Category Archives: Internet Security

Encryption and the extent of privacy

Ed. Note.: This post, by Benjamin Vanlalvena, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

A background of the issue

On December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing. The FBI announced on February 9, 2016 that it was unable to unlock the iPhone used by one of the shooters, Farook. The FBI initially asked the NSA to break into the iPhone but their issue was not resolved, and therefore asked Apple to create a version of the phone’s operating system to disable the security features on that phone.

Apple however refused which led to the Department of Justice applying to a United States Magistrate judge who issued a court order requiring Apple to create and provide the requested software and was given until 26th February, 2016 to respond to the order. Apple however announced their intention to oppose the order. The Department of Justice in response filed a new application to compel Apple to comply with the order. It was revealed that they had discussed methods to access the data in January however, a mistake by the investigating agencies ruled out that method. On March 28, the FBI announced that they had unlocked the phone and withdrew the suit.

The dilemma

Privacy is a recognised fundamental right under Article 17 of the International Covenant for Civil and Political Rights and Article 12 of the Universal Declaration of Human Rights.

Encryption is a process through which one encodes or secures a message or data to make the content readable only by an authorized party or by someone who has the decryption key. Apple claims that it does not perform data extractions as the ‘files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.’ This, according to the FBI Director, James Comey, is a cause for concern as it means that even with a court order, the contents inside the device of all kinds of criminals would not be accessible. Having a backdoor or ‘golden key’, though slightly different [though not totally] from mass surveillance, as agencies herein would be having the capability to access data stored in the devices as compared to a constant monitoring of data. It’s no longer a matter of constant surveillance but the potentiality of other non-governmental persons gaining access through some illegitimate means. The major contention is that there is an assumption either that those who have access to the key are ‘good people’, who have our interests in mind or that the backdoor would only be accessible by the government. The Washington Post reported that the FBI had (after failing to get Apple to comply) paid professional hackers to assist them in cracking the San Bernardino terrorist’s phone. This itself is a cause of concern as it is proof of vulnerabilities existing in our phones which are seemingly secure.

A data that is encrypted cannot be considered to be totally secure if there is some party which has a means to bypass said encryption. The FBI’s request is therefore problematic as it gives it a backdoor to the data which would be a vulnerability which effects all users. One should bear in mind that the trade of such ‘zero-day vulnerabilities’ is not something unheard of and the NSA or FBI having such tools which keep our data secure is problematic as such tools could be end up in the hands of hackers or leaked. One of the most hard hitting points raised is the issue of national interest, that terrorists or paedophiles use encryption and that it is a “safe space” for them. However, a creation of a backdoor according to the former NSA chief, Michael Hayden, would  be futile as terrorists would be making their own apps based on open-source software, the presence of a backdoor would simply make innocent persons less secure and vulnerable to people who would be taking advantage of such backdoors.

While the intention of the agencies might be good or in the interests of the public, one should keep in mind that once a backdoor is provided, not only is this a dangerous precedent but the dangers of such an encryption leaking an effecting the lives of common persons is huge.

For more information, visit:

https://tcf.org/content/commentary/weve-apple-encryption-debate-nothing-new/

https://www.aclu.org/feature/community-control-over-police-surveillance

https://www.ctc.usma.edu/posts/how-terrorists-use-encryption

https://www.youtube.com/watch?v=peAkiNu8mHY

https://www.youtube.com/watch?v=DZz86r-AGjI

Advertisements

RELIANCE JIO: REGULATORY AND PRIVACY IMPLICATIONS

Ed. Note.: This post, by Sayan Bhattacharya, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

In the world of technology dominated by a power struggle in terms of presence and absence in data circles, Reliance Jio has probably made the biggest tech news of the year with its revolutionary schemes. By adopting a loss-leader strategy of immediate loss and ultimate dominance, Reliance Jio has promised its subscribers stellar features like free voice calls, extremely cheap data packages, abolition of national roaming  charges and striking down extra rates on national holidays on shifting to its network. This is set to significantly affect competition by taking India’s data scenario from a data scarcity to data abundance mode.

Tech companies were hesitant to hand over consumers too much data till this point since they believed the same would act contrary to their business interests. So intra tech-company competition existed within set boundaries till now.

A long standing argument has been in terms of data inequality, wherein people living in rural areas are greatly disadvantaged due to absence of accessibility to data, presence of high tariffs and lack of initiative. This marked shift is significantly going to  affect this particular section of society. The arrival of data-abundance schemes of Reliance Jio might trigger of the kind of competition needed to make internet more accessible and solve the divide existing in status quo.

The second shift which is less talked about in the classy launch statements is the treatment of these immense amount of data which will be at their disposal, post such a move.  The markets in United States and Europe have been relatively normalised to the idea of data abundance for tech companies in comparison to Indian markets. There also exists a subsequent system of checks and balances placed in the judiciary of these markets to control ethics of data collection like specific privacy laws, special courts, media and NGO sensitisation of existing problems with data collection. Such specific laws and structure is almost non-existent or minimally present in the India which makes such problems harder to deal with.

