REGULATIONS & COMPLIANCE Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/regulations-compliance/
Feed last built: Thu, 14 Oct 2021 13:56:27 +0000

Australia Unveils Ransomware Action Plan to Combat Cyberattacks
https://cisomag.com/australia-unveils-ransomware-action-plan-to-combat-cyberattacks/
Thu, 14 Oct 2021 16:02:33 +0000

The post Australia Unveils Ransomware Action Plan to Combat Cyberattacks appeared first on CISO MAG | Cyber Security Magazine.
With rising state-sponsored ransomware operators and attacks becoming widespread, the Australian government has announced a Ransomware Action Plan to tackle the rising cyberthreats. The government is also collaborating with international and business partners to protect Australians against global ransomware threats.

“We are continuing to observe cybercriminals successfully use ransomware to disrupt services and steal from Australians. Whether it is conducting attacks on critical infrastructure, taking from small businesses, or targeting the most vulnerable members of our community, cybercriminals use ransomware to do Australians real and long-lasting harm,” said Karen Andrews MP, Minister for Home Affairs.

Ransomware Action Plan

The Ransomware Action Plan is built on three objectives – Prepare and Prevent; Respond and Recover; Disrupt and Deter.

The authorities stated the ransomware action plan would ensure that Australia remains a challenging target for cybercriminals. Under the ransomware action plan, the Australian government will:

  • Launch additional operational activity to target criminals seeking to disrupt and profit from Australian businesses and individuals
  • Establish the multi-agency taskforce Operation Orcus, led by the Australian Federal Police, as Australia’s strongest response to the surging ransomware threat
  • Raise awareness and provide clear advice on ransomware payments for critical infrastructure, large businesses, and small to medium enterprises
  • Conduct joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt, and prosecute malicious cyber actors engaged in ransomware
  • Introduce specific mandatory ransomware incident reporting to the Australian Government
  • Introduce a stand-alone offense for all forms of cyber extortion

Cybersecurity Initiatives by Australia

The Australian government has initiated multiple cybersecurity measures to combat rising cyber and ransomware attacks. The government invested $1.67 billion in cybersecurity funding over ten years via its Cybersecurity Strategy 2020 to build new cybersecurity and law enforcement capabilities.

International Pact to Thwart Cyberattacks

Australia recently partnered with the U.K. and the U.S. to form a trilateral security partnership known as AUKUS. The security pact is committed to maintaining diplomatic, security, and defense cooperation in the Indo-Pacific region. The three nations announced their plans to boost cybersecurity, artificial intelligence, quantum computing, and other critical technologies.

Australia Passes Surveillance Legislation (Identify and Disrupt) Amendment Bill 2020
https://cisomag.com/australia-passes-surveillance-legislation-identify-and-disrupt-amendment-bill-2020/
Thu, 26 Aug 2021 10:17:59 +0000
Australia is constantly trying to boost its cybersecurity capabilities to mitigate rising threats of remote access scams and identity thefts. The government recently passed the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, allowing the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to spy on potential cybercriminals online. The coalition bill provides three exclusive warrants to AFP and ACIC to modify, add, copy, or delete data linked to cybercriminal suspects and even take control of their online accounts.

“The bill introduces account takeover warrants to enable the AFP and ACIC to take over a person’s online account to gather evidence to further a criminal investigation; and make minor amendments to the controlled operations regime to ensure controlled operations can be conducted effectively in the online environment,” the Parliament of Australia stated.

Minister for Home Affairs, Karen Andrews, stated that the new legislation gives more authority to the law enforcement agencies in the country in identifying cybercriminal activities online. “Under our changes, the AFP will have more tools to pursue organized crime gangs to keep drugs off our street and out of our community, and those who commit the most heinous crimes against children,” Andrews said.

The three warrants that give additional powers to the AFP and the ACIC include:

1. Network Activity Warrant – This warrant will enable the AFP and the ACIC to collect intelligence on the most harmful criminal networks operating online, including on the dark web and when using anonymizing technologies.

2. Data Disruption Warrant – This will enable the AFP and the ACIC to disrupt serious criminality online, authorizing them to modify data belonging to individuals suspected of criminal activity in order to frustrate the commission of serious offenses such as the distribution of child exploitation material.

3. Account Takeover Warrant – This warrant empowers the AFP and the ACIC to take control of a person’s online account to gather evidence about criminal activity, to be used in conjunction with other investigatory powers. Currently, law enforcement agencies rely on a person consenting to the takeover of their account.

