CYBER SECURITY

Data deprivation makes cyber crime difficult to

tackle
.
How does it affect India

In recent times, there have been many instances of the hard-earned money of Indians
being taken out of bank accounts and charges loaded onto credit cards through online
frauds

1. We are making a huge transition to a cashless economy. So, public faith in the
digital system needs to be consistently reinforced.
2. Cybercrimes affect the emerging “startup” ecosystem. Customers of genuine
startups and Indian businesses have been subjected to online fraud.
3. The skepticism on online transactions also hurts the potential of emerging
companies that could take India to the $5 trillion economies that the country
aspires to.

How online money frauds work:

1. Fraudsters start by creating various websites or accounts on social media

platforms that host some content to make them look similar to the
authentic companies’ websites or social media interfaces.
2. Such websites and social media accounts list fake customer care
numbers for relevant brands.
3. When a customer tries to search for a company name by using a search
engine, the customer care numbers or email IDs that pop up as results are
often these fraudulent ones.
4. The customer may end up calling such a fake number, and get entrapped
by fraudsters into sharing his or her bank information, which enables the
anonymous con artists to siphon off money from the customer’s account.
5. These fraudsters send online links, asking customers to share their UPI details
or other such information.
6. Unsuspecting customers are also asked to download screen mirroring apps,
through which they gain access to information on mobile phones.

Challenges in tackling cyber crimes

1. All the players, including banks, telecom companies, financial service

providers, technology platforms, social media platforms, e-commerce
companies, and the government, need to play a responsible role.
2. The customer also has a responsibility to maintain basic cyber hygiene by
following practices and taking precautions to keep one’s sensitive information
organized, safe and secure.
3. Law enforcement agencies in different states are not fully equipped to
understand and act upon complaints of such frauds.
 4. Victims of fraud are too ashamed to admit that they have been conned, and
often do not even tell their families. If the losses are large, the results can be
devastating for fraud victims.
5. While many cases aren’t even reported, in cases that are, the
investigations make little or no progress due to lack of access to data.
6. Despite multiple requests for data from Indian Start-ups, search engines, and
social media platforms have generally been unresponsive, taking cover under
the privacy principles or laws of the countries they are based in.
7. The US Electronic Communications Privacy Act bars US-based service
providers from disclosing electronic communications to law enforcement
agencies of any country unless US legal requirements are met.
8. The bilateral mechanism of the India-US Mutual Legal Assistance Treaty is
a bit outdated and does not seem to work.
9. The US Cloud (Clarifying Lawful Overseas Use of Data) Act, however,
enables law enforcement authorities in India to request electronic content
directly from US service providers under an executive agreement with the US
government.

Data localization

 Since most search engines and social media platforms have no “permanent
establishment” in India, law enforcement agencies have hit a wall on data access for
the purpose of solving cybercrimes.
 This has often raised calls for complete data localization, which could have been
avoided had a collaborative mechanism for data access, based on agreed criteria,
been put in place.
 The Sri Krishna Commission recommended that data be stored in the country
either directly or through mirror servers to serve law enforcement needs.

I. Data localization
 The IT Ministry’s Bill on data protection
 Worldwide, the data flow debate at the World Trade Organisation (WTO) and G20.

Background

1. RBI asked payments firms to adhere to data localization norms,

suggesting these companies had to store data on Indian servers only.
2. While foreign companies are adhering to RBI’s data localization rules, they
have maintained that storing data on Indian servers would require setting
up data storage infrastructure in the country, which would increase their
costs.

The ‘Data’ under debate

 Data is any collection of information that is stored in a way so computers can

easily read it.

Why is Data important?

 This large collection of information about people’s online habits has become an
important source of profits.
 Your online activity can expose a lot about who you are, and companies find it
valuable to use the information to target advertisements to you.
 Governments and political parties have also gained interest in these data sets
for elections and policymaking.

Data Localization

1. It is a concept that the personal data of a country’s residents should be

processed and stored in that country (even if collected by foreign company). Some
directives may restrict flow entirely, while others more leniently allow for conditional
data sharing or data mirroring – in which only a copy has to be stored in the country.
2. As of now, much of cross-border data transfer is governed by individual bilateral
“mutual legal assistance treaties” (MLATs).
3. The government also argues for data localisation on the ground of national
security, to prevent foreign surveillance and attacks.

India in favour of Data Localization

 Along with a RBI directive to payment companies to localize financial data, the
Ministry of Commerce’s draft e-commerce policy is currently in public consultation.
 The IT Ministry has drafted a data protection law
 In some cases, they restrict what type of data these companies can collect.
 In others, it requires only a copy of the data to be in the country.
 By requiring a copy of the data to be stored in India (data mirroring), the
government hopes to have more direct control over these companies, including the
option to levy more taxes on them.

