1 WEBZINE ON CYBER LAWS

Contents
• Cyber News
• Watch to Know More: YouTube Videos
• Quiz Column
• Did You Know?
• Safety Tips
• Cyber Literature
• International Cyber Law Legal Updates
• We Speak
• Centre for Cyber Laws Team

Cyber News
Cyberattack on Red Cross exposes data of 515,000
vulnerable people
Malicious hackers have compromised personal data on more than
515,000 ‘highly vulnerable’ people. A sophisticated cyber security attack
against computer servers hosting information held by the International
Committee of the Red Cross (ICRC) was detected. “An attack on the
data of missing people makes the anguish and suffering for families
even more difficult to endure. We are all appalled and perplexed that
this humanitarian information would be targeted and compromised,”
said Robert Mardini, ICRC’s (The International Committee of the
Red Cross) director-general. “This cyber-attack puts vulnerable people,
those already in need of humanitarian services, at further risk.” The
data originated from at least 60 Red Cross and Red Crescent National
Societies worldwide. People whose data has been compromised are
‘highly vulnerable,’ including those separated from their families due
to conflict, migration, disaster, missing persons and their families,
and people in detention. ICRC has no immediate indications of who
carried out this cyber-attack, which targeted an external company in
Switzerland the ICRC contracts to store data.
Sources: https://www.theguardian.com/world/2022/jan/20/hacking-attack-on-red-cross-exposes-data-of-515000-vulnerable-people
https://www.icrc.org/en/document/sophisticated-cyber-attack-targets-red-cross-red-crescent-data-500000-people

Belarusian group claims hack on railway system to disrupt Russian troop
A group of pro-democracy hackers calling themselves “Cyber Partisans” said they had infiltrated the Belarusian rail network in an effort to “disrupt” the movement of Russian troops into the country as tensions over a potential renewed invasion of Ukraine grew. The “hacktivists,” who announced the cyberattack in posts on Twitter and Telegram, said that they had encrypted some of the railroad’s “servers, databases and workstations” because it facilitates the movement of “occupying troops to enter our land.” The group said it would return the network to “normal mode” if 50 political prisoners in need of medical care were released and Russian military personnel were barred from Belarus. The Belarusian Defense Ministry said Monday that Russian troops were already arriving in the Kremlin-aligned country, which borders Ukraine and Russia, ahead of a February training operation. That exercise has raised fears in the West that it would place Russian troops and equipment along Ukraine’s northern border, near the capital, Kyiv, further encircling the country.
Sources: https://www.reuters.com/article/ukraine-crisis-belarus-hack-idUSL8N2U455L
https://www.washingtonpost.com/world/2022/01/25/belarus-railway-hacktivist-russia-ukraine-cyberattack/

Indian cybersecurity industry reported $9.85 billion revenue in 2021
India’s cyber security industry nearly doubled in size amid the pandemic, with revenues from cybersecurity products and services growing from $5.04bn in 2019 to $9.85bn in 2021, according to a report by the Data Security Council of India (DSCI). The growth was largely fuelled by rapid digitalisation, increased regulatory attention on data and privacy, as well as growing boardroom awareness around cyber threats, among other factors, said Rama Vedashree, CEO of DSCI, a data protection industry body set up by the National Association of Software and Service Companies (Nasscom). At the same time, India’s cyber security workforce swelled from 110,000 employees in 2019 to 218,000 in 2021 even as talent shortages remain. But it is not just large suppliers that are driving the industry’s growth momentum. India’s cyber security startup and product industry also saw robust growth, raking in revenues worth $1.37bn.
Sources: https://economictimes.indiatimes.com/tech/technology/indian-cybersecurity-industry-reported-9-85-billion-revenue-in-2021/articleshow/88416062.cms
https://www.computerweekly.com/news/252512351/Indias-cyber-security-doubles-in-size-amid-pandemic
https://www.financialexpress.com/industry/indias-cybersecurity-services-and-product-industry-revenue-at-usd-9-85-billion-in-2021-report/2386104/