All three warrants will be overseen by the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security to ensure the agencies use them appropriately, and reviewed by the Independent National Security Legislation Monitor and the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

Mastercard’s New Digital Infrastructure Group Drives Digital Identity Service for Open Banking
https://cisomag.com/digital-identity-service/
Fri, 16 Jul 2021 09:30:17 +0000
You may be revealing more information than needed whenever you disclose your personal identity, such as a driver’s license. And that information may be misused by the party from which you buy a product or service. Consumers are not in control of their data today, and there is a need for evolved standards and technology like homomorphic encryption to protect digital identities. These were some of the concerns expressed by Robert Schukai, Executive Vice President, New Digital Infrastructure and Fintech at Mastercard, when he delivered the keynote address at the Secure and Private Compute Summit (Virtual) on July 6. Schukai also outlined some of the initiatives undertaken by the New Digital Infrastructure Group at Mastercard, backed by Mastercard’s data principles. Its digital identity service aims to counter consumer data privacy challenges for financial transactions.

By Brian Pereira, Editor-in-Chief, CISO MAG

The New Digital Infrastructure Group at Mastercard is focused on developer outreach, engaging with the Fintech community and with its cryptocurrency work. It is also regarded as Mastercard’s open banking organization. The Group wants to bring about change in how digital identities are exchanged during financial transactions. And it has achieved some success with its digital identity service called “ID” in markets like the U.S., Europe, and Australia. This has also opened up new opportunities and exciting applications that were not possible earlier due to concerns about consumer data privacy.

“Today, we are at a critical juncture at how data is used. We see a real need for consumers to be in control of their data — for consumers to feel like they had a say in how it was used,” said Schukai. “At Mastercard, we took this seriously, and we established our data principles in 2019… these were principles that every single employee at Mastercard buys into today.”

Mastercard Data Principles

According to Schukai, Mastercard believes that four things should take place when it comes to treating personal data with “decency.”

  1. You own the data. You produce data every day, so it belongs to you.
  2. You control your data. You have the right to understand and control how your data is shared and used.
  3. You as a consumer should benefit from the use of data.
  4. Mastercard will protect that data. Your data will be kept secure and used responsibly.

“It is important to set up those data principles today because digital identity and open banking are highly complementary businesses,” said Schukai. “We believe users should only have to share the data that is absolutely necessary at the time of the transaction, and this is our focus for any company that we work with or any use case that is out there.”

Enabling Open Banking

Open Banking, which was introduced in January 2018, has been a topic of many conversations as it gives consumers and third-party financial institutions flexibility for financial transactions. According to Investopedia, open banking is a banking practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions, through the use of application programming interfaces (APIs).

Mastercard already operates an open banking solution in Europe, and in 2019, it acquired Finicity, a leader in the open banking space in North America.

Open banking got a major boost after regulatory rules were established for it in the U.S., EU, and Australia. For instance, in Europe it is known as PSD2 (Second Payment Services Directive), and it is forcing the biggest banks to open up and share their data. This is enabled by standardized API access to information in bank accounts. While open banking has been around since 2018, there are still some major creases to be ironed out before it really takes off. However, the opportunities and benefits have been a big draw for both consumers and financial services organizations.

“This gives you tremendous leverage and opportunity — to create services and offerings for new account opening, for lending or credit decisioning. That was one of the things we found most compelling from a Mastercard perspective,” said Schukai.

He alluded to certain applications, such as managing credit scores, that are possible because of open banking.

“People could upload their data in a product like the Experian Boost to raise their credit score, so that they can then turn around and secure a mortgage to a company like Rocket Mortgage. This is powered by the Finicity open banking solution, and it lets you get a mortgage very quickly. That ability to move data and use your data for lending and credit decisioning all require a combination of knowing who the person is, to be able to ….to successfully unlock that data. To secure and use it responsibly.”

Enabling Technologies and Techniques

To enable these open banking applications, organizations need to adopt certain privacy-enhancing technologies. These include techniques such as differential privacy, trusted execution environments, secure multi-party computation, and homomorphic encryption. Each of these has its own range of complexity, capability, and security requirements, so companies must do their due diligence when choosing a technology.

Schukai said that Mastercard has invested in homomorphic encryption. It has also introduced a program to engage with tech companies that specialize in payments and security.

“Personally, I think homomorphic encryption is a phenomenally exciting technology. We see great value in querying data where it lives. It’s about performing computation in the ciphertext space and returning results of those queries, all this without decrypting. For us at Mastercard homomorphic encryption is an ideal technology when you are dealing with sensitive data that you do not want to sling around but would prefer to leave in its location.”

Data is encrypted at rest and in transit. But it has to be decrypted for processing, and that presents security and privacy challenges. This is the problem homomorphic encryption solves: it enables ciphertext to be processed without ever being decrypted.

Homomorphic encryption is already coming into the mainstream, though it makes huge demands on computing resources.


Legislative Compliance Challenges

Schukai said Mastercard is also working to help companies cope with legislative compliance challenges at the local, regional, and international levels.

“When you layer data principles with legislative compliance, you see the problems that we face in using data and using data safely. We need to think about multiple layers of security including tokenization and encryption that protect information. We need to think about regulations like GDPR — and Mastercard has launched a My Data portal so that individuals everywhere can see and manage their personal information that Mastercard holds. It gives you the opportunity to remove that data if you do not want it to be stored there any longer,” he said.