Arguments in Favour of data localization

1. Ensures National Security by providing ease of investigation to Indian Law

Enforcement agencies as they currently need to rely on Mutual Legal Assistance
Treaties (MLATs) to obtain access to data or any electronic evidence. This especially
gained prominence when incidences of lynching across the country were linked to
WhatsApp rumours whose stance on encrypted content frustrated government
officials.
2. It will give local governments and regulators the jurisdiction to call for the data
when required.
3. Minimises conflict of jurisdiction due to cross border data sharing and delay in
justice delivery in case of data breach.
4. Data regulation for privacy and security will have little teeth without
localisation, citing models in China and Russia.
5. Localisation would lead to a larger presence of MNC’s in India overall, such as
local offices, and increase tax liability and open more jobs.
6. Secures citizen’s data and provides data privacy and data sovereignty from
foreign surveillance. Example – Facebook shared user data with Cambridge Analytica
to influence voting.
7. Data centre industries are expected to benefit due to the data localisation which
will further create employment in India.
8. China has developed similar laws, which proponents say allow for a flourishing
domestic economy of data centres and data processing by blocking foreign players
out. This is why Indian companies, like Reliance and PayTM, usually support data
localisation.
9. The arguments in favour of data localisation are straightforward — it will
address questions on privacy and security, enable greater governmental
access to data, and help develop local data infrastructure.

Argument against data localisation

1. This, in turn, may backfire on India’s own young start-ups that are attempting
global growth, or on larger firms that process foreign data in India.
2. Even if the data is stored in the country, the encryption may still remain out of
the reach of national agencies due to company’s privacy concerns.
3. The Cyber Security Report 2017 reported that businesses in India were most at
risk to cyber security attacks. Thus, a mandatory border control provision by data
localisation may not be the solution to avoiding security breach incidents.
4. Huge costs are involved to fulfil data localisation requirements.

Data Protection Bill

 The Justice Sri Krishna Committee

 The Bill calls for a copy of user data to be mandatorily localised in India.
 A fundamental error that the Sri Krishna Committee seems to have made is in
its belief that the location of data should determine who has access to it
 The draft bill mandates local storage of data relating to Indian citizens only

Is data localisation enough?

 The reason that Indian law enforcement relies on an outdated Mutual Legal
Assistance Treaty (MLAT) process to obtain data stored by U.S. companies is because
the U.S. law effectively bars these companies from disclosing user data to foreign law
enforcement authorities
 Technology companies are allowed to share data such as content of an email or
message only upon receiving a federal warrant from U.S. authorities
 This scenario will not change even after technology companies relocate Indian
data to India
 Localisation can provide data only for crimes that have been committed in India,
where both the perpetrator and victim are situated in India
 Prevalent concerns around transnational terrorism, cyber-crimes and money
laundering will often involve individuals and accounts that are not Indian, and
therefore will not be stored in India. For investigations into such crimes, Indian law
enforcement will have to continue relying on cooperative models like the MLAT
process.

Is location sole measure of claiming data rights?

 Questions around whether access to data is determined by the location of the

user, location of data or the place of incorporation of the service provider have
become central considerations for governments seeking to solve the cross-border
data sharing conundrum
 The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed by the
U.S. Congress earlier this year, seeks to de-monopolise control over data from U.S.
authorities. The law will for the first time allow tech companies to share data directly
with certain foreign governments. This requires an executive agreement between the
 U.S. and the foreign country certifying that the state has robust privacy protections
and respect for due process and the rule of law.
 The CLOUD Act creates a potential mechanism through with countries such as
India can request data not just for crimes committed within their borders but also for
transnational crimes involving their state interests.

Ahead of G20 meet

 A principle titled “Data Free Flow with Trust” (DFFT) — supported by US, Japan,
and Australia — is expected to be a significant talking point at the upcoming G20
summit.

1. No strong data protection law – questions of privacy and security are unlikely
to be addressed.
2. Bilateral Treaties are better – aimed at addressing specific issues might be a
more prudent approach.
3. Definition of critical Data –The Sri Krishna committee report had classified
personal data pertaining to finances, health, biometric and genetic data, religious
and political beliefs, among others, as sensitive personal data.
4. A single agency – It had envisaged a data protection agency which would list
out further categories of sensitive personal data. But it is debatable whether a
single agency is best suited to draw up this list.In Canada, any data may be
sensitive based on the context — sector-specific regulators might be better at
identifying which data is sensitive.

CENTRAL WELFARE
DATABASE OF CITIZENS
 pensions, census data, e-
marriage national national
sample agricultur
e market
data, UPI
Why such centralized database?

 The governments already held a rich repository of administrative, survey,

institutional and transactions data about citizens, but these data were scattered
across numerous government bodies.
 Merging these distinct datasets would generate multiple benefits such as to
enhance ease of living for citizens, enable truly evidence-based policy, improve
targeting in welfare schemes, uncover unmet needs, and integrate fragmented
markets.
 This will bring greater accountability in public services and generate greater
citizen participation in governance, etc.
 The principle is that most data are generated by the people, of the people and
should be used for the people.

Need for stringent safeguards

 It also recommended granting access to select database to private sector for a

fee, given that stringent technological mechanisms exist to safeguard data
privacy.
 The Survey noted that there had been some discussions around the “linking” of
datasets, primarily through the seeding of an Aadhaar number across databases
such as PAN database, bank accounts and mobile numbers.
 However, it clarified that the linking is “one-way.” For example, banks can use
the tokenized Aadhaar number to combine duplicate records and weed out
benami accounts.
 This does not mean that the UIDAI or government can read the bank account
information or other data related to the individual.