DATA PRIVACY Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/data-privacy/
Beyond Cyber Security
Last updated: Mon, 07 Feb 2022 08:12:53 +0000

There Will Be More Focus on Data Privacy, IT-OT Security, and Vendor Consolidation
https://cisomag.com/there-will-be-more-focus-on-data-privacy-it-ot-security-and-vendor-consolidation/
Wed, 02 Feb 2022 06:24:05 +0000

By the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population. Data privacy is gaining momentum in India, especially after the Supreme Court declared the Right to Privacy a fundamental right. The Personal Data Protection Bill (now called the Data Protection Bill, after non-personal data was brought into its scope) aims to provide a framework that ensures an individual’s privacy by governing the proper use of, access to, and accountability for the personal and non-personal data of Indian citizens. The bill has yet to be passed by both houses of Parliament before it becomes an Act, which would bring nearly 800 million internet users under its scope.

By Prateek Bhajanka, Senior Principal Analyst, Gartner, Inc.

GDPR was the first major legislation for consumer privacy. Still, others quickly followed it, including Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). The sheer scope of these laws suggests you’ll be managing multiple data protection legislation in various jurisdictions, and customers will want to know what kind of data you are collecting and how it is being used. It also means you will need to focus on automating your privacy management system. Standardize security operations using GDPR as a base and then adjust for individual jurisdictions.

By 2025, threat actors will have weaponized operational technology environments successfully enough to cause human casualties. 

Also Read: Data Privacy Week: The 3 Ps Vital to Enhancing Your Online Data Privacy

With India’s emphasis on increasing the manufacturing industry’s contribution to GDP to 25%, the industry is expected to see advances in technology, business models, and value creation. Several factors combine here: a significant share (12%) of the workforce is employed in the industry; IT-OT convergence lets malware spread from IT to OT; and the number of nation-state attacks is rising. Together they shift the discussion from business disruption to physical harm, with the liability likely ending with the CEO. The security and safety of the workforce would also become a key responsibility for CISOs. Focus on asset-centric cyber-physical systems, and make sure there are teams in place to address proper management.

By 2024, 30% of enterprises will adopt cloud-delivered secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall as a service (FWaaS) capabilities from the same vendor. 

Indian organizations are rapidly becoming digital businesses to increase their value proposition, introduce new channels, reach new markets, find efficiencies in business models, etc. They adopt cloud technologies in various forms and embrace a hybrid architecture to become digital. Also, with the need for working from anywhere and anytime access, the security controls that existed in the corporate networks should be available irrespective of the source of the connection. On the other hand, organizations are leaning into optimization and consolidation. Security leaders often manage dozens of tools, but they plan to consolidate to fewer than 10. SaaS will become a preferred delivery method, and consolidation will impact adoption timeframes for hardware.

About the Author:

Prateek Bhajanka is a Senior Principal Analyst for the IT Leaders (ITL) constituency, focusing on Security and Risk Management for Gartner Research. His areas of research include endpoint protection platforms and endpoint detection and response (EPP/EDR), malware and ransomware prevention, and related topics. His key tasks encompass creating high-quality, actionable and consumable written research and giving clients insights and advice on the various security problems they face. Bhajanka also helps organizations save money on new contracts and renewals for endpoint protection platforms and endpoint detection and response.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

The post There Will Be More Focus on Data Privacy, IT-OT Security, and Vendor Consolidation appeared first on CISO MAG | Cyber Security Magazine.

What the Cybersecurity Leaders Are Saying About Data Privacy
https://cisomag.com/what-the-cybersecurity-leaders-are-saying-about-data-privacy/
Fri, 28 Jan 2022 07:02:17 +0000

Security intrusions and data breaches continue to be severe concerns for organizations and users’ data privacy. Despite constant cybersecurity awareness campaigns, several people still fail to comprehend how businesses leverage their sensitive information. Internet users must understand where their sensitive data is going in the current digital world. Amid rising security incidents, organizations must enhance their data privacy online.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

To shed light on the importance of data privacy and bring better cybersecurity awareness, CISO MAG has procured suggestions and recommendations from cybersecurity experts worldwide. Take a look:

Cyber situational awareness and hygiene will continue to play a key role as one of the pillars of data privacy.

“As we increasingly blur the line between our online and offline lives, Data Privacy Day is the little reminder we need at the start of each new year to ensure our personal information is protected.  Even though we live in a digital world, we are often not fully cognizant of data privacy until our data has been compromised.

In the age of the work-from-anywhere economy, business leaders should realign their security priorities to manage risks affecting sensitive information. To guarantee a seamless flow of data from endpoints to cloud-based services and data centers, it is becoming more important to protect the data in transit as well. India’s crucial business data can be protected through investment in the modernization of security infrastructure, using secured collaboration and information-sharing platforms, leveraging threat intelligence for proactive cyber defense, and using security orchestration and automation (SOAR) to streamline SecOps and performing periodic security and risk assessments.  Individuals must take control of their digital footprints and privacy as we continue to telecommute in 2022. Moving forward, cyber situational awareness and hygiene will continue to play a key role as one of the pillars of data privacy.”

Brands must go above and beyond to meet their users’ expectations towards data security

“The AppDynamics App Attention Index 2021 showed that security is the number one component of a high performing ‘total application experience’ for consumers. And 90% say that their expectation of brands to keep their data secure has increased since 2020. It shows that brands must go above and beyond to meet their users’ expectations towards security. In this post-pandemic era, a strong security posture means organizations have the necessary processes to protect their applications and business from vulnerabilities and threats. In a world where sensitive data is constantly at risk of being compromised by malicious actors, they must be prepared and strengthen their security posture, enabling them to predict, prevent and respond to threats.”

“The DevSecOps methodology, a modern approach to software development, takes things a step further and incorporates security enhancements at the beginning of the application development lifecycle for a more proactive approach to reduce risks of threats to sensitive customer data. But for a DevSecOps approach to be fully effective, teams need to implement a full-stack observability solution. This approach will give them in-depth visibility into the entire IT stack, including traditional legacy systems through to new, native cloud environments and hybrid deployments. It is a vital step in the right direction.”

Data privacy compliance has become a critical consideration driving critical business decisions as companies look to digitally transform

“In recent years, data privacy compliance has become a critical consideration driving critical business decisions as companies look to digitally transform. Cybersecurity vulnerabilities continue to increase as companies grow their digital footprints due to the generated massive amounts of data. Due to the increasing complexity of data flows, enterprises need to evolve past securing data at rest to a posture of continuous governance where all data is protected. The Data Privacy Day comes as a reminder for organizations to assess their cyber risks and ensure strong data privacy protections are in place but in such a way that will not impede innovation within the digital economy.

Increasingly, we see enterprises place, manage and analyze data at the edge, closer to their users, services, and clouds. Meanwhile, concerns over the security and privacy of data in motion and the cloud have also increased. This situation is more critical in Asia-Pacific and has driven the need for better technology and infrastructure solutions that improve data accessibility, security, and control while meeting increasing data privacy requirements. It is a balancing act.”

Businesses of all sizes must take data privacy seriously and proactively protect personally identifiable information

“While it is great that we are all more connected than ever before, the shift to remote work in response to the pandemic has presented inherent security issues. Recent large-scale data breaches have made data privacy a hot topic in the last two years. As of 2021, CERT-In had documented and reported more than 11.5 lakh incidents of cyberattacks. Data Privacy Day is an excellent opportunity for companies to commit to cyber security and implement robust data management solutions.

Today, data privacy is a matter of paramount importance. Businesses of all sizes must take data privacy seriously and proactively protect personally identifiable information. Cybercriminals can target any organization, no matter its size, location, or industry. So, if you want to safeguard your organization’s data, you need to build a cyber-secure and human-centric corporate culture.

Establishing a security-aware culture begins with an open discussion of data privacy. Employers are the source of the greatest privacy risks, and as such, they can play a vital role in minimizing these risks. Changing behavior is how leading organizations educate their employees about their risks. Employees will be less likely to share sensitive information online if they understand how websites and companies use their data. Data Privacy Day is the perfect occasion to kickstart an ongoing focus on security and privacy.”

Take the time to learn what privacy controls are available in all the apps and online services you use

“Take the time to learn what privacy controls are available in all the apps and online services you use. Unfortunately, every app and social network seems to do things differently, with privacy and security options often scattered liberally across numerous “Settings” pages. But don’t be afraid to dig through all the options, and don’t just rely on the default settings.  Start by turning off as many data sharing options as you can, and only turn them back on if you decide you want and need them.

Suppose a service demands you to share more than you are willing to hand over. In that case, your address, phone number, or birthday, for example – or asks for data that you don’t think is relevant for what you are getting in return, ask yourself, “Do I need to sign up for this, or should I find somewhere else that isn’t so nosy?”

Don’t let your friends talk you into airing and sharing more than you’re comfortable with – after all, it’s your digital life and your data, not theirs. Remember: if in doubt, don’t give it out, and be aware before you share.”

Organizations face an emboldened world demanding greater accountability and trustworthiness

“Data privacy reform has changed our global community forever. As we begin 2022, organizations face an emboldened world demanding greater accountability and trustworthiness. The recent steps taken by several countries to bolster their consumer privacy rights and processing activities (such as China’s Personal Information Protection Law) will have a far-reaching global impact on privacy rights and data protection practices.

People are more empowered than ever to exercise their rights, submit Subject Rights Requests (SRRs) and reclaim control of their information. They want to understand how their data is used and access, correct, delete and restrict use. To meet these data-intensive demands and overcome a scarcity of resources to support key business activities, organizations must embrace process automation for SRR response and apply case management tools that best track its performance and effectiveness. A well-executed program that delivers a strong experience will be critical to improving customer satisfaction and loyalty.”

This Data Privacy Day, we highlight how we can better protect the data they access from being exposed

“It’s not just humans that are susceptible to clicking on the wrong link or are perhaps a little too cavalier about what they share about themselves. Software bots have sharing issues too, and this Data Privacy Day, we highlight how we can better protect the data they access from being exposed.

The privacy problem arises when you start to think about what these bots need to do what they do.  Much of the time, it’s access: If they gather together sensitive and personal medical data to help doctors make informed clinical predictions, they need access to it. If they need to process customer data stored on a public cloud server or a web portal, they need to get to it. If bots are configured and coded badly, they can access more data than needed. The output might leak that data to places where it shouldn’t be. We’ve seen the problems that can arise when humans get compromised, and the same can happen to bots – and at scale. Likewise, we hear about insider attacks and humans being compromised to get to sensitive data virtually every day.”

Data Privacy Day serves as a reminder that cyber asset management should be a top priority for every organization

“In the U.S. alone, there are several disparate federal and state laws, some of which only regulate specific types of data – like credit or health data, or specific populations – like children. Combining these regulations with the many different international laws that aim to ensure data privacy, such as GDPR, and compliance for companies with global operations becomes an extremely complex undertaking.

Data Privacy Day serves as a reminder that cyber asset management should be a top priority for every organization. Enterprises cannot ensure compliance and data security unless all assets are properly known, tagged, and mapped in the cloud. To avoid jeopardizing sensitive company or customer data, organizations must take the first step of cyber asset management to secure visibility of all cyber assets in their IT environment and understand connections between business services. This includes identifying misconfigurations and automatically prioritizing risks to improve overall security posture, allowing for real-time visibility and management of all sensitive data.”

With more data moving to the cloud every day, it is imperative to have a re-architecture of the cyber strategy

Nitin Verma

“Over the last 2 years, there has been a significant rise in cyberattacks all over the world. The pandemic has increased our dependency on mobile devices and remote access to core business functions. While remote working became the saviour, it also introduced a new set of security challenges by raising concerns regarding identity-based threats, privacy breaches and the loss of essential data from unprotected devices and systems. Despite the best efforts of security teams, attackers consistently took advantage of vulnerabilities, discovering new ways of infiltration and taking advantage of people’s curiosity as well as their fears around Covid-19, leveraging socially engineered lure files and tactics.

There is a huge digital shift that has been created by the pandemic where many industry sectors have witnessed an accelerated approach towards digital transformation and their erstwhile perimeter has moved beyond their enterprise firewalls to cloud; either a public cloud, hybrid cloud or a private cloud. This has added complexity to the IT architecture stack and also increased the potential attack surface for adversaries to exploit; and often under-resourced security teams to protect.

Today’s new perimeter needs to be buttoned up with operations and security collaborating to create a secure network. With more data moving to the cloud every day, it is imperative to have a re-architecture of the cyber strategy which should go around all three dimensions of security i.e. people, process and technology.”

Data security and privacy must work like hand in glove because data security is the technical implementation of what data privacy dictates

Kartik Shahani

“In a time when trust in organizations is easily lost and hard to gain, companies must do everything they can to ensure their customers’ data is secure and adhere to high privacy standards. Data security and privacy must work like hand in glove because data security is the technical implementation of what data privacy dictates. As the economic value of data increases, so do the risks involved. Organizations need to ensure that data security forms an integral part of their overall privacy strategy. By leveraging technical controls and making data privacy a business priority, organizations can outline policies for data usage and access while ensuring transparency and reducing their overall cyber exposure.”

About the Author

Rudra Srinivas

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       


The post What the Cybersecurity Leaders Are Saying About Data Privacy appeared first on CISO MAG | Cyber Security Magazine.

Data Privacy Week: The 3 Ps Vital to Enhancing Your Online Data Privacy
https://cisomag.com/data-privacy-week-the-3-ps-vital-to-enhancing-your-online-data-privacy/
Mon, 24 Jan 2022 13:07:29 +0000

With cybersecurity awareness being a primary topic for security leaders, Data Privacy Week (January 24-28) is a good time to reflect on the importance of data protection and privacy against rising cyberattacks. According to a Pew Research Center Study, nearly 79% of U.S. adults reported concerns about how organizations are using their data. And 81% of them feel they have little to no control over data being collected by companies.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

Targeted data breaches have surged since peddling stolen data on dark web forums became a lucrative revenue model for cybercriminals. Most users are unaware of how their sensitive data is collected, used, or shared in today’s digital world. The responsibility does not rest with companies alone: users too must know where their sensitive data is going and how to protect it against misuse.

Data Privacy Week

Data Privacy Day commemorates the signing, on January 28, 1981, of the first legally binding international treaty dealing with privacy and data protection. The day is recognized every year on January 28 in the U.S., Canada, and Europe. In 2022, the National Cybersecurity Alliance (NCA) expanded the Data Privacy Day campaign into Data Privacy Week, observed from January 24 to 28. Data Privacy Week helps spread data privacy awareness and alerts users to ways of protecting their information online.

3 Ps to Enhance Your Data Privacy Online

1. Practice

One cannot become cyber-aware overnight, but practicing certain security measures will help prevent most security risks online.

Users’ sensitive information is like money for threat actors. Personal data such as usernames, passwords, geolocation, purchase history, IP addresses, full names, birthdates, and banking details is in huge demand on darknet forums, where hackers often trade stolen data. Following cyber hygiene practices, such as using strong passwords for all your online accounts and limiting the personal data you make available online, will steadily enhance your data privacy. Own your data privacy by deciding deliberately whether or not to share your data with each online service provider.

2. Protect

Threat actors often exploit or compromise targeted devices to steal sensitive information. Recently, security researchers from Doctor Web discovered a new Trojan that infected over 9.3 million Android devices. The Trojan, dubbed “Android.Cynos.7.origin,” is a new kind of malware that disguises itself as a legitimate app, steals information such as contact details from the victim’s device, and displays unwanted ads.

Device protection is imperative for users and organizations, as hackers leverage various malicious or Trojanized applications to penetrate network systems and steal personal data. To protect your data and prevent unauthorized intrusions, you should regularly update your devices and apply patches for any unpatched vulnerabilities.

3. Prevent

Ignoring unwanted emails and texts from unknown sources will help prevent hacker intrusions. Several cybercriminal campaigns leverage different kinds of phishing lures and social engineering tactics to trick unwitting users into downloading malware.

As we head into Data Privacy Week, it’s the right time for users and organizations to evaluate their security measures and boost the overall cybersecurity posture.

What the Experts Say…

Commenting on the significance of Data Privacy Day with CISO MAG, Keith Neilson, Technical Evangelist at CloudSphere, said, “In the U.S. alone, there are several disparate federal and state laws, some of which only regulate specific types of data – like credit or health data, or specific populations – like children. Combining these regulations with the many different international laws that aim to ensure data privacy, such as GDPR, and compliance for companies with global operations becomes an extremely complex undertaking.

Data Privacy Day serves as a reminder that cyber asset management should be a top priority for every organization. Enterprises cannot ensure compliance and data security unless all assets are properly known, tagged, and mapped in the cloud. To avoid jeopardizing sensitive company or customer data, organizations must take the first step of cyber asset management to secure visibility of all cyber assets in their IT environment and understand connections between business services. This includes identifying misconfigurations and automatically prioritizing risks to improve overall security posture, allowing for real-time visibility and management of all sensitive data.”

About the Author

Rudra Srinivas

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       


The post Data Privacy Week: The 3 Ps Vital to Enhancing Your Online Data Privacy appeared first on CISO MAG | Cyber Security Magazine.

Russian Court Slams Google And Meta with Hefty Fines
https://cisomag.com/russian-court-slams-google-and-meta-with-hefty-fines/
Wed, 29 Dec 2021 08:34:36 +0000

It seems that search engine giant Google and Meta, the parent company of Facebook and Instagram, will end 2021 on a bitter note after receiving hefty penalties from the Russian government. A Russian court reportedly fined Google 7.2 billion rubles (around $98.4 Mn) and Meta 2 billion rubles ($27.2 Mn) for failing to remove banned content from their platforms.

The Tagansky District Court ruled that Google had repeatedly failed to delete content banned under local law. Russia’s privacy watchdog Roskomnadzor, also known as the Federal Service for Supervision of Communications, Information Technology, and Mass Media, stated that Google and Meta had violated data privacy laws by distributing banned content that promoted extremist ideology and insulted religious beliefs. The agency said Facebook and Instagram had failed to remove 2,000 such items, and Google 2,600.

Restrictions on internet usage and other online products are quite common in Russia. According to a report, the country banned the Tor web anonymity service and six virtual private network (VPN) operators for allowing citizens access to illegal content.

Multiple Fines on Google

Google encountered multiple penalties this year. Recently, the Italian Antitrust Authority fined Google Ireland Ltd. and Apple Distribution International Ltd. €10 million ($11.26 million) each, citing aggressive data practices. The agency stated that both companies had violated the Consumer Code practices during customers’ data acquisition and commercial use.

Google has also been fined for misusing its position in online advertising. According to a report, the French Competition Authority (FCA) fined Google €220 million (approximately $268 million) for abusing its dominant position in the advertising market and favoring its own services at the expense of competitors. The penalty followed an antitrust lawsuit brought against Google by three media groups, News Corp, the French daily Le Figaro, and Belgium’s Groupe Rossel, over its misuse of that position in ad sales and unfair digital advertising practices.

The post Russian Court Slams Google And Meta with Hefty Fines appeared first on CISO MAG | Cyber Security Magazine.

Italy’s Antitrust Regulator Fines Google and Apple for Poor Data Practices
https://cisomag.com/italys-antitrust-regulator-fines-google-and-apple-for-poor-data-practices/
Mon, 29 Nov 2021 09:31:07 +0000

Sensitive data is a goldmine for adversaries. Recently, the Italian Antitrust Authority fined Google Ireland Ltd. and Apple Distribution International Ltd. €10 million ($11.26 million) each, citing aggressive data practices. The agency stated that both companies had violated the Consumer Code practices during customers’ data acquisition and commercial use.

Both companies used consumers’ data for commercial purposes, promoting their various products and services. Under data privacy laws, organizations should not use users’ data for commercial or promotional purposes without their consent.

Reasons for Penalty

The antitrust regulator cited multiple reasons for its penalty:

  • Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes.
  • Google, both in the account creation phase, which is essential for using all the services offered, and during the use of the services themselves, omits information that the consumer needs in order to decide consciously whether to accept that the company collects and uses their personal information for commercial purposes.
  • Apple, both when creating the Apple ID and when accessing the Apple Stores (App Store, iTunes Store, and Apple Books), does not immediately and explicitly give the user any indication that their data is collected and used for commercial purposes, emphasizing only that data collection is necessary to improve the consumer experience and use of the services.

Also Read: French Regulator Fines Google €220 Mn for Unfair Advertising Practices

“In the account creation phase, Google pre-sets the user’s acceptance of the transfer and/or use of their data for commercial purposes. This pre-activation allows the transfer and use of data by Google, once generated, without the need for other steps in which the user can confirm or change the choice pre-set by the agency from time to time. In the case of Apple, the promotional activity is based on acquiring consent to use user data for commercial purposes without providing the consumer with the possibility of a prior and express choice on sharing their data. This acquisition architecture, prepared by Apple, does not make it possible to exercise one’s will on the use of one’s data for commercial purposes. Therefore, the consumer is conditioned in the choice of consumption and undergoes the transfer of personal information, which Apple can dispose of for its own promotional purposes carried out in different ways,” the regulator said.

Organizations need to be vigilant and practice robust cybersecurity measures while handling users’ sensitive information.

Colorado Inches Closer to Becoming the Third State with a Comprehensive Privacy Act
https://cisomag.com/colorado-privacy-act-approved-by-senate/ | Mon, 21 Jun 2021 13:43:52 +0000

The Colorado State Senate approved the “Colorado Privacy Act” on June 8, making Colorado only the third state, after California and Virginia, to have a comprehensive data privacy law. Senate Bill 190 has now been sent to Governor Jared Polis, whose signature will decide the fate of the act; it would then come into effect on July 1, 2023, unless he uses his veto to stop it within 10 days of transmission.

The 5 Key Rights of the Colorado Privacy Act

The privacy act will not apply to all businesses operating in Colorado but only to the ones that:

  • Store or process personal data of more than 100,000 consumers annually, or
  • Sell personal data and process or control the personal data of 25,000 or more Colorado resident consumers.

Besides, the Colorado Privacy Act has been drafted in a manner that grants the residents of the state five key rights:

  1. Right to opt out of the sale of their personal data.
  2. Right to opt out of the processing of their personal data for targeted advertising.
  3. Right to opt out of automated profiling that produces legal or similarly significant effects.
  4. Right to access their personal data held by the data controller and to correct any inaccuracies.
  5. Right to obtain their data in a portable, ready-to-use format, and the right to have the data controller erase their personal data whenever they wish.

Apart from this, data controllers are required to limit their data collection to the information essential to render their services, rather than collecting it indiscriminately. Additionally, the act makes it mandatory to keep the collected data secured at all times to prevent unauthorized or malicious access.

The Colorado Privacy Act has also taken inclusivity into consideration: it asks data controllers to refrain from collecting and processing sensitive information such as data on ethnic background, religious beliefs, mental or physical health, sexual orientation, citizenship, genetic or biometric data, and the personal data of minors, unless consumers opt in or provide consent.

Although this Privacy Act is similar to the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), some of its provisions differ from them, which will make compliance a challenge for businesses. So, we will have to wait and watch what happens.

Related News:

Five Reasons Why Organizations Fail in Their GDPR and CCPA Compliance

California Voters Say “Yes” to Proposition 24 for Expansion of Data Privacy Law

The Curious Case of WhatsApp and Government of India Highlights the Broader Traceability Concerns
https://cisomag.com/whatsapp-and-government-of-india-right-to-privacy/ | Thu, 03 Jun 2021 14:46:39 +0000

Facebook-owned WhatsApp and the Indian government have been at loggerheads since January this year. With neither party ready to back down, the battle between WhatsApp and the Indian government reached the next level in the Delhi High Court earlier last week. End-to-end (E2E) encryption, which most social media apps use, protects users’ data in motion from being intercepted or tampered with. On this basis, WhatsApp has argued to the court that the Indian government’s new IT Rules are difficult to implement and can undermine users’ privacy.

The One Where It All Began

The tussle between the two Goliaths began with the unveiling of WhatsApp’s latest privacy policy changes for Indian users. The Indian government termed the privacy updates “discriminatory” and wrote a letter to WhatsApp CEO Will Cathcart demanding their immediate withdrawal. Since then, the two heavyweights have thrown punches at each other in the form of multiple affidavits and counter-affidavits filed with the Delhi High Court, addressing different issues relating to users’ “Right to Privacy.”

In the latest round of allegations, the instant messaging giant challenged the government in court, alleging that its new IT rules (Intermediary Guidelines and Digital Media Ethics Code Rules 2021) could become weapons of “mass surveillance” and undermine users’ “right to privacy.” The government was not amused, because the affidavit was filed on May 25, a day before the new rules came into force. To clear the air, the government issued a statement saying,

Right to Privacy is a fundamental right and the government respects it. It has no intention to violate it.

But are these justifications enough? What are the new rules? What’s the opposition for? Will these rules help us in maintaining digital hygiene? Or are they simply what WhatsApp suggests – means of surveillance by the government? Questions are many, but answers are few. Here are some key points that may help you decide:

WhatsApp’s Latest Accusation Against GoI

The first accusation made by WhatsApp against the government is based on the four-year-old verdict in Justice K S Puttaswamy vs Union of India. WhatsApp alleged that the new rules are unconstitutional and undermine an individual’s “Right to Privacy,” which the constitution itself bestows upon citizens as per the 2017 verdict.

Impact: If the new rules come into force, they will make WhatsApp employees liable to criminal proceedings for non-compliance, which in turn bypasses other constitutional rights of those employees, who are citizens of India. WhatsApp therefore wants the court to ensure that this clause in the amended rules does not come into force, to safeguard the interests of both its employees and its users.

The Trouble with Traceability and E2E

The biggest issue that WhatsApp has with the new rules is “traceability.” In a blog post, WhatsApp explained how the concept of traceability breaks the end-to-end encryption (E2E) that was rolled out across the app back in 2016. E2E encryption protects users’ calls, messages, photos, videos, and voice data from being intercepted or tampered with. Data is encrypted the moment it leaves the sender’s device and decrypted only on the intended recipient’s device. Even WhatsApp cannot read the data that is transmitted between two people or within a group.

WhatsApp also argues that the traceability clause is a flawed concept as it stands. For example, if a user forwards a message received from another source, that source can be tracked. However, if a user copies a message from another source and pastes it into a new message to a recipient, the person who copied and sent the text becomes the originator of the message. This misattributes origin, as the message could have been sent for fact-checking or simply out of concern for the recipient.

Impact: WhatsApp says that breaking E2E would mean the end of privacy and would indirectly mandate mass surveillance. It would have to add a “fingerprint” to not just one or two but all user messages, which would not only leave their data vulnerable to interception and exploitation by threat actors but also undermine users’ privacy round the clock.

Additionally, if the traceability requirements are enforced, WhatsApp will have to create an India-only app, as E2E is a default feature and a long-standing benefit of its worldwide messaging platform. Records suggest that WhatsApp currently has 503 million users in India, so this would be a cumbersome yet mandatory process.
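The two points WhatsApp makes above (the relay cannot read E2E content, and a forward keeps its origin while a copy-paste makes the copier the “originator”) can be seen concretely in a small model. This is an added illustration written for this page, not WhatsApp’s code or the Signal protocol it uses; the toy cipher (a SHA-256 counter keystream), the pre-shared pairwise keys, the Relay and Client classes, the origin_id tag and the sample message are all assumptions constructed for the demo:

```python
"""Toy model of an end-to-end encrypted relay with an originator tag.

Constructed for illustration only: the cipher, key setup and message format
are not WhatsApp's. The relay holds no message keys, so it stores only opaque
ciphertext plus whatever origin tag the sending client attaches.
"""
import hashlib
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream (toy cipher, demo only)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


@dataclass(frozen=True)
class Envelope:
    sender: str
    recipient: str
    ciphertext: bytes
    origin_id: str  # client-supplied id of the claimed "first originator" message


class Relay:
    """The server side. It never holds a message key."""

    def __init__(self) -> None:
        self.log: list[Envelope] = []

    def deliver(self, env: Envelope) -> Envelope:
        self.log.append(env)  # all the relay can retain: ciphertext and the tag
        return env

    def content_visible(self, env: Envelope, probe: bytes) -> bool:
        """The best a keyless relay can do: look for the plaintext inside the blob."""
        return probe in env.ciphertext


class Client:
    def __init__(self, name: str, keys: dict) -> None:
        self.name = name
        self.keys = keys  # pairwise keys indexed by frozenset({a, b}); assumed pre-shared

    def _key(self, peer: str) -> bytes:
        return self.keys[frozenset({self.name, peer})]

    def compose(self, text: str, to: str) -> Envelope:
        # A freshly typed message gets a fresh origin id: the sender is the originator.
        return Envelope(self.name, to, encrypt(self._key(to), text.encode()), secrets.token_hex(8))

    def read(self, env: Envelope) -> str:
        return decrypt(self._key(env.sender), env.ciphertext).decode()

    def forward(self, env: Envelope, to: str) -> Envelope:
        # Forwarding re-encrypts for the new peer but carries the original tag along.
        text = self.read(env)
        return Envelope(self.name, to, encrypt(self._key(to), text.encode()), env.origin_id)

    def copy_paste(self, env: Envelope, to: str) -> Envelope:
        # Copy-paste is indistinguishable from typing, so the copier becomes the "originator".
        return self.compose(self.read(env), to)


def run_scenario() -> dict:
    """Alice writes to Bob; Bob forwards to Carol and copy-pastes to Dave."""
    pairs = (("alice", "bob"), ("bob", "carol"), ("bob", "dave"))
    keys = {frozenset(p): secrets.token_bytes(32) for p in pairs}
    alice, bob = Client("alice", keys), Client("bob", keys)
    relay = Relay()
    text = "meet at the town hall at 5"  # constructed sample message
    m1 = relay.deliver(alice.compose(text, "bob"))
    fwd = relay.deliver(bob.forward(m1, "carol"))
    cp = relay.deliver(bob.copy_paste(m1, "dave"))
    return {
        "relay_sees_plaintext": relay.content_visible(m1, text.encode()),
        "bob_reads": bob.read(m1),
        "forward_keeps_origin": fwd.origin_id == m1.origin_id,
        "copy_paste_keeps_origin": cp.origin_id == m1.origin_id,
        "claimed_originator_of_copy": cp.sender,
        "stored_messages": len(relay.log),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The relay ends up holding three opaque blobs and three tags. Any “first originator” answer it gives is only as good as the tag the client attached, which is why a copy-paste in this model names Bob rather than Alice, and why a traceability scheme that instead derives a fingerprint from message content has to see, or be told, something about that content.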

Government’s Stance

In response to WhatsApp’s allegations, which were specifically aimed at Rule 4(2) of the Intermediary Guidelines, the government said, “The(se) rules have been framed after consultation with various stakeholders and social media intermediaries, including but not limited to WhatsApp. After October 2018, no specific objection has been made by WhatsApp to the Government of India in writing relating to the requirement to trace the first originator in relation to serious offenses. WhatsApp’s refusal to comply with the guidelines is a clear act of defiance.”

Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology and Communications, and Law and Justice of India, said,

The entire debate on whether encryption would be maintained or not is misplaced. Whether “Right to Privacy” is ensured through using encryption technology or some other technology is entirely the purview of the social media intermediary. It is WhatsApp’s responsibility to find a technical solution, whether through encryption or otherwise, that both happen.

Impact: According to the government, under Rule 4(2) of the guidelines, tracing the first originator of a message, tweet, or post will be done only under select circumstances. It rejects WhatsApp’s accusation that GoI intends 24/7 vigilance on its users. The government said, “We do not wish to track all messages.” It added that the “special” circumstances for tracking can be invoked “only for prevention, investigation, punishment, etc. of inter alia an offence relating to sovereignty, integrity and security of India, public order incitement to an offence relating to rape, sexually explicit material or child sexual abuse material punishable with imprisonment for not less than five years.”

However, WhatsApp argues that this can lead to the imprisonment of innocent people who did not perpetrate or originate the message but only propagated it, perhaps mistakenly. This can cause chaos and, in the broader view, is harmful to people’s democratic rights.

What Other Social Media Intermediaries Think

The law applies not just to WhatsApp but to all “significant social media intermediaries” – that is, the ones with more than 5 million users. This includes the likes of Google, Twitter, and even WhatsApp’s parent company, Facebook.

The first to offer a statement about the new intermediary laws was Google’s CEO, Sundar Pichai, who hails from India. Although he refrained from taking sides, Pichai did say, “Google is committed to complying with local laws and engages constructively with governments as they scrutinize and adapt regulatory frameworks to keep pace with the fast-evolving technology landscape.” He added, “Be it Europe with the copyright directive or India with information regulation, etc., we see it as a natural part of societies figuring out how to govern and adapt themselves in this technology-intensive world.”

On the other hand, Twitter asked for a three-month extension to comply with the new rules, which the government called “rhetorical,” to say the least. The Indian government had introduced these rules in February this year and had already given a three-month timeframe to comply with the changes, so asking for additional time does not make any sense. Twitter said it had concerns over two things: the possible impact of these curbs on its users’ “freedom of expression” and the criminal liability of its compliance officer for content posted on its platform.

Impact: Although intermediaries have little choice but to comply, the rules can lead to intimidation by law enforcement authorities, as was seen when the Special Cell of the Delhi Police visited the offices of Twitter India in Delhi and Gurgaon in connection with its probe into the Congress toolkit conspiracy.

Expert Opinion

The Internet Society, a non-profit organization, has reiterated the concern shared by cybersecurity experts that, to comply with these traceability requirements, platforms may be forced to undermine end-to-end encryption. In an open letter to MeitY, cryptography and security experts warned that pursuing message traceability would undermine digital security.

In a statement given to CISO MAG, the Internet Society said, “WhatsApp’s lawsuit is the first by a major social media company against India’s revised Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code), Rules 2021 which were announced in February this year. The revised Guidelines include a traceability requirement, or the ability to track down the first originator of a particular piece of content or message.

While the Ministry of Electronics and Information Technology (MeitY) has emphasized that encryption is not a target in these new Guidelines, cybersecurity experts both in India and abroad have pointed out that it is simply not possible for companies such as WhatsApp to try to comply with the new guidelines without suppressing at least some features that are integral for strong encryption to work properly.

In fact, a 2020 report from these experts warned that “to comply with traceability requirements, platforms may be forced to enable access to the contents of their users’ communications, breaking end-to-end encryption and considerably weakening the security and privacy of their product.”

With the traceability requirement, the government appears to be compelling popular online platforms to weaken encryption without explicitly telling them to do so. The likely outcome will be for those platforms to stop offering end-to-end encrypted services altogether. End-to-end encryption is the gold standard for keeping Internet users and systems secure and an essential aspect of digital privacy which is imperative to the hundreds of millions of people in India who use WhatsApp.”

Conclusion

This is not the first time that WhatsApp has faced governmental pressure over tracing requirements. Earlier, Brazil had also asked the messaging giant to do the same, to which it replied, “It erodes privacy.” Whether the intermediaries relent to the pressure of compliance or the GoI eases up on them is something only time can tell. However, users across India are curious about the “suggested” ban on WhatsApp and other social media giants. The government has not said whether it will completely ban these platforms but has hinted at taking away the safe harbor given to them under the IT Act.

About the Author

Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features and technical blogs, and conducts interviews on the latest cybersecurity technologies and trends.

Indian Government Gives 7-days to WhatsApp for Privacy Policy Roll Back
https://cisomag.com/whatsapp-india-asked-to-roll-back-new-privacy-policy/ | Thu, 20 May 2021 12:57:58 +0000

WhatsApp has recently been in a slew of legal battles in India over its latest privacy policy changes. It has now been served a 7-day ultimatum by the Indian government for a complete rollback of all the new privacy policy changes that came into effect on May 15. If it fails to do so, the Ministry of Electronics and Information Technology (MeitY) has warned of legal action over all the clauses it deems inappropriate.

WhatsApp India Privacy Policy Row

WhatsApp has previously been asked by the Indian government to reconsider its privacy policy changes. In January this year, the Indian government deemed the new privacy policy changes “discriminatory” because the same policy was made optional for users in the European Union (EU) owing to the GDPR. Since India still does not have a formal data privacy law (one is currently in the works and will be introduced in Parliament’s coming session), MeitY had requested WhatsApp to withdraw the policy and respect the “right to privacy” and consent of Indian users. However, WhatsApp did not completely drop the new privacy policy, which was originally due to come into effect on February 8, 2021; instead, it merely deferred it by three months to May 15.

In April, the MeitY filed an affidavit in the Delhi high court stating WhatsApp’s privacy policy violated the Information Technology Rules of 2011 on five counts. They were:

  1. It fails to specify the types of sensitive user data being collected.
  2. It fails to notify users of such collection.
  3. It does not let them review or amend the information.
  4. It does not allow the withdrawal of consent later.
  5. It fails to provide any guarantee against non-disclosure to third parties.

In response to the affidavit, WhatsApp told the Delhi High Court that it was complying with the current Indian IT laws and rules and respected users’ privacy, for which it had already taken steps such as end-to-end encryption of chat data. Additionally, to make its point clearer, it presented another affidavit naming other popular applications in the country, such as Zomato, Ola, BigBasket, Truecaller, and the government’s own COVID tracking app, Aarogya Setu, which have similar privacy policies.

In response to the petition, Justice Sanjeev Sachdeva had earlier told MeitY that, “It is a private app. Don’t join it. It is a voluntary thing, don’t accept it. Use some other app.” Pointing at other apps like Google Maps, Justice Sachdeva added that even others do it and “you would be surprised as to what all you are consenting to.”

Going by this philosophy of “If you want it, you use it,” a few days back, the company again informed the Delhi high court that it has rolled out the policy on May 15 as decided but it was “not forcing users to accept the new updates in the privacy policy.” It clearly stated that it would not delete the accounts of users who have refrained from accepting the changes for now. However, this does not seem to be enough and the ministry has finally given a countdown of seven days before it initiates legal action as deemed appropriate. There is widespread speculation (on social media and in WhatsApp message forwards) that users who do not accept the new privacy policy may not be able to access all the features of WhatsApp. But this is yet to be confirmed.

Related News:

WhatsApp vs Signal vs Telegram: Which is More Viable and Secure?

Indian Government Asks WhatsApp to Withdraw its “Discriminatory” Policy

Security Researchers Call Out MobiKwik for KYC Data Leak
https://cisomag.com/mobikwik-data-breach/ | Tue, 30 Mar 2021 14:04:53 +0000

India has been planning to ban cryptocurrency for the past few months by introducing a bill against it in Parliament, citing concerns over privacy and the rise in unaccounted digital assets. This is seen as a rather surprising move, as the country has long advocated the use of digital wallets and payment options, introducing its UPI-based payment interface, BHIM, in 2016. Following suit, many private payment companies emerged shortly after and established themselves quickly. One such player is the digital payments company MobiKwik. Independent security researchers quoted in this story indicate that MobiKwik accidentally leaked the data of 3.5 million users, which is now up for sale on the dark web for 1.5 BTC (approximately $84,000). CISO MAG cannot confirm this and is merely reporting what the researchers are stating.

KYC (Know Your Customer) is a verification process that allows an institution to confirm and thereby verify the authenticity of their customer. Certain identity details such as PAN number, Aadhaar number, addresses, email addresses, bank account numbers, and phone numbers are recorded to verify the identity and the address of the customer. KYC is a mandatory process for financial institutions in India, for onboarding new customers.

Key Highlights

  • The data leak was first reported by an independent security researcher Rajshekhar Rajaharia in February 2021.
  • As per Rajaharia’s series of tweets, 11 crore Indian card holders’ data was leaked from a company server in India, and the initial leak contained 6 TB of KYC data and 350 GB of compressed MySQL dump.
  • The findings were then updated and re-confirmed by another researcher going by the Twitter handle name “Elliot Anderson,” who shared the credit with another Twitter handle named “UnderTheBreach”.
  • MobiKwik, however, has denied all such data breach claims and says it found no security lapses on its part.

MobiKwik Data Breach: The Largest KYC Data Leak?

Rajaharia first raised the flag about this data breach on February 26, 2021. In a series of tweets, he presented details of when and what set of information was leaked.

However, MobiKwik dismissed his claims, stating, “We thoroughly investigated his allegations and did not find any security lapses.”

But against the run of play, another user going by the name “Elliot Anderson” tweeted on March 29, 2021, that MobiKwik’s data had indeed been breached and that the threat actor had subsequently created a forum listing on the dark web for its sale.

Image Credit: Elliot Alderson Tweet

As per the forum image shared by Anderson, it is the “Biggest KYC data leak ever.” The threat actor has also given interested buyers an option to search phone numbers or any string as a proof-of-concept. The database, though, seems to be larger than what Rajaharia had noted: it is 8.2 TB in size and contains 36,099,759 files along with the critical PII of 99,224,559 users, including phone numbers, emails, hashed passwords, addresses, bank account and card details, PAN and Aadhaar card numbers, etc.

As Rajaharia previously suggested in his tweet, we would like to reiterate the same: “Companies should take responsibility for users’ data strongly. There should be a data leak disclosure policy in place too.” Hiding breaches only keeps customers vulnerable and out in the open.

It would now be interesting to see MobiKwik’s stance on these findings. The ball is now in its court. Was it really a breach? Or was it just a data dump from some other breach? We will keep you informed.

MobiKwik Data Breach Update – March 31, 2021:

In view of the serious allegations placed upon them by their users and other security researchers, MobiKwik has confirmed that “it will get a third party to conduct a forensic data security audit.”

MobiKwik assured that “the company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform.”

It reiterated that all of the customer data was safe and that no MobiKwik user accounts and/or wallets were affected due to the alleged incident.

Wait! Read This Before You Post a Story on Instagram
https://cisomag.com/instagram-most-invasive-app-shares-79-percent-of-user-data/ | Thu, 25 Mar 2021 14:08:52 +0000

Instagram is currently hands-down one of the most popular photo-sharing platforms in the world. With more than 1 billion users (1.16 billion as of Q3 2020), of which 500 million are daily active users posting “Stories” – one of Instagram’s most utilized features – it is topping all charts. The user and gender demographics of Instagram also make it a hotspot for marketers. According to recent statistics, 70% of Instagram users are aged under 35, and 51% of the total are from Venus (pun intended; we mean female). Also, a whopping 130 million users tap on shopping posts every month, and it does not end there: 81% of users say that they use Instagram to research products and services. But have you ever wondered how these product and service marketers and business accounts reach your feed in the first place? We have an answer; you may not like it, but you need to hear it: Instagram shares 79% of users’ personal data with third parties.

Image Credit: pCloud

Surprisingly, TikTok, which has been banned in India and came under severe criticism from former U.S. President Donald Trump, shares only 36% of data with third parties and ranks 12th on the list.

Key Highlights

  • 52% of all the apps share your data with third parties.
  • Instagram shares 79% of your data including browsing history and personal information with others online.
  • When it comes to collecting your data, social media platforms are the worst offenders. On average 80% of apps use your data to market their products in their respective apps.
  • Netflix, Signal, Microsoft Teams, Skype, and Clubhouse top the list of the safest apps to use.

Instagram: The Most Invasive App?

Did all these numbers break your heart? If not, then be prepared for one more strike of lightning. A study by cloud storage platform pCloud has dubbed Instagram the most invasive app. Instagram shares this title with its parent company, Facebook, since both use 86% of their users’ data to sell more of their products and serve relevant ads to them on behalf of their clients.

Image Credit: pCloud

Also, when it comes to the percentage of data shared with third parties and used to target users for marketing purposes, Instagram again takes the first spot here with 62%.

Image Credit: pCloud

Mirror-Mirror on the Wall, Who is the Safest of them All?

pCloud’s study was mainly based on the new Apple privacy labels that are featured in the App Store and aimed at finding how and where users’ private data is being gathered and used. In doing so, the company also found the safest apps which collect the least data from users and/or share or use it for marketing purposes.

Statistics revealed that privacy-centric messaging apps like Signal and Telegram, video conferencing and calling platforms like Zoom, Skype, and Microsoft Teams, as well as streaming giant Netflix, top the list of the safest apps to use. Clubhouse, Google Classroom, Shazam, Etsy, BooHoo, Amtrak, Shop, and IRS2Go are among the other apps that do not share any data with third parties.

Related News:

WhatsApp vs Signal vs Telegram: Which is More Viable and Secure?

Data Scraped from Instagram, TikTok and YouTube Exposes 235 Mn Social Media Profiles