Schukai also sees a need for world-class anonymization solutions that protect data while still enabling analytics under the GDPR. This will be critical for how consumer data can be used.

“As a company, we are embedding data responsibility principles into our product development process. We even provide controls over the use of data, including opt-outs for marketing data. We want to be able to unlock the power of data, but we need to unlock that data sensibly and responsibly. And for us at the highest level of security, when we are combining assets like user identity and banking information, we are very proud to be using technologies like homomorphic encryption as a way of leaving data where it sits, complying with national regulation, performing queries against data sets without moving the data and overturning the results of those queries in a safe, effective, and proper way, to unlock the types of solutions that consumers want.”

While Mastercard is doing its bit to secure consumer data, the Government of India thinks it should be more transparent by storing a copy of consumer transactional data on servers on Indian soil. On Wednesday, the Reserve Bank of India banned Mastercard from issuing new credit and debit cards to consumers, and this is a major setback to the U.S. company.

In a notification, the RBI said Mastercard had not complied with data storage rules from 2018 that require foreign card networks to store Indian payments data “only in India” so the regulator can have “unfettered supervisory access”.

Digital Identity Service

Mastercard is taking its digital identity service (called “ID”) to other markets such as Australia. In November 2020, it did a beta launch for its reusable digital identity solution with Optus, a major Australian telecom company. This will provide Optus’ customers a simpler and more secure way to prove their identity online and in-store. To quote from a press release: In using ID, Optus will strengthen its identity verification and authentication process while retaining its “best-in-class, digital-first customer experience.”


About the Author

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

Colorado Inches Closer to Becoming the Third State with a Comprehensive Privacy Act
https://cisomag.com/colorado-privacy-act-approved-by-senate/
Mon, 21 Jun 2021 13:43:52 +0000
The Colorado State Senate approved the “Colorado Privacy Act” on June 8, making Colorado only the third state after California and Virginia to have a comprehensive data privacy law. Senate Bill 190 has now been sent to Governor Jared Polis, whose signature will seal the fate of this act; it would then come into effect on July 1, 2023, unless he uses his veto to stop its enforcement within 10 days of transmission.

The 5 Key Rights of the Colorado Privacy Act

The privacy act will not apply to all businesses operating in Colorado but only to the ones that:

  • Store or process personal data of more than 100,000 consumers annually, or
  • Sell personal data and process or control the personal data of 25,000 or more Colorado resident consumers.

Besides, the Colorado Privacy Act has been drafted in a manner that grants the residents of the state five key rights:

  1. Right to opt out of the sale of their personal data.
  2. Right to deny processing of their personal data for targeted advertising purposes.
  3. Right to opt out of automated profiling that produces legal or similarly significant effects.
  4. Right to access their personal data and correct any inaccuracies held by the data controller.
  5. Right to receive their data in a portable, ready-to-use format and to have it erased from the data controller’s database whenever they wish.

Apart from this, data controllers are required to limit their data collection to the essential information needed to render their services rather than collecting it indiscriminately. Additionally, the act makes it mandatory to keep the collected data secured at all times to prevent unauthorized or malicious access.

The Colorado Privacy Act also addresses sensitive data: it requires data controllers to refrain from collecting and processing sensitive information such as data on ethnic background, religious beliefs, mental or physical health, sexual orientation, citizenship, genetic or biometric data, and the personal data of minors, unless consumers opt in or otherwise provide consent.

Although this Privacy Act is similar to the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), it differs from them in some respects, which will make compliance a challenge for businesses. So, we have to wait and watch what happens.

South Korea’s PIPC Imposes Fines on Microsoft and Five Others Over Data Compliance Issues
https://cisomag.com/south-koreas-pipc-imposes-fine/
Thu, 10 Jun 2021 14:05:36 +0000
South Korea has been known for making huge strides in technological advancements. With companies like Hyundai, LG, and Samsung as its flag bearers, it has pioneered many tech and business solutions for the masses globally. However, one thing that not many people know about South Korea is that it takes data privacy and compliance seriously. A year ago, the South Korean telecommunications watchdog, the Korea Communications Commission (KCC), found TikTok guilty of mishandling child data and fined the company 186 million won (approximately $155,000). Keeping a stern stance towards data compliance, South Korea’s Personal Information Protection Commission (PIPC) has now reportedly fined Microsoft and five local companies on multiple counts of violating the country’s data protection laws.

The PIPC Imposes Fines

The fines imposed cumulatively total $75,000, of which Microsoft will pay 16.4 million won (approximately $14,700). Microsoft has been penalized for failing to put in place appropriate protective measures on administrative accounts, which eventually leaked over 119,000 email accounts, of which 144 belonged to South Korean citizens. This, however, was not the only count behind the penalty. Microsoft announced the leak within 24 hours of the incident, as the PIPC’s data laws require, but only in English. It took 11 more days to publish the data leak notice in Korean, which the PIPC said is mandatory for all Korean users.

