random thoughts

8:30AM - Reputation Management for Police

Recently, a young IPS officer went to meet a well-known social worker, who advised him to focus on 'reputation management' of police. This is a new, interesting thought. Increasingly, organisations, especially those which are in the service sector, are realising that their intangible assets, such as the human capital, the intellectual property, the information resources they possess and most importantly, the trust of their customers, are more important than their physical assets. So much so, that the Basel-II norms (http://en.wikipedia.org/wiki/Basel_II_Accord) of capital management of banks contain reputation risk management as a separate risk to contain.

It would be good to get the IPS leadership thinking about reputation management - to build, protect and maintain the image of police as slayers of evil and defenders of the righteous. This can be done without feeling manipulative, by keeping in mind what Abraham Lincoln said about reputation: “Character is like a tree and reputation like a shadow. The shadow is what we think of it; the tree is the real thing.”

3:53PM - De-duping of the UID database

There have been several suggestions to the newly set up Unique ID Authority of India (UIDAI) about how to achieve quick results. One of these relates to using the mobile phone as the surrogate for identification of the users (http://blog.taragana.com/n/mobile-phone-to-authenticate-your-identity-nilekani-179579/).

With my limited knowledge of the mobile phone technology involved, it appears that the device ID (IMEI number) and the SIM ID (IMSI number) combination, which will be stable in bulk of the population, is likely to be used. However, the process for issuing mobile connection is not consistent across the operators/circles and the integrity of the database may not be up to the mark, as can be seen from a recent news item in ToI (http://infotech.indiatimes.com/articleshow/msid-4989944,prtpage-1.cms).

The enrollment process for this route of populating the UID database needs to be designed well and sound anti-fraud measures (systems and processes) need to be baked in at the beginning. Banks do a lot this kind of stuff in identifying dodgy applicants and the learnings would be relevant. The user behaviour profiling would also be an important input for eliminating identity frauds. Question is: "Do the mobile phone companies capture and store the additional data beyond billing requirements?"

4:02PM - TopCops and Teachable Moments

A couple of high profile stories: FBI director almost got phished (http://www.computerworld.com/s/article/9139106/Citing_cybercrime_FBI_director_doesn_t_bank_online?source=rss_security) and the wife of the future chief of MI6 posts sensitive family details on Facebook (http://www.guardian.co.uk/politics/2009/jul/05/mi6-facebook-sawers-wife-miliband).

Interestingly, the FBI Director's speech (http://www.fbi.gov/pressrel/speeches/mueller100709.htm) mentions that he got to know the seriousness of the cyber threats, when he read the book 'The Cuckoo's Egg', something I have been planning to do for a long time, but haven't found time to do yet! It also shows no chinks in his thinking, despite his candid admission that he almost got phished. Indeed, there are interesting insights into the FBI's approach to cyber crime and cyber security.

8:32AM - What's different about this India?

These days I don't follow cricket with the religiosity of olden days. Still, when I got up yesterday to the sounds of the unmistakable shouts of cricket buffs in the building, I realised that the India-New Zealand match was on and hurried to settle down before the TV. It was a wise decision as the Sachin-Yuvaraj partnership was just beginning to take off and I was treated to some extraordinary exhibition of batting. Obviously, the morning plans got rearranged and I managed to watch the match till the end. The true bonus was the century from Sachin (who being from our generation - kind of - is still the primary idol).

Two moments stuck in my mind after the euphoria had ebbed and replaced by a happy glow. The first one was the end point of the easy nonchalance of Yuvaraj's innings. He was going great guns, overshadowing Sachin and nothing seemed impossible. Then he got out caught behind, and walked without as much as a single glance towards anyone. The wicket keeper was standing up and the umpire could have had his doubts. But such was the flow of Yuvaraj that he had no hesitation in doing the right thing. That is the essence of a man in 'the zone.' Reminded me of the Kipling poem, 'If''.

The second moment came when Dhoni was batting. His energy, enthusiasm and the busy manner immediately changed the mood of batting from languid grace to frenetic urgency. At one point, he played a great shot where the ball went sailing over the mid-wicket in to the stands. It's my guess that the coaches in cricket stress the importance of a proper follow through (as we were taught while learning firearms handling and marksmanship in our basic police training). However, here was a picture of Dhoni frozen, looking at the place where the bat had met the ball and happy at the flawless process than looking up at the ball's trajectory and worrying about the result.

To me, these two moments are what is so special about today's Indian team and the young India as well. We can look forward to great things if we enhance and maintain our process focus.

On another note on the new India, Vir Sanghvi's article in the Hindustan Times, titled 'The Same People? Surely Not' was a refreshing perspective on the divergent paths taken by India and Pakistan after 1947. The older people are always prone to the secret hope of returning to 'the good old days'. It never happens and is a dangerous pitfall in the thought process. The past can be a good guide to understand the changes around us, but not as a model for shaping the future.