CCI orders probe against Google for alleged abuse of dominant position
Fair trade regulator CCI ordered a probe against Google for its alleged abuse of dominant position. It stated that the Commission is of prima facie view that Google has violated provisions of Section 4 of the Competition Act, 2002 which pertains to abuse of dominant position. The order came on a complaint filed by the Digital News
Publishers Association, which is a private company that promotes and secures interest of digital news publishers. It had filed complaints against Alphabet Inc, Google LLC, Google India Private Ltd and Google Ireland Ltd. The association said that the majority of the traffic on news websites comes from online search engines and Google is claimed to be the most dominant search engine. It said that more than 50 per cent of the total traffic on the news websites is routed through Google and being the dominant player, Google, by way of its algorithms, determines which news website gets discovered via search. Besides, Google is the major stakeholder in the digital advertising space and it unilaterally decides the amount to be paid to the publishers for the content created by them, as well as the terms on which the aforesaid amounts have to be paid.
Sources: https://www.business-standard.com/article/companies/cci-orders-google-inquiry-after-news-publishers-complain-122010701346_1.html
https://www.livemint.com/companies/news/cci-orders-probe-against-google-for-abuse-of-dominance-in-news-aggregation-11641568796061.html

GDPR fines topped €1 billion last year
Throughout the last 12 months, more than 400 fines were issued by the European Union for breaches of the GDPR, totaling more than €1 billion in all. That’s up a staggering 521% on the previous year when just €171 million of fines were issued by the European Union for mishandling data. In part, the increase can be attributed to the types of companies that were fined, and the reasons they were. Companies like Amazon and WhatsApp had to pay off the most significant penalties for violating GDPR laws, and their large user numbers mean that they bumped up the total. Indeed, Amazon Europe Core S.a.r.l was a contributor of nearly 75% of the fine total for a single issue. In July 2021, it was fined €746 million. In September, WhatsApp Ireland Limited was slapped with a €225 million fine.
Sources: https://www.cnbc.com/2022/01/18/fines-for-breaches-of-eu-gdpr-privacy-law-spike-sevenfold.html
https://cybernews.com/privacy/gdpr-fines-topped-1-billion-eur-last-year/

European Commission launches new open source software bug bounty program
The European Commission (EC) has launched a bug bounty program for open source projects that underpin its public services. Bug bounty hunters will be offered up to €5,000 ($5,600) for finding security vulnerabilities in open source software used across the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo, and CryptPad. The program, led by European bug
bounty platform Intigriti, will also offer a 20% bonus if a code fix for the bugs is provided by researchers. In a statement released on January 19, the EC said it is looking for reports of security vulnerabilities such as leaks of personal data, horizontal/vertical privilege escalation, and SQL injection. The highest reward will be paid out for “exceptional vulnerabilities”.
Sources: https://ec.europa.eu/info/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-jan-19_en
https://portswigger.net/daily-swig/european-commission-launches-new-open-source-software-bug-bounty-program

Reserve Bank of India (RBI) is adding new restrictions on who can hold payment card data
Authorities in India are set to clamp down on data breaches and tighten rules for holding sensitive data, according to local media reports. Organizations will be forced to disclose data breaches within 72 hours, bringing India in line with territories such as the EU, which mandates breach disclosures under its General Data Protection Regulation (GDPR). And Indian firms will no longer be able to store payment card information, with only card issuers and card networks – such as Visa or Mastercard – permitted to do so. The Reserve Bank of India (RBI) is adding new restrictions on who can hold payment card data, starting from January 1, 2022. Under the new rules, only the card issuer and card network can hold full card details. Others, including retailers, can only hold limited data for identification or “reconciliation purposes”. These data include the last four digits of the card number and the card issuer’s name. Any organization other than the card issuer or network that holds full card data needs to purge it.
Sources: https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12211&Mode=0
https://www.natlawreview.com/article/privacy-data-protection-capsule-india-s-turn-world-stage