The others on the list included the blockchain subsidiary Ground X and the software company Innovation Academy. Both companies were handed 25 million won ($22,400) each in fines for general privacy shortcomings. But, like Microsoft, both companies were additionally charged on one further count each. As per the PIPC’s investigation, Ground X was found not to have protected its passwords adequately, and Innovation Academy was found responsible for a data leak, resulting in additional fines of six million won (approximately $5,400) and three million won ($2,700) respectively.

Besides, the World Math Fusion Olympiad Korea, the Korean Mountain Bike Federation, and the Korea Professional Football League were all slapped with a three million won ($2,700) fine for “data mismanagement.” In addition to the monetary fine, the football league was also asked to take corrective actions to fix the issues at the earliest.

Since the PIPC is an independent body established under the Personal Information Protection Act (PIPA), privacy rights and the protection of personal data are a matter of utmost concern in the country. Hence, organizations in both the private and public sectors are required to comply with PIPA’s regulations.

Furthermore, South Korea’s Fair Trade Commission is also reportedly setting up an investigation team to examine anti-competitive behavior and the amount of data collected by big tech.

French Regulator Fines Google €220 Mn for Unfair Advertising Practices
https://cisomag.com/french-regulator-fines-google-e220-mn-for-unfair-advertising-practices/
Tue, 08 Jun 2021 09:30:43 +0000
The enactment of GDPR has had a far-reaching impact on businesses of all kinds across the globe. However, GDPR compliance has made it more challenging for marketers and advertisers to obtain consent for processing customer data. And Google seems to be running into trouble with its online advertising practices, because users cannot fully understand how Google is using their personal data.

In January 2019, the search engine giant was fined €50 million (around $57 million) by the French data regulator CNIL (National Data Protection Commission) for violating GDPR norms. The fine was levied for Google providing limited information, lacking transparency, and failing to obtain valid consent from its users regarding ad personalization.

Now, more than two years later, Google has been fined again over the online advertising space. According to a report, the French Competition Authority (FCA) fined Google €220 million (approximately $268 million) for abusing its dominant position in the advertising market and favoring its own services at the expense of its competitors. The penalty comes after three media groups, News Corp, French daily Le Figaro, and Belgium’s Groupe Rossel, filed an antitrust lawsuit against Google for misusing its position over ad sales through unfair digital advertising practices.

The regulator claimed that Google gave special treatment to its ad inventory marketplace AdX and the Doubleclick Ad Exchange, a platform that allows clients to choose and sell their ads.

“These very serious practices penalized competition in the emerging online advertising market and allowed Google not only to maintain but also to increase its dominant position. This sanction and these commitments will make it possible to re-establish a level playing field for all players, and the ability for publishers to make the most of their advertising space,” said Isabelle de Silva, president of France’s competition regulator.

No Objections from Google

Google didn’t dispute the allegations and settled the case by agreeing to pay the fine. The company also committed to bringing more flexibility and transparency to its Ad Manager services for third-party ad servers and advertising space sales platforms.

In addition to paying the fine, Google committed to introducing certain initiatives. These include:

  • Allowing fair access to information on the auction process for third-party SSPs
  • Preserving the full contractual freedom of third-party SSPs so that they can negotiate special conditions with publishers or with the buyers they choose
  • Ensuring that AdX no longer uses the price of its competitors to optimize its bids in a way that is not reproducible by third-party SSPs
  • Offering guarantees of technical stability, both for third-party SSPs and for publishers
  • Making necessary changes to existing configurations that allow publishers using third-party ad servers to access AdX on-demand in real-time

“While we believe we offer valuable services and compete on the merits, we are committed to working proactively with regulators everywhere to make improvements to our products. That’s why, as part of an overall resolution of the FCA’s investigation, we have agreed on a set of commitments to make it easier for publishers to make use of data and use our tools with other ad technologies. We will be testing and developing these changes over the coming months before rolling them out more broadly, including some globally,” Google said.

Since Google has agreed to comply, it will now become easier for its ecosystem partners to provide fair access to information, and yet comply with GDPR regulations.

This is a lesson that other big tech companies (such as Twitter) can learn. For instance, Twitter has just agreed to appoint key officials in India who will address customer grievances and comply with the new IT rules proposed by the Government of India.

The Curious Case of WhatsApp and Government of India Highlights the Broader Traceability Concerns
https://cisomag.com/whatsapp-and-government-of-india-right-to-privacy/
Thu, 03 Jun 2021 14:46:39 +0000
Facebook-owned WhatsApp and the Indian government have been at loggerheads since January this year. With neither party ready to back down, the battle between WhatsApp and the Indian government reached the next level in the Delhi High Court earlier last week. End-to-end (E2E) encryption, which most social media apps use, helps protect users’ data in motion from being intercepted or tampered with. On this basis, WhatsApp has argued to the court that the Indian government’s new IT Rules are difficult to implement and can undermine users’ privacy.

