into Article 21 of the Constitution (the right to life and personal liberty), and Section 43A of the IT Act 2000 requires a body corporate handling sensitive personal data to maintain reasonable security practices or pay compensation for the harm caused. Neither provision is comprehensive, and both are ambiguous when interpreted. India needs a privacy law that covers its different sectors. Our industries and outsourced centres today often rely on European and US privacy laws; an Indian privacy law would serve the industry while preserving national values such as culture, demography and local customs.</p>
<p>Enacting a privacy law would give the public a strong legal remedy and deter bodies that misuse customer data for other gains.</p>
<p>There are some areas where care is needed when enacting a privacy law:</p>
<ol>
<li>Consent must be genuine. Customers are often misled into consenting to the sharing of their data.</li>
<li>Only necessary data should be collected. A shopping centre may ask for more information than its business needs, for its own analytics, and refuse the transaction without it. Such practices should not go unpunished.</li>
<li>Equally, the law must not be misused by the public. A candidate should not be able to withhold information from an employer under the privacy law merely because the information would lead the employer to reject the candidate.</li>
<li>Data transferred to another country should receive equivalent protection there.</li>
<li>Last but not least, national interest must be preserved. In a country exposed to terrorist activity, the law should not become a tool for miscreants.</li>
</ol>
<p>An independent constitutional body should be set up to oversee the implementation of, and compliance with, the privacy law in India.</p>
<p>India, as an emerging economy, needs a privacy law of its own. Citizens and organisations should also play an important role in ensuring the safety and security of the private information in our lives.</p>
<blockquote><p><strong><em>Rahul Das<br />
Consultant | PwC India<br />
MS-CLIS (2011-2013) | IIIT-A</em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/jan-jun14/?feed=rss2&#038;p=418</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy in India for Surveillance by NSA</title>
		<link>https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=408</link>
		<comments>https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=408#comments</comments>
		<pubDate>Tue, 15 Apr 2014 03:36:33 +0000</pubDate>
		<dc:creator>ravi</dc:creator>
				<category><![CDATA[I Wiz]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/jan-jun14/?p=408</guid>
		<description><![CDATA[This article follows up my previous one, published in the winter issue, which can be found here. There we looked at the technical capabilities of the National Security Agency (NSA) and its power to acquire as much information as it can.<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=408" title="Read Privacy in India for Surveillance by NSA">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>This article follows up my previous one, published in the winter issue, which can be found <a href="http://bcognizance.iiita.ac.in/archive/jan-jun14/archive/oct-apr13/?p=200">here</a>. There we looked at the technical capabilities of the National Security Agency (NSA) and its power to acquire as much information as it can. PRISM is one of its programmes for intercepting and collecting metadata and content from telephone, internet and wireless traffic across the world, India included; on the Indian side, the government's own Central Monitoring System (CMS) gives it comparable interception capability over domestic networks.</p>
<p><strong>What can they do?</strong></p>
<p>With a system like the CMS they can listen to your calls, track a mobile phone and its location, read your text messages, personal emails and chat conversations, see your Google searches and the websites you visit, and even capture your username and password if the connection is not encrypted. The NSA denies monitoring content and says it collects only context information, i.e. metadata.</p>
<p><strong>What can we do to protect ourselves?</strong></p>
<p>Take email. The sender and recipient IP addresses, locations and Gmail IDs of every message you send used to be visible on the wire to the NSA; this kind of information is the context portion. In March 2014 Gmail made HTTPS mandatory for every connection and began encrypting messages as they move between Google's own data centres, so that this context is no longer exposed to anyone snooping on the network path. Note the limits of that protection: transport encryption only hides the data from third parties in transit, and the provider itself still sees all of it. That is why security experts and hackers use PGP-like software, which encrypts the body of the mail end to end, though even PGP leaves the headers (sender, recipient, subject) in the clear.</p>
<p><strong>What concerns us?</strong></p>
<p>This time my concern is what the rules, regulations and privacy protections in India actually say about surveillance. Can we stop it? Can we punish those who do it illegally? Does any Act actually help, or does it favour the non-technical side? Many questions arise, and this is a real problem today for government and law enforcement: how do we stop anyone from such illegal activities? Is a warrant required before wiretapping or surveilling the network of a target, or not?</p>
<p><strong>What do case law and legislation say?</strong></p>
<p>The CMS is not sanctioned by parliamentary legislation, and it raises serious privacy concerns. To understand the constitutional implications we therefore need to look at Indian privacy jurisprudence.</p>
<p>The first case to address the issue was <strong>M.P. Sharma v Satish Chandra (1954)</strong>. The court upheld the search and seizure in question, reasoning that a power of search and seizure is an overriding power of the State for the protection of social security, necessarily regulated by law, and that since the makers of the Constitution had chosen not to recognise a fundamental right to privacy analogous to the American Fourth Amendment, the court had no justification to import one. The court did not reject privacy altogether, but because our Constitution does not expressly declare privacy a fundamental right, its protection was left to be developed later as an ingredient of personal liberty.</p>
<p>The next case, <strong>Kharak Singh v State of U.P.</strong> (1963), concerned Uttar Pradesh police regulations that placed certain "history sheeters" (persons with a police record, though not necessarily convicted) under surveillance: secret inspection of the house, shadowing of movements, enquiries, domiciliary visits at night and so on. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds, and it is the second ground that concerns us.</p>
<p>The majority struck down domiciliary visits at night, because the regulations were executive instructions rather than "law" capable of restricting personal liberty under Article 21, but upheld the rest of the surveillance as reasonable and held that a right to privacy is not a guaranteed right under our Constitution. This leaves us in an awkward position: the legislature may impose restrictions, yet neither does the Constitution spell out privacy fully nor does the IT Act clearly prohibit this kind of monitoring. So what, if anything, makes surveillance of the NSA kind reasonable under Article 19?</p>
<p><strong>What have the Indian and US courts decided?</strong></p>
<p>So far, then, Indian courts have not held surveillance as such to be unconstitutional; they have asked whether it is backed by law and whether it is reasonable. In the United States, a federal court held in December 2013 that the NSA's bulk collection of telephony metadata was "likely unconstitutional" under the Fourth Amendment, which protects citizens against "unreasonable searches and seizures" by the federal government.</p>
<p>That judgment rested on two steps: first, people have a reasonable expectation of privacy in their telephone records; second, the infringement was unreasonable, because the government could show no evidence that the persons monitored were suspects or that the bulk programme had actually served the interest of national security.</p>
<p><strong>What do we need?</strong></p>
<p>Law enforcement and government need to study this closely, as the two-step American Fourth Amendment test is substantially similar to Article 21's right to privacy. If our courts adopted the same reasoning, it would follow that:</p>
<p>(a) everybody has a reasonable expectation of privacy in their telephone records, and the same applies to wiretapping;</p>
<p>(b) the government cannot simply assert national security and carry out bulk surveillance under its shadow;</p>
<p>(c) approval for mass surveillance must be obtained from a court.</p>
<p>Now we will see how the privacy issues regarding surveillance or wiretapping handled in the future by the course of time in courts.</p>
<p>References:</p>
<p>1. Stephen B. Wicker and Schrader, IEEE paper: Privacy-Aware Design Principles for Information Networks</p>
<p>2. <a href="http://indconlawphil.wordpress.com">http://indconlawphil.wordpress.com</a></p>
<blockquote><p><strong><em><br />
Ayush Gupta<br />
MSCLIS IIIT Allahabad </em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/jan-jun14/?feed=rss2&#038;p=408</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>End of Window XP Life Could Debilitate Regulatory Compliance Standards</title>
		<link>https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=332</link>
		<comments>https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=332#comments</comments>
		<pubDate>Tue, 15 Apr 2014 03:34:57 +0000</pubDate>
		<dc:creator>ravi</dc:creator>
				<category><![CDATA[I Wiz]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/jan-jun14/?p=332</guid>
		<description><![CDATA[Windows XP, released on 25 October 2001 and for years the most widely adopted operating system in both consumer and business markets, reached end of life on 8 April 2014. From 9 April 2014 Microsoft no longer provides support, marketing, updates or hotfixes for it.<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/jan-jun14/?p=332" title="Read End of Window XP Life Could Debilitate Regulatory Compliance Standards">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>Windows XP, released on 25 October 2001 and for years the most widely adopted operating system in both consumer and business markets, reached end of life on 8 April 2014. From 9 April 2014 Microsoft no longer provides support, marketing, updates or hotfixes for it, nor support options such as Microsoft Security Essentials or online technical content updates. Over time more applications and devices will also stop working well with XP. Attacks on machines that still run XP can be expected to rise sharply, because newly discovered vulnerabilities will go unpatched. This sunset directly affects enterprise environments, electronic locks on doors and buildings, <a title="Automated teller machine" href="https://en.wikipedia.org/wiki/Automated_teller_machine">automated teller machines</a>, government and military computing devices, e-commerce, the retail industry with its POS terminals and the applications around them, and every organisation that handles cardholder data and is obliged to comply with PCI DSS.</p>
<p>For retailers the impact can be greater: the PCI Security Standards Council (PCI SSC) does not regard an out-of-date operating system as acceptable, which can cause problems between retailers still using Windows XP and their acquiring banks, whatever payment software they run. The overarching question is how this change affects those who moved from PCI DSS 2.0 to 3.0 late last year and are bound to comply with its requirements.</p>
<p>The <a href="http://searchfinancialsecurity.techtarget.com/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard">Payment Card Industry Data Security Standard</a> (PCI DSS) is a set of 12 requirements administered by the PCI SSC to protect electronic payment data and sensitive authentication data. The PCI SSC recently replaced PCI DSS 2.0 with PCI DSS 3.0, which introduces a number of new provisions. Any retailer or organisation that handles payment cardholder data or processes card transactions must comply fully with all 12 requirements to avoid fines and other non-compliance sanctions. Requirement 6.2 states:</p>
<p><em>&#8220;Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.&#8221; </em></p>
<p>So from the moment the first post-EOL XP vulnerability is disclosed with no vendor patch to install, an organisation running XP in its cardholder data environment falls out of compliance with requirement 6.2, puts its customers' data at risk, and risks removal from the official list of PCI-compliant service providers and from the list of vendors qualified to support those regulated by PCI DSS.</p>
<p>Another concern is ATMs: the majority of ATM computers run Windows XP, and if they are compromised, daily life in any country is disrupted. According to an InfoSecIsland report, the medical device industry is a further major concern, since most medical devices run on XP and a share of them also use XP hosts to link to the external databases holding the medical data the devices work with. Medical devices have long service lives, between 10 and 20 years, so many of them are now likely to be exposed to malware, hacking, software errors and crashes in the absence of new patches. Medical devices still running XP will therefore fail the technical safeguards of the Health Insurance Portability and Accountability Act (HIPAA) for securing devices that hold protected health information, and zero-day malware and operating system errors become more likely. Terminals running XP must also be able to demonstrate the confidentiality of patient records and produce the audit evidence for the safety and security of those records. Organisations bound by regulatory standards such as SOX, HIPAA, PCI DSS, NERC and Gramm-Leach-Bliley thus face greater challenges in security, cost and brand reputation.</p>
<p>Even large organisations that deal with POS, the Internet of Things (IoT) or card data may have many distributed systems whose hardware cannot run Windows 7 or Windows 8, along with legacy applications that run only on XP. Other obstacles to migration include mission-critical applications that are not compatible with the newer Windows versions, high migration budgets, lack of staff for day-to-day migration work, and general application incompatibility. According to a survey conducted by IDC Research and Flexera Software in September 2013, almost 15% of midsize and large enterprises will still have Windows XP running on at least 10% of their PCs after Microsoft's support ends, and a complete OS migration for such enterprises is likely to take six to twelve months. Third-party vendors such as Oracle and Adobe dropping XP from their supported platforms add further pressure to upgrade.</p>
<p><span style="color: black"><strong>Taking Next Steps: Compensating Controls</strong></span></p>
<p>First, an organisation that is unsure whether it still has Windows XP in its environment can find out with Microsoft's Windows 7 Upgrade Advisor, and the Windows Upgrade Assistant can check whether systems meet the Windows 7 or Windows 8 requirements; a list of mission-critical programs that have trouble running on Windows 7 or 8 can be compiled at the same time. Organisations that continue to use XP after 8 April must monitor and mitigate XP-specific threats and risks themselves, or, in the case of larger businesses, work with Microsoft or a licensed sourcing provider on security services that manage new and existing vulnerabilities and keep the applications running on XP within PCI DSS requirements. This may reduce regulatory liability if a breach of payment card data occurs despite the effort to comply.</p>
<p>Where applications do not need internet access or access to systems outside their own network, their hosts can be isolated on a network segment that allows them to be reached only from systems inside that segment. Besides negative-security software such as anti-virus (AV) and host-based intrusion prevention systems (HIPS), organisations can rely on positive-security software such as Bit9, which allows only trusted applications to run. This hardens out-of-date systems such as XP because anything unknown or untrusted is blocked by default, which stops many zero-day exploits and targeted attacks.</p>
<p>Frameworks and bodies such as the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) and the SANS Top 20 Critical Security Controls treat positive, proactive security models as best practice for closing the threat window on POS systems, servers and endpoints, lowering the cost of compliance and helping organisations stay compliant while XP remains in place.</p>
<p>Retailers who intend to migrate to PA-DSS validated applications should check the &#8220;Tested Operating Systems&#8221; column of the PCI SSC&#8217;s list of PA-DSS validated applications, which shows which applications were validated on Windows XP and whether alternate validated versions are available. Before adopting any compensating control, retailers must work with their Qualified Security Assessor (QSA) and their acquirer. Regardless of the PA-DSS validation of the application, running an outdated OS platform will not make a retailer fully compliant with PCI DSS.</p>
<p>The bottom line is that organisations, individuals and businesses must upgrade their XP systems to a supported OS to protect their data, their customers' information, their brand and their income. Although many options and resources can help fend off the coming attacks, the time to act is now. Critical XP systems and complex applications that are hard to upgrade must be covered by compensating controls such as positive security solutions and regular audits, both to meet the regulatory compliance standards and to preserve the confidentiality of sensitive data and audit records.</p>
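<p>As an added example (not part of the original article), the following Python script applies the requirement 6.2 test quoted above to a constructed host inventory. It flags hosts whose OS is past vendor end-of-support and hosts whose newest applicable critical patch has been available for more than one month without being installed, and it records whether the compensating controls discussed here (network isolation and application allow-listing) are in place, so the report can be taken to the QSA. The host names, dates and the Host record layout are assumptions made for the example.</p>

```python
# Added example, not code from the original article: a PCI DSS requirement 6.2
# exposure check over a constructed host inventory.
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor end-of-support dates. Only Windows XP is needed here; the date is the one
# the article gives. Assumption: any other OS name in the inventory is supported.
VENDOR_EOL = {"Windows XP": date(2014, 4, 8)}

# Requirement 6.2: critical security patches installed within one month of release.
PATCH_WINDOW = timedelta(days=30)


@dataclass
class Host:
    name: str
    os: str
    in_cde: bool                   # stores, processes or transmits cardholder data
    newest_patch_release: date     # release date of the newest applicable critical patch
    installed_patch_release: date  # release date of the newest critical patch installed
    isolated: bool = False         # segmented from the rest of the network
    allowlisting: bool = False     # application allow-listing ("positive security") enforced


def findings(host: Host, today: date) -> list:
    """Return the requirement 6.2 findings for one host (empty list = none)."""
    result = []
    eol = VENDOR_EOL.get(host.os)
    if eol is not None and today > eol:
        # After this date no vendor patch can exist for a newly found vulnerability.
        result.append(f"unsupported OS: {host.os} (vendor support ended {eol})")
    if host.installed_patch_release < host.newest_patch_release:
        age = today - host.newest_patch_release
        if age > PATCH_WINDOW:
            result.append(f"critical patch overdue by {(age - PATCH_WINDOW).days} days")
    return result


def status(host: Host, today: date) -> str:
    """Classify a host for the compliance report."""
    if not host.in_cde:
        return "out of scope"
    issues = findings(host, today)
    if not issues:
        return "compliant"
    if host.isolated and host.allowlisting:
        # The controls reduce risk but must still be agreed with the QSA and acquirer;
        # an unsupported OS does not become compliant by itself.
        return "compensating controls in place: QSA review required"
    return "non-compliant"


def audit(inventory, today: date) -> dict:
    """Map each host name to its status."""
    return {h.name: status(h, today) for h in inventory}


# Constructed sample inventory (hypothetical hosts and dates, not real data).
SAMPLE_INVENTORY = [
    Host("pos-01", "Windows XP", True, date(2014, 3, 11), date(2014, 3, 11)),
    Host("pos-02", "Windows XP", True, date(2014, 3, 11), date(2014, 3, 11),
         isolated=True, allowlisting=True),
    Host("web-01", "Windows 7", True, date(2014, 4, 8), date(2014, 2, 11)),
    Host("web-02", "Windows 7", True, date(2014, 4, 8), date(2014, 4, 8)),
    Host("kiosk-01", "Windows XP", False, date(2014, 3, 11), date(2014, 3, 11)),
]

if __name__ == "__main__":
    report_date = date(2014, 5, 15)
    for name, verdict in audit(SAMPLE_INVENTORY, report_date).items():
        print(f"{name:10} {verdict:55} {'; '.join(findings(next(h for h in SAMPLE_INVENTORY if h.name == name), report_date))}")
```

<p>Run as a script it prints one line per host. A host with both compensating controls is deliberately never reported as "compliant": the controls lower the risk, but the page's own point stands that an outdated OS stays outside PCI DSS until the QSA and acquirer have accepted the controls.</p>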
<h1><span style="text-decoration: underline">References:</span></h1>
<p>SearchSecurity: <a href="http://searchsecurity.techtarget.com/answer/How-Windows-XP-end-of-life-conflicts-with-PCI-DSS-requirement-62">How Windows XP end-of-life conflicts with PCI DSS requirement 6.2</a></p>
<p>PCI SSC: <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf">PCI DSS Version 3.0</a> (PDF)</p>
<p>InfoSecIsland: <a href="http://www.infosecisland.com/blogview/23692-Will-the-Demise-of-XP-Shut-Down-Your-Businessor-Heart.html">Will the Demise of XP Shut Down Your Business or Heart?</a></p>
<p>Wikipedia: <a href="http://en.wikipedia.org/wiki/Windows_XP">Windows XP</a></p>
<p>Times of India: <a href="http://timesofindia.indiatimes.com/tech/tech-news/End-of-Windows-XP-Who-all-are-at-risk/articleshow/33431926.cms">End of Windows XP: Who all are at risk</a></p>
<p>BBC: <a href="http://www.bbc.com/news/technology-26884167">http://www.bbc.com/news/technology-26884167</a></p>
<blockquote><p><strong><em> Akansha Pandey<br />
MSCLIS IIIT Allahabad </em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/jan-jun14/?feed=rss2&#038;p=332</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