Crypto.com CEO reveals that the website was targeted by hackers
The CEO of cryptocurrency exchange Crypto.com, Kris Marszalek, has finally confirmed that hundreds of user accounts were compromised by hackers and had funds stolen as a result, though details of the exact method of breach remain unclear. Marszalek acknowledged the hack in an online interview with Bloomberg Wednesday, stating that around 400 customer accounts had been compromised. He also told Bloomberg that he had not received any outreach from regulators since the attack was first disclosed but would share information if official inquiries were made. Previous statements from Marszalek and other communications from Crypto.com have been criticized for being vague and unclear. Official messaging from the company referred to a security “incident,” and an early Twitter post mentioned only that a small number of users were “reporting suspicious activity on their accounts.”
Sources: https://www.businessinsider.in/cryptocurrency/news/matt-damon-endorsed-crypto-com-confirms-400-accounts-hacked-and-funds-stolen/articleshow/89010819.cms
https://www.indiatoday.in/technology/news/story/crypto-com-breach-hundreds-of-accounts-compromised-eth-worth-15-million-reportedly-stolen-1902428-2022-01-20
https://www.theverge.com/2022/1/19/22891949/crypto-ceo-confirms-hundreds-accounts-hacked-bloomberg-ethereum
Microsoft to buy Activision for $68.7 billion in gaming push
Microsoft is acquiring Activision, the troubled publisher of Call of Duty, World of Warcraft, and Diablo. The deal will value Activision at $68.7 billion, far in excess of the $26 billion Microsoft paid to acquire LinkedIn in 2016. It’s Microsoft’s biggest push into gaming, and the company says it will be the “third-largest gaming company by revenue, behind Tencent and Sony” once the deal closes. Microsoft plans to add many of Activision’s games to Xbox Game Pass once the deal closes. With the acquisition of Activision, Microsoft will soon publish franchises like Warcraft, Diablo, Overwatch, Call of Duty, and Candy Crush. Xbox Game Pass now has 25 million subscribers, as Microsoft continues to acquire studios to boost the subscription service. The deal announced by Microsoft on Tuesday, its biggest-ever and set to be the largest all-cash acquisition on record, will bolster its firepower in the booming video gaming market where it takes on leaders Tencent (0700.HK) and Sony (6758.T).
Sources: https://www.reuters.com/technology/microsoft-buy-activision-blizzard-deal-687-billion-2022-01-18/
https://www.hindustantimes.com/world-news/microsoft-to-buy-gaming-giant-activision-blizzard-for-69-bn-101642545896313.html
https://www.theverge.com/2022/1/18/22889258/microsoft-activision-blizzard-xbox-acquisition-call-of-duty-overwatch

Google hit with 150 million euro French fine for cookie breaches
French regulators have hit Google and Facebook with 210 million euros ($237 million) in fines over their use of “cookies”, the data used to track users online, authorities said Thursday. US tech giants, including the likes of Apple and Amazon, have come under growing pressure over their business practices across Europe, where they have faced massive fines and plans to impose far-reaching EU rules on how they operate. The 150-million-euro fine imposed on Google was a record by France’s National Commission for Information Technology and Freedom (CNIL), beating a previous cookie-related fine of 100 million euros against the company in December 2020. Facebook was handed a 60-million-euro fine. “CNIL has determined that the sites facebook.com, google.fr and (Google-owned) youtube.com do not allow users to refuse the use of cookies as simply as to accept them,” the regulatory body said.
Sources: https://www.ndtv.com/world-news/france-google-facebook-in-france-150-million-euro-fine-on-google-60-on-facebook-in-france-over-cookies-2692275
https://cybernews.com/news/google-hit-with-150-million-euro-french-fine-for-cookie-breaches/

Watch to Know More: YouTube Videos
TEDxSanAntonio - Brian Brushwood - Social Engineering - How to Scam Your Way into Anything | TEDx Talks, https://www.youtube.com/watch?v=yY-lMkeZVuY.

Red Cross falls victim to cyber attack, confidential data exposed | International News | WION, https://www.youtube.com/watch?v=z4qiXemx0pQ.

Want to buy a drone? India’s new draft rules explained | Hindustan Times, https://www.youtube.com/watch?v=A_KWwnUK77c.