The One Where It All Began

The tussle between the two Goliaths began with the unveiling of WhatsApp’s latest privacy policy changes for Indian users. The Indian government termed the privacy updates “Discriminatory” and wrote a letter to WhatsApp CEO, Will Cathcart for its immediate withdrawal. Since then, the two heavyweights have thrown punches at each other in the form of multiple affidavits and counter-affidavits filed with the Delhi High Court addressing different issues relative to users’ “Right to Privacy.”

In the latest round of allegations, the instant messaging giant challenged the government in court, alleging that its new IT rules (Intermediary Guidelines and Digital Media Ethics Code Rules 2021) could become weapons of “mass surveillance” and undermine users’ “right to privacy.” The government was not amused, because the affidavit was filed on May 25, a day before the new rules came into force. To clear the air, the government issued a statement saying,

Right to Privacy is a fundamental right and the government respects it. It has no intention to violate it.

But are these justifications enough? What are the new rules? What’s the opposition for? Will these rules help us in maintaining digital hygiene? Or are they simply what WhatsApp suggests – means of surveillance by the government? Questions are many, but answers are few. Here are some key points that may help you decide:

WhatsApp’s Latest Accusation Against GoI

The first accusation made by WhatsApp towards the government is based on a four-year-old verdict on Justice K S Puttaswamy vs Union of India. WhatsApp alleged that the new rules are unconstitutional and undermine an individual’s “Right to Privacy,” which the constitution itself has bestowed upon its citizens as per the 2017 verdict.

Impact: If the new rules come into force, they will make WhatsApp employees liable to criminal proceedings for non-compliance, which in turn bypasses other constitutional rights of those employees, since they are citizens of India. WhatsApp therefore wants the court to ensure that this clause in the amended rules does not come into force, so as to safeguard the interests of both its employees and its users.

The Trouble with Traceability and E2E

The biggest issue that WhatsApp has with the new rules is “Traceability.” In a blog post, WhatsApp explained how the concept of traceability breaks the end-to-end encryption (E2E) that was implemented throughout the app’s ecosystem back in 2016. E2E encryption helps protect users’ calls, messages, photos, videos, and voice data from being intercepted or tampered with. Data is encrypted the moment it leaves the sender’s device and decrypted only on the intended receiver’s device. Even WhatsApp itself cannot read the content transmitted between two people or within a group.

Moreover, WhatsApp argues that the traceability clause, as currently framed, is a flawed concept. For example, if a user forwards a message received from another source, that source can be tracked. However, if a user copies and pastes a message from another source and sends it to a recipient, the person who copied and sent the text becomes the “originator” of the message. This misattributes the origin: the message could have been sent for fact-checking or simply out of concern for the recipient.

Impact: WhatsApp says that breaking E2E encryption would mean the end of privacy and would indirectly mandate mass surveillance. It would have to add a “fingerprint” not to just one or two but to all user messages, which would not only leave users’ data vulnerable to interception and exploitation by potential threat actors but also undermine their privacy round the clock.

Additionally, if the traceability requirements are enforced, WhatsApp will have to create an India-only app, as E2E encryption is a default feature and a long-standing benefit of its worldwide messaging platform. Records suggest that WhatsApp currently has 503 million users in India, so this could be a cumbersome yet mandatory process.

Government’s Stance

In response to WhatsApp’s allegations, which were specifically aimed at Rule 4(2) of the Intermediary Guidelines, the government said, “The(se) rules have been framed after consultation with various stakeholders and social media intermediaries, including but not limited to WhatsApp. After October 2018, no specific objection has been made by WhatsApp to the Government of India in writing relating to the requirement to trace the first originator in relation to serious offenses. WhatsApp’s refusal to comply with the guidelines is a clear act of defiance.”

Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology and Communications, and Law and Justice of India, said,

The entire debate on whether encryption would be maintained or not is misplaced. Whether “Right to Privacy” is ensured through using encryption technology or some other technology is entirely the purview of the social media intermediary. It is WhatsApp’s responsibility to find a technical solution, whether through encryption or otherwise, that both happen.

Impact: According to the government, under Rule 4(2) of the guidelines, tracing the first originator of a message, tweet, or post will only be done under select circumstances. It rejects WhatsApp’s accusation that the GoI wants 24/7 vigilance over its users. The government said, “We do not wish to track all messages.” It added that the “special” circumstances for tracking can be invoked “only for prevention, investigation, punishment, etc. of inter alia an offence relating to sovereignty, integrity and security of India, public order incitement to an offence relating to rape, sexually explicit material or child sexual abuse material punishable with imprisonment for not less than five years.”

However, WhatsApp argues that this can lead to the imprisonment of innocent people who did not perpetrate or originate a message but only propagated it, perhaps mistakenly. In the broader view, this can cause chaos and is harmful to people’s democratic rights.

