Tuesday, December 14, 2021

Forgot Password?

- Santulan Chaubey

Abstract

Managing passwords is a big challenge for digital users. An average user handles 10-15 applications (banking, office, social media, etc.) on a daily basis. If password management policies are strictly followed, a user has to create and remember around 300 unique passwords per annum. That is simply impossible for a normal human being.
Security and privacy are the primary factors governing the design and architecture of digital systems. Digital solutions are designed with utmost care and diligence to ensure the desired performance, user experience, safety, security and integrity of user data. Leaks of user passwords are one of the major security threats.

Generally, users prefer easy access to digital apps and therefore choose easy-to-remember passwords, which give hackers equally easy access to their accounts. Using one password for all applications, or many easy-to-remember passwords, is a favourite of many users. It is generally believed that user experience suffers when a user is forced to remember a complicated password. Sometimes, in a panic, users fail to recall the right password. Users of digital applications must be aware of the risks involved in easy-to-guess passwords.

The best practice in managing passwords is to remember them: the user should leave no trace of a password in any form. A strong password should be a combination of 12-16 characters with at least one upper case letter, one special character (,:!@#$%^&*) and one number. In addition, a user should preclude easy guessing of the password by a hacker, and therefore avoid names, the surname of a spouse, dates of birth, a pet's name, a vehicle number, etc. The strength of a password is measured by the time taken to break it. The following figure shows the indicative time taken to crack a password.


Figure 1 - Data Source from HowSecureismyPassword.net

Despite knowing the risks of losing data, money and reputation, most users manage passwords in a very casual way. Various studies of users' behaviour in securing passwords suggest that users understand the risk, but in most cases ease of use outweighs the risk factors. The following table shows the popular methods of managing passwords.

Storage of Password: On a paper (Home) / On a paper (Wallet) / Password Manager (Local Computer) / Password Manager (Cloud) / File kept on Cloud Storage

Using Passwords: One Password used for all accounts / Little variation in same password / Password is not changed until forced to change

Sharing Passwords: Official Applications: Subordinates, Write on the white board, Office Colleagues, Close friends; Personal Financial: Spouse, Close Relatives; Social Media: Not shared with any one 😉

It is concluded that the behaviour of users is difficult to change across a large user base. Fortunately, Multi Factor Authentication (MFA) is now implemented in most digital applications. MFA does not necessarily remove the requirement for a password, but it adds another layer of authentication, giving cover to a possibly weak password.

Popular email service providers like Google, Microsoft, etc. do not provide MFA by default. However, a user may upgrade the authentication level to MFA. Digital applications not providing MFA may be avoided by users.

Single Sign On (SSO) is another technique used by many application solution providers to give access to multiple applications through a single authentication process. Combined with MFA, SSO is a proven solution which reduces the burden on the user of remembering many complex passwords.

Gartner's Market Guide for User Authentication predicts that around 60% of large and global enterprises will deploy MFA supported by Access Management tools by 2023. A lot of research is underway on authenticating users by analysing their biometric, physiological and behavioural attributes with machine learning techniques, for a flawless access system. Gartner further predicts that around 40% of large companies may offer such systems by 2023. Therefore, digital users may be sanguine that in the near future the burden of remembering passwords may be reduced to a great extent.

Using cyber space needs a high level of awareness and discipline from the user. The thumb rule is: nothing is safe when you are online or dependent on cloud or external infrastructure. Prevention is better than cure. Following these best practices will save users from a possible password compromise.

  • Avoid digital applications that do not support MFA and SSO.
  • Authenticate yourself only when you are sure that the web address starts with https://.
  • After consulting a local expert, a password manager may be a good choice, though it is not recommended for financial / banking operations.
  • Add a comma (",") to some of your password combinations. It is rarely used, but it is capable of disrupting the hacking process for a long time.
  • Don't accept the browser's offer to store the password.
  • Use a password generator to generate a strong password. If you have access to a development team, get an in-house password generator developed with a key only you know; it will further reduce the chances of password compromise. If you want to experiment with an in-house password generator, the author may be contacted.
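
As an added example (not the author's generator, and not the keyed scheme the last bullet describes), the following Python checks a password against the 12-16 character policy stated above, draws a compliant password from the operating system's CSPRNG, and estimates the worst-case brute-force time that Figure 1 illustrates. The guess rate of 10^10 per second is an assumption for the estimate, not the figure's data source.

```python
import math
import secrets
import string

# Character classes from the post's policy: at least one upper case letter,
# one digit and one special character from the listed set.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = ",:!@#$%^&*"
ALL_CHARS = UPPER + LOWER + DIGITS + SPECIAL


def meets_policy(pw: str) -> bool:
    """12-16 characters with at least one upper case, one special and one digit."""
    return (12 <= len(pw) <= 16
            and any(c in UPPER for c in pw)
            and any(c in SPECIAL for c in pw)
            and any(c in DIGITS for c in pw))


def generate_password(length: int = 16) -> str:
    """Draw a compliant password from the OS CSPRNG (secrets, never random).
    Rejection sampling keeps every compliant string equally likely."""
    if not 12 <= length <= 16:
        raise ValueError("policy requires 12-16 characters")
    while True:
        pw = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if meets_policy(pw):
            return pw


def _alphabet_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, assuming the attacker
    knows which of the four character classes pw draws from."""
    return sum(len(cls) for cls in (UPPER, LOWER, DIGITS, SPECIAL)
               if any(c in cls for c in pw))


def search_space_bits(pw: str) -> float:
    """Entropy of the search space: len(pw) * log2(alphabet size)."""
    n = _alphabet_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case seconds to try every string in the search space. The default
    rate is an assumed offline-attack figure, not the one behind Figure 1."""
    return _alphabet_size(pw) ** len(pw) / guesses_per_second
```

At the assumed rate an all-lower-case 8-character password is exhausted in about 21 seconds, while a 16-character password drawn from all four classes needs on the order of 10^20 seconds.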


Saturday, September 11, 2021

Is Service Delivery Data Hungry?

 -Santulan Chaubey[1]

Recently, I noticed that the mobile app of my bank pops up a message in which it tries to make me understand that the bank intends to collect and monitor my financial transaction related SMS, which include the name of the transaction party, the transaction description and the amount, for the purpose of performing credit risk analysis and assessment. They also want to read my contacts to understand my profile better, which helps them provide the best loan offers, etc. The pop-up has only one button, "I understand". It is a forceful attempt to make me understand that if I want to avail the services of the bank then I must reveal my financial transaction information. I never requested any loan from them.

The Problem:

It is generally observed that organisations try to obtain blanket consent from the user to read SMS and contact details, use the mic and camera, etc. Especially in the case of mobile apps, the User Interface (UI) is designed in such a way that one must first give consent; only then does the phone allow access to the application. The user is generally unaware of the consequences of her consent. This leads to misuse of sensitive personal information.

Regardless of whether it is Government or the private/public sector, there is a general tendency to ask for more information than is required to provide a service to a citizen. The service provider should not ask for information that is not necessary to process the immediate service request.

 

Available Instruments:

Mr. Clive Humby, a British mathematician and data science entrepreneur, stated in 2006 that "Data is the new oil", underlining its importance in terms of monetisation power[1]. This establishes the importance of data in the new digital economy. Indeed, there is a need for the digital economy to flourish in India. But the owners of data, individuals, cannot be treated as oil fields. Therefore, the necessary legal framework is to be kept in place to ensure the protection of personal data. To empower Indians, it is necessary to protect their personal data. Such a legal framework will encourage innovation, development and progress of the country[2].

 

In the absence of an enabling legal framework on personal data protection, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 were framed under Section 43A of the Information Technology Act, 2000 (21 of 2000) to address the privacy of personal data[3]. As per the provisions of the above-mentioned Rules under para (5), Collection of Information, consent to share the data is to be taken from the owner of the personal data either in writing or through email or fax. There is no mention of obtaining consent for a service not requested. The consent of the personal data owner cannot be obtained to share the data in anticipation of a service that may be demanded in the future.

 

To protect the privacy of Indians and to empower them, the committee of experts under the chairmanship of Justice B. N. Srikrishna drafted a report on a Data Protection Framework and a draft bill. The committee submitted its report to the Ministry of Electronics and Information Technology on July 27, 2018[4]. The report gives detailed insight on the fiduciary relationship and its obligations, the definition of personal data, consent-based processing, etc. Once Parliament accepts the bill, India will have its own Sensitive Personal Data (SPD) protection legal framework.

 

Business Process Reengineering (BPR) will help in minimising the requirements for data / uploading of files by using existing enabling technologies like web services or linking with databases. In most cases the service provider is not required to keep the data after online / real-time verification. The obligations of data fiduciaries are well defined in the proposed bill. Even under the present Rules under Section 43(A), agencies collecting data are to adhere to standards like ISO 27001.

 

Mobile/web application development agencies also need to be aware that unnecessary demands for access to customer information may be harmful in the coming data protection regime. For example, permission to read and send SMS "occasionally" is ambiguous and out of context in most transactions.

 

Immediate Solution:

Considering the Rules framed under the IT Act, there is a need to regulate mobile/web apps to ensure they adhere to the provisions of the IT Act as such. This is like websites being certified under the Guidelines for Indian Government Websites (GIGW)[5]. All mobile/web apps that collect personal data should be certified by an identified agency, say RBI or MeitY, for adhering to best practices in data protection and privacy before release to the public. The first screen of the app should promptly display the certificate along with a verification mechanism.

 

In existing grievance management systems like the ombudsman, CPGRAM, etc., there is no specific category for data protection breaches by various agencies, leading to either rejection or no redressal of such grievances. A separate category for data protection breaches also needs to be added to existing grievance management applications for proper redressal under the existing provisions.

There is a need to make the public aware of the provisions of the Rules framed under Section 43(A) of the IT Act. It will help the public know their right to privacy and, as owners of their data, the consent process for sharing it with others.

 

Bibliography:

[1] A. Mavuduru, "Is Data Really the New Oil in the 21st Century?" https://towardsdatascience.com/is-data-really-the-new-oil-in-the-21st-century-17d014811b88 (accessed Sep. 08, 2021).

[2] Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians," Ministry of Electronics and Information Technology, pp. 1–213, 2018.

[3] MeitY, "Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011," 2011.

[4] B. Srikrishna, "A Free and Fair Digital Economy." https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy.

[5] NIC, "Government of India Guidelines for the Websites (GIGW)." https://guidelines.india.gov.in/ (accessed Sep. 09, 2021).

 



[1] The views of the author are personal.

Friday, August 20, 2021

Disrupting Technologies Transforming Health Care

-Santulan Chaubey[1]

Imagine you get an alert message on your mobile about the increased sugar level and blood pressure of your elderly father in India while you are on an official tour in the USA. Before you can take any action, the doctor calls you not to worry, as the necessary action has already been taken. Yes, patient care is being transformed with the help of various emerging technologies. In a life-saving process, the availability of vital health parameters at the right time is decisive.

Emerging technologies are now playing a major role in transforming patient care. The words "emerging technology" sometimes confuse decision makers as to whether to use emerging technologies or to stick to proven ones to mitigate the risk of failure. The emerging technologies include advances in edge computing, computer vision, data mining and analysis, and statistical machine learning techniques, all driven by general advances in computational power. All these technologies are now mature enough to use. They have already been deployed by various TOP500 companies for their general business needs and have therefore become proven technologies. We should not keep referring to them as "emerging". Let us pave the way for other upcoming technologies to take over as the emerging ones.

Any transformation in society is a journey with bag and baggage. Generally, transformation comes with change management, and it takes time to adopt the changes. Digital transformation is no different. However, in the last two years the Corona pandemic has radically changed the overall dynamics of dealing with data and decision making. Decision makers struggled with the quality of data: most of the data capture points were not only manual, but the quality of the data was also in question.

 

Automation in seeding the primary data is the starting point for building a platform for a decision support system. Purity of data is the most critical requirement in building a useful / effective decision support system. Generally, data capture starts with manual entry of primary data, which always carries a high probability of erroneous data. Manual data entry depends heavily on the skills and efficiency of the person keying in the data. Sensor-based Internet of Things (IoT) is going to be the biggest development in digital transformation in the coming decade, especially in the health sector. Manual data entry must be avoided as much as possible. Wherever it is not possible to avoid manual data entry, enough checks and balances must be built into the software developed for this purpose to ensure near error-free data.

The journey of bringing impact to decision making also starts with data. The following are the stopovers in the journey of data transforming into an Application of Wisdom.

 


Therefore, the next radical change will be in the way data is extracted and inferred using advances in sensor technology. Smart watches laden with the aforementioned sensors have also hit the market and attracted a lot of users, interpolating useful information like oxygen level, SpO2, heartbeats per minute, etc. The sensor-interpolated data is sent to the cloud servers of the smart watch company and is further analysed. Insight from the data is provided to the customer, helping him to take informed decisions. At present, such facilities are available to a very limited segment of individuals.

Privacy of sensitive personal data is a major concern, especially in the health sector. The thumb rule for data privacy is to protect the data but share the insight and wisdom extracted from it. The application of wisdom will then be visible to the stakeholders automatically. A mechanism is to be evolved so that overall access control over personal data remains with the patient only. Hospitals, clinics, labs and doctors should be able to access the relevant information with the consent of the patient. In the absence of enabling legal provisions, many of these technologies are open to misuse and to potential distrust from users.

There is a need to take this transformation to the last mile of patient care. An Enterprise Patient Care Architecture, factoring in the capabilities of edge computing and data analytics automation, will bring a complete transformation in the health care sector. The following are the key enablers in the transformation of patient care using enabling technologies.

·       Umbrella Open Standard Enterprise Architecture embedding Electronic Health Records (EHR).

·       Open APIs to share data

·       Data retention policy to manage voluminous data at various levels

·       Legal framework for the protection of sensitive personal data.

This framework will be completely interoperable and give service providers the freedom to use any IT system capable of plugging into the Open Standard Enterprise Architecture and open APIs.


[1] The views of the author are personal. This paper was also published in ET Government on 16th August 2021: https://government.economictimes.indiatimes.com/news/governance/opinion-emerging-technologies-transforming-healthcare/85370169