India's BlackBerry case raises privacy concerns
INDIA--Experts say the recent controversy involving India and Canada-based Research In Motion's (RIM) Blackberry services signals the need to evolve an international agreement on data security.
Citing security concerns over the use of BlackBerry by militants, as e-mail messages sent using the mobile device cannot be traced or intercepted, the Indian government has been putting pressure on RIM to provide security agencies with a way around its encryption.
Local government officials had asked RIM to either share the data encryption code used in BlackBerry devices, or set up servers in India so that the systems can be monitored by Indian security agencies.
After months of high-level meeting between RIM executives and India's Department of Telecommunications (DoT) and Ministry of Home Affairs on the issue, the government this week said BlackBerry devices do not pose any security threat.
The controversy, however, has raised concerns over data security.
India must match up
Local industry observers say India must ensure its efforts in ensuring data security are comparable to global standards.
"The issue of data security is an issue that involves all countries alike," Ameet Nivsarkar, vice president of Nasscom, told ZDNet Asia in a phone interview. Nasscom is the trade body and chamber of commerce of India's IT-BPO (IT-business process outsourcing) industry.
"Today, millions of bytes of data are crossing global boundaries at any given point of time," Nivsarkar explained. "Data security in India isn't, and can't afford to be inferior to data security in any other country."
Sivarama Krishnan, executive director and partner of performance improvement PricewaterhouseCoopers, said: "It's less to do with data security, and more to do with privacy compliance."
In fact, security measures taken by telecom operators, BPOs and other Indian companies are at par with global standards, Krishnan said in a phone interview.
Navita Srikant, national leader of fraud investigations and dispute services, Ernst & Young India, noted: "The biggest threat to telecom companies is insider threat, rather than external threats. The most sensitive information in a telecom company, like customer data, strategy, mergers, acquisitions and so on, are stored on IP addressable machines.
"Therefore, this information is directly accessible to bot [attacks] and employees," Navita told ZDNet Asia in a phone interview.
Bots are software applications that run automated tasks over the Internet, and can be used to launch malicious attacks on networked computers.
"Approximately 200,000 machines get infected by bots every day, and are being used for corporate espionage and stealth activities," Srikant added.
According to Krishnan, privacy compliance in India "is fairly low" compared to other countries. She noted that, in reporting sensational criminal cases, the Indian media has proven to be successful in laying their hands on phone call records of victims and prime suspects.
Nivsarkar said: "Privacy is more a societal issue. We tend to be intrusive. It's quite normal for people in India to discuss each other's salaries, personal lives and other details.
"However, as long as it does not impact business, I don't think it is an issue," he said. "There have been very few instances of frauds and security breaches in the Indian IT/ITES (IT-enabled services) industry, and the police had moved to solve the cases in record time."
Srikant said: "India needs to address both data security as well as privacy compliance issues".
As of today, India does not have any law or ordinance on data privacy, she said. The Data Protection Bill 2006, which has yet to be passed by the Indian Parliament, will address issues pertaining to privacy compliance and provide confidence to companies looking to do business in India.
"The Indian legislative process takes a long time to pass regulations, but data privacy and security are not issues we can afford to ignore," Srikant added. The data protection bill seeks to provide protection of personal data and information of individuals, allowing them to claim compensation or damages if their privacy has been breached without consent.
According to Nivsarkar, there is need for an "international agreement on data security" in today's globalized environment.
"Such an agreement can look into matters, such as service providers working alongside governments and security agencies, to address security concerns over having servers in different geographies," he explained.
Concurred Srikant: "With time, it will become imminent for countries to have such a global agreement on international data security."
Nivsarkar added that India is making considerable headway on increasing data security.
For instance, Nasscom recently set up the Data Security Council of India (DSCI), a self-regulatory initiative in data security and privacy protection. The council is envisaged as a credible and committed body to uphold data privacy and security standards. It will adopt global best practices, drawing upon American laws, the European Union Directive and Safe Harbor Framework, OECD guidelines, and Asia-Pacific Economic Cooperation Framework in designing the code of conduct for the Indian industry.
Swati Prasad is a freelance IT writer based in India.