What Other Social Media Intermediaries Think

The law applies not just to WhatsApp but all “significant social media intermediaries” – that is, the ones with more than 5 million users. This includes the likes of Google, Twitter, and even WhatsApp’s parent company Facebook.

The first to offer a statement about the new intermediary laws was Google’s CEO, Sundar Pichai, who hails from India. Although he declined to take sides, Pichai did say, “Google is committed to complying with local laws and engages constructively with governments as they scrutinize and adapt regulatory frameworks to keep pace with the fast-evolving technology landscape.” He added, “Be it Europe with the copyright directive or India with information regulation, etc., we see it as a natural part of societies figuring out how to govern and adapt themselves in this technology-intensive world.”

On the other hand, Twitter has asked for a three-month extension to comply with the new rules, which the government called “rhetorical,” to say the least. The Indian government had introduced these rules in February this year and had already given a three-month timeframe to comply with the changes, so asking for additional time does not make much sense. Twitter also said it had concerns over two things: the possible impact of these curbs on its users’ “freedom of expression” and the criminal liability of its compliance officer for content posted on the platform.

Impact: Although intermediaries have little choice but to comply, this can lead to intimidation by law enforcement authorities, as was seen in the incident where the Special Cell of the Delhi Police visited the offices of Twitter India in Delhi and Gurgaon in connection with its probe into the Congress toolkit conspiracy.

Expert Opinion

The Internet Society, a non-profit organization, has reiterated concerns, shared by cybersecurity experts, that to comply with these traceability requirements, platforms may be forced to undermine end-to-end encryption. In an open letter to MeitY, cryptography and security experts warned that pursuing message traceability would undermine digital security.

In a statement given to CISO MAG, the Internet Society said, “WhatsApp’s lawsuit is the first by a major social media company against India’s revised Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code), Rules 2021 which were announced in February this year. The revised Guidelines include a traceability requirement, or the ability to track down the first originator of a particular piece of content or message.

While the Ministry of Electronics and Information Technology (MeitY) has emphasized that encryption is not a target in these new Guidelines, cybersecurity experts both in India and abroad have pointed out that it is simply not possible for companies such as WhatsApp to try to comply with the new guidelines without suppressing at least some features that are integral for strong encryption to work properly.

In fact, a 2020 report from these experts warned that “to comply with traceability requirements, platforms may be forced to enable access to the contents of their users’ communications, breaking end-to-end encryption and considerably weakening the security and privacy of their product.”

With the traceability requirement, the government appears to be compelling popular online platforms to weaken encryption without explicitly telling them to do so. The likely outcome will be for those platforms to stop offering end-to-end encrypted services altogether. End-to-end encryption is the gold standard for keeping Internet users and systems secure and an essential aspect of digital privacy which is imperative to the hundreds of millions of people in India who use WhatsApp.”

Conclusion

This is not the first time that WhatsApp has faced governmental pressure over tracing requirements. Earlier, Brazil had also asked the messaging giant to do the same, to which it replied, “It erodes privacy.” Whether the intermediaries yield to the pressure to comply or the GoI eases up on them is something that only time can tell. Meanwhile, users across India are curious about the “suggested” ban on WhatsApp and other social media giants. The government has not said whether it will completely ban these platforms but has hinted at taking away the safe harbor given to them under the IT Act.

About the Author

CISO MAG Writer - Mihir Bagwe
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features and technical blogs, and conducts interviews on the latest cybersecurity technologies and trends.

Indian Government Gives 7 Days to WhatsApp for Privacy Policy Rollback https://cisomag.com/whatsapp-india-asked-to-roll-back-new-privacy-policy/ Thu, 20 May 2021 12:57:58 +0000

The post Indian Government Gives 7-days to WhatsApp for Privacy Policy Roll Back appeared first on CISO MAG | Cyber Security Magazine.

WhatsApp has recently been in a slew of legal battles in India over its latest privacy policy changes. It has now been served a 7-day ultimatum by the Indian government for a complete rollback of all the new privacy policy changes, which came into effect on May 15. Failing that, the Ministry of Electronics and Information Technology (MeitY) has warned of legal action over all the clauses it deems inappropriate.

WhatsApp India Privacy Policy Row

WhatsApp had previously been asked by the Indian government to reconsider its privacy policy changes. In January this year, the Indian government deemed the new privacy policy changes “discriminatory” because the same policy had been made optional for users in the European Union (EU) owing to the GDPR. Since India still does not have a formal data privacy law (one is currently in the works and will be introduced in the parliament’s coming session), MeitY had requested WhatsApp to withdraw the policy and respect the “right to privacy” and consent of Indian users. However, WhatsApp did not withdraw the new privacy policy, which was originally supposed to come into effect on February 8, 2021; instead, it deferred it by three months, to May 15.

