India's BlackBerry dispute sparks privacy concerns
Experts have said the recent controversy involving India and RIM's BlackBerry services signals the need to evolve an international agreement on data security. Citing security concerns over the use of BlackBerry by militants, as email messages sent using the mobile device cannot be traced or intercepted, the Indian government has been putting pressure on RIM to provide security agencies with a way around its encryption.
Local government officials had asked RIM to either share the data-encryption code used in BlackBerry devices, or set up servers in India so that the systems can be monitored by Indian security agencies.
After months of high-level meetings between RIM executives and India's Department of Telecommunications and Ministry of Home Affairs on the issue, the government last week said BlackBerry devices do not pose any security threat.
The controversy, however, has raised concerns over data security.
India must meet global data-security standards
Local industry observers said India must ensure its efforts in ensuring data security are comparable to global standards.
"The issue of data security is an issue that involves all countries alike," Ameet Nivsarkar, vice president of Nasscom, told ZDNet Asia. Nasscom is the trade body and chamber of commerce of India's IT-business-process-outsourcing industry.
"Today, millions of bytes of data are crossing global boundaries at any given point of time," Nivsarkar explained. "Data security in India isn't, and can't afford to be, inferior to data security in any other country."
Sivarama Krishnan, executive director and partner of performance improvement at PricewaterhouseCoopers, said: "It's less to do with data security, and more to do with privacy compliance."
In fact, security measures taken by telecoms operators, business-process outsourcers and other Indian companies are on par with global standards, Krishnan said in a phone interview.
Navita Srikant, national leader of fraud investigations and dispute services at Ernst & Young India, noted: "The biggest threat to telecoms companies is the insider threat, rather than external threats. The most sensitive information in a telecoms company, like customer data, strategy, mergers, acquisitions and so on, is stored on IP addressable machines."
"Therefore, this information is directly accessible to bot [attacks] and employees," Srikant told ZDNet Asia.
Bots are software applications that run automated tasks over the internet, and can be used to launch malicious attacks on networked computers.
"Approximately 200,000 machines get infected by bots every day, and are being used for corporate espionage and stealth activities," Srikant added.
According to Krishnan, privacy compliance in India "is fairly low" compared to other countries. She noted that, in reporting sensational criminal cases, the Indian media has proven to be successful in laying its hands on phone-call records of victims and prime suspects.
Nivsarkar said: "Privacy is more a societal issue. We tend to be intrusive. It's quite normal for people in India to discuss each other's salaries, personal lives and other details."
"However, as long as it does not impact business, I don't think it is an issue," he said. "There have been very few instances of frauds and security breaches in the Indian [IT-enabled-services] industry, and the police have moved to solve the cases in record time."
Srikant said: "India needs to address both data-security [and] privacy-compliance issues".
As of today, India does not have any law or ordinance on data privacy, she said. The Data Protection Bill 2006, which has yet to be passed by the Indian Parliament, will address issues pertaining to privacy compliance and provide confidence to companies looking to do business in India.
"The Indian legislative process takes a long time to pass regulations, but data privacy and security are not issues we can afford to ignore," Srikant added. The Data Protection Bill seeks to provide protection of personal data and individuals' information, allowing them to claim compensation or damages if their privacy has been breached.
According to Nivsarkar, there is need for an "international agreement on data security" in today's globalised environment.
"Such an agreement can look into matters such as service providers working alongside governments and security agencies to address security concerns over having servers in different geographies," he explained.
Srikant concurred: "With time, it will become imminent for countries to have such a global agreement on international data security."
Nivsarkar added that India is making considerable headway on increasing data security.
For instance, Nasscom recently set up the Data Security Council of India, a self-regulatory initiative in data security and privacy protection. The council is envisaged as a credible and committed body for upholding data privacy and security standards. It will adopt global best practices — drawing upon US laws; EU directives and the Safe Harbor Framework; Organisation for Economic Co-operation and Development (OECD) guidelines; and the Asia-Pacific Economic Cooperation Privacy Framework — in designing the code of conduct for the Indian industry.
Reproduced from an article published by ZDNet.co.uk
© ZDNet.co.uk
The original article can be viewed here:
http://news.zdnet.co.uk/security/0,1000000189,39443783,00.htm
Permalink Bookmark Digg this story
