Privacy, Cyber Security And Data Protection Issues For Smart Cities In India

Praveen-DalalWhenever we think about smart cities the picture of an information and communication technology (ICT) driven infrastructure comes to our mind. Any smart city essentially relies upon a mixture smart grids, Internet of Things (IoT), big data, cloud computing, regulatory framework, etc. While the technology infrastructure helps in automatic and instantaneous dealing between various smart elements of a smart city yet the regulatory framework ensures that everything happens as per the desired code of conduct. Deviances and irregularities are taken care of by laws specifically drafted for smart cities. However, civil liberties and cyber security aspects of smart cities are most important to inculcate a culture of trust and compliance among various smart cities stakeholders. Technology should not be used in such a manner that it becomes an instrument of e-surveillance and digital panopticon.

Managing law and order situation in a smart city is really tricky. By its very nature a smart city relies too much upon intrusive and disruptive technologies. For instance, CCTV cameras, geo location tracking, wi-fi driven services, cloud computing adoption, digital nature of services, etc acquire and store too much data, information and details of individuals and companies.  Sometimes this happens in an automatic manner and without any human intervention or involvement. While this happens at a grand and large scale yet privacy, data protection and cyber security issues are given very low priority. This in turn gives rise to a new genre of cyber criminals most of whom are located well beyond the reach and physical boundaries of a country like India.

Indian Government has enacted the Information Technology Act, 2000 (IT Act 2000) but it lacks precision, effectiveness and relevance for meeting the needs of contemporary times. Indian Government is already in the process of bringing suitable amendments in the IT Act, 2000 and we at Perry4Law Organisation (P4LO) welcome this move of Indian Government. Similarly, we also welcome the appointment of Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India. This would certainly help in establishing a robust and resilient Cyber Security Infrastructure of India as Dr. Gulshan Rai is well known for his cyber security capabilities and expertise. We are sure he would be instrumental in formulation of techno legal Critical Infrastructure Protection Policy of India (Pdf), Cyber Warfare Policy of India (Pdf), Encryption Policy of India (Pdf), etc. All of these policies and many more techno legal policies are essential for successful establishment and management of smart cities in India.

IoT Privacy, Data Protection and Cyber Security issues in India are still evolving. As far as Privacy is concerned, we have no dedicated Privacy Law in India. From the attitude of Indian Government it is clear that it is not at all interested in ensuring Privacy Rights of Indian Citizens. This is more so regarding smart cities which are totally “Police State” in the absence of adequate Privacy safeguards. While denying Privacy Rights to Indian Citizens before the Supreme Court of India, the Central Government argued that Privacy is not a “Fundamental Right” under the Indian Constitution. The Supreme Court was more than happy to accept this line of argument and this has unnecessary prevented codification of Privacy Rights in India. The Supreme Court was required to reject this argument at the very beginning but it seems the Supreme Court did not have the nerve to do so. The net result is that we have no Privacy Rights protection under the Indian Constitution as per the viewpoint of Indian Government. Obviously, Indian Government cannot assure Indian Citizens and International community that it “Respects and Protects” Privacy Rights in India and Indian Citizens and their data remain vulnerable to all sorts of misuses and violations. Those looking for Privacy protection under the smart cities projects are heading towards a big shock.

As far as data protection is concerned, again there is no dedicated law for data protection in India. This means that data of various stakeholders are at the mercy of those holding the same. In the absence of a data protection law in India, there is no deterrence against data theft and data violation activities. In many cases, data of Indian Citizens is found on servers located in foreign jurisdictions. The problem is more complicated in cases of use of cloud computing where the data centers are located in foreign jurisdictions. Indian Government’s love for cloud computing without adequate Privacy and data protection is going to create a big nightmare for it very soon.

However, the biggest hurdle before the smart cities is lack of adequate cyber security laws and cyber security capabilities in India. Just like Privacy and data protection, we have no dedicated cyber security laws in India. Even the outdated and defunct Cyber Security Policy of India 2013 has failed to protect Privacy Rights in India. The Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) has already recommended formulation of the Cyber Security Policy of India 2016 that has not been formulated by Indian Government so far. India is not at all capable of dealing with International Legal Issues of Cyber Security as on date and it would require a herculean task to develop the same within next decade. When India cannot protect the basic infrastructures and computers located in India, it would be very difficult for it to protect smart cities and critical ICT infrastructures supporting these smart cities. Even the Digital India project of India Government is suffering from inadequate cyber security and missing civil liberties protection.