This article seeks to answer the implications of such a move in terms of privacy of consumer data, regulatory mechanisms and its subsequent impact on the market.

The  major transition when a user shifts from a conventional network to that of a Reliance Jio is in the shift from conventional calling facilities to data calling, wherein Reliance Jio uses a technology called VoLTE to make data calls. This technology is being introduced for the first time here but is already prevalent in European and US markets . These features are different from those available on social media platforms like WhatsApp which have exclusive privacy policies including checks and balances preventing breach of privacy like end-to-end encryptions.

Consequently huge amount of data will now be floating in terms of data calls and  concern is over a third party monitoring private calls. In the world of data, the flow of data is monitored using a technique known as Deep Packet Inspection, which is a form of computer network packet filtering that examines the data part in terms of a packet as it passes an inspection point, searching for protocol non-compliance,viruses, spam, intrusions, Apart from the legitimate inspections, its critique comes in the form of a third party inspection of data which can be grossly misused in terms of:-

  1. Data Snooping and Eavesdropping

  1. Data Mining – The ethics of digging up history of searches in order to use data for unfair advantage of parent companies. The problem with this kind of data history existing is surrounding the fact that algorithms instead of predicting future searches tends to show same results in order to orient users to preferential data. This becomes extremely problematic when it comes to Reliance Jio which aims at achieving a closed ecosystem through its applications thus exploiting net neutrality laws. This was debated extensively in the application of Free Basics of Facebook in which Reliance Jio was a stakeholder.

  1. Internet Censorship – Government intervention to control the flow of data is another concern. In this regard we are essentially concerned with silent monitoring of data to serve government propaganda in order to define what is viewable and what is not.

Further, Reliance Jio tries to incorporate an app ecosystem which comes as a part and parcel with the package which includes JioTV app, a JioCinema app, a JioMusic app, a personal digital wallet,  JioMags and a Newspaper application. The extensive push for a relatively close ecosystem might lead to exploitation of loopholes in Indian net neutrality laws, thus working to a disadvantage for third party. Data Mining techniques might even be used in this regard to identify customer patterns to suit needs of parent company in absence of a strict system of checks and balances as present in countries which have adopted this technology.

Reliance Jio network has worked relatively well insofar as Reliance to Reliance calls are concerned. But when it comes to calls to another operator there have been significantly high cases of call drops reported. Thus promising features intended to incentivise a switch to Reliance Jio network suffers a major roadblock in terms of implementation.

In light of the arguments presented, the shift that has been triggered by Reliance Jio needs an effective system of checks and balances in terms of regulatory measures to ensure the following:-

  • Maintenance of principles of net-neutrality
  • Protection of private consumer data
  • Prevention of privacy breaches
  • Consumer protection in terms of reducing call drops to other operators
  • Prevention of unfair trade practices in terms of data mining to suit needs of parent company

A Wolf in Sheep’s Clothing: The Trans-Pacific Partnership

[Image Source: http://flic.kr/p/osRzan]

After the scrapping of the ‘Stop Online Piracy Act’ (SOPA) and the ‘Protect IP Act’ (PIPA) in the U.S., one could have been under the impression that the Internet would be free from unadulterated interference by the government. SOPA and PIPA basically gave the government unprecedented powers to shut down any website/blog at will. Be that as it may, few know about the presence of an equally perilous agreement called the ‘Trans-Pacific Partnership’. U.S. is a key member of this partnership bolstered by corporate lobbyists and this will ultimately be pushed down on all countries around the world by means of trade deals. WikiLeaks in recent times has released some draft chapters of the TPP. In this blog post, I will try to analyze some contentious provisions of the TPP from the viewpoint of an Indian internet user.

Continue reading A Wolf in Sheep’s Clothing: The Trans-Pacific Partnership

The Mirage of Internet Security: A Response to the Bash Bug

(Image Source: https://flic.kr/p/mjhubJ)

Recently in our class on the Law of Evidence, the discussion turned to the security of email accounts, specifically Gmail. Our teacher asked a general question, about how easy it would be for a person to hack a Gmail account, on a scale of 0 (extremely difficult) to 5(extremely easy). There was a smattering of response, ranging between 0 to 1.5.

But I would argue that the answer, always, is 5. Even if you disagree with that, at the very least, I would argue that is the presumption we should always work with. The Internet is awash with bugs and errors, and any security that is set up on it can be broken – the only question is how determined the hacker in question is to get your information, and how determined you are to protect it. And that is even before you get started on the devices connecting the average user to the Internet. Continue reading The Mirage of Internet Security: A Response to the Bash Bug