Pegasus: the spyware technology that threatens democracy | The Guardian, https://www.youtube.com/watch?v=G7H9uo3j5FQ.

Privacy Law Update: Analyzing Recent Development in U.S. and International Privacy Law | Husch Blackwell, https://www.youtube.com/watch?v=YyzQy1r9wiU.

Quiz Column
1. Which of these is NOT a best practice when trying to protect your privacy online?
A. Using two-factor authentication to access accounts and devices
B. Storing your passwords in the notes section of your smartphone
C. Using a different user name and password for each account
D. Updating your operating system promptly when an update becomes available

2. What personal information do websites and apps have the ability to collect about
you?
A. Your language preferences
B. Your location
C. The kind of device you’re using
D. All of the above

3. Your “personal information” consists of:
A. Your education and employment history
B. Your name, birth date and SIN
C. Your income, purchases and spending habits
D. All of the above

4. How can you limit the information that is collected and stored about you when using the Internet?
A. Use a search engine that does not collect/share your web searches or log your personal
information, like DuckDuckGo
B. Turn on Incognito or Private Mode in your browser
C. Use a VPN to encrypt your Internet activity
D. All of the above

5. The largest privacy and data breach affected how many people:
A. 100 People
B. 3 billion
C. 20,000
D. 500 million

6. What is the maximum data breach penalty under the GDPR compliance directives?
A. 20,000,000 euros or up to 4% of annual turnover, whichever is greater.
B. 10,000,000 euros or up to 1% of annual turnover, whichever is greater.
C. 5,000,000 euros, job suspension, and imprisonment for up to 5 years.
D. There is no maximum fine.

7. GDPR applies to which types of individuals or organizations:
A. Any organization that processes personal data
B. All data controllers and processors established in the EU and organizations that target EU residents
C. Data controllers operating in the EU
D. All of the above

8. Within what period of time is an organization required to notify a supervising authority about a data breach within the realm of GDPR?
A. Within 48 hours
B. Within 12 hours
C. Within 24 hours
D. Within 72 hours

9. Which one of the following would be classified as sensitive personal data?
A. Address
B. CCTV Video
C. Name
D. Religion

10. How many principles of the Data Protection Act are there? (According to GDPR)
A. 5
B. 6
C. 7
D. 8

Did You Know?
What is social engineering in crypto?
Crypto is a very vulnerable asset, and a little negligence can cause irreparable harm. Despite various efforts, digital assets like cryptocurrencies remain a desired target for scammers and hackers. The diverse methods of scamming and hacking, the lack of regulation and a shortage of concrete knowledge make crypto a more vulnerable asset, and hence concerned users always need to stay alert.

Social engineering is one of the oldest methods of hacking known in the domain of cybersecurity. In the broader picture, social engineering is a kind of manipulation linked to behavioral psychology; the term is often associated with a variety of contexts in the fields of social sciences, psychology, and marketing.
In the field of cybersecurity, social engineering is a scamming or hacking attempt made with malicious intent: an attempt to manipulate people into making bad moves, such as giving away personal information that can be used against them. Identity fraud (gathering personal information) is common in these types of attacks; sometimes it also leads to financial losses. Social engineering remains one of the most popular methods of hacking, because these attacks do not require deep knowledge of technology and the attackers do not need to dig into the technological details of their targeted victims. It is enough for the attackers to understand how the targeted victim thinks and acts in the crypto space.

Social engineering techniques in the crypto space mostly depend on patterns in the victim’s psychology and behaviour. The victim’s behavioural and psychological weaknesses are the attacker’s greatest advantage, and the victim’s emotions are the key to entering the victim’s crypto space. Attackers take advantage of those emotions to manipulate and trick victims: fear, curiosity, greed and even generosity are used against them through various methods. Although there are various ways to perform social engineering, phishing, scareware and baiting are the most common in the crypto sector.

In phishing, emails or messages mimicking a legitimate crypto exchange or crypto bank are sent to targeted victims, either making an offer that might trigger the victim’s greed, or asking them to update or hand over their private keys or crypto wallet information in order to avoid a loss, which triggers the victim’s fear. By whatever means, the attacker’s goal is to obtain the victim’s personal information through this kind of emotional manipulation.

