Cyber Security (1)
Unit No. Topics
1 Introduction to Cyber Crime and Cyber Security
Introduction
Cybercrime and Information Security
Data Privacy and Data Protection
Difference between Data privacy and Data protection
Contraventions: Sections 43 to 45
Tools and Methods Used in Cybercrime
Phishing
Password Cracking
Keyloggers and Spywares
Virus and Worms
Trojan Horses and Backdoors
DoS and DDoS Attacks
SQL Injection
CIA triad
Digital Signature and Electronic Signature
E-commerce under Information Technology Act, 2000 and other important laws
3 Cyber Law: International Perspective
Cyber Security's main objective is to ensure data protection. The security community
provides a triangle of three related principles to protect the data from cyber-attacks.
This principle is called the CIA triad. The CIA model is designed to guide policies for
an organization's information security infrastructure. When any security breaches are
found, one or more of these principles has been violated.
Confidentiality, integrity and availability, also known as the CIA triad, is a model
designed to guide policies for information security within an organization.
Confidentiality, integrity and availability together are considered the three most
important concepts within information security.
Considering these three principles together within the framework of the "triad" can
help guide the development of security policies for organizations. When evaluating
needs and use cases for potential new products and technologies, the triad helps
organizations ask focused questions about how value is being provided in those
three key areas.
Confidentiality
Training can help familiarize authorized people with risk factors and how to guard
against them. Further aspects of training may include strong passwords and
password-related best practices, and information about social engineering methods,
so that users are not talked into bending data-handling rules with good intentions
and potentially disastrous results.
Data encryption is another common method of ensuring confidentiality. User IDs and
passwords constitute a standard procedure; two-factor authentication (2FA) is
becoming the norm. Other options include biometric verification, security tokens and
soft tokens. In addition, users can take precautions to minimize the number of places
where information appears and the number of times it is actually transmitted to
complete a required transaction.
Integrity
These measures include file permissions and user access controls. Organizations
must have some means to detect any changes in data that might occur as a result
of non-human-caused events such as an electromagnetic pulse (EMP) or server
crash. Backups or redundancies must be available to restore the affected data to its
correct state.
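As an added illustration of the "detect any changes" part (example code written for these notes, not from any source the notes cite): a minimal file-integrity check that records a SHA-256 baseline of a directory and later reports which files were added, removed or modified. The directory, file names and contents are constructed in a temporary folder.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def demo():
    """Constructed scenario in a temporary directory: take a baseline, then
    tamper with one file, delete one and drop in a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "app.cfg").write_text("debug=false\n")
        baseline = build_baseline(root)

        (root / "app.cfg").write_text("debug=true\n")             # modified in place
        (root / "etc" / "hosts").unlink()                        # removed
        (root / "etc" / "cron.bak").write_text("* * * * * x\n")  # added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline itself must be stored somewhere the monitored system cannot silently rewrite, otherwise an attacker who changes a file can also change its recorded digest.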
Availability
Bitcoin and other types of cryptocurrencies have exploded onto the market in recent years, and based
on virtual currency's popularity, it seems to be here to stay. Cryptocurrencies are digital or virtual
currencies secured by cryptography, with many using decentralized networks based on blockchain
technology – an open, distributed ledger that records transactions in code. Crypto is stored in a digital
"wallet," which can be on a website, on a computer or on an external hard drive. To put it simply,
cryptocurrencies are systems that allow for secure payments online, denominated in terms of virtual
"tokens."
Bitcoin, the first cryptocurrency that launched a little over a decade ago, was created by Satoshi
Nakamoto, who described it as "an electronic payment system based on cryptographic proof instead
of trust." Other common types of cryptocurrencies include Litecoin, Namecoin, Dogecoin, Ethereum,
Cardano and others. In March 2021, there were reportedly over 18.6 million bitcoins in circulation,
with a total market cap of around $927 billion.
Unlike the U.S. dollar, there is no physical coin or bill involved in cryptocurrency. It is a type of
digital currency that only exists electronically, with no backing from a government and no central
authority managing the value. One advantage of cryptocurrency is that it can be easily exchanged
online, using a computer or phone, usually for quick payments to avoid transaction fees charged by
traditional banks. However, due to the semi-anonymous nature of the transaction, users could be
opening themselves up to a host of different types of scams or even illegal activities like money
laundering.
In early May 2021, a ransomware attack struck the Colonial Pipeline. A hacker group known as
DarkSide forced the company to shut down over 5,000 miles of pipeline in the south-eastern United
States until the hackers received a total of $5 million in bitcoin ransom payments. Luckily, U.S. law
enforcement officials were able to recover $2.3 million of the ransom paid after identifying a virtual
currency wallet the hackers used to collect the payment. However, in total, DarkSide reportedly has
been paid $90 million in bitcoin ransom payments from 47 victims, with the average amount being
$1.9 million.
The Federal Trade Commission (FTC) states that one of the biggest signs of a cyber scam is when a
cybercriminal asks an individual or company to pay by cryptocurrency. Whenever there's a request to
pay by gift card, wire transfer or cryptocurrency, it's a major red flag that you're about to fall victim to
a cyber-attack. Once the scammer is paid in one of those ways, it becomes nearly impossible to
recover the money. Cryptocurrency can be mysterious, complicated and confusing to many people,
and as it continues to grow in popularity, so does the opportunity for crypto scams. The FTC reports
that between October 2020 and May 2021, Americans lost over $80 million to cyberattacks on
cryptocurrency.
Investment Scams
Investment scams, for example, lure individuals to websites with seemingly legitimate testimonials
and credible-looking charts and wording that make it appear an investment is growing. However, the
victim is asked to send more crypto when they attempt to withdraw their profits and soon find out
they get nothing in return.
Giveaway Scams
Giveaway scams are also popular cyberattacks on cryptocurrency. The hackers pose as well-known
investors or even celebrity figures who offer to help small investors. However, when the victim sends
their crypto, instead of growing their own investment, the money goes right into the scammer's
hands.
Scammers also have found ways to hack into crypto wallets or use bitcoin-stealing malware to
commit their attacks. What's known as ICO (initial coin offering) fraud is also a common type of
crypto scam, as victims get lured into investing in the launch of a new cryptocurrency that turns out
to be fake.
Scammers generally promise that you will make a profit, offering big payouts with guaranteed
returns or even promise free money. They may make big claims without any explanations or details.
It's important for business owners to understand where their investment is going and how it works,
so always research both the company name and the type of cryptocurrency offered.
More and more public companies and major financial institutions have begun to recognize digital
currencies, amplifying the need for crypto-related insurance policies. The Colonial Pipeline attack
was one of the most disruptive cyberattacks in history, resulting in substantial expenses, including
days of lost revenue and the $5 million ransom payment. Unlike other cybersecurity scams that target
personal data, this attack had a major impact on the entire country's infrastructure and became a
wake-up call to consumers everywhere.
There are pros and cons when it comes to businesses and cryptocurrency.
Cyber liability insurance is vital to protect a company from a wide range of cyberattacks. While
policies specifically designed for crypto-related risks remain limited, cyber liability insurance helps
cover ransomware payments, the costs associated with an investigation, data breach notifications and
legal defence should there be third-party lawsuits related to the attack.
What are the measures businesses can take to protect themselves from cryptocurrency scams?
Businesses can take a few measures to protect themselves from cryptocurrency scams.
1. Educate yourself and your employees about cryptocurrency and how it works. It will help
you spot red flags that indicate a scam.
2. Only deal with reputable exchanges and businesses. Do your research to make sure you’re
dealing with a legitimate company.
3. Keep your computer security up-to-date to protect yourself from mining malware and
other attacks.
4. Be careful when accepting cryptocurrency as payment. Make sure you understand the
risks involved before you agree to receive it.
5. If you use cryptocurrency to buy or sell goods and services, only deal with reputable
companies. Be aware of the risks involved in doing this.
Cyber Crime and Cyber Security
What is cybercrime?
Cybercrime refers to any criminal activity accomplished through using a network, technological
devices, and the internet. Common motives behind committing cybercrimes include monetary gains,
personal gains, and creating chaos within an organization or an individual’s life.
What are the common types of cyber-attacks?
Cyber theft
Cyber theft is a type of cybercrime that involves an individual stealing money, personal information,
financial data, or intellectual property through infiltrating another person or company’s system.
Fraudulent crimes such as identity theft and embezzlement can also fall under the cyber theft crimes
umbrella.
Cyberbullying
Cyberbullying refers to instances of bullying an individual online. Acts of cyberbullying include any
threat to a person’s safety, coercing a person to say or perform an action, and displays of hate or bias
towards someone or a group of people.
While children tend to fall victim to cyberbullying more often, adults are not necessarily
immune. According to a study, 40% of teenagers surveyed stated they had faced online harassment,
and 24% of adults between ages 26–35 reported having experienced cyberbullying.
Malware
Malware is a word used to refer to any program or software designed to infiltrate or damage a device.
Viruses are an example of programs that fall under the malware umbrella. Viruses perform a variety
of harmful actions once they land in a device. They may destroy files, log your keystrokes, reformat
your hard drive, or manipulate your files.
Phishing
Phishing occurs when cybercriminals pose as an organization to trick victims into sharing their
sensitive information. Oftentimes, cybercriminals successfully achieve their phishing goals by using
scare tactics such as informing the victim that their bank account or personal device is under attack.
Cyber extortion
Cyber extortion is a form of online blackmailing. In these cases, cybercriminals attack or threaten to
attack the victim and demand some form of compensation or response to stop their threats.
Ransomware
Ransomware is a type of cyber extortion which uses malware to reach its end goal. This malware
threatens to publish the victim’s data or prevent the victim from accessing her data until the
cybercriminal receives a specified amount of money.
Cryptojacking
Cryptojacking refers to when hackers use other people’s computing power to mine cryptocurrencies
without consent. Cryptojacking differs from cybercrimes that use malware to infect a device since
cryptojackers do not wish to pursue a victim’s data. Instead, cryptojackers use the processing power
of their victim’s device.
Despite seeming less harmful than other cybercrimes, individuals should not take cryptojacking
lightly because falling victim to it can significantly slow one’s device and make it vulnerable to other
cyber attacks.
Cyber spying
When hackers attack the network of a public or private entity to access classified data, sensitive
information, or intellectual properties, they commit cyber spying. Cybercriminals may use the
classified data they find for other ends, such as blackmail, extortion, public humiliation of an
individual or organization, and monetary gains.
Spyware
Spyware refers to software that cybercriminals use to monitor their victim’s activities and record their
personal information. Often, a victim accidentally downloads spyware onto their device, which is
how they unknowingly provide access to their data to a cybercriminal. Depending on the type of
spyware used, cybercriminals can access a victim’s credit card numbers, passwords, web cam, and
microphone.
Adware
Adware is the software you may accidentally install onto your computer while downloading another
application. Developers of adware programs gain monetary benefits from their activities on people’s
computers every time someone views or clicks on an advertisement window.
While some adware programs are legal and harmless, others are intrusive because of the type and
frequency of the advertisements they show. Some adware programs are illegal in many countries
because they carry spyware, viruses, and other malicious software.
Botnets
Botnets are networks of malware-infected computers. Cybercriminals infect and take control of these
computers to perform tasks online without the user’s permission, carrying out fraudulent acts without
being tracked. Their actions may include sending spam emails and carrying out targeted breaches
into a company’s assets, financial data, research data, and other valuable information.
Romance scams
Some cybercriminals use dating sites, chat rooms, and dating applications to masquerade as potential
partners and seduce people to gain access to their data.
Hacking
Hacking commonly refers to any unauthorized access to a computer system. When a hacker breaks
into the computers and networks of any company or individual without permission, they can gain
access to sensitive business information or personal and private data without authorization.
Nonetheless, not all hackers are criminals. Some hackers, often called “white hat” hackers, are hired
by software companies to find flaws and holes in their security systems. These hackers hack their way
through a company’s network to find existing flaws in their client’s system and offer them solutions
to those flaws.
Sometimes, cybercriminals or “black hat” hackers might want to go clean and turn away from crime.
In these cases, working as a security consultant for the companies they used to torment is one of the
best options. Such former attackers have more knowledge and experience of infiltrating networks than
most computer security professionals.
Cyber security solutions
What does cyber security mean?
Cyber security, sometimes referred to as IT security or computer security, is the body of technologies
and processes designed to protect computer systems, networks, and devices from the dangers of
cybercrimes. Moreover, cyber security solutions prevent damage to hardware, software, electronic
data, or any disruption or misdirection of the services they provide.
The importance of cyber security solutions stems from their ability to provide comprehensive
protection to users. If you wish to keep your networks and devices safe from unauthorized access or
malicious attacks, then consider the different types of cyber security to determine the best one for
your needs.
1. Antivirus
The first step in securing your device(s) is installing proper antivirus software on them.
Antivirus programs scan data and incoming files to detect unsafe software and remove any threats
before they cause an issue. These programs identify and eliminate known viruses, worms, and
malware based on what is available in their extensive database.
2. Internet security
Internet security programs establish measures against attacks over the internet to ensure the security
of devices and networks. These programs prevent attacks targeted at browsers, networks, operating
systems, and other applications.
Internet security software uses many methods to protect the transfer of data, including encryption
and from-the-ground-up engineering. The most common and significant ones include firewalls,
access controls, data loss prevention (DLP), distributed denial-of-service prevention, and email
security.
3. Firewall
Firewalls act as filters that allow or deny access to a network, thus protecting the devices connected to
it. Firewalls keep harmful files away and prevent malicious code from being embedded into
networks. Apart from that, they also screen and block dangerous traffic.
Moreover, firewalls create checkpoints between an internal private network and the public internet.
They limit network exposure by hiding your private network system and information from the public
internet.
4. Endpoint security
Endpoint security refers to a software approach for ensuring that all the endpoint devices, such as
computers, tablets, scanners, and others, connected to a network remain safe. Such devices serve as
access points to an enterprise network since they offer attack paths and points of entry that malicious
files can exploit. Therefore, endpoint security aims to secure every endpoint to avoid potential
threats.
Moreover, network administrators can use endpoint security solutions to restrict the use of sensitive
data and access to certain websites to maintain compliance with the policies and standards of the
organization.
These features make endpoint security solutions particularly well-suited for small and large
organizations.
Cyber security
Cyber Crime
It refers to all criminal activities carried out using communication devices such as
computers, mobile phones and tablets, the internet, cyber space and the World Wide
Web. Cyber crimes are a new class of crimes that is rapidly expanding due to the
extensive use of the internet.
E.g. phishing, cyberstalking, identity theft, etc.
Cyber Law
The law that governs cyber space. It is the term used to describe legal issues
related to the use of communication technology, particularly cyber space, i.e.
the internet. It is an attempt to apply laws designed for the physical world to
human activity on the internet.
Cyber security
It means protecting equipment, devices, computers, computer resources,
communication devices and the information stored therein from unauthorized
access, use, disclosure, disruption, modification or destruction. The term
incorporates both the physical security of devices and the information
stored on them.
Cyber crimes
1. Email spoofing
A spoofed email is the one that appears to originate from
one source but actually has been sent from another source.
2. Spamming
Spam is the abuse of electronic messaging system to send
unsolicited bulk messages indiscriminately.
3. Internet time theft
Such theft occurs when an unauthorized person uses the internet hours paid
for by another person. It comes under hacking because the person who gets
access to someone else’s ISP user ID and password, either by hacking or by
gaining access to it by illegal means, uses it to access the internet without
the other person’s knowledge.
One can identify time theft if the internet time has to be recharged
often, even when one’s own use of the internet is not frequent.
The issue of internet time theft is related to the crimes conducted
through “identity theft”.
4. Salami attack
These attacks are used for committing financial crimes.
The idea here is to make the alterations so insignificant that in a single
case they would go completely unnoticed.
e.g. A bank employee inserts a program into the bank servers that
deducts a small amount of money, say Rs. 2, from the account of every
customer. No account holder will probably notice this unauthorized
debit, but the bank employee will make a sizable amount every month.
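Two reconciliation controls that catch the Rs. 2 scenario above, written as an added example for these notes (not code from any source the notes cite): a double-entry check that every posting batch nets to zero, and a pattern check that flags one small debit applied across many accounts whose offsetting credit lands in a single account. The ledger postings, account names, batch ids, thresholds and the approved_memos allow-list are all constructed for the example.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed ledger postings: (batch id, account, amount, memo).
# Negative amounts are debits, positive amounts are credits.
POSTINGS = [("B1", f"ACC-{i:03d}", Decimal("-2.00"), "svc adj") for i in range(1, 9)]
POSTINGS += [
    ("B1", "ACC-999", Decimal("16.00"), "svc adj"),    # Rs. 2 x 8 lands in one account
    ("B2", "ACC-003", Decimal("-500.00"), "transfer"),
    ("B2", "ACC-004", Decimal("500.00"), "transfer"),   # ordinary transfer, balances
]
POSTINGS += [("B3", f"ACC-{i:03d}", Decimal("-5.00"), "monthly fee") for i in range(1, 7)]
POSTINGS += [
    ("B3", "FEES", Decimal("30.00"), "monthly fee"),    # legitimate, scheduled fee run
    ("B4", "ACC-020", Decimal("-2.00"), "svc adj"),     # debit with no offsetting credit
]


def unbalanced_batches(postings):
    """Double-entry control: every batch of postings must net to zero."""
    totals = defaultdict(Decimal)
    for batch, _account, amount, _memo in postings:
        totals[batch] += amount
    return sorted(batch for batch, total in totals.items() if total != 0)


def find_salami_patterns(postings, min_accounts=5, max_amount=Decimal("10.00"),
                         approved_memos=frozenset()):
    """Flag one small debit repeated across many accounts in a batch, and name
    the account(s) in that batch credited with at least the skimmed total.
    Memos in approved_memos (known fee schedules) are skipped to avoid
    flagging legitimate bulk deductions."""
    debited = defaultdict(list)                           # (batch, memo, amount) -> accounts
    credited = defaultdict(lambda: defaultdict(Decimal))  # batch -> account -> credit total
    for batch, account, amount, memo in postings:
        if amount < 0:
            debited[(batch, memo, -amount)].append(account)
        else:
            credited[batch][account] += amount

    findings = []
    for (batch, memo, amount), accounts in debited.items():
        if memo in approved_memos or amount > max_amount or len(set(accounts)) < min_accounts:
            continue
        skimmed = amount * len(accounts)
        beneficiaries = sorted(acct for acct, total in credited[batch].items()
                               if total >= skimmed)
        findings.append({"batch": batch, "memo": memo, "amount": amount,
                         "accounts": len(accounts), "total": skimmed,
                         "beneficiaries": beneficiaries})
    return findings


if __name__ == "__main__":
    print("unbalanced batches:", unbalanced_batches(POSTINGS))
    for finding in find_salami_patterns(POSTINGS, approved_memos=frozenset({"monthly fee"})):
        print(finding)
```

Without the allow-list the scheduled fee run in batch B3 is reported too, which is the usual source of false positives for this kind of check.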
5. Web Jacking
Web jacking occurs when someone forcefully takes control
of the website (by cracking the password and later changing it). Thus the
first stage of this crime involves password sniffing. The actual owner of
the website doesn’t have any more control over what appears on that
website.
6. Hacking
It may be done for the following reasons:
a. greed
b. power
c. publicity
d. revenge
e. adventure
7. Software Piracy
The Cyber Crime Investigation Cell of India defined software
piracy as theft of software through the illegal copying of genuine
programs, or the counterfeiting and distribution of products intended to
pass as the original.
e.g. a. End-user copying: friends loaning disks to each other.
b. Hard disk loading: hard disk vendors load pirated software by illicit
means.
c. Counterfeiting: large-scale duplication and distribution of illegally copied
software.
d. Illegal downloads from the internet: by intrusion, by cracking serial
numbers, etc.
The following problems may be faced on buying pirated software.
a. Getting untested software that may have been copied thousands of
times over.
b. Pirated software may contain hard-drive-infecting viruses.
c. There is no technical support in the case of software failure, i.e. the
technical product support available to properly licensed users is lacking.
d. There is no warranty protection.
e. There is no legal right to use the product.
a. Traditional techniques
This is paper-based fraud wherein a criminal
uses stolen or fake documents such as utility bills and bank
statements that can build up useful personally identifiable
information to open an account in someone else’s name. Illegal use
of lost and stolen cards is another form of traditional technique.
A credit card is stolen either by pickpocketing or from the postal service
before it reaches its final destination.
b. Modern techniques
Sophisticated techniques enable criminals to
produce fake and doctored cards. Skimming is also used to commit
frauds. Skimming is where the information held on either the
magnetic strip on the back of the credit card or the data stored on
the smart chip is copied from one card to another. Site cloning and
false merchant sites on the internet are becoming a popular method
of fraud. Such bogus or fake sites are designed to make users hand over their
credit card details without realizing that they have been directed to a
fake web link or website.
Do’s
1) Put your signature on the card immediately upon its receipt.
2) Change the default personal identification number (PIN) received
from the bank before doing any transaction.
3) Always carry the details about contact numbers of your bank in
case of loss of your card. Report the loss of card immediately in
your bank and at the police station if necessary.
4) Ensure the legitimacy of website before providing any of your card
details.
5) Preserve all the receipts to compare with credit card invoice.
Don’ts
15. Password cracking
It is the process of recovering passwords from data that
has been stored in or transmitted by a computer system. It is
categorized into:
a) Online attack
An attacker can create a script file that will be executed to try each
password in a list; when one matches, the attacker can gain access
to the system. The most common online attack is the man-in-the-
middle attack. It is a form of active eavesdropping in which the
attacker establishes a connection between a victim and the server to
which the victim is connected. When the victim client connects to the
fraudulent server, the man-in-the-middle server intercepts the call,
hashes the password and passes the connection to the victim’s
server. This type of attack is used to obtain passwords for email
accounts on public websites such as Gmail and Yahoo, and also to get
passwords for financial websites by attackers who would like to gain access
to banking websites.
b) Offline attacks
Offline attacks are mostly performed from a location other than the
target (i.e. either a computer system or while on the network) where
these passwords reside or are used. Offline attacks usually require
physical access to the computer and copying the password file from
the system onto removable media.
a. Dictionary attack
Attempts to match all the words from a dictionary to get the
password.
b. Brute-force attack
Attempts all possible permutations and combinations of letters,
numbers and special characters.
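The online attack described above (a script trying each password in a list) leaves a trail in authentication logs. As an added example for these notes (not code from any source the notes cite), the following detector parses sshd-style log lines and flags a burst of failures from one source, a login accepted while such a burst is still in the window, and one source cycling through many usernames. The log lines, addresses and usernames are constructed; the window and thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style authentication log (not a real capture).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 5001
2024-03-01T10:00:02 sshd[101]: Failed password for alice from 203.0.113.7 port 5002
2024-03-01T10:00:03 sshd[101]: Failed password for alice from 203.0.113.7 port 5003
2024-03-01T10:00:04 sshd[101]: Failed password for alice from 203.0.113.7 port 5004
2024-03-01T10:00:05 sshd[101]: Failed password for alice from 203.0.113.7 port 5005
2024-03-01T10:00:06 sshd[101]: Accepted password for alice from 203.0.113.7 port 5006
2024-03-01T10:00:20 sshd[102]: Failed password for bob from 198.51.100.9 port 6001
2024-03-01T10:05:00 sshd[103]: Failed password for bob from 198.51.100.9 port 6002
2024-03-01T10:10:00 sshd[104]: Failed password for bob from 198.51.100.9 port 6003
2024-03-01T10:10:01 sshd[105]: Failed password for root from 192.0.2.44 port 7001
2024-03-01T10:10:02 sshd[105]: Failed password for admin from 192.0.2.44 port 7002
2024-03-01T10:10:03 sshd[105]: Failed password for test from 192.0.2.44 port 7003
2024-03-01T10:10:04 sshd[105]: Failed password for guest from 192.0.2.44 port 7004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log):
    """Turn log lines into events; lines that are not auth results are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, window=60, fail_threshold=5, user_threshold=3):
    """Per source address, keep the failures inside a sliding window and flag:
    guessing_burst      - fail_threshold failures within the window,
    success_after_burst - a login accepted while such a burst is in the window,
    password_spray      - user_threshold distinct usernames within the window."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        recent = []  # failures from this address still inside the window
        for ev in evs:
            recent = [f for f in recent if (ev["ts"] - f["ts"]).total_seconds() <= window]
            if ev["ok"]:
                if len(recent) >= fail_threshold:
                    findings.append({"kind": "success_after_burst", "ip": ip,
                                     "user": ev["user"], "failures": len(recent)})
                continue
            recent.append(ev)
            if len(recent) == fail_threshold:
                findings.append({"kind": "guessing_burst", "ip": ip, "failures": len(recent)})
            users = {f["user"] for f in recent}
            if len(users) == user_threshold:
                findings.append({"kind": "password_spray", "ip": ip, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

A patient attacker who spaces attempts beyond the window (198.51.100.9 in the sample) is missed at the default settings, which is why the window and threshold are parameters rather than constants.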
Hardware keyloggers
17. Spyware
Spyware is a type of malware that is installed on computers and
collects information about users without their knowledge. The
presence of spyware is typically hidden from the user. It is secretly
installed on the user’s personal computer. Spyware programs collect
personal information about the victim such as internet surfing habits
and the websites visited. Spyware may also have the ability to change
computer settings, which may result in a slower internet
connection and slower response times, leading the user to
complain to their internet service provider about the connection
speed.
The future of technology is truly mind-blowing. Artificial intelligence, robotics, quantum computing, augmented/virtual
reality, and IoT represent only a fraction of the major technological advancements that are set to reshape our world in the
coming years.
One of the most exciting and anticipated advancements, it appears, is the metaverse: a virtual space where individuals can
socialise and engage in various activities, such as concerts, video games, workspaces and so much more. The metaverse has
the potential to create new markets and industries that haven’t even been thought of until now; however, as with any new
innovation, the metaverse comes with its own set of risks and challenges.
Due to the sheer amount of data that they contain, metaverse platforms are susceptible to a number of system disruptions,
which may result in major inconveniences for users, and in some cases, financial losses if transactions are disrupted.
Additionally, such outages may be caused by malicious actors with the intent to destabilise and disrupt the platform,
highlighting the importance of users remaining vigilant when online.
We are all probably guilty of spending a little too long looking at our screens. However, prolonged screen exposure and
extensive social media engagement, especially relating to that of the metaverse, may begin to have an effect on the
psychological well-being of the user. Extended time spent in virtual worlds could also begin to significantly disrupt sleep
patterns and quality, which would result in the users’ behaviour changing in the real world, potentially affecting work,
relationships, and simple daily routines.
There are a number of aspects in the metaverse, including virtual currencies, digital property, and user-generated content,
which have legal implications that remain unclear or are not understood at this time.
Ransomware attacks
Ransomware refers to malicious software that has been designed to encrypt users’ data, preventing both the user and others
from accessing it. Following this encryption, a message will typically be displayed on the screen with the hacker demanding
a specific sum of money in order for the user to restore access to their data. A user’s metaverse profile contains a wealth of
information, often including sensitive data, far beyond that of a typical social media page, which renders it highly vulnerable
to these types of attacks.
Collection of unauthorised data
Data collection is an integral component of the metaverse experience. As users engage in these virtual environments, the
platform gathers information about their actions and preferences, even their physical attributes through avatars, which can
possibly lead to an increased risk of discrimination. Once accumulated, this data can then be used for unwanted targeted
advertising or sold to third parties for financial gain, heightening the risk of unauthorised use of personal data. As well as
this, businesses may no longer require an individual's consent or independent verification to access and maintain their data,
due to the metaverse’s decentralised nature.
Identity Theft
The decentralised structure of the metaverse makes it considerably easier for cybercriminals to stealthily access users' data,
resulting in private information being more susceptible to fraud or unauthorised access to their accounts or services. Identity
theft in the metaverse is a cause for concern, as there are no current measures to prevent a user from creating a digital avatar
that replicates another person's identity and appearance.
To address these issues effectively, user authentication needs to be implemented, combining biometric verification with
multi-factor authentication and integrating blockchain technology. Through the use of biometric data like fingerprints, facial
recognition, and voice recognition, we will begin to see a reduction in identity theft and fraud risks, since biometric data is
considerably more challenging to replicate compared to conventional identification methods.
Data Privacy and Data Protection
1. Data Privacy:
Data privacy refers to the proper handling of data, meaning how an organization or user
determines whether, and which, data is to be shared with third parties. Data privacy is
important as it keeps some data secret from others/third parties. Data privacy is all about
authorized access. It is also called information privacy.
Example –
In a bank, a lot of customers have accounts for monetary transactions. So the bank
needs to keep customers’ data private, so that customers’ identities stay safe and protected
as much as possible by minimizing any external risks; it also helps in maintaining the
reputation of the bank.
2. Data Protection:
Data protection refers to the process of keeping important information safe. In simple
terms, it refers to protecting data against unauthorized access, which leads to no corruption, no
compromise, no loss and no security issues with the data. Data protection applies to all forms
of data, whether personal data or organizational data.
Example –
A bank has a lot of customers, so the bank needs to protect all types of data, including the
bank’s own records as well as customer information, from unauthorized access to keep
everything safe and to ensure everything is under the control of the bank administration.
The terms Data Privacy and Data Security are used interchangeably and seem to be the same.
But actually they are not the same. In reality they can have different meanings depending
upon the actual process and use. But it is certain that they are very closely interconnected and one
complements the other during the entire process. So, now let’s see how Data Privacy
differs from Data Protection in the table below.
06. Data Privacy: Data privacy controls mainly exist at the end-user level. The user knows
which data is shared with whom and which data they can access.
    Data Protection: Data protection is mainly controlled at the organization or company end.
They take all the required measures to protect their data from being exposed to illegal activities.
07. Data Privacy: Data privacy teams are made up of experts in law-making and policy, and
some engineering experts.
    Data Protection: Data protection teams are made up of experts from technical and security
backgrounds, etc.
The main revenue source for social media applications is selling advertisements, but
this is not the only way. Take Facebook, for example. Facebook does
user profiling on the basis of demographics, the brands you like, the movies you
see etc. and shows you the relevant advertisements, links for apps of your interest and so
on.
Facebook even keeps a track of all the activities that you do in offline world, that are not
even shared on the platform.
Please read the Terms and Conditions carefully.
Go through the privacy settings in your account. Don’t rely on default settings.
Stop clicking on posts like “Check your death day”, “Find which celebrity you look like”
and so on.
Install good antivirus software on your laptop and phone.
Turn off your location. Some sites even keep track of your activities in the offline world,
but turning off location will at least limit the loss as far as possible.
Never leave your account logged in. You are in a way inviting cyber criminals to hack
your account or act as an impostor.
Always check and analyse your post before posting. Try not to put too many revealing
photos online.
Always create a strong password for each site and change it at regular intervals. Never
set the same password for multiple sites.
Below is a list of a few security threats that we might face in social media accounts:
1. Most social networking sites hold information like your birthday or email address. A
hacker can break into your email account using such social information and gain access
to all the information he/she wants. You don’t need to hide all information; you just
need to take the following precautions:
Always set strong passwords. Don’t go for easy passwords built from your
birthday, your child’s name etc., i.e., from information that is easily
accessible from the social media account.
Don’t reveal too much information in a post. Be careful with what you post
online. For example, if I write “Happy Mother’s Day Mumma Richa Sahani”,
one can now guess the answer to one of my security questions, “What is
your Mother’s Maiden Name?”. This is how thieves get information by simply
analysing your posts; they gather so much information that they can even
compromise your account.
Don’t reveal your location. Try to keep the location section either blank
or set to a false location.
Do not use social media accounts from untrusted devices and networks in
hotels, cafés, hospitals etc.
Do not elect to remember passwords/passphrases for social media accounts
when offered by web browsers.
2. With the advent of social media like Twitter, URL shorteners came into the picture.
Twitter allows a post to be a maximum of 280 characters, thus limiting the size and
amount of information that can be shared. Shortened URLs can trick users into visiting
harmful sites since the full URL is not visible. It is best to keep the following points
in mind before clicking on a shortened URL to avoid being hacked:
Before clicking a link, place the cursor on the shortened URL. This will
show the complete URL and give you an idea of where the full URL actually
points.
Check the shortened URL using services available online, like Sucuri, to
see whether the link is secure or not.
Use services like URL Void or MyWOT to check the safety status of the link.
3. Avoid posting too many details online. Would you ever stand in the middle of a crowd
and shout that you are going on a vacation to such and such a place? So why post every
detail of your trip on social media, like “Travelling to London, United Kingdom from Air
India Business Lounge New Delhi”? You are clearly handing your house keys to burglars.
Take the following precautions when posting any information online:
Avoid posting specific travel plans and itineraries. Never mention exact
dates and times.
Never post photos during the trip. Post them after you return home from
the vacation.
Try to stay offline during the vacation.
Use the highest privacy controls so that only selected groups, like family
and selected friends, can view your status updates and photos.
4. Have you ever wondered how, after we view a product on Flipkart and then open another
site, that site shows advertisements related to the product we searched for earlier on
Flipkart? Every time we visit a website, it puts an invisible marker, called a cookie in
technical terms, on our computer. The job of these cookies is to track user activity as
we navigate from one site to another. This is why we see advertisements matching our
interests on the new page we open. Cookies are a major loophole in the whole security
picture. Most sites provide an option to opt out of tracking, but if you don’t get that
option, be careful to clear the cache and cookies in your browser regularly.
I hope that after such a detailed discussion on privacy and security in social media, you
will try to implement these steps and achieve a private and secure social media account.
There is a cool new gaming app available online. Now, what do you do if you want to
download it? Well, you quickly run through the terms and conditions without looking and
then move right on to the game. And what if a site wants to store your credit card
information? You may allow it to do this so that you don’t have to enter the data again
and again.
But have you ever wondered what happens to the data that you so casually share online?
This data may end up in the hands of third-party companies that use it to analyze your
online habits and create a profile that can be used in various ways like customized ads etc.
And that’s the relatively harmless option. In the worst-case scenario, your online data can
also be used maliciously to cause great personal or financial harm. So what are the steps
you can take to protect your online data privacy and prevent these things from occurring?
This article provides some basic tips that will make your online presence much more
private and secure.
But what anonymous mode can do for you is block cookies so that most online tracking of
you is defeated. Normally you see ads on websites that are tailored according to your
browser history and the sites you have visited. This is achieved using cookies that store
information about your online interactions. And browsing in Anonymous Mode is the first
step in blocking these cookies and achieving more privacy online.
Do you ever wonder how the search engine you are using is making money? How are they
paying for the service they are offering you? Well, there are only two ways for a search
engine to do that: either donations from people or profits from ads.
And if the search engine is free for you, then most likely it’s making money using you!!!
Search engines record all your data from your searching habits, such as your likes and
dislikes, your personal information, etc. Then they sell this customer-profile data to
various advertisers and make money from it.
In case you wish to avoid that, use a search engine that is funded by donations and is
privacy oriented. Some examples of these alternate search engines that you can use
are DuckDuckGo, Qwant, Startpage, etc.
Most messaging apps employ encryption, but it’s only encryption in transit which means
that your encrypted messages are decrypted on the provider’s side and then stored in
servers. But that’s hardly safe! So it’s best to use end-to-end encrypted messaging apps to
provide you some privacy. The most popular end-to-end encrypted messaging app that
you can use is WhatsApp. Other options are Viber, LINE, Telegram, etc.
Do you think that if you are browsing the internet from your home connection your data is
safe? In fact, there is a high chance that your internet service provider may actually be
collecting and selling your browsing data to third parties. And it’s not even illegal to do
so, since the data protection laws are quite unclear.
You can use a VPN (Virtual Private Network) that creates a private network across a
public network. So your data will be encrypted in this manner and no other third party
will be able to view it. Some of the good VPN services for usage
are ExpressVPN, NordVPN, Hotspot Shield, IPVanish etc.
You can always improve your online privacy and increase your security by using
some extensions and online security tools. For example: Make HTTPS Everywhere
extension your best friend as it will encrypt your communication with most websites
leading to a secure connection with fewer chances of anyone snooping in.
The Ghostery Browser Extension is another great option as that will make your online
browsing much safer by detecting and blocking all the third-party data-tracking items.
Also, another great online security tool is AdBlock. This handy little tool will filter out all
the annoying ads you don’t want and also protect you from malicious ads that can be used
to infect your machine.
Another free cybersecurity tool is CheckShortURL that checks where shortened URLs are
taking you because double-checking is always good!
You should definitely not use public storage services that are meant for sharing data to
store private information, as that is hardly safe! For example, it’s not a good idea to
store your passwords or other confidential information in Google Docs, as it is relatively
easy to access them from there.
Similarly, don’t store important scans or other documents in your Dropbox unless they are
in an encrypted archive.
Always assume that all information stored on public storages may actually become public
at some point (accidentally or on purpose) and so store that information accordingly.
There is no encryption on public Wi-Fi networks and so anyone can snoop onto your
connections and access your data.
So if you are just using public Wi-Fi networks, you are risking the loss of your personal
information, the leakage of your digital identity and even loss of money in the worst cases.
So always avoid transmitting any sensitive data like logins, credit card data,
passwords, etc. over public Wi-Fi if you are using it. Also, use a VPN as that creates a
private network across the public Wi-Fi network. So your data will be encrypted in this
manner and no other third party will be able to view it.
Using weak or basic passwords to secure your important information is like keeping the
key next to the lock! So make sure to keep secure and complex passwords for your data if
you want them to be useful. Passwords should be sufficiently long and complex, with at
least 12 characters including upper- and lower-case letters, numbers and special
characters. Also, never use personal information like your name, birthday, pet’s name, etc.
for your password, as that is easy information to guess.
Another basic thing to remember is that you should not use the same password for
multiple applications. Now it may be difficult to remember multiple unique passwords
but it is worth it if you want to protect your data.
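The policy in the two paragraphs above, together with the earlier social-media advice not to build a password from a birthday or a child’s name, can be checked mechanically. What follows is an added example written for this page, not code from the original text: it checks a candidate password against the stated length and character-class rules and then against tokens derived from a constructed sample profile. The profile layout (name, pet, mother’s maiden name, birthday) and the set of birthday digit formats are assumptions.

```python
"""
Checks a candidate password against the policy described above: at least
12 characters mixing upper- and lower-case letters, digits and special
characters, and nothing taken from information an attacker could read off
a social media profile (name, birthday, pet's name).
Added example for this page; the profile layout is an assumption.
"""
import re
from datetime import date

MIN_LENGTH = 12
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Constructed sample profile, standing in for what a social media account
# exposes publicly (not a real person).
SAMPLE_PROFILE = {
    "name": "Richa Sahani",
    "pet": "Bruno",
    "mother_maiden_name": "Sharma",
    "birthday": date(1995, 8, 14),
}


def birthday_tokens(birthday: date) -> set[str]:
    """Digit strings an attacker would try from a known birthday
    (year, day-month, month-day, and the full date in common orders)."""
    d, m, y = birthday.day, birthday.month, birthday.year
    return {
        f"{y}",
        f"{d:02d}{m:02d}", f"{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}{y}", f"{y}{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{y % 100:02d}", f"{m:02d}{d:02d}{y % 100:02d}",
    }


def personal_tokens(profile: dict) -> set[str]:
    """Lower-cased words (3+ characters) and date fragments derived from the profile."""
    tokens = set()
    for key in ("name", "pet", "mother_maiden_name"):
        for part in re.split(r"\W+", profile.get(key, "")):
            if len(part) >= 3:
                tokens.add(part.lower())
    if profile.get("birthday"):
        tokens |= birthday_tokens(profile["birthday"])
    return tokens


def check_password(password: str, profile: dict) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    # Case-insensitive substring match against everything the profile gives away.
    lowered = password.lower()
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            problems.append(f"contains personal information: {token!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Bruno1995!!abc", "correct-Horse7Battery"):
        verdict = check_password(candidate, SAMPLE_PROFILE) or ["OK"]
        print(f"{candidate:24} {'; '.join(verdict)}")
```

The personal-information check is deliberately a substring match: a password such as "Bruno1995!!abc" satisfies every character-class rule yet is rejected because both the pet’s name and the birth year appear in the sample profile, which is exactly the kind of password the social-media section warns against.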
Websites use cookies to gather information relating to your browsing history. These
websites can also sell this analysis based on customer profiles to various third parties and
make money off that. In case you wish to avoid that, make sure you have at least some
control over where your data ends up. Therefore, it is best to control your cookies settings
so that websites cannot access your data without your permission. You can do this
on Chrome by clicking Cookies under Privacy and Security and then clicking off the
cookies.
The biggest mistake you can make is to keep on using the default settings, as social
media companies make money the same way search engines do: by selling all your online
data to the highest bidder!
Adjust your social media privacy settings to provide the maximum possible privacy. For
example, you can change the privacy settings on Facebook to regulate which of your posts,
locations, faces, etc. are freely available.
Data Protection Laws in India
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one's privacy
caused by the collection, storage and dissemination of personal data.
Personal data generally refers to the information or data which relate to a person who can be identified from that information
or data whether collected by any Government or any private organization or an agency.
India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in
India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified
law on the subject of data protection is likely to be introduced in India in the near future.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and
punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in
respect of personal data.
Granting legal recognition to all transactions done through electronic data exchange, other means of electronic
communication or e-commerce in place of the earlier paper-based communication.
Providing legal recognition to digital signatures for the authentication of any information or matters requiring
authentication.
Facilitating the electronic filing of documents with different Government departments and also agencies.
Providing legal sanction and also facilitating the electronic transfer of funds between banks and financial
institutions.
Granting legal recognition to bankers for keeping the books of accounts in an electronic form. Further, this is
granted under the Evidence Act, 1891 and the Reserve Bank of India Act, 1934.
Features of the Information Technology Act, 2000
a. All electronic contracts made through secure electronic channels are legally valid.
c. Security measures for electronic records and also digital signatures are in place
d. A procedure for the appointment of adjudicating officers for holding inquiries under the Act is finalized
e. Provision for establishing a Cyber Regulatory Appellant Tribunal under the Act. Further, this tribunal will
handle all appeals made against the order of the Controller or Adjudicating Officer.
f. An appeal against the order of the Cyber Appellant Tribunal is possible only in the High Court
g. Digital Signatures will use an asymmetric cryptosystem and also a hash function
h. Provision for the appointment of the Controller of Certifying Authorities (CCA) to license and regulate the
working of Certifying Authorities. The Controller to act as a repository of all digital signatures.
j. Senior police officers and other officers can enter any public place and search and arrest without warrant
k. Provisions for the constitution of a Cyber Regulations Advisory Committee to advise the Central Government
and Controller.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011. The Rules only deal with protection of "Sensitive personal data or information
of a person", which includes personal information relating to:
Passwords;
Financial information such as bank account or credit card or debit card or other payment instrument details;
Physical, physiological and mental health condition;
Sexual orientation;
Medical records and history;
Biometric information.
The Rules lay down the reasonable security practices and procedures that a body corporate, or any person who on behalf of
a body corporate collects, receives, possesses, stores, deals with or handles information, is required to follow while dealing
with "sensitive personal data or information". In case of any breach, the body corporate or any other person acting on its
behalf may be held liable to pay damages to the person so affected.
Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and
intentionally, without the consent of the person concerned and in breach of a lawful contract, has also been made
punishable with imprisonment for a term extending to three years and a fine extending to Rs 5,00,000.
It is to be noted that s 69 of the Act, which is an exception to the general rule of maintenance of privacy and secrecy of the
information, provides that where the Government is satisfied that it is necessary in the interest of:
It may by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be
intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer
resource. This section empowers the Government to intercept, monitor or decrypt any information including information of
personal nature in any computer resource.
Where the information is such that it ought to be divulged in public interest, the Government may require disclosure of such
information. Information relating to anti-national activities which are against national security, breaches of the law or
statutory duty or fraud may come under this category.
The Information Technology Act, 2000 (hereinafter referred to as the "IT Act") is an act to provide legal recognition
for transactions carried out by means of electronic data interchange and other means of electronic communication,
commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of
communication and storage of information, and to facilitate electronic filing of documents with Government agencies.
The Government has also notified the Information Technology (Procedures and Safeguards for Blocking for Access of
Information) Rules, 2009, under section 69A of the IT Act, which deals with the blocking of websites. The Government has
blocked the access of various websites.
Penalty for Damage to Computer, Computer Systems, etc. under the IT Act
Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, on any person who does any of the following acts:
2. downloads, copies or extracts any data, computer data base or information from such computer, computer system or
computer network including information or data held or stored in any removable storage medium;
3. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or
computer network;
4. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any
other programmes residing in such computer, computer system or computer network;
6. denies or causes the denial of access to any person authorised to access any computer, computer system or computer
network by any means; (g) provides any assistance to any person to facilitate access to a computer, computer system or
computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
7. charges the services availed of by a person to the account of another person by tampering with or manipulating any
computer, computer system, or computer network, he shall be liable to pay damages by way of compensation to the person
so affected.
8. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it
injuriously by any means;
9. steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used
for a computer resource with an intention to cause damage.
Tampering with Computer Source Documents as provided for under the IT Act, 2000
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer
source code used for a computer, computer programme, computer system or computer network, when the computer source
code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to
three years, or with fine which may extend up to Rs 2,00,000, or with both.
Section 66 provides that if any person, dishonestly or fraudulently does any act referred to in section 43, he shall be
punishable with imprisonment for a term which may extend to three years or with fine which may extend to Rs 5,00,000 or
with both.
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person
who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured
access to any electronic record, book, register, correspondence, information, document or other material without the consent
of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which
may extend to two years, or with fine which may extend to Rs 1,00,000, (approx. US$ 3,000) or with both.
Section 10A was inserted in the IT Act which deals with the validity of contracts formed through electronic means which
lays down that contracts formed through electronic means "shall not be deemed to be unenforceable solely on the ground that
such electronic form or means was used for that purpose".
The following important sections have been substituted and inserted by the IT Amendment Act, 2008:
3. Section 66A – Punishment for sending offensive messages through communication service, etc. (This provision had been
struck down by the Hon'ble Supreme Court as unconstitutional on 24th March 2015 in Shreya Singhal vs. Union of India)
4. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device.
5. Section 66C – Punishment for identity theft.
10. Section 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc, in electronic
form.
11. Section 67B – Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc, in
electronic form.
13. Section 69 – Powers to issue directions for interception or monitoring or decryption of any information through any
computer resource.
14. Section 69A – Power to issue directions for blocking for public access of any information through any computer
resource.
15. Section 69B – Power to authorize to monitor and collect traffic data or information through any computer resource for
cyber security.
16. Section 72A – Punishment for disclosure of information in breach of lawful contract.
Email spoofing is possible due to the way email systems are designed. Outgoing
messages are assigned a sender address by the client application; outgoing email
servers have no way to tell whether the sender address is legitimate or spoofed.
The goal of email spoofing is to trick users into believing the email is from someone
they know or can trust—in most cases, a colleague, vendor or brand. Exploiting that
trust, the attacker asks the recipient to divulge information or take some other action.
As an example of email spoofing, an attacker might create an email that looks like it
comes from PayPal. The message tells the user that their account will be suspended
if they don’t click a link, authenticate into the site and change the account’s
password. If the user is successfully tricked and types in credentials, the attacker
now has credentials to authenticate into the targeted user’s PayPal account,
potentially stealing money from the user.
More complex attacks target financial employees and use social engineering to trick
a targeted user into sending millions to an attacker’s bank account.
To the user, a spoofed email message looks legitimate, and many attackers will take
elements from the official website to make the message more believable.
Types of spam
Email spam filters catch many of these types of messages, and phone carriers often
warn you of a “spam risk” from unknown callers. Whether via email, text, phone, or
social media, some spam messages do get through, and you want to be able to
recognize them and avoid these threats.
Phishing emails
Phishing emails are a type of spam cybercriminals send to many people, hoping to
“hook” a few people. Phishing emails trick victims into giving up sensitive information
like website logins or credit card information.
Email spoofing
Spoofed emails mimic, or spoof, an email from a legitimate sender, and ask you to
take some sort of action. Well-executed spoofs will contain familiar branding and
content, often from a large well-known company such as PayPal or Apple. Common
email spoofing spam messages include:
In a tech support scam, the spam message indicates that you have a technical
problem and you should contact tech support by calling the phone number or clicking
a link in the message. Like email spoofing, these types of spam often say they are
from a large technology company like Microsoft or a cybersecurity company like
Malwarebytes.
If you think you have a technical issue or malware on your computer, tablet, or
smartphone, you should always go to the official website of the company you want to
call for tech support to find the legitimate contact information.
This type of spam promises a financial reward if you first provide a cash advance.
The sender typically indicates that this cash advance is some sort of processing fee
or earnest money to unlock the larger sum, but once you pay, they disappear.
While it may not be possible to avoid spam altogether, there are steps you can take
to help protect yourself against falling for a scam or getting phished from a spam
message:
All of us can fall victim to phishing attacks. We may be in a rush and click a malicious
link without realizing. If a new type of phishing attack comes out, we may not readily
recognize it. To protect yourself, learn to check for some key signs that a spam
message isn’t just annoying—it’s a phishing attempt:
Sender’s email address: If an email from a company is legitimate, the sender’s email
address should match the domain for the company they claim to represent.
Sometimes these are obvious but other times the changes are less noticeable, like
example@paypa1.com instead of paypal.com.
Missing personal information: If you are a customer, the company should have your
information and will likely address you by your first name. A missing personal
greeting alone isn’t enough to spot a phishing email, but it’s one thing to look for,
especially in messages that say they are from a company with whom you do
business. Receiving an email that says your account has been locked or you owe
money is cause to worry, and sometimes we rush to click a link in order to fix the
problem. If it’s phishing, that’s exactly what the sender wants, so be careful and
check if the email is generic or addressed specifically to you.
Links: Beware of all links, including buttons in an email. If you get a message from a
company with whom you have an account, it’s wise to log in to your account to see if
there is a message there rather than just clicking the link in the message without
verifying first. You can contact the company to ask if a suspicious message is
legitimate or not. If you have any doubts about a message, don’t click any links.
Grammatical errors: We all make them, but a company sending out legitimate
messages probably won’t have a lot of punctuation errors, poor grammar, and
spelling mistakes. These can be another red flag to indicate that the email could be
suspect.
Attachments: Unless you are expecting an email with attachments, always be wary
before opening or downloading them. Using anti-malware software can help by
scanning files that you download for malware.
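The signs listed above (sender address, missing personal greeting, links whose visible text disagrees with their target, unexpected attachments) can be turned into simple automated checks. What follows is an added example written for this page, not code from the original text or from any product it names: it parses a constructed sample e-mail with Python’s standard email library and reports each sign it finds. The sender, link and attachment in the sample are made up (the paypa1.com look-alike is the page’s own example); the confusable-character table, the two-label "registered domain" guess and the list of generic greetings are assumptions kept deliberately small, and the grammar sign is left to the reader.

```python
"""
Heuristic checks for the phishing signs listed above, run over a constructed
sample e-mail. Added example for this page; the look-alike table, domain
guess and greeting list are assumptions, not a complete detection engine.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Digit/letter swaps commonly used to build look-alike domains (assumption:
# a small illustrative table, not a Unicode confusables list).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_like(domain: str, legitimate: str) -> bool:
    """True when `domain` turns into `legitimate` once common character swaps are undone."""
    return domain != legitimate and domain.translate(CONFUSABLES) == legitimate


def check_sender(msg, claimed_domain: str) -> list[str]:
    """Sign 1: the From: address should sit in the domain of the company it names."""
    _name, addr = parseaddr(str(msg.get("From", "")))
    domain = registered_domain(addr.rpartition("@")[2])
    if domain == claimed_domain:
        return []
    if looks_like(domain, claimed_domain):
        return [f"look-alike sender domain {domain!r} (resembles {claimed_domain})"]
    return [f"sender domain {domain!r} does not match {claimed_domain}"]


def check_greeting(text: str) -> list[str]:
    """Sign 2: a company you do business with normally addresses you by name."""
    opening = text.lstrip().lower()[:80]
    hits = [g for g in GENERIC_GREETINGS if opening.startswith(g)]
    return [f"generic greeting {hits[0]!r} instead of your name"] if hits else []


def check_links(html: str, claimed_domain: str) -> list[str]:
    """Sign 3: visible link text and the real target should agree and stay on the claimed domain."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = registered_domain(urlparse(href).hostname or "")
        shown = urlparse(text.strip())
        if shown.hostname and registered_domain(shown.hostname) != target:
            findings.append(f"link shows {registered_domain(shown.hostname)} but points to {target}")
        elif target != claimed_domain:
            findings.append(f"link points outside {claimed_domain}: {target}")
    return findings


def check_attachments(msg) -> list[str]:
    """Sign 5: attachments you were not expecting deserve a malware scan before opening."""
    return [f"unexpected attachment {part.get_filename()!r}" for part in msg.iter_attachments()]


def analyse(raw_message: str, claimed_domain: str) -> list[str]:
    """Parse a raw RFC 822 message and return every red flag found (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", content)  # strip tags for the greeting check
    return (check_sender(msg, claimed_domain) + check_greeting(text)
            + check_links(content, claimed_domain) + check_attachments(msg))


def build_sample_message() -> str:
    """Constructed sample phishing message (not a real e-mail): look-alike sender,
    generic greeting, a link whose text hides its real target, and an attachment."""
    msg = EmailMessage()
    msg["From"] = "PayPal Service <service@paypa1.com>"
    msg["To"] = "customer@example.com"
    msg["Subject"] = "Your account has been locked"
    msg.set_content("Dear Customer, your account is locked. Visit https://www.paypal.com/login")
    msg.add_alternative(
        '<p>Dear Customer,</p><p>Your account has been locked. Sign in at '
        '<a href="http://login.paypa1.com/verify">https://www.paypal.com/login</a></p>',
        subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for finding in analyse(build_sample_message(), "paypal.com"):
        print("-", finding)
```

The message is built with EmailMessage and serialised before being parsed again, so analyse() sees exactly what a mail client would: a raw message whose From: header was set by the sending application, which is the design property the e-mail spoofing section describes.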
Report spam
Email providers have gotten pretty good at filtering out spam, but when messages
make it through to your inbox, you can report them. This is true for spam calls and
text messages, as many carriers give you the ability to report spam as well. You can
also choose to block the sender, often in the same step as reporting the message.
Reporting spam can help your email provider or phone service carrier get better at
detecting spam. If legitimate emails get sent to your spam filter, you can report that
they should not be marked as spam, and that also provides useful information on
what should not be filtered. Another helpful step is to add senders you want to hear
from to your contacts list proactively.
Identity theft is a fraud involving another person’s identity for an illicit purpose. This occurs
when a criminal uses someone else’s identity for his/her own illegal purposes.
Examples – fraudulently obtaining credit, stealing money from the victim’s bank account,
using the victim’s credit card number.
8. Protect your PII: Be cautious about giving out your personally identifiable information
(PII) to anyone. Find out why the information is needed and if it’s absolutely necessary
to give out. Be careful about the details you provide about yourself online, such as on
social networking sites.
9. Stay alert to the latest scams: Awareness and caution are effective methods to counter
fraud. Create awareness among your friends and family members by sharing security tips
you learn with them.
Spywares
Spyware is a type of malware that is installed on computers and collects information about
users without their knowledge. The presence of Spyware is typically hidden from the user;
it is secretly installed on the user’s personal computer. Sometimes, however, Spyware such
as keyloggers is installed on purpose by the owner of a shared, corporate or public computer
to secretly monitor other users.
It is clear from the term Spyware that it secretly monitors the user, but the features and
functions of such Spyware go beyond simple monitoring. Spyware programs collect personal
information about the victim, such as Internet surfing habits/patterns and websites visited.
The Spyware can also redirect Internet surfing activities by installing another stealth
utility on the user’s computer system. Spyware may also have the ability to change computer
settings, which may slow the Internet connection speed and the response time, so that the
user ends up complaining about the Internet connection speed to the Internet Service
Provider (ISP).
Malwares
Malware, short for malicious software, is software designed to infiltrate a computer system
without the owner’s informed consent. The expression is a general term used by computer
professionals to mean a variety of forms of hostile, intrusive or annoying software or program
code. Malware can be classified as follows:
1. Viruses and worms: These are known as infectious malware. They spread from one
computer system to another with a particular behaviour.
2. Trojan Horses: A Trojan Horse, Trojan for short, is a term used to describe malware
that appears to the user to perform a desirable function but, in fact, facilitates
unauthorized access to the user’s computer system.
3. Rootkits: A rootkit is a software system that consists of one or more programs
designed to obscure the fact that a system has been compromised.
4. Backdoors: A backdoor in a computer system (or cryptosystem or algorithm) is a
method of bypassing normal authentication, securing remote access to a computer,
obtaining access to plain text and so on while attempting to remain undetected.
A computer virus is a program that can infect legitimate programs by modifying them to include
a possibly evolved copy of itself. Viruses spread themselves, without the permission or
knowledge of the user, to a potentially large number of programs on many machines. A computer
virus passes from computer to computer in a similar manner to how a biological virus passes
from person to person. Viruses may also contain malicious instructions that cause damage or
annoyance. The combination of malicious code with the ability to spread is what makes viruses
a considerable concern. Viruses can often spread without any readily visible symptoms. A
virus’s effects can be event-driven (e.g. triggered after a specific number of executions),
time-driven (e.g. triggered on a specific date, such as Friday the 13th) or can occur at
random.
4. Cause erratic screen behaviour
5. Halt the screen (PC)
6. Just replicate themselves to propagate further harm
Backdoor
A backdoor works in the background and hides from the user. It is very similar to a virus and
is therefore quite difficult to detect and completely disable. Most backdoors are automated
malicious programs that must somehow be installed on a computer. Some parasites do not
require installation, as their parts are already integrated into particular software running on
a remote host. Programmers sometimes leave such backdoors in their software for
diagnostic and troubleshooting purposes. Attackers often discover these undocumented
features and use them to intrude into the system.
A Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it gets control and causes harm, for example
ruining the file allocation table on the hard disk.
Like Spyware and Adware, Trojans can get into the system in a number of ways,
including from a web browser, via E-Mail or in a bundle with other software downloaded from
the Internet. It is also possible to inadvertently transfer malware through a USB flash drive or
other portable media. One may be forced to reformat the USB flash drive or other portable
device to eliminate the infection and avoid transferring it to other machines.
(Users would not know that these could infect their network while bringing some music along
with them to be downloaded.)
Unlike viruses or worms, Trojans do not replicate themselves, but they can be equally
destructive. On the surface, Trojans appear benign and harmless, but once the infected
code is executed, Trojans kick in and perform malicious functions to harm the computer
system without the user’s knowledge.
Follow these steps to protect your systems from Trojan Horses and backdoors:
It may be experienced that, after downloading a file, it never works, and here lies the
threat: although the file has not worked, something must have happened to the
system; the malicious software has deployed its gizmos and the system is at serious
health risk. Keeping the Spam filter “ON” is good practice but is not 100% foolproof,
as spammers are constantly developing new ways to get through such filters.
Phishing
The word Phishing comes from the analogy that Internet scammers use E-mail lures
to fish for passwords and financial data from the sea of Internet users.
The E-mail will usually ask the user to provide valuable information about himself/herself or
to “verify” information that the user may have provided in the past while registering for an online
account. To maximize the chances that a recipient will respond, the phisher might employ
any or all of the following tactics:
1. “Verify your account”: A legitimate organization will never ask the user to send passwords,
login names, permanent account numbers (PANs), SSNs or other personal
information through E-mail. For example, if you receive an E-mail message from
Microsoft asking you to update your credit card information, do not respond without
confirming with Microsoft authorities; this is a perfect example of a Phishing
attack.
2. “You have won the lottery”: The lottery scam is a common Phishing scam known
as advance fee fraud. One of the most common forms of advance fee fraud is a
message that claims that you have won a large sum of money, or that a person will
pay you a large sum of money for little or no work on your part. The lottery scam often
includes references to big companies, for example, Microsoft. There is no Microsoft
lottery. It is observed that most phishing E-mails display the names of
agencies/companies situated in Great Britain, and hence it is extremely important for
netizens to confirm/verify the authenticity of such E-mail before sending any
response.
3. “If you don’t respond within 48 hours, your account will be closed”: These
messages convey a sense of urgency so that you will respond immediately without
thinking. A Phishing E-mail message might even claim that your response is required
because your account might have been compromised.
1. Phishing is used to get the victim to reveal valuable (or at times invaluable)
information about him/her. Phishers would use Spoofing to create a fake E-mail.
2. Spoofing is not intended to steal information but to actually make the victim do
something for phishers.
3. Phishing may, at times, require Spoofing to entice the victim into revealing the
information but Spoofing does not always necessarily result in Phishing someone
else’s account.
A phisher sends an E-mail, during the Income Tax return filing period, from an official-looking
IT (Income Tax) account which is spoofed. The E-mail contains a URL to download
a new tax form that was recently issued. Once the victim clicks the URL, a “virus cum
Trojan Horse” is downloaded to the victim’s system. The IT Form may seem official, but,
like a Trojan Horse, the payload has already been delivered. The virus lies in wait,
logging the actions of the victim. Once the victim inputs certain keywords, like bank
names, credit card names, social networking websites and so forth, it logs the site and
the passwords used. Those results are flagged and sent to the phisher. The virus could
then gather the user’s E-mail contacts and send a fake E-mail to them as well, containing
the virus. The phisher has now gained the required personal information, and the virus
has been sent, downloaded and spread to entice other netizens.
How to avoid being victim of Phishing attack
certificate that provides the https service. Always ensure that the webpage is truly encrypted.
5. Use anti-Spyware software: Keep Spyware down to a minimum by installing an active Spyware solution such as Microsoft anti-Spyware and also scanning with a passive solution such as Spybot. If for some reason your browser is hijacked, anti-Spyware software can often detect the problem and provide a fix.
6. Get educated: Always update your knowledge of the new tools and techniques used by phishers to entice netizens, and understand how to prevent these types of attacks. Report any suspicious activity observed to the nearest cyber security cell.
7. Use the Microsoft Baseline Security Analyzer (MBSA): Netizens on the Microsoft platform should use MBSA to ensure the system is up to date by applying all the security patches. MBSA is a free tool available on Microsoft’s website. This protects IT systems against known exploits in Internet Explorer and Outlook that can be used in Phishing attacks.
8. Firewall: A firewall can prevent Malicious Code from entering the system and hijacking the browser. Hence, a desktop (software) firewall such as Microsoft’s built-in software firewall in Windows XP and/or a network (hardware) firewall should be used. It should be kept up to date in case any cyber security patches have been released by the vendor.
9. Use backup system images: Always keep a backup copy or image of all systems to enable reverting to the original system state in case of any foul play.
10. Do not enter sensitive or financial information into pop-up windows: A common Phishing technique is to launch a bogus pop-up window when someone clicks on a link in a Phishing E-mail message. This window may even be positioned directly over a legitimate window a netizen trusts. Even if the pop-up window looks official or claims to be secure, entering sensitive information should be avoided because there is no way to check the security certificate.
11. Secure the hosts file: The attacker can compromise the hosts file on the desktop system and send a netizen to a fraudulent site. Configuring the hosts file as read-only may alleviate the problem, but complete protection will depend on having a good desktop firewall such as Zone Alarm that protects against tampering by outside attackers and keeps browsing safe.
12. Protect against DNS Pharming attacks: This is a new type of Phishing attack that does not Spam you with E-mails but poisons your local DNS server to redirect your web request to a different website that looks similar to a company website (e.g. eBay or PayPal).
Cyber Crime
It refers to all criminal activities carried out using communication devices
such as computers, mobile phones, tablets, etc., the internet, cyber space and the
world wide web. Cybercrimes are a new class of crimes that is rapidly expanding
due to extensive use of the internet.
E.g. phishing, cyberstalking, identity theft, etc.
Cyber Law
The law that governs cyber space. It is the term used to describe legal issues
related to the use of communication technology, particularly cyber space, i.e. the
internet. It is an attempt to apply laws designed for the physical world to human
activity on the internet.
Cybercrimes are often committed beyond national borders. It is very difficult to
identify the perpetrator of a wrong because the internet facilitates anonymity. Thus,
cybercrimes pose challenges that are unique in character, unlike traditional
crimes.
Challenges posed by Cyber Crime
1) Legal challenges, which depend on the statutory provisions available as a tool
to investigate and control cyber crimes.
2) Operational challenges, which require a well-trained and well-equipped force of
investigators operating and coordinating at national and international level.
3) Technical challenges, which hamper law enforcement agencies’ ability
to catch and prosecute online offenders.
Cyberstalking
Cyberstalking has been defined as the use of information and communication technology,
particularly the Internet, by an individual or group of individuals to harass another individual,
group of individuals or organisation.
The behaviour includes false accusations, monitoring, transmission of threats, ID theft,
damage to data or equipment and gathering information for harassment purposes.
1. Personal information gathering about the victim: Name, family background; contact
details such as cell phone and telephone numbers (of residence as well as office);
address of residence as well as of the office; E-Mail address; date of birth, etc.
2. Establish a contact with victim through telephone/cell phone. Once the contact is
established, the stalker may make calls to the victim to threaten/harass.
3. Stalkers will almost always establish a contact with the victims through E-Mail.
4. Some stalkers keep on sending repeated E-Mails asking for various kinds of favours
or threaten the victim.
If you are a victim of stalking, consider suspending your social networking accounts until the
stalking has been resolved. If you decide to continue to use social networking sites, here are
a few tips to help keep you safe:
• Take advantage of privacy settings. With some social networking sites, you may be
able to make your profile completely private simply by checking a box. With others,
such as Facebook, privacy settings can be complex to navigate.
• Take advantage of added security settings. One of the best examples is two-factor
authentication. When you enable this, your account will require you to provide
something you know (like a password) with something you have (like a specific
device). Therefore, if someone gets your password, he or she will not be able to log in
to the account without the specific code that the service sends to your device
• Limit how much personal information you post to your account. For example, you may
not want to include contact information, your birth date, the city you were born in or
names of family members.
• Do not accept "friend requests" (or "follow requests") from strangers. If you recognize
the individual sending the request, contact him or her off-line to verify he or she sent
the request.
• Warn your friends and acquaintances not to post personal information about you,
especially your contact information and location.
• Avoid online polls or quizzes, particularly those that ask for personal information.
• Don't post photographs of your home that might indicate its location. For example,
don't post photographs showing a house number or an identifying landmark in the
background.
• Use caution when joining online organizations, groups or "fan pages." Never publicly
RSVP to events shown online.
• Use caution when connecting your cell phone to your social networking account. If
you do decide to connect your cell phone to your online account, use extreme caution
in providing live updates on your location or activities.
• Avoid posting information about your current or future locations, or providing
information a stalker may later use to home in on your location, such as a review of a
restaurant near your house.
• Always use a strong, unique password for every social networking site.
SQL Injection
Attackers target SQL servers, the common database servers used by many
organizations to store confidential data. The prime objective behind an SQL injection attack is to
obtain information by accessing a database table that may contain personal
information such as credit card numbers, social security numbers or passwords. During an
SQL injection attack, Malicious Code is inserted into a web form field or the website’s code to
make a system execute a command shell or other arbitrary commands. Just as a legitimate
user enters queries and additions to the SQL database via a web form, the attacker can
insert commands to the SQL server through the same web form field. For example, an
arbitrary command from an attacker might open a command prompt or display a table from
the database. This makes an SQL server a high-value target and therefore a system that seems
very attractive to attackers.
The attacker determines whether a database and the tables residing in it are
vulnerable before launching an attack. Many webpages take parameters from the web user and
make an SQL query to the database. For example, when a user logs in with username and
password, an SQL query is sent to the database to check whether the user has a valid name and
password. With SQL injection, it is possible for an attacker to send a crafted username and/or
password field that will change the SQL query.
1. The attacker looks for webpages that allow submitting data, that is, login pages,
search pages, feedback forms, etc. The attacker also looks for webpages that use the
HTML methods POST or GET by checking the site’s source code.
2. To check the source code of any website, right-click on the webpage and click on “view
source” (if you are using IE – Internet Explorer); the source code is displayed in
Notepad. The attacker checks the HTML source code and looks for the “FORM” tag in
the HTML code. Everything between <FORM> and </FORM> holds potential
parameters that might be useful to find the vulnerabilities.
<FORM action="Search/search.asp" method="post">
<input type="hidden" name="A" value="C">
</FORM>
3. The attacker inputs a single quote in the text box provided on the webpage to
accept the username and password. This checks whether the user-input variable is
sanitized or interpreted literally by the server. If the response is an error message such
as use “a” = “a” (or something similar), then the website is found to be susceptible to an
SQL injection attack.
4. The attacker uses SQL commands such as the SELECT statement to retrieve
data from the database or the INSERT statement to add information to the database.
SQL injection attacks occur due to poor website administration and coding. The following
steps can be taken to prevent SQL injection.
1. Input validation
• Replace all single quotes (escape quotes) with two single quotes.
• Sanitize the input: User input needs to be checked and cleaned of any characters or
strings that could possibly be used maliciously. For example, character sequences such
as ; , --, select, insert and xp_ can be used to perform an SQL injection attack.
• Numeric values should be checked while accepting a query string value. The function
IsNumeric( ) in Active Server Pages (ASP) should be used to check these numeric
values.
• Keep all text boxes and form fields as short as possible to limit the length of user
input.
2. Modify error reports: SQL errors should not be displayed to outside users, and to avoid
this the developer should handle or configure the error reports very carefully. These
errors sometimes display the full query, pointing to the syntax error involved, and
attackers can use it for further attacks.
3. Other preventions
• The default system accounts for SQL Server 2000 should never be used.
• Isolate the database server and the web server. Both should reside on different machines.
• Attackers most often make use of several extended stored procedures such as
xp_cmdshell and xp_grantlogin in SQL injection attacks. In case such extended
stored procedures are not used, or there are unused triggers, stored procedures, user-
defined functions, etc., then these should be moved to an isolated server.
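The probe in step 3 above, the always-true "a" = "a" condition, and the two preventions (escaping single quotes, blacklisting sequences such as ; -- select insert xp_) are shown together in the following added example. It is not code from the original notes: it uses Python's built-in sqlite3 module with a constructed in-memory users table standing in for the SQL server, and adds a parameterized (bound-parameter) login, which is the generally recommended defence and is not one of the measures listed above.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration. Passwords are stored in
    clear only to keep the example short; a real system stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # A raw SQL error echoed back to the browser is the tell-tale that step 3
        # looks for, and what "modify error reports" tells developers to hide.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_escaped(conn, username, password):
    """Prevention 1: double every single quote before concatenating."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    query = (f"SELECT username FROM users WHERE username = '{u}' "
             f"AND password = '{p}'")
    row = conn.execute(query).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


def login_parameterized(conn, username, password):
    """Bound parameters: the driver never lets the input be parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


# The sequences named under "Sanitize the input". A blacklist like this is easy to
# evade (and "select" also matches harmless words such as "selection"), so it is
# only a secondary check, never the main defence.
SUSPICIOUS = (";", "--", "select", "insert", "xp_")


def has_suspicious_sequence(value):
    lowered = value.lower()
    return any(token in lowered for token in SUSPICIOUS)


def demo():
    """Run the same two inputs through all three login variants."""
    conn = make_db()
    probe = "'"                  # step 3: a lone single quote
    bypass = "' OR 'a'='a"       # the always-true tail from step 3
    return {
        "probe": login_vulnerable(conn, probe, "x")[0],            # "error"
        "vulnerable": login_vulnerable(conn, "alice", bypass)[0],  # "ok": logged in
        "escaped": login_escaped(conn, "alice", bypass)[0],        # "denied"
        "parameterized": login_parameterized(conn, "alice", bypass)[0],  # "denied"
        "legit": login_parameterized(conn, "alice", "s3cret")[0],  # "ok"
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant shows both symptoms the notes describe: the single-quote probe produces a syntax error (the error message that should never reach the user), and the crafted password turns the WHERE clause into `... AND password = '' OR 'a'='a'`, which is true for every row. Doubling the quotes turns the same input back into a plain string, and the bound-parameter query never parses the input as SQL at all.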
Why is cyber security important?
Today we live in a digital era where all aspects of our lives depend on networks,
computers and other electronic devices, and software applications.
Some of their information, such as intellectual property, financial data and personal
data, is sensitive, and unauthorized access or exposure could have harmful
effects.
This information gives intruders and threat actors an incentive to infiltrate systems for financial gain,
extortion, political or social motives, or just vandalism.
Cyber-attacks that hack systems are now an international concern, and other security
attacks could endanger the global economy. Therefore, it is essential to have an
excellent cybersecurity strategy to protect sensitive information from high-profile
security breaches.
------------------------------------------------------------------------------------------------------
• Cyber Criminals
• Cyber Terrorists
• Cyber Espionage
• Cyber Hacktivist
National Cyber Security Strategy 2020: The Indian Government has come up with the National Cyber Security
Strategy 2020, entailing provisions to secure cyberspace in India.
Cyber Surakshit Bharat Initiative: MeitY, in collaboration with the National e-Governance Division (NeGD),
came up with this initiative in 2018 to build a cyber-resilient IT set-up.
The Indian Computer Emergency Response Team (CERT-In) serves as the national agency
for performing various functions in the area of cyber security in the country as per the
provisions of section 70B of the Information Technology Act, 2000.
CERT-In Functions
In the IT Amendment Act 2008, CERT-In has been designated to perform the following
functions in the area of cyber security:
• In order to facilitate incident response measures, CERT-In issued directions relating
to information security practices, procedures, prevention, response and reporting of
cyber incidents under the provisions of sub-section (6) of section 70B of
the Information Technology Act, 2000.
• The directions cover aspects relating to:
o synchronisation of ICT system clocks
o mandatory reporting of cyber incidents to CERT-In (within six hours)
o maintenance of logs of ICT systems (for 180 days)
o subscriber/customer registration details by data centres, Virtual Private
Server (VPS) providers, VPN service providers and cloud service providers
o KYC norms and practices by virtual asset service providers, virtual asset
exchange providers and custodian wallet providers.
These directions shall enhance the overall cyber security posture and ensure a safe and trusted
Internet in the country.
The National Cyber Security Policy
The National Cyber Security Policy was first drafted in the wake of reports that the
US government was spying on India and that there were no technical or legal safeguards against
it.
• Before 2013, India did not have a cybersecurity policy. The need for it was felt during
the NSA spying issue that surfaced in 2013.
• Information empowers people, and there is a need to distinguish between
information that can flow freely between systems and information that needs to be secured.
This could be personal information, banking and financial details, or security
information which, when passed into the wrong hands, can put the country’s safety
in jeopardy.
• This Policy has been drafted in consultation with all the stakeholders.
• In order to digitise the economy and promote more digital transactions, the
government must be able to generate trust among people in the Information and
Communications Technology systems that govern financial transactions.
• A strong, integrated and coherent policy on cybersecurity is also needed to curb the
menace of cyber terrorism.
Coronavirus Pandemic Based Cyber Attack: Microsoft has reported that cyber crooks are using the Covid-19 situation in
2020 to defraud people through phishing and ransomware in India and the world.
Wannacry Ransomware: In May 2017, various computer networks in India were locked down by
ransom-seeking hackers.
Data Theft: In May 2017, the food tech company Zomato faced the theft of information
of 17 million users.
Petya Ransomware: Container handling functions at a terminal operated by the Danish firm
AP Moller-Maersk at Mumbai’s Jawaharlal Nehru Port Trust got affected.
Mirai Botnet: In September 2016, Mirai malware launched a DDoS attack on the website
of a well-known security expert.
Data Privacy and Data Protection
1. Data Privacy:
Data Privacy refers to the proper handling of data, meaning how an organization or user
determines whether or what data is to be shared with third parties. Data privacy is
important as it keeps some data secret from others/third parties. Data privacy is all about
authorized access. It is also called Information privacy.
Example –
In a bank, a lot of customers have accounts for monetary transactions. So the bank
needs to keep customer data private, so that customers’ identities stay safe and protected
as much as possible by minimizing any external risks; it also helps in maintaining the
reputation of the bank.
2. Data Protection:
Data Protection refers to the process of keeping important information safe. In simple terms,
it refers to protecting data against unauthorized access, which leads to no corruption, no
compromise, no loss and no security issues with the data. Data protection applies to all forms
of data, whether personal data or organizational data.
Example –
A bank has a lot of customers, so the bank needs to protect all types of data, including the
bank’s own records as well as customer information, from unauthorized access to keep
everything safe and to ensure everything is under the control of the bank administration.
The terms Data Privacy and Data Security are used interchangeably and seem to be the same.
But actually they are not the same. In reality they can have different meanings depending
upon the actual process and use. But it is sure that they are very closely interconnected and one
complements the other during the entire process. So, now let’s see how Data Privacy is
different from Data Protection from the table below.
05. Data Privacy: It can be described as security from sales, i.e. holding the data back from being shared and sold.
    Data Protection: It can be described as security from hacks, i.e. keeping the information away from hackers.
06. Data Privacy: Controls mainly exist at the end-user level. The user knows which data is shared with whom and which data they can access.
    Data Protection: Mainly controlled at the organization or company end. They take all the required measures to protect their data from being exposed to illegal activities.
07. Data Privacy: Teams are made up of experts in law making and policies, with some engineering experts.
    Data Protection: Teams are made up of experts from technical backgrounds, security backgrounds, etc.
The main revenue source for social media applications is selling advertisements, but
this is not the only way. Take the example of Facebook. Facebook does
user profiling on the basis of demographics, the brands you like, the movies you
see, etc., and shows you the relevant advertisements, links to apps of your interest and so
on.
Facebook even keeps track of all the activities that you do in the offline world, that are not
even shared on the platform.
Please read Terms and Conditions carefully.
Go through the privacy settings in your account. Don’t rely on default settings.
Stop clicking on posts like “Check your death day”, “Find which celebrity you look
like” and so on.
Install good antivirus software on your laptop and phone.
Turn off your location. Some sites even keep track of your activities in the offline world,
but turning off location will at least keep the loss to a minimum.
Always check and analyse your post before posting. Try not to put too many revealing
photos online.
Always try to create a strong password for a site and try to change it at regular intervals of
time. Never set the same password for multiple sites.
Below is a list of a few security threats that we might face in social media accounts:
1. Most social networking sites hold information like your birthday or email address. A
hacker can hack your email account by using social information and can then have
access to all the information he/she wants. You don’t need to hide all
information. You just need to take the following precautions:
• Always set strong passwords. Don’t go for easy passwords built
using your birthday or child’s name, etc., i.e. from the information
that is easily accessible from the social media account.
• Don’t reveal too much information in a post. Be careful with what
you post online. For example, if I write “Happy Mother’s Day Mumma
Richa Sahani”, one can guess the answer to one of my
security questions, “What is your Mother’s Maiden Name?”. This is how
thieves get information by just analyzing your
posts. They get so much information that they can even compromise
your account.
• Don’t reveal your location. Try to keep the location section either
blank or set it to a false location.
• Do not use social media accounts from untrusted devices and
networks in hotels, cafés, hospitals, etc.
• Do not elect to remember passwords/passphrases for social media
accounts when offered by web browsers.
2. With the advent of social media like Twitter, URL shorteners have come into the
picture. Twitter allows a post to be a maximum of 280 characters, thus limiting
the size and amount of information that can be shared. Shortened URLs can
trick users into visiting harmful sites since the full URLs are not visible. It is best to
keep the following points in mind before clicking on a shortened URL to avoid being
hacked.
• Before clicking a link, place the cursor on the shortened URL. This
will show the complete URL and will give you an idea of where
the full URL actually points.
• Check the shortened URL using services that are available online,
like Sucuri, to check whether the link is secure or not.
• Use services like URL Void or MyWOT to check the safety status of
the link.
3. Avoid posting too many details online. Would you ever stand in the middle of a
crowd and shout that you are going on a vacation to such and such place? So why
post all the details of your trip on social media, with every second detail
like “Travelling to London, United Kingdom from Air India Business Lounge New
Delhi”? You are clearly giving your house keys to burglars. Try to take the following
precautions while posting any information online:
• Avoid posting specific travel plans and itineraries. Never mention
exact dates and times.
• Never post photos during the trip. Try to post photos after you
return home from the vacation.
• Try to stay offline during vacation.
• Use the highest privacy controls to let only selected groups like
family and selected friends view your status updates and photos.
4. Have you ever wondered how we see a product on Flipkart and, when we open
another site, it shows an advertisement related to the product that we
earlier searched for on Flipkart? Every time we visit a website, it puts an invisible
marker, which we call a Cookie in technical terms, on our computer. The job of these
cookies is to track user activity as we navigate from one site to another. This
is the reason we are able to see advertisements of our interest on the new
page that we open. Cookies are the major loophole in the entire secure scenario.
Most sites provide an option to opt out of the tracking feature, but if you don’t
get that option, please be careful to clear the cache and the cookies on your
browser regularly.
I hope that after having such a detailed discussion on Privacy and Security in Social Media,
you will surely try to implement these steps and try to achieve a Private and Secure Social
Media Account.
There is a cool new gaming app available online. Now, what do you do if you want to
download it? Well, you quickly run through the terms and conditions without looking and
then move right on to the game. And what if a site wants to store your credit card
information? You may allow it to do this so that you don’t have to enter the data again
and again.
But have you ever wondered what happens to the data that you so casually share online?
This data may end up in the hands of third-party companies that use it to analyze your
online habits and create a profile that can be used in various ways like customized ads etc.
And that’s the relatively harmless option. In the worst-case scenario, your online data can
also be used maliciously to cause great personal or financial harm. So what are the steps
you can take to protect your online data privacy and prevent these things from occurring?
This article provides you some basic tips that will make your online presence much more
private and secure.
1. Always Browse in Anonymous Mode
Browsing in Anonymous Mode is only the first line of defense! Incognito Mode on Google
Chrome or Private Windows on Firefox and Safari only provide an extra layer of
protection, not complete online privacy. That may not even be possible!!!
But what anonymous mode can do for you is block cookies so that most online tracking of
you is defeated. Normally you see ads on websites that are tailored according to your
browser history and the sites you have visited. This is achieved using cookies that store
information about your online interactions. And browsing in Anonymous Mode is the first
step in blocking these cookies and achieving more privacy online.
Do you ever wonder how the search engine you are using makes money? How are they
paying for the service they offer you? Well, there are only two ways for a search
engine to do that, and that’s either using donations from people or using profits from ads.
And if the search engine is free for you, then most likely it’s making money using you!!!
Search engines record all your data from your searching habits, such as your likes and
dislikes, your personal information, etc. Then they sell this data about customer profiles to
various advertisers and make money off that.
In case you wish to avoid that, use a search engine that is funded by donations and is
privacy oriented. Some examples of these alternative search engines that you can use
are DuckDuckGo, Qwant, Startpage, etc.
Do you think that if you are browsing the internet from your home connection your data is
safe? In fact, there is a high chance that your internet service provider may actually be
collecting and selling your browsing data to third parties. And it’s not even illegal to do so,
since the data protection laws are quite unclear.
You can use a VPN (Virtual Private Network) that creates a private network across a
public network. So your data will be encrypted in this manner and no other third party
will be able to view it. Some of the good VPN services for usage
are ExpressVPN, NordVPN, Hotspot Shield, IPVanish etc.
You can always improve your online privacy and increase your security by using
some extensions and online security tools. For example: Make HTTPS Everywhere
extension your best friend as it will encrypt your communication with most websites
leading to a secure connection with fewer chances of anyone snooping in.
The Ghostery Browser Extension is another great option as that will make your online
browsing much safer by detecting and blocking all the third-party data-tracking items.
Also, another great online security tool is AdBlock. This handy little tool will filter out all
the annoying ads you don’t want and also protect you from malicious ads that can be used
to infect your machine.
Another free cybersecurity tool is CheckShortURL that checks where shortened URLs are
taking you because double-checking is always good!
You should definitely not use public storage services that are meant for sharing data to store
private information, as that is hardly safe! For example, it's not a good idea to store
your passwords or other confidential information in Google Docs, as it is relatively easy
to access them from there.
Similarly, don’t store important scans or other documents in your Dropbox unless they
are in an encrypted archive.
Always assume that all information stored on public storages may actually become public
at some point (accidentally or on purpose) and so store that information accordingly.
7. Stay Private on Wi-Fi Networks
Open public Wi-Fi networks usually have no encryption, so anyone nearby can snoop on your
connections and access your data.
So if you are using public Wi-Fi networks, you are risking the loss of your personal
information, the leakage of your digital identity and, in the worst cases, even loss of money.
So always avoid transmitting any sensitive data like logins, credit card data,
passwords, etc. over public Wi-Fi. Also, use a VPN, as that creates a private, encrypted
tunnel across the public Wi-Fi network, so your data cannot be read by others on the
same network.
Using weak or basic passwords to secure your important information is like keeping the
key next to the lock! So make sure to use secure and complex passwords for your data if
you want it to stay protected. Passwords should be sufficiently long and complex, with at
least 12 characters including upper- and lower-case letters, numbers and special
characters. Also, never use personal information like your name, birthday, pet's name, etc.
in your password, as that information is easy to guess.
Another basic thing to remember is that you should not use the same password for
multiple applications. Now it may be difficult to remember multiple unique passwords
but it is worth it if you want to protect your data.
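As an added example (not part of the original notes), the following Python checker applies the password rules stated above: minimum length of 12, all four character classes, no personal information, and no reuse across accounts. The reuse check compares SHA-256 fingerprints so the checker never keeps other passwords in plaintext. The user details, birthday formats and passwords in it are constructed sample values.

```python
"""Password policy checker for the rules in the notes above.

Added example; the sample name, birthday, pet name and passwords are
constructed for the demo and do not belong to anyone.
"""
from __future__ import annotations

import hashlib
import re
import string
from datetime import date

MIN_LENGTH = 12


def personal_tokens(name: str, birthday_iso: str, pet_name: str) -> set[str]:
    """Lower-cased fragments of personal information that must not appear
    inside a password: name parts, the pet's name and the birthday written
    in a few common digit layouts (YYYY, DDMM, MMDD, DDMMYYYY, YYYYMMDD)."""
    birthday = date.fromisoformat(birthday_iso)
    tokens: set[str] = set()
    for part in name.split() + [pet_name]:
        if len(part) >= 3:          # ignore initials; too short to be meaningful
            tokens.add(part.lower())
    tokens.add(str(birthday.year))
    tokens.add(birthday.strftime("%d%m"))
    tokens.add(birthday.strftime("%m%d"))
    tokens.add(birthday.strftime("%d%m%Y"))
    tokens.add(birthday.strftime("%Y%m%d"))
    return tokens


def fingerprint(password: str) -> str:
    """SHA-256 digest used only to detect reuse without storing plaintext.
    A real credential store would use a slow salted hash (bcrypt, argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, tokens: set[str], used: set[str]) -> list[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for token in tokens:
        if token in lowered:
            problems.append(f"contains personal information ({token!r})")
    if fingerprint(password) in used:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    # Constructed sample user and a password already in use on another site.
    tokens = personal_tokens("Priya Sharma", "1995-05-03", "Bruno")
    used = {fingerprint("Winter!Garden2023")}
    for pw in ["priya1995", "Bruno@0305x", "Winter!Garden2023", "Tq7#mango!river42"]:
        result = check_password(pw, tokens, used)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Only the last candidate passes; the first three are rejected for length, for embedding the pet's name and birthday, and for reuse respectively. Real deployments would additionally check candidates against known-breached password lists, which this example does not include.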
Websites use cookies to gather information relating to your browsing history. These
websites can also sell this analysis based on customer profiles to various third parties and
make money off that. In case you wish to avoid that, make sure you have at least some
control over where your data ends up. Therefore, it is best to control your cookies settings
so that websites cannot access your data without your permission. You can do this
on Chrome by clicking Cookies under Privacy and Security and then clicking off the
cookies.
The biggest mistake you can make is to just keep using the default settings, as social
media companies make money the same way search engines do: by selling all your online data
to the highest bidder!
Adjust your social media privacy settings to provide the maximum possible privacy. For
example, you can change the privacy settings on Facebook to regulate which of your posts,
locations, tagged faces, etc. are freely available.
India’s Digital Personal Data Protection Act, 2023: Key provisions
Initially introduced in 2019, the Digital Personal Data Protection Act holds considerable importance as a legislative measure
aimed at safeguarding individuals’ privacy rights. Its primary focus lies in regulating the collection, storage, processing, and
transfer of personal data in the digital landscape. The DPDP Bill underwent 81 amendments after its initial introduction,
resulting in a comprehensive overhaul to its present form.
By prioritizing privacy and security, the DPDP Act strives to create a robust framework that addresses the challenges posed
by data handling in the digital age. Key provisions of the DPDP Act, 2023 are as follows:
• Definitions: Although many concepts in the DPDP Act closely resemble those found in the EU's General Data
Protection Regulation (GDPR) framework, there are differences in how terminology is used.
a) Data fiduciary: This refers to the entity that, either independently or in collaboration with others, establishes
both the purpose and the methods for processing personal data (similar to a data controller). The government can
classify any data fiduciary or a specific group of data fiduciaries as 'significant data fiduciaries' (SDFs). The
criteria for this classification as an SDF range from the nature of processing activities (such as the volume and
sensitivity of personal data involved and the potential impact on data principals' rights) to broader societal and
national concerns (such as the potential effects on India's sovereignty and integrity, electoral democracy, state
security, and public order). The designation of SDF comes with heightened compliance obligations as explained
below.
b) Data processor: This is an entity responsible for processing digital personal data on behalf of a data fiduciary.
c) Data principal: These are individuals whose personal data is gathered and processed (equivalent to a data
subject).
d) Consent manager: A person registered with the Data Protection Board, who acts as a single point of contact to
enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent, and
interoperable platform.
• Applicability: The DPDP Act applies to digital personal data in India, whether collected online or collected
offline and later digitized. Additionally, the Act applies to the processing of digital personal data beyond India's
borders when it encompasses the provision of goods or services to individuals within the Indian territory.
Age verification mechanisms will be necessary for all companies in India (telcos, banks, e-commerce, etc.) under the new
DPDP law, per reporting from The Economic Times. The compliance requirement is not just limited to social media
platforms. This is essential to record the verifiable consent of users per legal experts.
• Personal data breach: This means any unauthorized processing of personal data or accidental disclosure,
acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the
confidentiality, integrity, or availability of personal data.
• Individual consent to use data and data principal rights: Under the new legislation, personal data will be
included and processed only with explicit consent from the individual, unless specific circumstances pertaining to
national security, law, and order require otherwise.
Under data principal rights, individuals also have the right to information, right to correction and erasure, right to
grievance redressal, and right to nominate any other person to exercise these rights in the event of the individual’s
death or incapacity. Currently, there is no specified timeline for the implementation of grievance redressal and data
principal rights.
• Additional obligations of SDFs: Depending on the quantity and sensitivity of the data they manage, data
fiduciaries designated as SDFs are subject to additional obligations under the DPDP Act. Every significant data
fiduciary is required to appoint a Data Protection Officer (DPO) responsible for addressing the inquiries and
concerns of data principals (the individuals whose data is collected and processed). Regarding international data
transfers, the DPDP Act permits data fiduciaries to transfer personal data for processing to any country or territory
outside India. However, the central government can impose restrictions through notifications. These restrictions
will be determined after assessing relevant factors and establishing necessary terms and conditions to ensure the
maintenance of data protection standards during international processing.
• Establishment of a Data Protection Board: The Data Protection Board will function as an impartial adjudicatory
body responsible for resolving privacy-related grievances and disputes between relevant parties. As an
independent regulator, it will possess the authority to ascertain instances of non-compliance with the Act’s
provisions and impose penalties accordingly. The appointment of the chief executive and board members of the
Data Protection Board will be carried out by the central government, ensuring a fair and transparent selection
process. To provide an avenue for customers to challenge decisions made by the Data Protection Board, the
government will establish an appellate body. This appellate body may be assigned to the Telecom Disputes
Settlement and Appellate Tribunal (TDSAT), which will be responsible for adjudicating disputes related to data
protection and hearing appeals against the decisions made by the Data Protection Board.
• Voluntary undertaking: Under this provision, the Data Protection Board has the authority to accept a voluntary
commitment related to compliance with the DPDP Act’s provisions from any data fiduciary at any stage of
complaint proceedings. This voluntary undertaking may entail specific actions to be taken or refrained from by the
concerned party. Furthermore, the terms of the voluntary undertaking can be modified by the Board if necessary.
The voluntary undertaking serves as a legal barrier to proceedings concerning the subject matter of the
commitment, unless the data fiduciary fails to adhere to its terms. In the event of non-compliance, such a breach is
considered a violation of the DPDP Act, and the Board is authorized to impose penalties for this infringement.
Additionally, the Board has the discretion to require the undertaking to be made public.
• Alternate disclosure mechanism: This mechanism will allow two parties to settle their complaints with the help
of a mediator.
• Offence and penalties: Data fiduciaries can face penalties of up to INR 2.5 billion for failing to comply with the
provisions. These include:
a) penalties of up to INR 10,000 for breach of the duties of data principals;
b) penalties of up to INR 2.5 billion for failing to take reasonable security safeguards to prevent a breach of personal data;
c) fines of up to INR 2 billion for failure to notify the Data Protection Board and affected data principals in case of a personal data
breach;
d) penalties of up to INR 2 billion for violation of additional obligations related to children's data;
e) penalties of up to INR 1.5 billion for failure to comply with the additional obligations of a significant data fiduciary;
f) penalties of up to INR 500 million for breach of any other provision of the DPDP Act, 2023 and the rules made thereunder.
• Conflict with existing laws: The provisions of the DPDP Act will be in addition to and not supersede any other
law currently in effect. However, in case of any conflict between a provision of this Act and a provision of any
other law currently in effect, the provision of this Act shall take precedence to the extent of such conflict.
• For notified agencies, in the interest of security, sovereignty, public order, etc.
• For research, archiving, or statistical purposes.
• For start-ups or other notified categories of data fiduciaries.
• To enforce legal rights and claims.
• To perform judicial or regulatory functions.
• To prevent, detect, investigate, or prosecute offences.
• To process in India personal data of non-residents under foreign contract.
• For approved merger, demerger, etc.
• To locate defaulters and their financial assets etc.
How can companies prepare for compliance under the Digital Personal Data Protection Act
By following the below steps, companies can prepare for compliance with India’s DPDP Act and protect personal data in
line with regulatory guidelines.
Intellectual property is a broad categorical description for the set of intangible assets owned and
legally protected by a company or individual from outside use or implementation without consent.
An intangible asset is a non-physical asset that a company or person owns.
The concept of intellectual property relates to the fact that certain products of human intellect should
be afforded the same protective rights that apply to physical property, which are called tangible
assets. Most developed economies have legal measures in place to protect both forms of property.
KEY TAKEAWAYS
• Intellectual property is an umbrella term for a set of intangible assets or assets that are not
physical in nature.
• Intellectual property is owned and legally protected by a person or company from outside
use or implementation without consent.
• Intellectual property can consist of many types of assets, including trademarks, patents, and
copyrights.
• Intellectual property infringement occurs when a third party engages in the unauthorized
use of the asset.
• Legal protections for most intellectual property expire after some time; however, for some
(e.g., trademarks), they last forever.
Intellectual Property
Companies are diligent when it comes to identifying and protecting intellectual property because it
holds such high value in today's increasingly knowledge-based economy. Also, producing valuable
intellectual property requires heavy investments in brainpower and the time of skilled labor. This
translates into heavy investments by organizations and individuals that should not be accessed by
others who hold no rights to it.
Extracting value from intellectual property and preventing others from deriving value from it is an
important responsibility for any company. Intellectual property can take many forms. Although it's
an intangible asset, intellectual property can be far more valuable than a company's physical assets.
Intellectual property can represent a competitive advantage and as a result, is fiercely guarded and
protected by the companies that own the property.
Patents
A patent is a property right for an inventor that's typically granted by a government agency, such as
the U.S. Patent and Trademark Office. The patent allows the inventor exclusive rights to the
invention, which could be a design, process, an improvement, or physical invention such as a
machine. Technology and software companies often have patents for their designs. For example, the
patent for the personal computer was filed in 1980 by Steve Jobs and three other colleagues at Apple
Inc.2
Copyrights
Copyrights provide authors and creators of original material the exclusive right to use, copy, or
duplicate their material. Authors of books have their works copyrighted as do musical artists. A
copyright also states that the original creators can grant anyone authorization through a licensing
agreement to use the work.
Trademarks
A trademark is a symbol, phrase, or insignia that is recognizable and represents a product that legally
separates it from other products. A trademark is exclusively assigned to a company, meaning the
company owns the trademark so that no others may use or copy it. A trademark is often associated
with a company's brand. For example, the logo and brand name of "Coca-Cola," is owned by the Coca-
Cola Company.
Franchises
The franchisee is typically a small business owner or entrepreneur who operates the store or
franchise. The license allows the franchisee to sell a product or provide a service under the company's
name. In return, the franchisor is paid a start-up fee and ongoing licensing fees by the franchisee.
Examples of companies that use the franchise business model include United Parcel Service (UPS)
and McDonald's Corporation (MCD).
Trade Secrets
A trade secret is a company's process or practice that is not public information, which provides an
economic benefit or advantage to the company or holder of the trade secret. Trade secrets must be
actively protected by the company and are typically the result of a company's research and
development (which is why some employers require the signing of non-disclosure agreements, or
NDAs).
Examples of trade secrets could be a design, pattern, recipe, formula, or proprietary process. Trade
secrets are used to create a business model that differentiates the company's offerings to its customers
by providing a competitive advantage.
Digital Assets
Digital assets are also increasingly recognized as IP. These would include proprietary software code
or algorithms, and online digital content.
Type of IP
Attached to intellectual property are certain rights, known as Intellectual Property Rights (IPR), that
cannot be infringed upon by those without authorization to use them.
IPRs give owners the ability to bar others from recreating, mimicking, and exploiting their work.
Patent infringement occurs when a legally protected patent is used by another person or company
without permission. Patents filed before June 8, 1995, are valid for 17 years, whereas patents filed
after this date are valid for 20 years.7 After the expiration date, the details of the patent are made
public.
Copyright violations occur when an unauthorized party recreates all or a portion of an original work,
such as a work of art, music, or a novel. The duplicated content need not be an exact replica of the
original to qualify as an infringement.
Similarly, trademark infringement occurs when an unauthorized party uses a licensed trademark or a
mark resembling the licensed trademark. For example, a competitor might use a mark similar to its
rival's to disrupt business and attract their customer base. Also, businesses in unrelated industries
may use identical or similar marks in an effort to capitalize on other companies' strong brand images.
Trade secrets are often protected by non-disclosure agreements (NDAs). When a party to the
agreement discloses all or part of a trade secret to third parties, they have violated the
agreement and infringed upon the trade secret. It is possible to be guilty of trade secret infringement
even when an NDA is not present.
INTRODUCTION
In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act,
2023.1 The new law is the first cross-sectoral law on personal data protection in India and has been enacted after
more than half a decade of deliberations.2 The key question this paper discusses is whether this seemingly
interminable period of deliberations resulted in a “good” law—whether the law protects personal data
adequately, and in addition, whether it properly balances, as the preamble to the law states, “the right of
individuals to protect their personal data” on one hand and “the need to process such personal data for lawful
Details the key features of the law and compares it to earlier versions, especially the previous official bill
introduced by the government in Parliament in 2019.3 The second part of the paper then examines the DPDP Act
from two perspectives. First, it highlights certain potentially problematic features of this law to understand its
consequences for consumers and businesses as well as the Indian state. Second, it places the act in context of the
developments and deliberations that have taken place over the last five years or so. The third part speculates on
the key factors that will influence the development of data protection regulation in India in the next few years.
The 2023 act is the second version of the bill introduced in Parliament, and fourth overall. An initial version was
prepared by a committee of experts and circulated for public feedback in 2018.4 This was followed by the
government’s version of the bill that was introduced in Parliament in 2019—the Personal Data Protection Bill,
2019. This version was studied by a parliamentary committee that published its report in December 2021.5 The
government, however, withdrew this bill, and in November 2022, published a fresh draft for public
consultations—the draft Digital Personal Data Protection Bill, 2022.6 This draft was quite different compared to
the previous versions. The 2023 law is based, in significant part, on this draft. However, it has some new
provisions that are consequential for the questions this paper seeks to answer.
These four drafts were preceded by a landmark 2017 judgment by India’s Supreme Court in Justice K.S.
Puttaswamy and Anr. v. Union of India and Ors.7 The judgment declared that the right to privacy is part of the
fundamental right to life in India and that the right to informational privacy is part of this right. The judgment,
however, did not describe the specific contours of the right to informational privacy, and it also did not lay down
Following this, the first government version of the law, the Personal Data Protection Bill, 2019, was introduced
in Parliament in December 2019. This version was expansive in scope and proposed cross-sectoral, economy-
wide data protection regulation to be overseen by an all-powerful data protection regulator—the Data Protection
Authority (DPA). The 2019 bill provided for a preventive framework.8 It imposed a number of obligations on
entities collecting personal data—to provide notice and take consent from individuals, to store accurate data in a
secure manner, and to use it only for purposes listed in the notice. Businesses were also required to delete data
once the purpose was satisfied and to provide consumers rights to access, erase, and port their data. Businesses
were required to maintain security safeguards and transparency requirements, implement “privacy by design”
requirements, and create grievance redress systems. Finally, this bill introduced an entity known as “consent
managers,” who were intermediaries for collecting and providing consent to businesses on behalf of
individuals.9
The bill grouped personal data into different categories and required elevated levels of protection for “sensitive”
and “critical” personal data. Certain businesses were also to be categorized as “significant data fiduciaries,” and
additional obligations were proposed for them—registration in India, data audits, and data impact assessments.
In addition, the bill imposed localization restrictions on the cross-border flows of certain categories of data. The
DPA was empowered to impose penalties on businesses for violating these requirements. The bill also proposed
The 2019 bill exempted certain entities and businesses from notice and consent requirements under certain
circumstances—for lawful state functions, medical and health services during emergencies or epidemics,
breakdown of public order, employment-related data processing, the prevention and detection of unlawful
The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It allowed the
government to require private entities to hand over specific nonpersonal data that the government asked for as
per conditions it prescribed. In short, the 2019 bill proposed a comprehensive, cross-sectoral framework based
on preventive requirements for businesses (defined as “data fiduciaries”) and rights for individuals or consumers
(“data principals”).
This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna Committee—the
committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court judge, was set up by the Ministry of
Electronics & Information Technology in July 2017 to help frame data protection norms. The recommendations
of this committee, in turn, were based on major regulatory developments that were popular while the work of
the committee was proceeding. Primary among these was the European Union’s (EU’s) General Data Protection
Regulation (GDPR).10 While the general preventive framework of the 2019 bill was welcome, its expansive
scope was problematic. It created a number of significant compliance requirements that would have affected
both big and small firms in the economy. It also proposed the creation of a DPA that had significant regulation-
making and supervisory powers. These regulations would have further detailed the already significant
compliance requirements in the bill. The novelty of the law and the lack of prior experience in implementing a
data protection law of this nature would have created serious risks of overregulation or under-regulation.11
The DPDP Act is based on the draft proposed by the government in November 2022, which adopted a radically
different approach to data protection regulation.12 The next section details the key provisions of the act.
Compared to the 2019 version of the bill, the DPDP Act, 2023 is more modest—it has reduced obligations for
businesses and protections for consumers. On the one hand, the regulatory structure is simpler, but on the other,
it vests the central government with unguided discretionary powers in some cases.
Applicability to Non-residents
The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents. Interestingly, it
also applies to non-citizens living in India whose data processing “in connection with any activity related to
offering of goods or services” happens outside India.13 This has implications for, say, a U.S. citizen residing in
India being provided digital goods or services within India by a provider based outside India.
The 2023 act allows personal data to be processed for any lawful purpose.14 The entity processing data can do so
either by taking the concerned individual’s consent or for “legitimate uses,” a term that has been explained in
the law.
Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and
for a specific purpose. The data collected has to be limited to that necessary for the specified purpose. A clear
notice containing these details has to be provided to consumers, including the rights of the concerned individual
and the grievance redress mechanism. Individuals have the right to withdraw consent if consent is the ground on
specified purpose; (b) the provisioning of any subsidy, benefit, service, license, certificate, or permit by any
agency or department of the Indian state, if the individual has previously consented to receiving any other such
service from the state (this is a potential issue since it enables different government agencies providing these
services to access personal data stored with other agencies of the government);15 (c) sovereignty or security; (d)
fulfilling a legal obligation to disclose information to the state; (e) compliance with judgments, decrees, or
orders; (f) medical emergency or threat to life or epidemics or threat to public health; and (g) disaster or
The DPDP Act also creates rights and obligations for individuals.17 These include the right to get a summary of
all the collected data and to know the identities of all other data fiduciaries and data processors with whom the
personal data has been shared, along with a description of the data shared. Individuals also have the right to
correction, completion, updating, and erasure of their data. Besides, they have a right to obtain redress for their
grievances and a right to nominate persons who will receive their data.
Entities responsible for collecting, storing, and processing digital personal data are defined as data fiduciaries
and have defined obligations. These include: (a) maintaining security safeguards; (b) ensuring completeness,
accuracy, and consistency of personal data; (c) intimation of data breach in a prescribed manner to the Data
Protection Board of India (DPB); (d) data erasure on consent withdrawal or on the expiry of the specified
purpose; (e) the data fiduciary having to appoint a data protection officer and set up grievance redress
mechanisms; and (f) the consent of the parent/guardian being mandatory in the case of children/minors (those
under eighteen years of age). The DPDP Act also states that any processing that is likely to have a detrimental
effect on a child is not permitted. The law prohibits tracking, behavioral monitoring, and targeted advertising
directed at children.18 The government can prescribe exemptions from these requirements for specified
purposes. This is potentially a problem since the powers to exempt are broad and without any guidelines.
While the 2023 act retains the broad categories of obligations for the most part, the key difference from the 2019
bill is the absence of the scope for the regulator, the DPA, to make detailed regulations on these obligations. In
addition, the substantive requirements under each of these categories have been reduced.
There is an additional category of data fiduciaries known as significant data fiduciaries (SDFs). The government
will designate data fiduciaries as SDFs based on certain criteria—volume and sensitivity of data and risks to
data protection rights, sovereignty and integrity, electoral democracy, security, and public order.19
SDFs will have additional obligations that include: (a) appointing a data protection officer based in India who
will be answerable to the board of directors or the governing body of the SDF and will also serve as the point of
contact for grievance redressal; and (b) conducting data protection impact assessments and audits and taking
other measures as prescribed by the government. The 2019 bill required that SDFs register in India. This
The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted certain data flows,
the 2023 law only states that the government may restrict flows to certain countries by notification. While this is
not explicit, the power to restrict data flows seems to be to provide the government necessary legal powers for
national security purposes. The law also states that this will not impact measures taken by sector-specific
agencies that have or may impose localization requirements. For example, the Reserve Bank of India’s
The law provides exemptions from consent and notice requirements as well as most obligations of data
fiduciaries and related requirements in certain cases: (a) where processing is necessary for enforcing any legal
right or claim; (b) personal data has to be processed by courts or tribunals, or for the prevention, detection,
investigation, or prosecution of any offenses; (c) where the personal data of non-Indian residents is being
In addition, the law exempts certain purposes and entities completely from its purview.21 These include:
1. Processing in the interests of the sovereignty and integrity of India, security of the state, friendly
relations with foreign states, maintenance of public order, or preventing incitement to any
cognizable offense. This will allow investigative and security agencies to remain outside the
2. Data processing necessary for research, archiving, or statistical purposes if the personal data is not to
3. The government can exempt certain classes of data fiduciaries, including startups, from some
4. One problematic provision allows the government to, “before expiry of five years from the date of
commencement of this Act,” declare that any provision of this law shall not apply to such data
fiduciary or classes of data fiduciaries for such period as may be specified in the notification. This is
a significant and wide discretionary power and is not circumscribed by any guidance on the basis for
such exemption, the categories that may be exempted, and the time period for which such
The 2023 law completely changes the proposed regulatory institutional design. The 2019 bill proposed an
independent regulatory agency. The DPA was proposed on the lines of similar government agencies in many EU
countries that function independently of government and implement the GDPR. The proposed Indian DPA was
arguably more powerful since it was proposed to have much more extensive regulation-making powers than
DPAs under the GDPR. In addition to framing regulations, the DPA would have been responsible for framing
codes of conduct for businesses, investigating cases of noncompliance, collecting supervisory information, and
In contrast, the 2023 law establishes the DPB.22 The board is not a regulatory entity and is very different from
the DPA. Compared to the latter, the board has a limited mandate to oversee the prevention of data breaches and
direct remedial action and to conduct inquiries and issue penalties for noncompliance with the law.23 The board
does not have any powers to frame regulations or codes of conduct or to call for information to supervise the
The members of the board will be appointed by the government, and the terms and conditions of their service
will be prescribed in rules made by the government.24 The law states that these terms and conditions cannot be
The law allows the board to impose monetary penalties of up to 250 crore rupees (approximately $30.5
million).25 Appeals from the board’s orders will go to an existing tribunal— the Telecom Disputes Settlement
and Appellate Tribunal (TDSAT). In addition to monetary penalties, the law allows data fiduciaries to provide
voluntary undertakings to the board as a form of settlement of any complaints against them.26 Therefore, the
Finally, the 2023 law contains a novel provision not included or discussed in any previous version. This is
Section 37, which allows the government, based on a reference from the board, to block the public’s access to
any information that enables a data fiduciary to provide goods or services in India. This has to be based on two
criteria: (a) the board has imposed penalties against such data fiduciaries on two or more prior occasions, and (b)
the board has recommended a blockage. The government has to provide the data fiduciary an opportunity to be
This section analyzes the 2023 act from two perspectives. First, it explains the broad structure of the law and
highlights its key features and issues. Second, it contextualizes the law in the background of the different drafts
proposed before this and elaborates upon the deliberations that have led to it.
The 2023 act creates, for the first time, a data privacy law in India. It requires consent to be taken before
personal data is processed and provides a limited number of exceptions that are clearly enumerated in the law. It
provides consumers the right to access, correct, update, and erase their data, in addition to a right to nomination.
It creates additional safeguards for the processing of children’s data. For businesses, it creates purpose
limitations and obligations to provide notice of data collection and processing and mandates security safeguards.
The law requires the creation of grievance redress mechanisms by businesses. The DPB will also handle
complaints and grievances and is empowered to issue penalties for noncompliance with the law.
For the first time, therefore, India has a statutory framework for data protection. The presence of the law will
gradually lead to the development of minimal standards of behavior and compliance among businesses that
collect data. In this regard, the approach of the government toward implementing and enforcing the law will be
the critical variable—for example, whether implementation will be focused on data-heavy businesses or across
However, other than open questions related to implementation, there are some concerns with different
provisions of the law and their potential for undermining the protections seemingly accorded in it.
First, the exceptions carved out for consent empower the state significantly and place state imperatives on a
different pedestal compared to private entities. While this may be truly legitimate in some circumstances, like
disasters or emergencies, the law enlarges the scope of such circumstances. For example, Section 7(b) of the law
enables the government to sidestep consent requirements where a government service beneficiary has previously
consented to receiving any other benefit from the state. While this may allow easier access to personal data of
beneficiaries for receiving government services, it also creates a potential for the government to aggregate
databases. This is because making true use of the potential of this provision would mean that government
agencies would have to be exempted from purpose limitations that require personal data to be deleted after the
Another example of this is the set of exemptions to the state for investigative, prosecutorial, and national
security purposes. In Section 17(1)(c), the law exempts the requirements of notice and consent, among others,
for the purposes of processing for “prevention, detection, investigation or prosecution of any offence or
contravention of any law.”27 While this is understandable, Section 17(2)(a) subsequently provides a blanket
exemption from the whole law to any government agency that the government may notify, in the interests of
sovereignty, security, integrity, public order, and preventing incitement. Given the fact that Section 17(1)(c)
already exists, Section 17(2)(a) only indicates the desire of Parliament to ensure a complete non-application of
Provisions like these create a separate category of activity that is beyond the purview of data privacy
requirements. It is problematic that the Indian state is not subject to many of the constraints that private entities
are, especially in cases where there is no pressing requirement for such an exception.
Second, the discretionary rule-making powers that the government has under the law could, in some cases,
undermine the protections provided in the law. For example, under Section 17(5), the government has the power
to declare that any provisions of this law will not apply to any business or class of businesses within five years
of the commencement of the law. There is no time frame for the operation of this exemption or any guidance on
how this provision is to be used. An optimistic interpretation of this provision would suggest that this could be
used to allow sunrise industries or startups some time to comply with the law. However, provision for this has
already been made in Section 17(3), which provides limited exemptions to startups and other industries the
government may notify. Therefore, Section 17(5) could potentially be used in a manner that defeats the purpose
of the law. It is worth reiterating that the law only limits the government’s power to give these exemptions for
an initial period of five years. It does not provide any limit on how long these exemptions can last for.
Similarly, the government has some unguided rule-making powers for exempting businesses from certain
requirements regarding the processing of children’s data. Sections 9(1) to 9(3) specify certain requirements for
the same—they require parental consent and prohibit profiling, among others. Section 9(4) allows the
government to exempt any business or class of businesses from Sections 9(1) to 9(3) “subject to such
conditions, as may be prescribed.” This provision, again, fails to indicate on what grounds this exemption will
be given, how the conditions are to be determined, and so on. Since there is a lack of sufficient guidance, this
While there are other provisions where the government has powers to prescribe conditions and make substantive
rules, the examples highlighted above provide almost no guidance. This is also problematic when judged against
the tenets of Indian administrative law, which requires that laws should not confer unguided and excessive
discretion on the implementing authority.28 If improperly used, such legal provisions are potentially in violation
the government will create mechanisms for the selection and appointment of its members. While the law sets out
qualifications for members, it does not state how many members shall be on the board and requires only one of
them to be a legal expert. This last provision is a problem since one of the board’s main functions is to issue
In addition, the chairperson of the DPB is empowered to authorize any board member to perform “any of the
functions of the board and conduct any of its proceedings.” It is possible that the chairperson may not authorize
the legal member of the board to conduct the proceedings leading up to the issuance of a penalty. This design
also fails to maintain an internal separation of functions between the members conducting inquiries and the
chairperson. Since the chairperson appoints members to conduct inquiries, they may potentially not discharge
Therefore, while the DPDP Act creates data privacy protections in law for the first time, certain provisions in
the law can effectively undermine its benefits if the government does not act under them in the most scrupulous
manner possible.
UNCITRAL Model Law
The United Nations Commission on International Trade Law (UNCITRAL) facilitates international commerce
through the modernization of trade rules and the harmonization of commercial laws, primarily through the
drafting of treaties, model laws, and explanatory texts. UNCITRAL was established by the General Assembly in
1966 (Resolution 2205(XXI) of 17 December 1966).
These documents are prepared by ad hoc committees of subject specialists known as working groups.
Since its inception, UNCITRAL’s Working Group on Electronic Commerce has produced one treaty, three
Treaty
Model Laws
Explanatory Texts
UNCITRAL’s Working Group on Online Dispute Resolution met from 2010 to 2016. Although it did not
produce any treaties or model laws, the Working Group did publish its Technical Notes on Online Dispute
Resolution.
UNCITRAL has prepared a suite of legislative texts to enable and facilitate the use of electronic means to engage in
commercial activities, which have been adopted in over 100 States.
The most widely enacted text is the UNCITRAL Model Law on Electronic Commerce (1996), which establishes rules for
the equal treatment of electronic and paper-based information, as well as the legal recognition of electronic transactions
and processes, based on the fundamental principles of non-discrimination against the use of electronic means, functional
equivalence and technology neutrality. The UNCITRAL Model Law on Electronic Signatures (2001) provides additional
rules on the use of electronic signatures.
The United Nations Convention on the Use of Electronic Communications in International Contracts (New York, 2005)
builds on pre-existing UNCITRAL texts to offer the first treaty that provides legal certainty for electronic contracting in
international trade.
Most recently, the UNCITRAL Model Law on Electronic Transferable Records (2017) applies the same principles to
enable and facilitate the use in electronic form of transferable documents and instruments, such as bills of lading, bills of
exchange, cheques, promissory notes and warehouse receipts.
In 2019, UNCITRAL approved the publication of Notes on the Main Issues of Cloud Computing Contracts, while
continuing work towards a new instrument on the use and cross border recognition of electronic identity management
services (IdM services) and authentication services (trust services).
Significant work in cooperation with other organizations has also been conducted in the field of legal aspects of single
windows and paperless trade facilitation. The results of joint work with United Nations ESCAP in that field include the
online Readiness Assessment Guide for Cross-Border Paperless Trade.
Recent advances in information and communications technology and the emergence of new technologies in digital trade
pose new legal questions. Accordingly, UNCITRAL continues its efforts to legally enable emerging technologies such as
artificial intelligence, data transactions, digital platforms and digital assets, including in connection with other areas of
work such as dispute resolution, security interests, insolvency and the international transport of goods, as well as, more
generally, digital trade.
Phishing
Company Overview: XYZ Corporation is a global technology company specializing in software development
and IT services.
Incident Overview: In [Month, Year], XYZ Corporation fell victim to a sophisticated phishing attack that
compromised sensitive information and raised concerns about cybersecurity.
Background:
Attack Vector: The attackers utilized email as the primary vector, sending seemingly legitimate messages to
employees.
Social Engineering Tactics: The phishing emails employed tactics such as urgency, fear, and authority to
manipulate employees into divulging confidential information or performing unauthorized actions.
Timeline of Events:
Initial Phishing Emails: Employees began receiving emails appearing to be from internal departments or trusted
external entities, requesting urgent actions or information.
Clicking on Malicious Links: Some employees unknowingly clicked on links within the emails, leading them to
deceptive websites designed to mimic legitimate login portals.
Credentials Compromised: Employees who entered their credentials on these fake portals unwittingly provided
the attackers with access to their accounts.
Detection and Response:
Internal Alerts: The IT security team detected unusual activity, including successful logins from locations
the affected employees had never used and bursts of failed login attempts against the same accounts.
Incident Response: XYZ Corporation promptly initiated an incident response plan, isolating compromised
accounts, resetting passwords and revoking existing sessions and tokens (a password reset alone does not
end a session the attacker already holds), and investigating the extent of the breach.
Impact:
Data Breach: The attackers gained access to sensitive company data, including client information, intellectual
property, and employee credentials.
Financial Loss: XYZ Corporation suffered financial losses due to the costs associated with incident response,
legal actions, and potential damage to the company's reputation.
Mitigation and Remediation:
Employee Training: XYZ Corporation implemented extensive cybersecurity awareness training for all
employees, emphasizing the identification of phishing attempts and the importance of verifying emails.
Enhanced Email Filtering: The company upgraded its email filtering systems to better detect and block phishing
emails before reaching employee inboxes.
Multi-Factor Authentication (MFA): MFA was enforced across all employee accounts, preferring
phishing-resistant methods such as FIDO2 security keys, because one-time codes typed into a fake portal
can be relayed to the real one by the attacker just as passwords are.
Lessons Learned:
Continuous Education: Regular training and awareness programs are essential to keep employees informed
about evolving phishing tactics.
Technology Enhancements: Regularly updating and improving cybersecurity infrastructure is crucial to stay
ahead of sophisticated phishing attacks.
Incident Response Preparedness: Having a robust incident response plan in place can minimize the impact of a
phishing attack and expedite recovery.
Conclusion:
XYZ Corporation's experience with the phishing attack underscored the importance of proactive cybersecurity
measures and continuous employee education. By implementing stronger security protocols and fostering a
culture of vigilance, the company aims to mitigate the risk of future phishing incidents.
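The alerts described under Detection and Response above (logins from unfamiliar locations, bursts of failed logins) can be produced from ordinary authentication logs. The following Python script is an added example written for these notes, not code from XYZ Corporation or any product; the log format, user names, addresses and the per-user baseline of known countries are all constructed assumptions. It adds one rule beyond the case text, impossible travel (two successful logins from different countries within an hour), since the same data supports it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication log lines; the format and the values are
# assumptions for this example, not records from any real system.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice result=OK src=198.51.100.10 geo=IN
2024-03-04T09:40:17Z user=alice result=OK src=203.0.113.7 geo=RU
2024-03-04T10:02:03Z user=bob result=FAIL src=203.0.113.9 geo=BR
2024-03-04T10:02:05Z user=bob result=FAIL src=203.0.113.9 geo=BR
2024-03-04T10:02:08Z user=bob result=FAIL src=203.0.113.9 geo=BR
2024-03-04T10:02:11Z user=bob result=FAIL src=203.0.113.9 geo=BR
2024-03-04T10:02:14Z user=bob result=FAIL src=203.0.113.9 geo=BR
2024-03-04T10:02:20Z user=bob result=OK src=203.0.113.9 geo=BR
2024-03-04T11:15:44Z user=carol result=OK src=198.51.100.22 geo=IN
"""

# Assumed baseline: countries each user has logged in from over the last 90 days.
KNOWN_GEO = {"alice": {"IN"}, "bob": {"IN", "US"}, "carol": {"IN"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, known_geo, fail_threshold=5,
           fail_window=timedelta(minutes=5), travel_window=timedelta(hours=1)):
    """Return a list of (rule, user, detail) alerts in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures in window
    last_success = {}                   # user -> (timestamp, country)
    burst_reported = set()

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts, geo, src = ev["user"], ev["ts"], ev["geo"], ev["src"]

        fails = recent_fails[user]
        while fails and ts - fails[0] > fail_window:   # drop failures outside window
            fails.popleft()

        if ev["result"] == "FAIL":
            fails.append(ts)
            # Rule 1: burst of failed logins (brute force / password guessing)
            if len(fails) >= fail_threshold and user not in burst_reported:
                burst_reported.add(user)
                alerts.append(("failed_login_burst", user,
                               f"{len(fails)} failures within {fail_window} from {src}"))
            continue

        # Rule 2: successful login from a country never seen for this user
        if geo not in known_geo.get(user, set()):
            alerts.append(("unfamiliar_location", user, f"success from {src} ({geo})"))

        # Rule 3: two successes from different countries too close together
        prev = last_success.get(user)
        if prev and prev[1] != geo and ts - prev[0] <= travel_window:
            alerts.append(("impossible_travel", user,
                           f"{prev[1]} then {geo} within {ts - prev[0]}"))

        # Rule 4: success right after a run of failures (a guess finally worked)
        if fails:
            alerts.append(("success_after_failures", user,
                           f"{len(fails)} failures preceded success from {src}"))
            fails.clear()

        last_success[user] = (ts, geo)
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG, KNOWN_GEO):
        print(f"{rule:24} {user:8} {detail}")
```

The thresholds are tuning knobs: five failures in five minutes catches a crude brute force but not a slow password spray spread across many accounts, and the unfamiliar-location and impossible-travel rules need an allow-list for corporate VPN exit points and genuine travel, or they turn into noise that the team learns to ignore.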
Malware
Organization Overview: ABC Bank is a leading financial institution providing a wide range of banking and
financial services.
Incident Overview: In [Month, Year], ABC Bank experienced a significant cybersecurity incident involving the
infiltration of malware, which posed a threat to the security of sensitive customer data and the overall stability of
the bank's systems.
Background:
Attack Vector: The malware entered the bank's network through a malicious attachment in an email that the
bank's email filtering system failed to detect.
Type of Malware: The malware was identified as a sophisticated banking Trojan designed to steal financial
information and gain unauthorized access to banking systems.
Timeline of Events:
Email Attachment: Employees received seemingly legitimate emails with attachments that purported to be
important documents related to banking regulations.
Malicious Payload Execution: Upon opening the attachment, the malware executed, evading initial detection and
exploiting unpatched vulnerabilities in the bank's outdated software to spread.
Data Exfiltration: The malware successfully infiltrated the bank's systems, exfiltrating sensitive customer
information, including login credentials and financial transaction data.
Impact:
Financial Loss: The bank suffered financial losses due to unauthorized transactions initiated by the malware,
impacting both individual customers and the bank's overall assets.
Reputation Damage: The incident led to a loss of trust among customers and stakeholders, impacting the bank's
reputation in the market.
Mitigation and Remediation:
System Patching: ABC Bank immediately implemented software updates and patches to address the
vulnerabilities exploited by the malware.
Enhanced Email Security: The bank upgraded its email filtering system to better detect and block malicious
attachments, reducing the risk of similar incidents in the future.
Customer Communication: ABC Bank proactively communicated with affected customers, providing guidance
on securing their accounts and offering credit monitoring services.
Lessons Learned:
Regular Vulnerability Assessments: Conducting regular vulnerability assessments and promptly applying
patches can significantly reduce the risk of malware infiltration.
Employee Training: Continuous training on recognizing phishing emails and avoiding the opening of suspicious
attachments is crucial to prevent malware infections.
Incident Response Improvement: Regular testing and refinement of incident response plans are necessary to
ensure a swift and effective response to cybersecurity incidents.
Conclusion:
The malware incident at ABC Bank highlighted the persistent and evolving threats faced by financial
institutions. By implementing robust cybersecurity measures, staying vigilant against emerging threats, and
maintaining open communication with customers, the bank aims to fortify its defenses and rebuild trust in the
aftermath of the incident.
Ransomware
Introduction:
Organization Overview: XYZ Healthcare System is a large medical institution that provides a broad range of
healthcare services, including patient care, research, and education.
Incident Overview: In [Month, Year], XYZ Healthcare System fell victim to a devastating ransomware attack,
compromising critical patient data, disrupting operations, and posing a significant threat to the organization's
ability to deliver healthcare services.
Background:
Attack Vector: The ransomware was introduced through a targeted phishing email that tricked an employee into
opening a malicious attachment, which downloaded and ran the ransomware payload.
Type of Ransomware: The attackers employed a sophisticated strain of ransomware that encrypted files across
the healthcare system's network, rendering them inaccessible.
Timeline of Events:
Phishing Email: An employee in the finance department received an email that appeared to be from a trusted
vendor, containing a seemingly innocuous invoice attachment.
Ransomware Execution: Upon opening the attachment, the ransomware was activated, quickly spreading
through the network and encrypting critical patient records, administrative files, and research data.
Ransom Demand: The attackers left a ransom note demanding a substantial sum of cryptocurrency in exchange
for the decryption key required to restore access to the encrypted data.
Detection and Response:
File Encryption Alerts: Unusual patterns of file access and encryption triggered alerts in the healthcare system's
security monitoring systems.
Incident Response: The IT and security teams swiftly isolated affected systems, shut down network connections
to prevent further spread, and engaged law enforcement agencies.
Impact:
Operational Disruption: The ransomware attack disrupted normal hospital operations, leading to delayed patient
care, canceled appointments, and a halt in non-emergency medical procedures.
Data Loss and Privacy Concerns: The encrypted data included sensitive patient information, raising concerns
about potential data loss and privacy breaches.
Mitigation and Remediation:
Data Restoration: The healthcare system opted not to pay the ransom and instead focused on restoring systems
from backup files, which had been regularly updated and stored offline, out of reach of the ransomware.
Enhanced Security Measures: XYZ Healthcare System implemented advanced cybersecurity measures,
including endpoint protection, network segmentation, and regular security audits.
Employee Training: The organization conducted extensive training programs to educate employees on
recognizing and avoiding phishing attempts.
Lessons Learned:
Regular Backup Practices: Regularly backing up critical data and ensuring the availability of offline backups is
essential for swift recovery without succumbing to ransom demands.
Employee Vigilance: Continuous training and awareness programs for employees can help in identifying and
mitigating the risks associated with phishing attacks.
Collaboration with Law Enforcement: Prompt collaboration with law enforcement agencies can aid in tracking
and apprehending the perpetrators.
Conclusion:
The ransomware attack on XYZ Healthcare System underscored the critical need for robust cybersecurity
measures in the healthcare sector. By leveraging the lessons learned from this incident, the organization is
committed to strengthening its defenses, safeguarding patient data, and ensuring the uninterrupted delivery of
healthcare services.
Cyber Extortion
Introduction:
Company Overview: A leading global manufacturing company, referred to as ABC Manufacturing, specializing
in the production of automotive components and industrial machinery.
Incident Overview: In [Month, Year], ABC Manufacturing experienced a cyber extortion attack that involved the
compromise of sensitive intellectual property, disruption of production processes, and a demand for a substantial
ransom.
Background:
Attack Vector: The cybercriminals gained access to ABC Manufacturing's network through a combination of
targeted phishing emails and exploiting vulnerabilities in outdated software.
Type of Cyber Extortion: The attackers ran a double-extortion scheme: ransomware encrypted critical
manufacturing process data, and the attackers also threatened to release the proprietary information they had
copied if the ransom was not paid.
Timeline of Events:
Phishing and Initial Access: Employees across various departments received phishing emails containing
malicious attachments. Once opened, these attachments delivered malware, granting the attackers initial access
to the company's network.
Lateral Movement and Data Encryption: The cybercriminals moved laterally within the network, identifying and
encrypting crucial manufacturing process data, rendering it inaccessible to the company.
Ransom Note and Threats: Following the successful encryption, ABC Manufacturing received a ransom note
demanding a significant sum in cryptocurrency. The note threatened to expose sensitive company information if
the ransom was not paid within a specified timeframe.
Detection and Response:
Abnormal Network Activity: Unusual patterns of data access and encryption triggered alerts in ABC
Manufacturing's security systems.
Incident Response: The company's cybersecurity team, in collaboration with external cybersecurity experts,
isolated affected systems, shut down network connections, and initiated an investigation into the extent of the
breach.
Impact:
Operational Disruption: The ransomware attack resulted in significant disruption to ABC Manufacturing's
production processes, leading to delays in fulfilling client orders and potential financial losses.
Intellectual Property Exposure: The threat of releasing proprietary manufacturing data could have severe
consequences for the company's competitive edge in the market.
Mitigation and Remediation:
Non-Payment Decision: ABC Manufacturing opted not to pay the ransom, prioritizing the restoration of systems
from secure backups.
Enhanced Security Measures: The company implemented advanced endpoint protection, network segmentation,
and regular penetration testing to identify and address vulnerabilities.
Employee Training: ABC Manufacturing conducted comprehensive training sessions for employees,
emphasizing the importance of cybersecurity awareness and the identification of phishing attempts.
Lessons Learned:
Comprehensive Security Audits: Regularly conducting thorough security audits can help identify and patch
vulnerabilities before they are exploited.
Backup and Recovery Planning: Maintaining secure and regularly updated backups ensures a quick recovery
from cyber extortion incidents without succumbing to ransom demands.
Crisis Communication Planning: Preparing for effective communication with stakeholders, including customers
and regulatory bodies, is crucial in managing the fallout from a cyber extortion attack.
Conclusion:
The cyber extortion incident at ABC Manufacturing highlighted the ever-present threat of ransomware and the
importance of proactive cybersecurity measures. By learning from this experience, the company is committed to
fortifying its defenses, safeguarding its intellectual property, and ensuring the resilience of its manufacturing
processes against future cyber threats.
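Both the ransomware case and the cyber extortion case say that "unusual patterns of file access and encryption" triggered alerts. The script below is an added example of what such a rule looks like, written for these notes rather than taken from either organization's monitoring: it scores each process over a sliding window of file events, flags a process that both overwrites many files with high-entropy (ciphertext-like) content and renames them to an unknown extension, and treats any touch of a decoy "canary" file as an immediate alert. The event format, paths, process names and sample bytes are constructed.

```python
import math
from collections import defaultdict

# Constructed file-activity events: (time in seconds, process, operation, path, extra).
# For "write" events extra holds the first bytes written; for "rename" it holds the new
# path. Values are assumptions for this example, not output of any real endpoint sensor.
ZIP_LIKE = bytes(range(256)) * 4                                # compressed data: 8 bits/byte
ENCRYPTED = bytes((i * 37 + 11) % 256 for i in range(1024))     # ciphertext-like: 8 bits/byte
RANSOM_NOTE = b"All your files have been encrypted. Contact us to buy the key."
CANARY_PATHS = {"/srv/patients/~canary_do_not_open.docx"}       # assumed decoy file
KNOWN_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".zip", ".bak"}

SAMPLE_EVENTS = [
    # an office application saving one document (zip container: high entropy, harmless)
    (0, "libreoffice", "write", "/home/fin/invoice.docx", ZIP_LIKE),
    # a backup agent writing many compressed archives: high entropy, but no renames
    *[(2 + i, "backup-agent", "write", f"/backup/daily/part{i}.zip", ZIP_LIKE)
      for i in range(6)],
    # ransomware behaviour: overwrite each record with ciphertext, then rename it
    *[ev for i in range(6) for ev in (
        (10 + 2 * i, "svc_update", "write", f"/srv/patients/p00{i}.pdf", ENCRYPTED),
        (11 + 2 * i, "svc_update", "rename", f"/srv/patients/p00{i}.pdf",
         f"/srv/patients/p00{i}.pdf.locked"),
    )],
    (25, "svc_update", "write", "/srv/patients/README_RESTORE.txt", RANSOM_NOTE),
    (26, "svc_update", "write", "/srv/patients/~canary_do_not_open.docx", ENCRYPTED),
]


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path):
    """Lower-cased extension of the file name, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""


def detect_ransomware_like(events, window=30, min_files=5, entropy_threshold=7.0):
    """Return (rule, process, detail) alerts for processes that behave like file encryptors."""
    alerts = []
    state = defaultdict(lambda: {"hi": [], "ren": []})  # process -> recent (ts, path)
    flagged = set()
    for ts, proc, op, path, extra in sorted(events, key=lambda e: e[0]):
        st = state[proc]
        # Rule A: any touch of a canary (decoy) file is an immediate alert
        if path in CANARY_PATHS or (op == "rename" and extra in CANARY_PATHS):
            alerts.append(("canary_touched", proc, path))
        if op == "write" and shannon_entropy(extra) >= entropy_threshold:
            st["hi"].append((ts, path))
        elif op == "rename":
            old_ext, new_ext = extension(path), extension(extra)
            if new_ext and new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS:
                st["ren"].append((ts, extra))
        # keep only activity inside the sliding window
        for key in ("hi", "ren"):
            st[key] = [(t, p) for t, p in st[key] if ts - t <= window]
        # Rule B: many high-entropy overwrites AND many extension changes together
        if (proc not in flagged and len(st["hi"]) >= min_files
                and len(st["ren"]) >= min_files):
            flagged.add(proc)
            alerts.append(("mass_encrypt_rename", proc,
                           f"{len(st['hi'])} high-entropy writes and "
                           f"{len(st['ren'])} extension changes within {window}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_like(SAMPLE_EVENTS):
        print(alert)
```

Entropy on its own is not a verdict: the backup agent in the sample writes six high-entropy archives and is correctly left alone because it renames nothing, while the encryptor does both. The canary rule is cheap and also catches strains that keep the original extension or write slowly enough to stay under the rate threshold.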
Spyware
Introduction:
Company Overview: XYZ Corporation is a multinational technology company specializing in software
development, cloud services, and data analytics.
Incident Overview: In [Month, Year], XYZ Corporation fell victim to a sophisticated corporate espionage
campaign involving the deployment of spyware. The attack aimed to gain unauthorized access to proprietary
software codes, research data, and confidential business strategies.
Background:
Attack Vector: The spyware was introduced into XYZ Corporation's network through targeted phishing emails
that exploited the trust and curiosity of employees.
Type of Spyware: The attackers utilized a custom-designed spyware variant capable of keylogging, screen
capturing, and exfiltrating sensitive data without raising suspicion.
Timeline of Events:
Phishing Emails: Employees in the research and development department received convincing phishing emails
containing seemingly relevant attachments, such as industry reports and software updates.
Spyware Activation: Once opened, the attachments deployed the spyware across targeted devices, allowing the
attackers to gain persistent access to XYZ Corporation's internal network.
Data Exfiltration: The spyware silently collected information over an extended period, exfiltrating proprietary
software codes, research findings, and business strategies to remote servers controlled by the attackers.
Detection and Response:
Anomalous Network Activity: XYZ Corporation's security systems detected unusual patterns of data access and
exfiltration.
Incident Response: The company's cybersecurity team swiftly initiated an incident response plan, isolating
affected devices, disconnecting compromised systems from the network, and launching an investigation into the
extent of the breach.
Impact:
Intellectual Property Compromise: The theft of proprietary software codes and research data jeopardized XYZ
Corporation's competitive advantage, potentially undermining its market position.
Reputation Damage: The incident led to concerns among clients and stakeholders about the security and
confidentiality of their data stored with XYZ Corporation.
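The malware and spyware cases both end with exfiltration to attacker-controlled servers being noticed as "unusual patterns of data access and exfiltration". As an added example for these notes (not the monitoring of ABC Bank or XYZ Corporation), the script below applies two network-level rules to constructed outbound flow records: a volume rule against a per-host daily baseline, and a beaconing rule that looks for connections to the same destination at near-constant intervals, the pattern an implant produces when it checks in on a timer. Host names, addresses, volumes and the baseline are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed outbound flow records: (time in seconds, host, destination, bytes sent).
# Hosts, addresses and volumes are assumptions for this example, not real traffic.
SAMPLE_FLOWS = [
    # rd-ws-07 checks in with the same external host every 5 minutes (beaconing) ...
    *[(t, "rd-ws-07", "203.0.113.50:443", 1200 + t % 7) for t in range(0, 3600, 300)],
    # ... and then pushes a large archive to it
    (3650, "rd-ws-07", "203.0.113.50:443", 180_000_000),
    # rd-ws-12 browses normally: irregular timing, modest volumes
    (10, "rd-ws-12", "198.51.100.20:443", 8_000),
    (95, "rd-ws-12", "198.51.100.20:443", 12_500),
    (400, "rd-ws-12", "198.51.100.20:443", 3_100),
    (412, "rd-ws-12", "198.51.100.20:443", 9_900),
    (1300, "rd-ws-12", "198.51.100.20:443", 7_300),
    (2900, "rd-ws-12", "198.51.100.20:443", 5_600),
]

# Assumed baseline: median bytes each host sends to a single destination per day.
BASELINE_BYTES = {"rd-ws-07": 25_000_000, "rd-ws-12": 40_000_000}


def detect_exfiltration(flows, baseline, volume_factor=5, min_beacons=6, max_jitter=0.1):
    """Return (rule, host, destination, value) alerts for volume spikes and beaconing."""
    per_pair = defaultdict(list)
    for ts, host, dst, nbytes in sorted(flows):
        per_pair[(host, dst)].append((ts, nbytes))

    alerts = []
    for (host, dst), recs in per_pair.items():
        # Rule 1: bytes to one destination far above this host's daily baseline
        # (a host with no baseline gets 0, so any volume from it is reported)
        total = sum(b for _, b in recs)
        if total > volume_factor * baseline.get(host, 0):
            alerts.append(("volume_anomaly", host, dst, total))
        # Rule 2: connections at near-constant intervals (low jitter) look like C2 beacons
        if len(recs) >= min_beacons:
            intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            mean = statistics.mean(intervals)
            if mean > 0 and statistics.pstdev(intervals) / mean <= max_jitter:
                alerts.append(("beaconing", host, dst, round(mean)))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS, BASELINE_BYTES):
        print(alert)
```

Software updaters and monitoring agents also call home on a timer, so in practice the beaconing rule is paired with destination reputation or an allow-list. The volume rule is computed per destination deliberately: an implant that spreads uploads across many hosts would stay under a host-wide total, but each destination's share is what a baseline built from normal browsing rarely reaches.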
• Cyber Criminals
• Cyber Terrorists
• Cyber Espionage
• Cyber Hacktivist
National Cyber Security Strategy 2020: The Indian Government has come up with the National Cyber Security
Strategy 2020 entailing the provisions to secure cyberspace in India.
Cyber Surakshit Bharat Initiative: MeitY, in collaboration with the National e-Governance Division (NeGD),
came up with this initiative in 2018 to build a cyber-resilient IT set up.
The Indian Computer Emergency Response Team (CERT-In) serves as the national agency
for performing various functions in the area of cyber security in the country as per the
provisions of section 70B of the Information Technology Act, 2000.
CERT-In Functions
In the IT Amendment Act 2008, CERT-In has been designated to perform the following
functions in the area of cyber security –
In April 2022, CERT-In has issued directions relating to information security practices,
procedures, prevention, response and reporting of cyber incidents for a safe and trusted
internet.
The National Cyber Security Policy was first drafted in 2013 in the wake of reports that the US government
was spying on India and that there were no technical or legal safeguards against it.
• Before 2013, India did not have a cybersecurity policy. The need for it was felt during
the NSA spying issue that surfaced in 2013.
• Information empowers people, and there is a need to distinguish between information that can flow
freely between systems and information that needs to be secured, such as personal information,
banking and financial details, and security information which, in the wrong hands, can put the
country’s safety in jeopardy.
• This Policy has been drafted in consultation with all the stakeholders.
• In order to digitise the economy and promote more digital transactions, the
government must be able to generate trust in people in the Information and
Communications Technology systems that govern financial transactions.
• A strong integrated and coherent policy on cybersecurity is also needed to curb the
menace of cyber terrorism.
Coronavirus Pandemic Based Cyber Attack: Microsoft has reported that cyber crooks are using the Covid-19
situation in 2020 to defraud people through phishing and ransomware in India and the world.
WannaCry Ransomware: In May 2017, various computer networks in India were locked down by
ransom-seeking hackers.
Data Theft: In May 2017, the food tech company Zomato faced the theft of information of 17 million users.
Petya (NotPetya) Ransomware: In June 2017, container handling functions at a terminal operated by the Danish
firm AP Moller-Maersk at Mumbai’s Jawaharlal Nehru Port Trust got affected.
Mirai Botnet: In September 2016, Mirai malware launched a DDoS attack on the website of a well-known
security expert.
Africa
South Africa
o Cybercrimes Act 2021 – South Africa (South Africa signed the
Budapest Convention in 2001)
o National Cybersecurity Policy Framework (‘NCPF’)
Tanzania – Cybercrimes Act, 2015
The Americas
Canada
Asia-Pacific
Australia
o Privacy Principles (‘APPs‘) under the Privacy Act 1988 contain
information security obligations.
o Criminal Code Act 1995 Australia
o Cybercrime Act 2001 Australia
Brunei Darussalam has the Computer Misuse Act, 2007
China has two main laws governing cybercrimes:
o the Cybersecurity Law 2016, and
o the Data Security Law of the People’s Republic of China, which came
into effect in September 2021
Europe
Cybercrime is a growing concern to countries at all levels of development and affects both buyers and
sellers.
While 156 countries (80 per cent) have enacted cybercrime legislation and a further 5 per cent have draft
legislation, the pattern varies by region: Europe has the highest adoption rate (91 per cent) and Africa the
lowest (72 per cent).
The evolving cybercrime landscape and resulting skills gaps are a significant challenge for
law enforcement agencies and prosecutors, especially for cross-border enforcement.
INTRODUCTION
Cyberspace has been defined as a global domain within the information
environment consisting of the interdependent network of information
technology infrastructures, including the Internet, telecommunications
networks, computer systems, and embedded processors and controllers.
Cyberterrorism is intended to undermine electronic systems to cause
panic or fear. Cybercrime includes single actors or groups targeting
systems for financial gain or to cause disruption. To control
computers or networks, cyber attackers use viruses, worms, spyware,
Trojans, and ransomware. Viruses attach themselves to host files or
programs and spread when those are run, whereas worms self-replicate
across a network without any user action; both can damage files or
systems. Spyware and Trojans are often used for surreptitious data
collection. Ransomware encrypts the user’s files and demands payment
in return for restoring access. Malicious code often spreads via an
unsolicited email attachment or a legitimate-looking download that
actually carries malware.
After the world wars, the world realised that war is no solution and
that mutual cooperation is the essence of shared progress. Thus, with
peace and global cooperation in mind, the United Nations (UN) was
founded in 1945; it now comprises almost all the countries in the
world. The United Nations serves as a common platform where countries
design frameworks and a time window to achieve agreed goals. It
completed its Millennium Development Goals (MDGs) in 2015 and is now
striving for the Sustainable Development Goals (SDGs) for 2030,
adopted in September 2015, which aspire to end poverty in all its
forms everywhere, end hunger, achieve food security and improved
nutrition, and promote sustainable agriculture, among its 17 defined
goals.
India is committed to achieving the 17 SDGs and the 169 associated targets, which comprehensively cover the social, economic and environmental dimensions of development and focus on ending poverty in all its forms and dimensions.
At the Central Government level, NITI Aayog has been assigned the
role of overseeing the implementation of SDGs in the country. To
spread awareness about the Goals, bring together stakeholders and
build capacities for the realization of SDGs, NITI Aayog has
organized several national and regional level consultations.
India’s ranking
In India, however, two out of three companies spend less than 5% of their IT budget on strengthening their cyber security. The economy is also affected heavily, with monetary losses estimated at up to 20 billion dollars per year.
CYBER LAWS
After the Internet was opened to the public in the early 1990s, it was soon realised that Internet-based systems needed legal protection, notably after the attack on the US bank Citibank, in which millions of dollars were transferred to a hacker who never left his chair. Following this, states began framing norms to ensure cybersecurity in this domain. In India, the laws designed to tackle cybercrime date from the Information Technology Act, 2000, enacted in response to such attacks.
As global trade shifted towards electronic form, a need was felt to give legal recognition to electronic records. Responding to this need, the United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Commerce in 1996. The General Assembly of the United Nations passed a resolution in January 1997 recommending that all member States give favourable consideration to the Model Law, which provides for the recognition of electronic records and accords them the same treatment as paper communications and records.
The main intent of the Information Technology Act, 2000 was to give legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly known as electronic commerce, which involve alternatives to paper-based methods of communication and storage of information, and to facilitate the electronic filing of documents with government agencies.
Legal Applicability:
As per Section 1(4) of the Information Technology Act, 2000, the Act is
not applicable to the following documents:
Cyber crime was addressed by this Act, but there remained a need to address the specific cyber crimes that were emerging along with technological advancement. With growing cybercrime there was a need for a more holistic approach to its changing nature, and therefore the Information Technology (Amendment) Act, 2008 was passed on 23 December 2008.
The amended Act was made technology neutral, and it introduced the following changes:

- A new definition of "cyber cafe", i.e. any facility from where access to the Internet is offered by any person in the ordinary course of business to members of the public. Intermediaries were also defined.
- A new section 10A giving legal validity to contracts concluded electronically.
- A new section 43A to protect sensitive personal data or information possessed, dealt with or handled by a body corporate in a computer resource that it owns, controls or operates. If such a body is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain, it is liable to pay compensation to the affected person.
- New sections 66A to 66F prescribing punishment for offences such as identity theft, cheating by personation and cyber terrorism. (Section 66A was later struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India, 2015.)
- Section 67 amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form from five years to three, while increasing the fine from one lakh to five lakh rupees.
- Section 69 amended to empower the government to issue directions for the interception, monitoring or decryption of any information through any computer resource.
- Section 79, which exempts intermediaries from liability, modified.
- A provision added to section 81 giving the Act overriding effect over other laws.
- Investigation of cyber offences authorised at the level of Inspector (as against Deputy Superintendent of Police earlier).
With the ever-changing dynamics of the cyber ecosystem, further amendments to the Information Technology Act are needed, and with this in mind the Government of India has invited citizens to submit suggestions for the upcoming amendment to the IT Act.
National Cybersecurity Policy, 2013
Following the 2013 NSA surveillance revelations, the need for cyber security was felt in India, and in response the National Cyber Security Policy was formulated in 2013. Information can be classified into two groups: that which can flow freely and that which needs to be guarded. The 2013 policy was formulated keeping both aspects in mind.

With changes in the ICT ecosystem, a need was felt to revise the existing Cyber Security Policy, and the government is therefore in the process of preparing a new cyber security policy, announced for 2020.
SUGGESTION
Considering the benefits and risks associated with the use of Information and Communication Technology, we authors have tried to throw light on a critical assessment and possible recommendations in view of the need for improvement in this so-called fifth domain, "Cybersecurity".
India is one of the few countries to have a dedicated cyber security law, and it ranked 47th in the GCI 2018 index, which shows that India is doing remarkably well on this front. However, NCRB 2017 data shows that cyber crimes in India jumped by 77% in 2017, and many new crime heads such as cyber blackmailing, cyber stalking and dissemination of fake news were introduced. Cybercriminals are ahead of the police in technological advancement, and the investigating officer is generally found lacking in many cases, but projects like the Cyberdome project in Kerala are showing the way by involving public-private partnership in investigating cyber cases.
The Digital Personal Data Protection (DPDP) Act, 2023, whose legislative history goes back to the Personal Data Protection Bill introduced in Parliament in 2019, is a significant measure aimed at safeguarding individuals' privacy rights. Its primary focus is regulating the collection, storage, processing and transfer of personal data in the digital landscape. The 2019 bill underwent 81 amendments after its initial introduction, and the legislation was comprehensively overhauled before reaching its present form.
By prioritizing privacy and security, the DPDP Act strives to create a robust framework that addresses the challenges posed
by data handling in the digital age. Key provisions of the DPDP Act, 2023 are as follows:
Definitions: Although many concepts in the DPDP Act closely resemble those found in the EU's General Data Protection Regulation (GDPR) framework, there are differences in how terminology is used.
a) Data fiduciary: The entity that, either independently or in collaboration with others, determines both the purpose and the means of processing personal data (similar to a data controller under the GDPR). The government can classify any data fiduciary, or a specific group of data fiduciaries, as 'significant data fiduciaries' (SDFs). The criteria for this classification range from the nature of the processing activities (such as the volume and sensitivity of the personal data involved and the potential impact on data principals' rights) to broader societal and national concerns (such as the potential effects on India's sovereignty and integrity, electoral democracy, state security and public order). The designation of SDF comes with heightened compliance obligations, as explained below.
b) Data processor: This is an entity responsible for processing digital personal data on behalf of a data fiduciary.
c) Data principal: These are individuals whose personal data is gathered and processed (equivalent to a data
subject).
d) Consent manager: A person registered with the Data Protection Board, who acts as a single point of contact to
enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent, and
interoperable platform.
Applicability: The DPDP Act applies to digital personal data processed within India, whether collected online or collected offline and later digitised. Additionally, the Act applies to the processing of digital personal data outside India where it is in connection with offering goods or services to individuals within Indian territory.
Age verification mechanisms will be necessary for all companies in India (telcos, banks, e-commerce, etc.) under the new DPDP law, according to reporting from The Economic Times. The compliance requirement is not limited to social media platforms; according to legal experts, age verification is essential to record the verifiable consent required for processing children's data.
Personal data breach: This means any unauthorized processing of personal data or accidental disclosure,
acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the
confidentiality, integrity, or availability of personal data.
Individual consent to use data and data principal rights: Under the new legislation, personal data will be
included and processed only with explicit consent from the individual, unless specific circumstances pertaining to
national security, law, and order require otherwise.
Under data principal rights, individuals also have the right to information, right to correction and erasure, right to
grievance redressal, and right to nominate any other person to exercise these rights in the event of the individual’s
death or incapacity. Currently, there is no specified timeline for the implementation of grievance redressal and data
principal rights.
Additional obligations of SDFs: Depending on the quantity and sensitivity of the data they manage, data fiduciaries designated as SDFs are subject to additional obligations under the DPDP Act. Every significant data fiduciary is required to appoint a Data Protection Officer (DPO) responsible for addressing the inquiries and concerns of data principals, the individuals whose data is collected and processed. Regarding international data transfers, the DPDP Act permits data fiduciaries to transfer personal data for processing to any country or territory outside India; however, the central government can restrict transfers to specific countries or territories by notification. Such restrictions are to be determined after assessing relevant factors and setting the terms and conditions necessary to maintain data protection standards during processing abroad.
Establishment of a Data Protection Board: The Data Protection Board will function as an impartial adjudicatory
body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent
regulator, it will possess the authority to ascertain instances of non-compliance with the Act’s provisions and
impose penalties accordingly. The appointment of the chief executive and board members of the Data Protection
Board will be carried out by the central government, ensuring a fair and transparent selection process. To provide
an avenue for customers to challenge decisions made by the Data Protection Board, the government will establish
an appellate body. This appellate body may be assigned to the Telecom Disputes Settlement and Appellate
Tribunal (TDSAT), which will be responsible for adjudicating disputes related to data protection and hearing
appeals against the decisions made by the Data Protection Board.
Voluntary undertaking: Under this provision, the Data Protection Board has the authority to accept a voluntary
commitment related to compliance with the DPDP Act’s provisions from any data fiduciary at any stage of
complaint proceedings. This voluntary undertaking may entail specific actions to be taken or refrained from by the
concerned party. Furthermore, the terms of the voluntary undertaking can be modified by the Board if necessary.
The voluntary undertaking serves as a legal barrier to proceedings concerning the subject matter of the
commitment, unless the data fiduciary fails to adhere to its terms. In the event of non-compliance, such a breach is
considered a violation of the DPDP Act, and the Board is authorized to impose penalties for this infringement.
Additionally, the Board has the discretion to require the undertaking to be made public.
Alternative dispute resolution: This mechanism allows the parties to a complaint to settle it with the help of a mediator.
Offences and penalties: Data fiduciaries can face penalties of up to INR 2.5 billion for failing to comply with the provisions. The tiers are:
- up to INR 10,000 for breach of the duties of a data principal;
- up to INR 2.5 billion for failing to take reasonable security safeguards to prevent a personal data breach;
- up to INR 2 billion for failure to notify the Data Protection Board and affected data principals of a personal data breach;
- up to INR 2 billion for violation of the additional obligations relating to children's data;
- up to INR 1.5 billion for failure to comply with the additional obligations of a significant data fiduciary;
- up to INR 500 million for breach of any other provision of the DPDP Act, 2023 or the rules made thereunder.
Conflict with existing laws: The provisions of the DPDP Act will be in addition to and not supersede any other
law currently in effect. However, in case of any conflict between a provision of this Act and a provision of any
other law currently in effect, the provision of this Act shall take precedence to the extent of such conflict.
Exemptions: Some or all of the Act's provisions do not apply to processing in the following cases:
- for notified agencies, in the interest of security, sovereignty, public order, etc.;
- for research, archiving or statistical purposes;
- for start-ups or other notified categories of data fiduciaries;
- to enforce legal rights and claims;
- to perform judicial or regulatory functions;
- to prevent, detect, investigate or prosecute offences;
- to process in India the personal data of non-residents under a foreign contract;
- for approved mergers, demergers, etc.;
- to locate defaulters and their financial assets, etc.
How can companies prepare for compliance under the Digital Personal Data Protection Act
By following the below steps, companies can prepare for compliance with India’s DPDP Act and protect personal data in
line with regulatory guidelines.
The Convention and its Explanatory Report was adopted by the Committee of Ministers of the
Council of Europe at its 109th Session on 8 November 2001. It was opened for signature
in Budapest, on 23 November 2001 and it entered into force on 1 July 2004.
As of October 2022, 67 states have ratified the convention, while a further two states
(Ireland and South Africa) have signed the convention but not ratified it.
Since it entered into force, important countries like Brazil and India have declined to adopt the
Convention on the grounds that they did not participate in its drafting. Russia opposes the
Convention, stating that adoption would violate Russian sovereignty, and has usually refused to
cooperate in law enforcement investigations relating to cybercrime. It is the first multilateral
legally binding instrument to regulate cybercrime.[5] Since 2018, India has been reconsidering its
stand on the Convention after a surge in cybercrime, though concerns about sharing data with
foreign agencies remain.[6]
The United Nations is developing an alternative treaty on cybercrime.[8]
Objectives
The Convention is the first international treaty on crimes committed via the Internet and other
computer networks, dealing particularly with infringements of copyright, computer-related
fraud, child pornography, hate crimes, and violations of network security.[9] It also contains a
series of powers and procedures such as the search of computer networks and lawful
interception.
Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the
protection of society against cybercrime, especially by adopting appropriate legislation and
fostering.
The Convention aims principally at:
The Convention was signed by Canada, Japan, the United States, and South Africa on 23
November 2001, in Budapest. As of October 2022, the non–Council of Europe states that have
ratified the treaty are Argentina, Australia, Cabo Verde, Canada, Chile, Colombia, Costa
Rica, Dominican Republic, Ghana, Israel,
Japan, Mauritius, Morocco, Nigeria, Panama, Paraguay, Peru, the Philippines, Senegal, Sri
Lanka, Tonga and the United States.
Although Egypt has not signed the Convention, in 2018 President el-Sisi's government legislated two major computer-crime related laws. Targeting social networking services such as Facebook and Twitter, the legislation criminalizes fake news and terrorism-related content and places accounts with more than 5,000 subscribers or followers under media oversight. The legislation was criticized by Amnesty International; websites that are blocked may appeal to the courts within 7 days of blacklisting.
India too has been reconsidering its position on becoming a member of the Budapest Convention because of the surge in cybercrime, especially after the push for Digital India.
Intellectual property (IP) refers to creations of the mind, such as inventions, literary and artistic
works, designs, symbols, names, and images used in commerce. It is a category of property that
includes intangible creations and the legal rights associated with them. Intellectual property is
protected by law through patents, copyrights, trademarks, and trade secrets, enabling creators or
owners to control the use of their creations or inventions.
Intellectual property is a broad categorical description for the set of intangible assets owned and
legally protected by a company or individual from outside use or implementation without consent.
An intangible asset is a non-physical asset that a company or person owns.
The concept of intellectual property relates to the fact that certain products of human intellect should
be afforded the same protective rights that apply to physical property, which are called tangible
assets. Most developed economies have legal measures in place to protect both forms of property.
KEY TAKEAWAYS
Intellectual property is an umbrella term for a set of intangible assets or assets that are not
physical in nature.
Intellectual property is owned and legally protected by a person or company from outside
use or implementation without consent.
Intellectual property can consist of many types of assets, including trademarks, patents, and
copyrights.
Intellectual property infringement occurs when a third party engages in the unauthorized
use of the asset.
Legal protections for most intellectual property expire after some time; however, for some
(e.g., trademarks), they last forever.
Intellectual Property
Companies are diligent in identifying and protecting intellectual property because it holds such high value in today's increasingly knowledge-based economy. Producing valuable intellectual property also requires heavy investment of brainpower and of skilled labour's time. This translates into heavy investment by organizations and individuals, which others should not be able to exploit without rights.
Extracting value from intellectual property and preventing others from deriving value from it is an
important responsibility for any company. Intellectual property can take many forms. Although it's
an intangible asset, intellectual property can be far more valuable than a company's physical assets.
Intellectual property can represent a competitive advantage and as a result, is fiercely guarded and
protected by the companies that own the property.
Patents
A patent is a property right granted to an inventor, typically by a government agency such as the U.S. Patent and Trademark Office. The patent gives the inventor exclusive rights to the invention, which could be a design, a process, an improvement, or a physical invention such as a machine. Technology and software companies often hold patents for their designs. For example, the patent for the personal computer was filed in 1980 by Steve Jobs and three colleagues at Apple Inc.
Copyrights
Copyrights provide authors and creators of original material the exclusive right to use, copy, or
duplicate their material. Authors of books have their works copyrighted as do musical artists. A
copyright also states that the original creators can grant anyone authorization through a licensing
agreement to use the work.
Trademarks
A trademark is a symbol, phrase, or insignia that is recognizable and represents a product that legally
separates it from other products. A trademark is exclusively assigned to a company, meaning the
company owns the trademark so that no others may use or copy it. A trademark is often associated
with a company's brand. For example, the logo and brand name of "Coca-Cola," is owned by the Coca-
Cola Company.
Franchises
A franchise is a license that a company (the franchisor) grants to another party (the franchisee) to use its name, branding and proprietary know-how. The franchisee is typically a small business owner or entrepreneur who operates the store or franchise. The license allows the franchisee to sell a product or provide a service under the company's name. In return, the franchisor is paid a start-up fee and ongoing licensing fees by the franchisee. Examples of companies that use the franchise business model include United Parcel Service (UPS) and McDonald's Corporation (MCD).
Trade Secrets
A trade secret is a company's process or practice that is not public information, which provides an
economic benefit or advantage to the company or holder of the trade secret. Trade secrets must be
actively protected by the company and are typically the result of a company's research and
development (which is why some employers require the signing of non-disclosure agreements, or
NDAs).
Examples of trade secrets could be a design, pattern, recipe, formula, or proprietary process. Trade
secrets are used to create a business model that differentiates the company's offerings to its customers
by providing a competitive advantage.
Digital Assets
Digital assets are also increasingly recognized as IP. These would include proprietary software code
or algorithms, and online digital content.
Type of IP
Attached to intellectual property are certain rights, known as Intellectual Property Rights (IPR), that
cannot be infringed upon by those without authorization to use them.
IPRs give owners the ability to bar others from recreating, mimicking, and exploiting their work.
Patent infringement occurs when a legally protected patent is used by another person or company without permission. In the United States, patents filed before June 8, 1995 are valid for 17 years from the date of grant, whereas patents filed after this date are valid for 20 years from the filing date. After the expiration date, the invention passes into the public domain and anyone may use it.
Copyright violations occur when an unauthorized party recreates all or a portion of an original work,
such as a work of art, music, or a novel. The duplicated content need not be an exact replica of the
original to qualify as an infringement.
Similarly, trademark infringement occurs when an unauthorized party uses a licensed trademark or a
mark resembling the licensed trademark. For example, a competitor might use a mark similar to its
rival's to disrupt business and attract their customer base. Also, businesses in unrelated industries
may use identical or similar marks in an effort to capitalize on other companies' strong brand images.
Trade secrets are often protected by non-disclosure agreements (NDAs). When a party to such an agreement discloses all or part of a trade secret to unauthorized parties, they have violated the agreement and infringed upon the trade secret. It is also possible to be liable for trade secret misappropriation when no NDA is in place.
INTRODUCTION
In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act,
2023.1 The new law is the first cross-sectoral law on personal data protection in India and has been enacted after
more than half a decade of deliberations.2 The key question this paper discusses is whether this seemingly
interminable period of deliberations resulted in a “good” law—whether the law protects personal data
adequately, and in addition, whether it properly balances, as the preamble to the law states, “the right of
individuals to protect their personal data” on one hand and “the need to process such personal data for lawful
Details the key features of the law and compares it to earlier versions, especially the previous official bill
introduced by the government in Parliament in 2019.3 The second part of the paper then examines the DPDP Act
from two perspectives. First, it highlights certain potentially problematic features of this law to understand its
consequences for consumers and businesses as well as the Indian state. Second, it places the act in context of the
developments and deliberations that have taken place over the last five years or so. The third part speculates on
the key factors that will influence the development of data protection regulation in India in the next few years.
The 2023 act is the second version of the bill introduced in Parliament, and fourth overall. An initial version was
prepared by a committee of experts and circulated for public feedback in 2018.4 This was followed by the
government’s version of the bill that was introduced in Parliament in 2019—the Personal Data Protection Bill,
2019. This version was studied by a parliamentary committee that published its report in December 2021. 5 The
government, however, withdrew this bill, and in November 2022, published a fresh draft for public
consultations—the draft Digital Personal Data Protection Bill, 2022. 6 This draft was quite different compared to
the previous versions. The 2023 law is based, in significant part, on this draft. However, it has some new
provisions that are consequential for the questions this paper seeks to answer.
These four drafts were preceded by a landmark 2017 judgment by India’s Supreme Court in Justice K.S.
Puttaswamy and Anr. v. Union of India and Ors.7 The judgment declared that the right to privacy is part of the
fundamental right to life in India and that the right to informational privacy is part of this right. The judgment,
however, did not describe the specific contours of the right to informational privacy, and it also did not lay down
Following this, the first government version of the law, the Personal Data Protection Bill, 2019, was introduced
in Parliament in December 2019. This version was expansive in scope and proposed cross-sectoral, economy-
wide data protection regulation to be overseen by an all-powerful data protection regulator—the Data Protection
Authority (DPA). The 2019 bill provided for a preventive framework.8 It imposed a number of obligations on
entities collecting personal data—to provide notice and take consent from individuals, to store accurate data in a
secure manner, and to use it only for purposes listed in the notice. Businesses were also required to delete data
once the purpose was satisfied and to provide consumers rights to access, erase, and port their data. Businesses
were required to maintain security safeguards and transparency requirements, implement “privacy by design”
requirements, and create grievance redress systems. Finally, this bill introduced an entity known as “consent
managers,” who were intermediaries for collecting and providing consent to businesses on behalf of
individuals.9
The bill grouped personal data into different categories and required elevated levels of protection for “sensitive”
and “critical” personal data. Certain businesses were also to be categorized as “significant data fiduciaries,” and
additional obligations were proposed for them—registration in India, data audits, and data impact assessments.
In addition, the bill imposed localization restrictions on the cross-border flow of certain categories of data. The DPA was empowered to impose penalties on businesses for violating these requirements. The bill also proposed
The 2019 bill exempted certain entities and businesses from notice and consent requirements under certain
circumstances—for lawful state functions, medical and health services during emergencies or epidemics,
breakdown of public order, employment-related data processing, the prevention and detection of unlawful
The 2019 bill also had a provision to empower the government to regulate nonpersonal data. It allowed the
government to require private entities to hand over specific nonpersonal data that the government asked for as
per conditions it prescribed. In short, the 2019 bill proposed a comprehensive, cross-sectoral framework based
on preventive requirements for businesses (defined as “data fiduciaries”) and rights for individuals or consumers
(“data principals”).
This regulatory structure was based mostly on the 2018 draft bill proposed by the Srikrishna Committee—the
committee, chaired by Justice B.N. Srikrishna, a retired Supreme Court judge, was set up by the Ministry of
Electronics & Information Technology in July 2017 to help frame data protection norms. The recommendations
of this committee, in turn, were based on major regulatory developments that were popular while the work of
the committee was proceeding. Primary among these was the European Union’s (EU’s) General Data Protection
Regulation (GDPR).10 While the general preventive framework of the 2019 bill was welcome, its expansive
scope was problematic. It created a number of significant compliance requirements that would have affected
both big and small firms in the economy. It also proposed the creation of a DPA that had significant regulation-
making and supervisory powers. These regulations would have further detailed the already significant
compliance requirements in the bill. The novelty of the law and the lack of prior experience in implementing a
data protection law of this nature would have created serious risks of overregulation or under-regulation. 11
The DPDP Act is based on the draft proposed by the government in November 2022, which adopted a radically
different approach to data protection regulation.12 The next section details the key provisions of the act.
Compared to the 2019 version of the bill, the DPDP Act, 2023 is more modest—it has reduced obligations for
businesses and protections for consumers. On the one hand, the regulatory structure is simpler, but on the other,
it vests the central government with unguided discretionary powers in some cases.
Applicability to Non-residents
The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents. Interestingly, it
also applies to non-citizens living in India whose data processing “in connection with any activity related to
offering of goods or services” happens outside India.13 This has implications for, say, a U.S. citizen residing in
India being provided digital goods or services within India by a provider based outside India.
The 2023 act allows personal data to be processed for any lawful purpose.14 The entity processing data can do so
either by taking the concerned individual’s consent or for “legitimate uses,” a term that has been explained in
the law.
Consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and
for a specific purpose. The data collected has to be limited to that necessary for the specified purpose. A clear
notice containing these details has to be provided to consumers, including the rights of the concerned individual
and the grievance redress mechanism. Individuals have the right to withdraw consent if consent is the ground on
specified purpose; (b) the provisioning of any subsidy, benefit, service, license, certificate, or permit by any
agency or department of the Indian state, if the individual has previously consented to receiving any other such
service from the state (this is a potential issue since it enables different government agencies providing these
services to access personal data stored with other agencies of the government);15 (c) sovereignty or security; (d)
fulfilling a legal obligation to disclose information to the state; (e) compliance with judgments, decrees, or
orders; (f) medical emergency or threat to life or epidemics or threat to public health; and (g) disaster or
The DPDP Act also creates rights and obligations for individuals.17 These include the right to get a summary of
all the collected data and to know the identities of all other data fiduciaries and data processors with whom the
personal data has been shared, along with a description of the data shared. Individuals also have the right to
correction, completion, updating, and erasure of their data. Besides, they have a right to obtain redress for their
grievances and a right to nominate persons who will receive their data.
Entities responsible for collecting, storing, and processing digital personal data are defined as data fiduciaries
and have defined obligations. These include: (a) maintaining security safeguards; (b) ensuring completeness,
accuracy, and consistency of personal data; (c) intimation of data breach in a prescribed manner to the Data
Protection Board of India (DPB); (d) data erasure on consent withdrawal or on the expiry of the specified
purpose; (e) the data fiduciary having to appoint a data protection officer and set up grievance redress
mechanisms; and (f) the consent of the parent/guardian being mandatory in the case of children/minors (those
under eighteen years of age). The DPDP Act also states that any processing that is likely to have a detrimental
effect on a child is not permitted. The law prohibits tracking, behavioral monitoring, and targeted advertising
directed at children.18 The government can prescribe exemptions from these requirements for specified purposes.
This is potentially a problem since the powers to exempt are broad and without any guidelines.
While the 2023 act retains the broad categories of obligations for the most part, the key difference from the 2019
bill is the absence of the scope for the regulator, the DPA, to make detailed regulations on these obligations. In
addition, the substantive requirements under each of these categories have been reduced.
There is an additional category of data fiduciaries known as significant data fiduciaries (SDFs). The government
will designate data fiduciaries as SDFs based on certain criteria—volume and sensitivity of data and risks to
data protection rights, sovereignty and integrity, electoral democracy, security, and public order.19
SDFs will have additional obligations that include: (a) appointing a data protection officer based in India who
will be answerable to the board of directors or the governing body of the SDF and will also serve as the point of
contact for grievance redressal; and (b) conducting data protection impact assessments and audits and taking
other measures as prescribed by the government. The 2019 bill required that SDFs register in India. This
The 2023 law reverses course on the issue of data localization. While the 2019 bill restricted certain data flows,
the 2023 law only states that the government may restrict flows to certain countries by notification. While this is
not explicit, the power to restrict data flows seems to be to provide the government necessary legal powers for
national security purposes. The law also states that this will not impact measures taken by sector-specific
agencies that have or may impose localization requirements. For example, the Reserve Bank of India’s
The law provides exemptions from consent and notice requirements as well as most obligations of data
fiduciaries and related requirements in certain cases: (a) where processing is necessary for enforcing any legal
right or claim; (b) personal data has to be processed by courts or tribunals, or for the prevention, detection,
investigation, or prosecution of any offenses; (c) where the personal data of non-Indian residents is being
In addition, the law exempts certain purposes and entities completely from its purview.21 These include:
1. Processing in the interests of the sovereignty and integrity of India, security of the state, friendly
relations with foreign states, maintenance of public order, or preventing incitement to any
cognizable offense. This will allow investigative and security agencies to remain outside the
2. Data processing necessary for research, archiving, or statistical purposes if the personal data is not to
3. The government can exempt certain classes of data fiduciaries, including startups, from some
4. One problematic provision allows the government to, “before expiry of five years from the date of
commencement of this Act,” declare that any provision of this law shall not apply to such data
fiduciary or classes of data fiduciaries for such period as may be specified in the notification. This is
a significant and wide discretionary power and is not circumscribed by any guidance on the basis for
such exemption, the categories that may be exempted, and the time period for which such
The 2023 law completely changes the proposed regulatory institutional design. The 2019 bill proposed an
independent regulatory agency. The DPA was proposed on the lines of similar government agencies in many
EU countries that function independently of government and implement the GDPR. The proposed Indian DPA
was arguably more powerful since it was proposed to have much more extensive regulation-making powers than
DPAs under the GDPR. In addition to framing regulations, the DPA would have been responsible for framing
codes of conduct for businesses, investigating cases of noncompliance, collecting supervisory information, and
In contrast, the 2023 law establishes the DPB.22 The board is not a regulatory entity and is very different from
the DPA. Compared to the latter, the board has a limited mandate to oversee the prevention of data breaches and
direct remedial action and to conduct inquiries and issue penalties for noncompliance with the law.23 The board
does not have any powers to frame regulations or codes of conduct or to call for information to supervise the
The members of the board will be appointed by the government, and the terms and conditions of their service
will be prescribed in rules made by the government.24 The law states that these terms and conditions cannot be
The law allows the board to impose monetary penalties of up to 250 crore rupees (approximately $30.5
million).25 Appeals from the board’s orders will go to an existing tribunal—the Telecom Disputes Settlement
and Appellate Tribunal (TDSAT). In addition to monetary penalties, the bill allows data fiduciaries to provide
voluntary undertakings to the board as a form of settlement of any complaints against them.26 Therefore, the
Finally, the 2023 law contains a novel provision not included or discussed in any previous version. This is
Section 37, which allows the government, based on a reference from the board, to block the public’s access to
any information that enables a data fiduciary to provide goods or services in India. This has to be based on two
criteria: (a) the board has imposed penalties against such data fiduciaries on two or more prior occasions, and (b)
the board has recommended a blockage. The government has to provide the data fiduciary an opportunity to be
This section analyzes the 2023 act from two perspectives. First, it explains the broad structure of the law and
highlights its key features and issues. Second, it contextualizes the law in the background of the different drafts
proposed before this and elaborates upon the deliberations that have led to it.
The 2023 act creates, for the first time, a data privacy law in India. It requires consent to be taken before
personal data is processed and provides a limited number of exceptions that are clearly enumerated in the law. It
provides consumers the right to access, correct, update, and erase their data, in addition to a right to nomination.
It creates additional safeguards for the processing of children’s data. For businesses, it creates purpose
limitations and obligations to provide notice of data collection and processing and mandates security safeguards.
The law requires the creation of grievance redress mechanisms by businesses. The DPB will also handle
complaints and grievances and is empowered to issue penalties for noncompliance with the law.
For the first time, therefore, India has a statutory framework for data protection. The presence of the law will
gradually lead to the development of minimal standards of behavior and compliance among businesses that
collect data. In this regard, the approach of the government toward implementing and enforcing the law will be
the critical variable—for example, whether implementation will be focused on data-heavy businesses or across
However, other than open questions related to implementation, there are some concerns with different
provisions of the law and their potential for undermining the protections seemingly accorded in it.
First, the exceptions carved out for consent empower the state significantly and place state imperatives on a
different pedestal compared to private entities. While this may be truly legitimate in some circumstances, like
disasters or emergencies, the law enlarges the scope of such circumstances. For example, Section 7(b) of the law
enables the government to sidestep consent requirements where a government service beneficiary has previously
consented to receiving any other benefit from the state. While this may allow easier access to personal data of
beneficiaries for receiving government services, it also creates a potential for the government to aggregate
databases. This is because making true use of the potential of this provision would mean that government
agencies would have to be exempted from purpose limitations that require personal data to be deleted after the
Another example of this is the set of exemptions to the state for investigative, prosecutorial, and national
security purposes. In Section 17(1)(c), the law exempts the requirements of notice and consent, among others,
for the purposes of processing for “prevention, detection, investigation or prosecution of any offence or
contravention of any law.”27 While this is understandable, Section 17(2)(a) subsequently provides a blanket
exemption from the whole law to any government agency that the government may notify, in the interests of
sovereignty, security, integrity, public order, and preventing incitement. Given the fact that Section 17(1)(c)
already exists, Section 17(2)(a) only indicates the desire of Parliament to ensure a complete non-application of
Provisions like these create a separate category of activity that is beyond the purview of data privacy
requirements. It is problematic that the Indian state is not subject to many of the constraints that private entities
are, especially in cases where there is no pressing requirement for such an exception.
Second, the discretionary rule-making powers that the government has under the law could, in some cases,
undermine the protections provided in the law. For example, under Section 17(5), the government has the power
to declare that any provisions of this law will not apply to any business or class of businesses within five years
of the commencement of the law. There is no time frame for the operation of this exemption or any guidance on
how this provision is to be used. An optimistic interpretation of this provision would suggest that this could be
used to allow sunrise industries or startups some time to comply with the law. However, provision for this has
already been made in Section 17(3), which provides limited exemptions to startups and other industries the
government may notify. Therefore, Section 17(5) could potentially be used in a manner that defeats the purpose
of the law. It is worth reiterating that the law only limits the government’s power to give these exemptions for
an initial period of five years. It does not provide any limit on how long these exemptions can last for.
Similarly, the government has some unguided rule-making powers for exempting businesses from certain
requirements regarding the processing of children’s data. Sections 9(1) to 9(3) specify certain requirements for
the same—they require parental consent and prohibit profiling, among others. Section 9(4) allows the
government to exempt any business or class of businesses from Sections 9(1) to 9(3) “subject to such
conditions, as may be prescribed.” This provision, again, fails to indicate on what grounds this exemption will
be given, how the conditions are to be determined, and so on. Since there is a lack of sufficient guidance, this
While there are other provisions where the government has powers to prescribe conditions and make substantive
rules, the examples highlighted above provide almost no guidance. This is also problematic when judged against
the tenets of Indian administrative law, which requires that laws should not confer unguided and excessive
discretion on the implementing authority.28 If improperly used, such legal provisions are potentially in violation
the government will create mechanisms for the selection and appointment of its members. While the law sets out
qualifications for members, it does not state how many members shall be on the board and requires only one of
them to be a legal expert. This last provision is a problem since one of the board’s main functions is to issue
In addition, the chairperson of the DPB is empowered to authorize any board member to perform “any of the
functions of the board and conduct any of its proceedings.” It is possible that the chairperson may not authorize
the legal member of the board to conduct the proceedings leading up to the issuance of a penalty. This design
also fails to maintain an internal separation of functions between the members conducting inquiries and the
chairperson. Since the chairperson appoints members to conduct inquiries, they may potentially not discharge
Therefore, while the DPDP Act creates data privacy protections in law for the first time, certain provisions in
the law can effectively undermine its benefits if the government does not act under them in the most scrupulous
manner possible.
UNCITRAL Model Law
The United Nations Commission on International Trade Law (UNCITRAL) facilitates international commerce
through the modernization of trade rules and the harmonization of commercial laws, primarily through the
drafting of treaties, model laws, and explanatory texts. The United Nations Commission on International Trade Law (UNCITRAL) was established by the General Assembly in 1966 (Resolution 2205(XXI) of 17 December 1966).
These documents are prepared by ad hoc committees of subject specialists known as working groups.
Since its inception, UNCITRAL’s Working Group on Electronic Commerce has produced one treaty, three
Treaty
Model Laws
Explanatory Texts
UNCITRAL’s Working Group on Online Dispute Resolution met from 2010 to 2016. Although it did not
produce any treaties or model laws, the Working Group did publish its Technical Notes on Online Dispute
Resolution.
UNCITRAL has prepared a suite of legislative texts to enable and facilitate the use of electronic means to engage in
commercial activities, which have been adopted in over 100 States.
The most widely enacted text is the UNCITRAL Model Law on Electronic Commerce (1996), which establishes rules for
the equal treatment of electronic and paper-based information, as well as the legal recognition of electronic transactions
and processes, based on the fundamental principles of non-discrimination against the use of electronic means, functional
equivalence and technology neutrality. The UNCITRAL Model Law on Electronic Signatures (2001) provides additional
rules on the use of electronic signatures.
The United Nations Convention on the Use of Electronic Communications in International Contracts (New York, 2005)
builds on pre-existing UNCITRAL texts to offer the first treaty that provides legal certainty for electronic contracting in
international trade.
Most recently, the UNCITRAL Model Law on Electronic Transferable Records (2017) applies the same principles to
enable and facilitate the use in electronic form of transferable documents and instruments, such as bills of lading, bills of
exchange, cheques, promissory notes and warehouse receipts.
In 2019, UNCITRAL approved the publication of Notes on the Main Issues of Cloud Computing Contracts, while
continuing work towards a new instrument on the use and cross border recognition of electronic identity management
services (IdM services) and authentication services (trust services).
Significant work in cooperation with other organizations has also been conducted in the field of legal aspects of single
windows and paperless trade facilitation. The results of joint work with United Nations ESCAP in that field include the
online Readiness Assessment Guide for Cross-Border Paperless Trade.
Recent advances in information and communications technology and the emergence of new technologies in digital trade
pose new legal questions. Accordingly, UNCITRAL continues its efforts to legally enable emerging technologies such as
artificial intelligence, data transactions, digital platforms and digital assets, including in connection with other areas of
work such as dispute resolution, security interests, insolvency and the international transport of goods, as well as, more
generally, digital trade.