8:57AM - Credit Card Fraud and an Unusual New Year Gift

Recently, I received a new year greeting mail from Hemant Rath. With my memory being what it is, the name failed to ring a bell and I had to search through my mail archives to find out more. I also clicked on the links in the mail and landed up at Hemant's blog. The latest entry in the blog 'Credit Card Fraud and an Unusual New Year Gift' explained a lot.

So, I promptly decided to copy the title of his blog post for mine. It is gratifying when whatever good deeds you do come back to visit you in an unexpected fashion. Thanks for the joy, Hemant.

However, Hemant's experience with the police (as narrated by him) is not very enthusing and that's where the need for police reforms (a theme I keep harping on) comes in. After the recent Mumbai terror attacks, there is a greater interest and awareness about police working among citizens. This is a very welcome sign and if sustained, will lead to the pressure of public expectation on the vested interests in government and police to be open for the much-needed change.

9:49PM - SIM Card Cloning and Cops in India

Bruce Schneier blogs about the discovery of cloned SIM cards in Assam and attributes the surprise and the lack of expertise on the part of the police to his favourite theme of the 'Ill Effects of Banning Security Research.' Apparently, an expert from IIT Guwahati said that no one has actually done any research on SIM card cloning because the activity is illegal in the country. The assumption about the lack of expertise is simply not true: one can find a detailed, one-year old post online about cloning cards of the various Indian telecom operators. Indian Express wrote about cloning in February 2005.

In 2005-06, when I used to work in NASSCOM, we did several training programmes for police officers which started with the demonstration of SIM cloning. The idea was to catch their attention and then talk of the various kinds of cyber crimes. It used to work well, but applications of such cloning were difficult to cite. Finally, a real life situation turns up where a terrorism suspect has used cloned cards. It would be interesting to find out what advantages he saw in doing so.

11:14PM - Political aspirations

We were watching the Obama - McCain debate the other day on TV. As McCain held forth on what he was going to do on becoming the President of USA, I asked my son, who is in fifth standard: "Would you want to join politics when you grow up?"

His emphatic and immediate "NO!", with a rueful shake of head, surprised me. "Why not", I asked him. "I will have to learn so many speeches", he said!

10:24PM - Global Innovation Outlook - Security and Society

Since 2004, IBM has been periodically hosting a very interesting brainstorming exercise, called Global Innovation Outlook (GIO) on various themes. I was invited by them to participate in a 'Deep Dive' session of GIO 3.0, with the theme of 'Security and Society'. This was held in Taipei on 20-21 May 2008. Similar sessions were held at Moscow, Berlin, Tokyo, Chicago and Vancouver. The GIO blog gives more details of the individual sessions.

The idea of the brainstorming exercise was simple and well-executed. A lot of bright and accomplished thinkers on the subject of security were put together and asked to express their thoughts on the emerging aspects of security. The IBM co-ordinating team laid down the protocol of engagement and guided the discussions in the productive direction. Personally, I enjoyed meeting people from different nationalities and getting to know their assessment of the problem.

IBM has recently put out the report of the Deep Dive on Security on Society. Though a largish file (6 MB), it is worth a good look for some unusual perspectives from a diverse group of people, capable of stimulating some novel thoughts.

8:12AM - Blast in Kabul

Terrorism continues to target the Indian nation within the country and outside. The latest in this series is yesterday's blast in the Indian embassy in Kabul which killed 41 people. The risk of such incidents is higher in 'frontier' places like Kabul and one only hopes the lessons from this incident are not lost. One name in the list of embassy officials killed caught my eye. V. Venkateshwara Rao, an IFS officer of 1990 batch is the first IFS officers to be martyred. [C.Raja Mohan has paid a tribute to Venkat (http://www.indianexpress.com/story/332701.html) in the Indian Express].

I had met Venkat during my first visit to US at a dinner at the residence of Dr V.S. Seshadri, then Minister in the Indian embassy in Washington DC. My colleague in NASSCOM, Sunil Mehta, who is also no more, was with me and, I remember, the evening was spent in some small talk, but mostly in a deep discussion about the Indian IT industry. I was impressed with the Venkat's easy-going nature and his keenness to absorb information about the issues important for the IT industry. During my next visit, I enquired about him and was told about his moving out of the US assignment.

I always assumed that our paths will cross sooner or later. Obviously, one can't make too many things for granted...

7:24AM - The Fringe Benefits of Failure, and the Importance of Imagination

J.K. Rowling is an iconic figure in today's age when there are not too many believers. Needless to say, our family is a member of the fan club and went through the breathless experience of buying and reading the Harry Potter series, as soon as the books were released for publication.