In a scareware attack, the attacker uses scareware, a type of malware designed to shock and scare the victim. In this type of attack, a mimic of legitimate software (sometimes bug software) is designed and, using behavioural psychological techniques, gets installed on the victim’s device, compromising the device and hence the victim’s crypto wallets and also the crypto exchange where the victim’s assets are held. One example: you install a crypto mining app which initially looks legitimate and subsequently, in the background, compromises your device and steals your information; or a pop-up appears saying your device is infected or overheated and asking you to click to clean it, and as soon as you click, your device is compromised.

In baiting, emotions like curiosity and greed come into the picture and are used as the key to access your crypto wallet. In these attacks, a fake website is created that offers free cryptos, free videos or books. It is human psychology that we like free things. But in order to access them, victims are required to enter personal information such as email, contact number and much other personal information, and once gathered, that information is used against the victim. Nowadays many such websites don’t ask for personal information, because the (free) files downloaded from the website contain malware, which penetrates the victim’s computer system and collects sensitive data related to their cryptos. Sometimes the attacker intentionally leaves USB drives or external hard drives in public places, and as soon as you, out of curiosity, plug one into your device to check the contents, it ends up infecting your personal computer.

How to prevent social engineering attacks on your crypto assets
1- To avoid social engineering attacks on your crypto assets, educate yourself. This industry is new and involves technological nuances; hence a concrete knowledge base related to cryptocurrencies is key to safety.
2- Install trustworthy antivirus software on your devices or enable 2-factor authentication on your crypto exchange accounts and your crypto wallets.
3- The excitement that cryptocurrencies generate, especially in bull markets, will certainly stir your emotions, but in the heat of the moment be careful and watch for anything suspicious, because in social engineering attacks your emotions are their key. So, always be careful, cautious and responsive.

Closing thoughts
Nothing is free in crypto space, and if something is free then you are the product. Control your emotions, especially greed and fear. A greedy and reckless mentality is very dangerous when you are dealing with cryptos. Curiosity is good, but not always good if you are in digital space, especially in crypto space. As mentioned earlier, in social engineering attacks, your emotions are their key to entering into your digital space. Be cautious and stay alert to avoid falling for social engineering traps.

Sources: https://www.gemini.com/cryptopedia/social-engineering-definition-attack-examples
https://academy.binance.com/en/articles/what-is-social-engineering

Safety Tips
For this month’s safety tips, we have gathered useful tips on how you can protect yourself from cyber-attacks:

1. Check if your device has ever been a part of a Data Breach
Visit haveibeenpwned.com and change the passwords for any accounts that it suggests may have been compromised.

2. Choose strong passwords
Test the strength of your passwords at howsecureismypassword.net (use something similar to your original password to test its strength).
When choosing a password, remember: the longer it is, the stronger it is. A strong password is at least 12 characters long and hard to guess.

The following passwords are considered the most common and easiest to crack, so if you’ve got any of these or similar variations, you should seriously consider changing them. For example:
• 123456 (or any sequentially ordered numbers)
• 987654321
• 123123
• QWERTY
• 111111
• Password

3. Avoid clicking on irrelevant emails
Always be on the watch for phishing emails and hacked websites. Interacting with them puts your data at risk and can lead to the download of malware. Remember:
• don’t open emails from unfamiliar senders;
• delete attachments in unexpected emails; and
• avoid unsafe clicks by typing the address into your browser instead.

4. Secure Your Device
If your mobile device is left unattended, misplaced, or stolen, it could be used to gain access to your personal information, money, or identity, as well as irreplaceable material such as images or texts. Protect your gadgets by following these steps:
• installing anti-virus software
• setting a password, gesture or fingerprint that must be entered to unlock
• setting the device to require a password before applications are installed
• leaving Bluetooth hidden when not in use and disabling automatic connection to networks
• enabling remote locking and/or wiping functions, if your device supports them.