In April, MeitY filed an affidavit in the Delhi High Court stating that WhatsApp’s privacy policy violated the Information Technology Rules of 2011 on five counts. They were:

  1. It fails to specify the types of sensitive user data being collected.
  2. It fails to notify users of such collection.
  3. It does not let them review or amend the information.
  4. It does not allow the withdrawal of consent later.
  5. It fails to provide any guarantee against non-disclosure to third parties.

In response to the affidavit, WhatsApp told the Delhi High Court that it was complying with the current Indian IT laws and rules and respected users’ privacy, for which it had already taken steps such as end-to-end encryption of chat data. Additionally, to make its point clearer, it presented another affidavit naming other popular applications in the country, such as Zomato, Ola, BigBasket, Truecaller, and the government’s own COVID tracking app, Aarogya Setu, which have similar privacy policies.

In response to the petition, Justice Sanjeev Sachdeva had earlier told MeitY that, “It is a private app. Don’t join it. It is a voluntary thing, don’t accept it. Use some other app.” Pointing at other apps like Google Maps, Justice Sachdeva added that even others do it and “you would be surprised as to what all you are consenting to.”

Going by this philosophy of “if you want it, you use it,” a few days ago the company again informed the Delhi High Court that it had rolled out the policy on May 15 as planned but was “not forcing users to accept the new updates in the privacy policy.” It clearly stated that, for now, it would not delete the accounts of users who had refrained from accepting the changes. However, this does not seem to be enough, and the ministry has finally given a countdown of seven days before it initiates legal action as it deems appropriate. There is widespread speculation (on social media and in WhatsApp message forwards) that users who do not accept the new privacy policy may not be able to access all the features of WhatsApp, but this is yet to be confirmed.


European Commission Initiates Process to Allow Personal Data Flow to U.K. https://cisomag.com/draft-for-personal-data-transfer-to-uk/ Tue, 23 Feb 2021 11:41:42 +0000

The post European Commission Initiates Process to Allow Personal Data Flow to U.K. appeared first on CISO MAG | Cyber Security Magazine.

The U.K. withdrew from the European Union on January 31, 2020. The transition period of the withdrawal lasted until December 31, 2020, and all laws applicable to the EU Member States remained in effect during this period. But effective January 1, 2021, the U.K.’s own laws (the U.K. GDPR and the Data Protection Act 2018) came into force, which meant that personal data transfers between the U.K. and EU nations no longer had a legal channel, as the two now acted as separate entities.

However, it is to be noted that the U.K. “retained EU law,” which includes Regulation (EU) 2016/679 in its entirety (including its recitals). All the provisions and governance applicable under EU law for personal data protection have been adopted by the U.K. as is. In light of this, the European Commission has initiated a process for transfers of personal data to the U.K. from other EU countries under two draft adequacy decisions: one under the General Data Protection Regulation (GDPR) and the other under the Law Enforcement Directive (LED).


Draft for Personal Data Transfer to U.K.

The publication of the draft decisions by the European Commission is a step towards their adoption. The European Data Protection Board (EDPB) will give its opinion on the drafts, which will then require a go-ahead from a committee of representatives of the EU Member States. The European Commission has already found the U.K.’s law and practice on personal data protection to be essentially equivalent to the level of protection guaranteed under the GDPR and, for the first time, under the LED.

Didier Reynders, Commissioner for Justice, said, “A flow of secure data between the EU and the U.K. is crucial to maintain close trade ties and cooperate effectively in the fight against crime. Today we launch the process to achieve that. We have thoroughly checked the privacy system that applies in the U.K. after it has left the EU. Now European Data Protection Authorities will thoroughly examine the draft texts. EU citizens’ fundamental right to data protection must never be compromised when personal data travels across the Channel. The adequacy decisions, once adopted, would ensure just that.”

Noting that adequacy findings may require modification in the future and that the U.K. will no longer be bound by EU privacy rules, the Commission will adopt the two adequacy decisions for an initial period of four years. After that, they would be reviewed and renewed if the level of personal data protection in the U.K. continues to be adequate.

In the Meanwhile

Until the comitology procedure, which involves consent from the EU Member States, is completed, data flows between the European Economic Area and the U.K. will continue and remain safe under the conditional interim regime agreed in the EU-UK Trade and Cooperation Agreement. This interim period expires on June 30, 2021.

The draft adequacy decisions presented to the EDPB concern the flow of data from the EU to the U.K. Data flows in the other direction, from the U.K. to the EU, are regulated by U.K. legislation, which has been in effect since January 1, 2021. The U.K., for its part, has decided that the EU’s measures provide adequate protection, and therefore data can flow freely from the U.K. to the EU uninterrupted.


China Readies the First Draft of Personal Information Protection Law https://cisomag.com/china-personal-information-protection-law/ Mon, 30 Nov 2020 14:30:40 +0000

The post China Readies the First Draft of Personal Information Protection Law appeared first on CISO MAG | Cyber Security Magazine.