The real position regarding Smart Cities and Digital India is that we have no Privacy Rights, Data Protection and Cyber Security in India that can support Smart Cities or Digital India. This is the ground reality no matter how much publicity and social media engineering we do to give a positive image for the same. Perry4Law Organisation (P4LO) strongly recommends that Indian Government must ensure a Techno Legal Framework that can safeguard the interests of various stakeholders involved in smart cities and Digital India projects. Implementing smart cities and Digital India projects without Privacy Rights, Data Protection and Cyber Security is certainly a recipe for disaster that Indian Government must avoid at all costs.

Posted in Uncategorized | Comments Off on Privacy, Cyber Security And Data Protection Issues For Smart Cities In India

Privacy, Data Protection And Cyber Security Issues Of Internet Of Things (IoT) In India

Praveen-DalalInternet of Things (IoT) can make our lives much comfortable and easier. The mere fact that many of our daily lives activities can be performed in an automatic and instantaneous manner is itself sufficient to adopt IoT by most of us. However, there are some who may like to think beyond the factors of ease, automation and convenience. Some of us may give more priority to issues like civil liberties, data protection and cyber security arising out of the use of IoT by us. If we ignore these requirements we would be creating more troubles for us than solutions in the long run. This is the reason why we at Perry4Law Organisation (P4LO) have launched a dedicated Techno Legal Centre of Excellence (CoE) for Internet of Things (IoT) in India. The CoE would cover techno legal issues pertaining to IoT so that we can derive the best out of IoT infrastructure of India.

Making of policies is one thing but their actual implementation is an altogether different story. As far as India is concerned, we do not have even basic level policies and regulatory frameworks regarding IoT, smart cities, smart grids, critical infrastructure protection, civil liberties safeguards, etc. Even the cyber law of India has become outdated and an unnecessary mixture of self contradictory provisions. We are also at the loss of having a Judiciary and Parliament that do not understand technology related issues at all. Recently the Supreme Court of India has killed the cyber law due diligence and Internet intermediary liability law of India by pronouncing a decision that was not at all called for. If this was not enough the Indian Government failed to bring suitable amendments in the Information Technology Act, 2000. Perry4Law Organisation (P4LO) even provided its suggestions in this regard but till the month of July 2016 there is no sign of any such amendment on the part of Indian Government.

Another peculiar feature about Indian Government, whether Congress or BJP, is that they are not at all interested in ensuring civil liberties protection in cyberspace. On the contrary, Indian Government has further increased its e-surveillance activities to such an extent that India can safely be considered to be a Totalitarian Police State. For instance, surveillance and censorship under Digital India and Aadhaar projects of Indian Government has increased to the levels of being illegal and Unconstitutional. Indian Government has been clubbing Aadhaar with Digital India and other projects even against the express prohibitory orders of Supreme Court of India. Unfortunately, the only intention of Indian Government seems to be to exercise absolute “Social Control” over Indian population through the means of a “Digital Panopticon”.  In these circumstances, wide scale use of smart cities and IoT in India would only help the Indian Police State that is already violating Human Rights and Fundamental Rights of Indian Citizens through Unconstitutional projects like Aadhaar. This is the reason why Indian citizens must insist upon dedicated laws for Privacy, Data Protection and Cyber Security before adopting IoT in their daily lives.

Indian Citizens would never know how smart cities, Digital India, IoT and Aadhaar may hit them to the detriment of their statutory and Constitutional rights. Obviously, Indian Government is all interested in keeping them in dark and maintaining the status quo of missing privacy, data protection and cyber security laws in India. Every year promises are made and committees are set up but nothing concrete happens in these directions. Perry4Law Organisation (P4LO) has been pursuing these issues for the last five years but successive Indian Governments have failed to take any concrete action in this regard.

Too much reliance upon smart cities and IoT in India in these circumstances would only be counterproductive. For instance, cyber criminals and crackers have already started misusing CCTV cameras and IoT devices. The Lizard Squad group has been using compromised IoT devices, including CCTVs, to launch DDOS attacks against websites and take them down. This is in addition to misusing the compromised IoT devices themselves. This scenario can be as dangerous as the imagination of a cracker and cyber criminal can go. Critical infrastructures depending upon SCADA and IoT are at a greater risk. A driver less car can be hacked and accident can be caused. Similarly, a life saving device at a hospital can be tampered with remotely by cyber criminals and this may even result in death of the patient. Traffic lights and power grids can be compromised and sabotaged by cyber criminals creating chaos and damage.