5. Keep your software and systems fully up to date
Often cyber-attacks happen because your systems or software aren’t fully up to date, leaving weaknesses. Cybercriminals exploit these weaknesses to gain access to your network. Once they are in, it’s often too late to take preventative action.

6. Ensure Endpoint Protection
Endpoint protection protects networks that are remotely bridged to devices. Mobile devices, tablets and laptops that are connected to corporate networks give access paths to security threats. These paths need to be protected with specific endpoint protection software.

Sources: https://www.vu.edu.au/about-vu/news-events/study-space/5-easy-ways-to-protect-yourself-from-cyber-attacks
https://leaf-it.com/10-ways-prevent-cyber-attacks/


Cyber Literature
Here are some useful readings on Privacy and Encryption:
• James Lewis, et al, The effect of encryption on lawful access to communications and data, Centre for Strategic and International Studies, 2017, available at https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/170221_Lewis_EncryptionsEffect_Web.pdf?HQT76OwM4itFrLEIok6kZajkd5a.r.rE

• Harold Abelson, Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, MIT, 2015, available at http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf

• Carnegie Institute, Moving the Encryption Policy Conversation Forward, 2019, https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573

• James Comey, Going dark: Are technology, privacy, and public safety on a collision course? FBI, 2014, https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course

• Leander Kahney, The FBI wanted a backdoor to the iPhone. Tim Cook said no, Wired, 2019, https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/

• UN Special Rapporteur Report (2015) on encryption, https://undocs.org/A/HRC/29/32

International Cyber Law Legal Updates
Patent granted to Google: Transfer of data within a network without
using cookies- 3 January 2022
The United States Patent and Trademark Office granted a patent to Google
allowing it to control the authorization of data transmissions within a network
and attribute a click without using cookies. The system can reduce the number of
transmissions that do not result in content for the client device- saving bandwidth
and computational resources for the client device. The technology would support
the advertising industry’s shift to cookies ad targeting. The data stored can be purged
and indefinite.

Source: The International Association of Privacy Professionals https://www.mediapost.com/publications/article/369847/google-patent-describes-how-its-technology-authori.html

VPN service dismantled by the law enforcement authorities from around the world- 18 January 2022
A Virtual Private Network (VPN) service that’s claimed to have been a favorite among ransomware operators and other cybercriminals has been disrupted, rendering it no longer available. According to Europol, law enforcement authorities took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases depicted that the service was used to set up infrastructure and communication behind ransomware campaigns. The action carried out under this investigation clearly states that criminals are running out of ways to hide their tracks online, however, with the effective cooperation of international enforcement agencies, it has become possible to shut down a global network and destroy such brands.
Source: The Daily Swig https://portswigger.net/daily-swig/vpnlab-takedown-authorities-dismantle-secure-communication-tool-favored-by-cybercriminals

Red Cross suffers cyber-attack: A data breach exposed information belonging to over half a million highly vulnerable people- 20 January 2022
The International Committee of the Red Cross (ICRC) revealed that a sophisticated attack was launched against an external company in Switzerland contracted by the Red Cross to collect/store information. Over 515,000 individuals have been impacted with many belonging to highly vulnerable groups- including those separated from families due to war or disasters and individuals held in detention. As of now, those stolen records have not been leaked or shared online.
Source: The Daily Swig https://portswigger.net/daily-swig/red-cross-suffers-cyber-attack-data-of-515-000-highly-vulnerable-people-exposed

Global Privacy Project to be released in 2022 for Public Commentary- 20 January 2022
The IABs and their stakeholders are working hard to create the Global Privacy Project, with the aim of ensuring consumers make choices online that can be technically executed while providing the supply chain with an accountability stream. This global approach to privacy protected media transactions will include a Canadian-specific Transparency and Consent string which provides consent management platforms. IAB Canada, further, has curated a collection of resources to help inform the industry of the work happening. This will set forth the legal inputs necessary for the future iteration of the global privacy string which will address the challenge of demonstrating compliance with a multitude of disparate notice and choice requirements across the globe.
Source: The International Association of Privacy Professionals https://www.iabcanada.com/global-privacy-project-to-be-released-for-public-commentary-in-q1-2022/

