A few days after the Mumbai blasts, lawyers landed up on the doors of the victims who were injured and the doors of families of those deceased offering their services in following up the often complicated documentations to obtain compensations, for a cut.

Such a practice is very common in the US, where the lawyers are called Ambulance chasers. They are known to have informers in hospitals and neighbourhoods who inform them about people who have had accidents and approach them offering to sue for a cut!

What makes the Indian case different is that some of the lawyers when questioned said that they had obtained the data from the offices of the state government!

This just another example of the utter lack of data protection principles in our government agencies. While the threat may still be a little obscure, it will perhaps become more evident when offices land up leaking the information to thugs who could use it for intimidation and extortion.

Sriramkrishnan Srinivasan

Last month two important events played out. The Mumbai blasts that outlined the need for greater security for out cities and our people. Undoubtedly there is a need for greater security - there is a need for CCTV's in important and sensitive locations with guidelines on their monitoring, usage and backup. There is a need for an enlightened policy of checks and balances regarding luggage in our stations and airports. Many more things are needs, however what is not needed is arbitrary censorship and blanket bans like that unleashed by the CERT-IN almost simultaneously.

In its second wave of Internet censorship the CERT-IN banned 18 very arbitrarily chosen sites decided by some ad-hoc body of bureaucrats without any public consensus. The usual noises were made by the political mandarins about how the ban was important for the security of India and futile attempts were made to hoist the blasts as an example.

Thankfully this time around, the issue was not as silent as the first instance of the Yahoo Groups Ban. The media picked it up and bloggers co-ordinated a wave of online protests that lead to discussions on the net, TV and the newspapers. This led to the bans being silently withdrawn ( or perhaps implemented in a more correct fashion to cover just the 18 sites and not all of blog world)

While most of the blog world is now accessible, it is still unclear what the exact state or view of the establishment on the ban is. Sadly politicians and bureaucrats made calls for more censorship and for monitoring of online content on "all" blogs and online forums! It is very evident that those who made these noises have little if any knowledge of the nature of the medium. ( I personally feel that the feudal mentality of the establishment in this country is a major deterrent to the future of this country. However this is not a forum to discuss that )

I have been writing about this kind of short sightedness on the part of our political and bureaucratic establishment ( and to a large extent our people in general) time and again. It is unfortunate that where Information Security policies are needed acutely, the correct noises never seem to be made and concrete steps are never made.

These include but are not to limited to

• Protection of citizen's data in various government agencies ranging from passport offices to land record offices. As an example, we hear time and again of documents stolen from land records offices and manipulated.
• Protection of customer data by all companies providing services to customers and handling their data. Indian companies are routinely guilty of misusing customer data, by passing on data to sister concerns or selling them to third parties so that they can solicit business through unsolicited promotional calls.

It is frustrating to see that even the biggest organizations and banks like HSBC and Citibank that otherwise have comprehensive Data Protection and Fair Data Use statements in their other areas of operation like the UK and the US have no such statements in India for the benefit of their customers here and are among the biggest culprits when it comes to data misuse.

It is clear that self regulation as routinely advocated will never work. Strict laws and penalties are the only way to ensure that both government agencies and corporates handle data fairly because cultivating such a mindset is an expensive process.

Such processes can be made business enablers in a situation where customers take their business to companies that provide guarantees of data protection, privacy and fair use, but such a mindset does not exist among the Indian masses and must be cultivated simultaneously as well.

It is clear that there are many areas that need enlightened Information Security policies as I have highlighted. Among these the areas of Data Protection, Fair Use of Data and Protection of Customer's Privacy are the most prominent and also the most ignored.

The areas that are the most short sighted and counter-productive are Internet censorship and electronic monitoring of communication, without proper checks and balances that unfortunately are being given the most attention.

The former areas that are ignored, enforce our democratic principles while the latter that are being propagated weaken them greatly. Is this a sign of the mindset of our citizens and establishment? This is a question we must ask ourselves today, the 15th of August, India's Independence day. Do we want to be a country where we have enlightened policies that may of course be difficult to implement, but which enforce the rights of the people, or do we want to have short sighted policies that erode our fundamental rights and principles because they "seem" to be the easier way out? This is probably the most important question that India needs to answer today.

A recent Forrester study of Indian IT firms has reported that 80% of the surveyed firms, are focusing on Information Security as a priority.

Clearly Indian firms are keen to portray the country as a safe destination for international business.

Some recent high profile incidents involving a spectrum of Information Security related crime, from code theft to credit card theft, have provided fuel to the anti-outsourcing lobbies in the US and the rest of the western world. Indian IT firms however seem quick to respond to the challenge of making business secure not just from the purely technological perspective but also to ensure compliance with tougher and tougher privacy and data protection laws.

On the flip side, I am awaiting a study of how Indian businesses measure up when it comes to protecting the data of domestic customers. I doubt they would measure up at all. Indian businesses seem to have different yardsticks when it comes to data protection matters for citizens of the US and the EU, and those of India. Slack data protection for domestic customers is more a rule than an exception.

Of course, the reason for this is that the UK and the EU have strict data protection laws and individuals of these countries value their privacy highly. I am not aware of Indian laws addressing these issues at all. More importantly, Indians do not seem to be so concerned about their data and their privacy. I wonder if this due to lack of awareness or more a matter of culture. I would suspect its the latter. I will not dwell on this aspect though.

Data protection is required in India. It is time citizens understood that Information Security is not just firewalls and passwords. It is also about privacy and a whole gamut of other issues. If not for any other reason, Indian citizens need data protection to make sure they don't have people calling them at odd hours asking if they want to buy Himesh and crazy frog ring tones.

Self regulation as advocated by some who's who in Indian IT wont work. The only way this can be enforced is by legislation.

Information Security is still to come of age in India but the fact that it is definitely one of the priorities can be gauged from the fact that today's Chennai edition of "The Hindu" carried three different articles on the subject.

On the front page, a bonanza of cyber crime, phishing, credit card forgery, ATM fraud, passport forgery and the UK connection.

Credit card racket busted - A U.K. based gang behind the operations

In the Opposite-Editorial page,

How to foil the identity thieves

By Lisa Bachelor

"Buying a shredder isn't enough in the battle against laptop criminals"

Finally in Business Review,

Security aspects of IT infrastructure

"The requirement is a cyber space ecosystem that is conducive for deployment of IT in a variety of areas"

Here are some other stories of ATM fraud from the same newspaper.