In the past few years, China has become notorious for finding ways to violate users’ data privacy. However, in a step towards strengthening its stance on individual data, China has announced the first draft of the Personal Information Protection Law (PIPL). This law is one of the three fundamental laws on cybersecurity and data protection that China holds, the other two being the Cybersecurity Law and the Data Security Law (which is also still in draft).

Dissecting the Personal Information Protection Law

The PIPL’s draft version consists of eight chapters and 70 articles, covering topics that include personal information processing, cross-border data transfer, rights of individuals for data processing, etc.

The PIPL defines personal information as various types of information, recorded electronically or in other formats, relating to identified or identifiable individuals. Some of the key provisions of the draft PIPL are mentioned below:

Departments Exercising Personal Information Protection

As per the Draft PIPL, the Cyberspace Administration of China (CAC), the Department of the State Council, and the relevant department of local government at the level of the county or above are all responsible for personal information protection.

Scope of Application

The Draft PIPL provisions say this law can be applicable outside of China to the extent necessary for protecting the interests of Chinese citizens. The Draft PIPL also comes into effect where the purpose of data processing outside of China is to provide products or services to individuals in China or to analyze their behavior in China.

The Seven Pillars of Data Processing

The Draft PIPL is based on seven data protection principles: legality, explicit purpose, minimum necessity, transparency, accuracy, accountability, and data security. Let’s take a closer look at them.

1. Consent and Exceptions for Consent

Under the PIPL, a data processor may process personal data based on:

  1. Consent of the individual.
  2. The necessity of executing or performing a contract.
  3. The necessity of performing a legal obligation or legal duty.
  4. A response to an emergency public health event or the necessity of protecting the safety of an individual’s life and property.
  5. The publication of news and the supervision by public opinion for the public interest within a reasonable scope.

2. Joint Data Processing and Data Processing by Entrustment

In the event of data processors processing personal information together, the co-processors shall also bear joint liability in cases of infringement of personal interests.

Where a data processor entrusts a third party to process personal information, both parties shall execute an agreement that sets out the purpose of data processing, the processing mode, the types of personal information processed, the protection measures, and both parties’ rights and liabilities.

3. Provision of Personal Information to a Third Party

When providing personal information to a third party, a data processor is bound to inform the data subject of the identity and contact information of the third party, the purpose of data processing, the processing mode, and the type of personal information covered, as well as to obtain separate consent from the data subject.

4. Sensitive Personal Information

The Draft PIPL stipulates more restrictions on the processing of sensitive personal information. Sensitive personal information is defined as information that once leaked or abused may cause damage to personal reputation or seriously endanger personal and property safety, and includes race, nationality, religion, biometric information, health, financial account, personal whereabouts and other information. Only if the personal data processor has a specific purpose and sufficient necessity, and obtains separate consent or written consent from the data subjects, is processing sensitive personal information allowed.

The data processor shall also inform the data subject of the necessity of processing the sensitive personal information and its impact on the data subject.

5. Personal Image Collected by the Equipment Installed in Public

Personal images and personally identifiable information collected by image-acquisition and personal-identification devices installed in public places may only be used for the purpose of maintaining public security, and may not be disclosed or provided to others unless consent is obtained from the individual or otherwise provided for by relevant laws and regulations.

6. Cross-Border Transfer of Personal Information

The Draft PIPL provides three methods for cross-border transfers of personal information. In general, cross-border transfers of personal information shall be certified by recognized institutions, or the data processor shall execute a cross-border transfer agreement with the recipient located outside of China and ensure that the processing meets the protection standard provided under the Draft PIPL. Where the data processor is categorized as a critical information infrastructure (“CII”) operator or the volume of data processed by the data processor exceeds the level stipulated by the CAC, the cross-border transfer of personal information must pass a security assessment conducted by the CAC.

In cases of cross-border transfer of personal information, the data processor shall inform the data subjects of the identity and contact information of the overseas receiving party, the purpose of data processing, the processing mode, the type of personal information to be processed, and the way data subjects can exercise their rights provided under the Draft PIPL, as well as obtain separate consent from the data subjects.

7. Rights of the Individuals with Respect to Data Processing

Individuals have the right to know about, the right to decide on, and the right to limit or object to the processing of their personal information by others. They also have the right to access and copy their personal information held by data processors and the right to request that data processors correct or complete their personal information. Under certain circumstances, individuals have the right to request deletion of their personal information, the right to withdraw consent, and the right to request that the data processor explain its processing rules.

The data processor shall establish the mechanism for the data subject to exercise his or her rights.

Legal Liabilities

The Draft PIPL widens the range of penalties beyond those provided in China’s Cybersecurity Law. In addition to rectification orders, confiscation of illegal gains, warnings, fines of under 1 million RMB, business suspensions, business halts for rectification, and the revocation of relevant permits or business licenses under the Cybersecurity Law, the draft PIPL also stipulates that, in serious cases, data processors are subject to fines of under 50 million RMB or under 5% of the previous year’s revenue.