Breach of crypto currency website: Hundreds of users affected- 21 January 2022
Crypto currency has been hit by a major data breach. The recent data breach resulted in funds being taken from roughly 400 accounts. The block chain data platform shows the amount of funds linked to crypto currency related crime rose by almost 80% last year. Illicit addresses received $14 billion worth of crypto currency over the course of 2021, up from $ 7.8 billion the year before. These crypto fraud revolve around “rugpulls”, which happens when the project developers siphon out of all liquidity leave investors with virtually zero value in their investments.
Source: The International Association of Privacy Professionals https://www.techradar.com/news/hundreds-of-cryptocom-accounts-hacked-after-it-was-hit-by-major-data-breach

We Speak
Review of Drone Rules 2021
Drone Rules, 2021 (hereinafter the Rules) were enacted by the Ministry of Civil Aviation, Government of India on 25th August 2021. They have been notified with a view to revamping the regulatory regime for the usage of drones. The Rules apply to five categories of drones, which have been classified on the basis of their all-up weight. Although the Rules are very comprehensive, they still lag in protecting the interests of stakeholders in multiple domains. For instance, they fail to acknowledge the privacy or safety concerns of individuals. This piece attempts to highlight issues arising out of the Rules. To do so, it culls out similar laws of other jurisdictions and, through such comparative analysis, lays bare the lacunae present in the framework at hand.

Safety Concerns
Because of the novelty of civilian usage of drone technology, and its very minuscule commercial exploitation, there are few laws enacted across the world for the regulation or promotion of drones. However, Australia, the United Kingdom, and some states of the U.S. do have laws on such aspects.

Civil Aviation Safety Regulation (CASR) Part 101 of Australia requires a person to fly only one drone at a time, and requires that drones be kept at least 30 meters away from other people. No such requirement is mentioned in the Rules. Similarly, there is no rule on keeping drones within visual line of sight, i.e., that the person shall continually see and navigate the drone to meet separation and collision avoidance responsibilities. Such rules are formulated in the laws of the aforementioned countries.

No rule exists to stop drones flying at night, nor are there rules mandating visual indicators on drones during the night (such as lights). [It is pertinent to note that Australia has banned the usage of drones at night, or through clouds/fog.] Additionally, the Rules provide for yellow or red areas, which, inter alia, are based on the vicinity of operational airports. But they leave aside helipads/helicopter landing sites, which are found in both remote and populated areas.

Also, if a drone crashes due to some technical fault and harms any person or property, then whose liability will it be? Though it would be the job of a court, the Rules could have put pecuniary or penal liability on such mishaps. Similarly, the Rules do not talk of insurance for nano drones. Lastly, there are security concerns which the Rules do not address, such as infiltration of drones from other countries (in the light of last year’s events in J&K).

No existence of rules restricting any infringement of privacy of individuals
Further, most drones come fitted with cameras. Hence, when flown, they can cause a substantial amount of privacy infringement if the drones start peeking into residential areas, or areas where people have a semblance of privacy. Also, public spaces where a huge population is present may not always welcome being recorded through drones. The Rules could have come up with a provision under which consent should be sought, or camera recording through a drone is intimated to the public beforehand by the operator.

Other Seminal Issues
Also, there is no regulation on the flying of drones around bird sanctuaries, etc. Drones can cause problems for aerial animals in the form of physical harm, noise and special disturbances, etc., all of which can lead them to migrate or change their natural course of life.

Similarly, there are instances where some event, such as a cricket match, is being conducted, and a person starts recording the same through his drone, without any authorization. There is nothing to restrict the person in such a scenario (even though there can be infringement of other laws, such as IPC or Copyright, etc.).

Rule 24(6) states that no pilot licence is required for micro drones (for non-commercial use), nano drones and for R&D organisations. Thus, it suggests that for commercial usage, pilot licensing would be required. It is argued here that this is arbitrary, as the pilot licence requirement is for safeguarding the general public, and has no relevance to commercial usage. Flying a micro drone requires a certain level of training, and if the same drone can be operated by a person for non-commercial use, then it can be operated for commercial use too.