Contemporary malware are beyond the reach of security products and services and they cannot be detected for long. Recently, it has been revealed that a previously disclosed serious vulnerability in D-Link IoT devices including baby monitors could affect more than 120 products around the world. India has not prescribed any rules or regulatory framework for IoT devices, the video streaming conducted by them, encryption related issues of IoT, cyber security of IoT, privacy , data security and data protection requirements for IoT, etc. In short, IoT usage in India is as blind as it can be with no accountability for the IoT vendors, products and service providers. White labeling services provided for IoT related services have their own set of problems and legal issues in the absence of any regulatory framework.

The objective of this article is not to discourage adoption and use of IoT in India. My sole concern is that IoT must be introduced in India only when we are ready for the same. We cannot be ready for IoT and smart cities for another decade with the present speed of reforms and inadequate and outdated laws. It seems Indian Government lacks either the will power or the necessary techno legal expertise to ensure a robust and resilient IoT infrastructure in India and this would jeopardise the Digital India and e-governance projects of India in the long run.

Posted in Uncategorized | 1 Comment

Techno Legal Center Of Excellence For Internet Of Things (TLCOEIOT) In India

Praveen-DalalUse of Internet of Things (IoT) would significantly increase in the near future. As more and more things are now dependent upon IoT, there is an urgent need to ensure that its misuses can be minimised. As countries around the world are still experimenting with IoT there are very few norms and regulations governing IoT world over. As far as India is concerned, we have no dedicated Internet of Things (IoT) Law in India as on date. Of course, Indian government has issued the draft IOT Policy of India (pdf) and Revised Draft IOT Policy of India (pdf) but they are not sufficient to cover the areas and operations of a very innovative technology like IoT.

By its very nature, smart technology and smart equipments are dependent upon IoT for their automatic and instantaneous functioning. Whether it is smart cities or e-health gadgets, everything is dependent upon IoT these days. However, we have no laws for smart cities, e-health, IoT, cyber security, cyber forensics, privacy protection, data protection (pdf), etc. Even the Information Technology Act, 2000 (IT Act 2000) is grossly deficient in managing contemporary techno legal issues.

There are even more pressing requirements for Indian government regarding IoT. For instance, cyber security of Internet of Things (IoT) in India is one such requirement. The cyber security infrastructure of India is grossly deficient in many aspects and it is certainly not capable of managing IoT cyber threats. The cyber security trends in India 2016 by Perry4Law Organisation (P4LO) have clearly proved this point. Similarly, Indian government must take care of civil liberties issues in cyberspace to make its projects constitutional and legal.

Privacy Rights in the Information age (pdf) have to be addressed by Indian government for new technologies and concepts including smart cities and IoT. For instance, the surveillance and censorship under Digital India and Aadhaar projects need to be curbed through constitutional mechanisms and constitutionally sound laws. Similarly, there is an urgent need to ensure a constitutional and lawful interception and phone tapping law of India. Keeping recent developments in mind, the Indian cyber law and telegraph Act must be immediately repealed and re-enacted by Indian Parliament.

Another crucial aspect pertains to the Internet intermediary liability law of India that requires a complete reformulation. This is more so when the Supreme Court of India has literally killed the cyber law due diligence (pdf) requirements in India and has made Indian cyberspace a perfect place of chaos. Indian government needs to clarify the position of Internet intermediaries in India as they are going to play a major role in the lawful deployment and use of IoT in India.

Finally, international legal issues of cyber security must be managed by India for successful and peaceful use of IoT in India. India is facing severe malware and cyber attacks and India is not well prepared to deal with the same. We need a cyber espionage policy of India, cyber warfare policy of India (pdf), critical infrastructure protection in India (pdf), cyber attacks crisis management plan of India for cyber attacks and cyber terrorism, encryption policy of India (pdf), etc. This is more so when the US Supreme Court has allowed US judges to issue warrants for computer access in any part of the world.  This means that law enforcement agencies of US have now long arm jurisdiction to target and hack even computers located in India. Clearly, this would violate cyber law and civil liberties protections of many countries including India and push other countries towards cyber warfare and cyber espionage race. As India has very limited means to establish authorship attribution, we cannot ascertain the person/institution/country responsible for attacking our critical infrastructures including IoT infrastructure.

The Techno Legal Center of Excellence for Internet of Things (TLCOEIOT) in India is the only techno legal institution in the world that has been managing these issues for long. With a dedicated CoE for IoT in India, we would help in safeguarding and strengthening of Indian cyberspace in general and Digital India and Indian e-governance in particular. Perry4Law Organisation (P4LO) hopes that this initiative of P4LO would be beneficial to all national and international IoT stakeholders.

Posted in Uncategorized | 1 Comment