Additionally, the Rules require that a person must have passed class tenth or its equivalent examination from a recognised Board. This is arbitrary, as no reasonable nexus can be found between the education of a person and the flying of drones. It also undermines the fundamental objective of the Rules, which was to create opportunities for employment. For instance, drones are seen as an alternative for food and goods delivery services, which will eventually generate employment for drone operators. It is important to understand that India has a huge population of those who have not even passed class tenth, and are in dire need of employment. Such a law would exclude prospects for them to seek a job opportunity here. Hence, there is a need to have a relook at this aspect of pilot licensing.

Aditendra Singh
(Member, Centre for Cyber Laws)

Sources: https://remoteaviation.com.au/casa-drone-laws/
https://www.nottinghamshire.police.uk/advice/drone-law-uk#:~:text=Drones%20must%20have%20a%20take,all%20times%20during%20the%20flight

Centre for Cyber Laws Team
Centre Director: Dr. Aparajita Bhatt
Dr. Aparajita Bhatt, Assistant Professor, Faculty of Law at National
Law University, Delhi specializes in Business Laws. She teaches
Cyber Laws, Corporate Laws and Mergers & Acquisitions at NLUD.
She is the Director of the Centre for Cyber Laws. She has also been
a course coordinator of UGC Swayam MOOCs and UGC e-pg
Pathshala course on Information and Communication Technology.

Student Team:

Abhishek Jain is a 5th year student at National Law University, Delhi. He is deeply interested in researching on emerging areas of law and policy. He is also engaged in certain projects to better understand the interplay between cyber laws and space laws.

Anshul is a 5th year student at National Law University, Delhi. He is interested in issues relating to cyber security, social media surveillance and privacy. He aims to create more awareness around cyber offenses such as cyberstalking and hacking. In his free time, he enjoys playing sports and watching movies.

Drishti Kaushik is a 5th year student at National Law University,
Delhi. She has a keen interest in learning more about how and where
law and technology intersect and aims to create awareness about one’s
rights in the virtual world. In her personal time, she enjoys cooking
and trying out new cuisines.

Kunika Champawat is a fifth year student at National Law University, Delhi. She is interested in the intersection of technology with law and human rights and is engaged in various research projects related to data protection, privacy and surveillance.

Nidhi Pratap Singh is a 5th year student at National Law University, Delhi. She is interested in data privacy, artificial intelligence and digital rights and seeks to learn more about issues around surveillance. Outside of work, she enjoys running and playing sports.

Saksham Sabarwal is a 5th year student at National Law University, Delhi. He is interested in issues relating to internet governance, jurisdictional conflicts in cyber space and data protection. In his free time, he enjoys travelling and reading books.

Smriti Phuyal is a 4th year student at National Law University, Delhi.
She is deeply interested in data sovereignty and internet governance.
She seeks to create a strong user privacy centric model for social
media companies and aims to spread awareness about digital privacy.
In her free time, she enjoys travelling and reading books.

Arvind Kumar Tiwari is a 4th year student at National Law University, Delhi. He has a keen interest in Data Protection Laws, Artificial Intelligence and Blockchain and aims to learn more about the interplay between Technology Law and Human Rights. His hobbies include cycling, playing basketball and running.

Aditendra Singh is a 4th year student at National Law University, Delhi. He has deep interest in the interplay of law and technology. He wishes to contribute to the discourse around evolution and applicability of data principles in India and around the world. In his free time, he likes to read on topics of history and astronomy.

Niraj Jha is a 4th year student at National Law University, Delhi. He has a deep interest in Blockchain technology, FinTech and the Crypto world, and the legal strings attached to them. He aims to create awareness about Blockchain technology and the Crypto world, and also about the regulations, safety and security related to them. He enjoys trading and reading.

Answer Key to the Quiz Column:

1. B

2. D

3. D

4. D

5. B

6. A

7. A

8. A

9. D

10. C