Rowling gave a commencement speech at Harvard recently. It is wonderful and deeply moving, like much of her writing. The closing part of the speech:

Unlike any other creature on this planet, humans can learn and understand, without having experienced. They can think themselves into other people's minds, imagine themselves into other people's places.Of course, this is a power, like my brand of fictional magic, that is morally neutral. One might use such an ability to manipulate, or control, just as much as to understand or sympathise.

And many prefer not to exercise their imaginations at all. They choose to remain comfortably within the bounds of their own experience, never troubling to wonder how it would feel to have been born other than they are. They can refuse to hear screams or to peer inside cages; they can close their minds and hearts to any suffering that does not touch them personally; they can refuse to know.

I might be tempted to envy people who can live that way, except that I do not think they have any fewer nightmares than I do. Choosing to live in narrow spaces can lead to a form of mental agoraphobia, and that brings its own terrors. I think the wilfully unimaginative see more monsters. They are often more afraid.

What is more, those who choose not to empathise may enable real monsters. For without ever committing an act of outright evil ourselves, we collude with it, through our own apathy.

One of the many things I learned at the end of that Classics corridor down which I ventured at the age of 18, in search of something I could not then define, was this, written by the Greek author Plutarch: What we achieve inwardly will change outer reality.

That is an astonishing statement and yet proven a thousand times every day of our lives. It expresses, in part, our inescapable connection with the outside world, the fact that we touch other people's lives simply by existing.

But how much more are you, Harvard graduates of 2008, likely to touch other people's lives? Your intelligence, your capacity for hard work, the education you have earned and received, give you unique status, and unique responsibilities. Even your nationality sets you apart. The great majority of you belong to the world's only remaining superpower. The way you vote, the way you live, the way you protest, the pressure you bring to bear on your government, has an impact way beyond your borders. That is your privilege, and your burden.

If you choose to use your status and influence to raise your voice on behalf of those who have no voice; if you choose to identify not only with the powerful, but with the powerless; if you retain the ability to imagine yourself into the lives of those who do not have your advantages, then it will not only be your proud families who celebrate your existence, but thousands and millions of people whose reality you have helped transform for the better. We do not need magic to change the world, we carry all the power we need inside ourselves already: we have the power to imagine better.

I am nearly finished. I have one last hope for you, which is something that I already had at 21. The friends with whom I sat on graduation day have been my friends for life. They are my children's godparents, the people to whom I've been able to turn in times of trouble, friends who have been kind enough not to sue me when I've used their names for Death Eaters. At our graduation we were bound by enormous affection, by our shared experience of a time that could never come again, and, of course, by the knowledge that we held certain photographic evidence that would be exceptionally valuable if any of us ran for Prime Minister.

So today, I can wish you nothing better than similar friendships. And tomorrow, I hope that even if you remember not a single word of mine, you remember those of Seneca, another of those old Romans I met when I fled down the Classics corridor, in retreat from career ladders, in search of ancient wisdom:

As is a tale, so is life: not how long it is, but how good it is, is what matters.

I wish you all very good lives.

Thank you very much. 

 

8:40AM - The next level of detail

Yesterday, on way to Taipei, where I will be attending the Deep Dive session on Society and Security of the IBM Global Innovation Outlook, I passed through the Hong Kong airport. In the transfer area, there was the usual queue for security. When I neared the security portal (a.k.a. Door Frame Metal Detector or DFMD), I noticed that the trays being given to the passenger to put their laptops, phones, coins and watches were coming back to the originating point thorugh a nicely designed pair of guide rails and there was no unnecessary shuffling and bustle for the security people who were focusing on their assigned parts of the task. What is more, each tray had two A-5 size laminated and serially-numbered paper tokens, one stuck to the tray itself and the other given to the traveller to help him collect his stuff on the other side. Now, I found this to be a nice touch of thoughtfulness. A person is on tenterhooks when passing through security. At that point, when he is asked to give up his precious possessions even for a few moments, this assurance of comfort through providing the token is indeed welcome.

This was in contrast to the near-chaos at Mumbai airport security, where there were multiple queues for the same gate and no queue management in sight. The failure of the Indian planners to provide us with world class of airport is all the more galling when one sees the excellence elsewhere.

6:21PM - Slicing and dicing

Jairam Ramesh, Union Minister of State for Commerce for  recently shared his thoughts on the IT industry with the Executive Council of NASSCOM.  The entire speech is available here.

I found the speech refreshing for the way it presented data about the Indian IT industry.  To illustrate, an extract is given below.

A couple of months back, the securities firm CLSA came out with detailed analysis of the Indian IT industry which revealed that:
• 20-25% of India’s GDP expansion over the next 3-4 years will come from IT;
• India’s IT exports will cross India’s oil imports from 2007/08 onwards assuming that oil prices are at around $ 65 a barrel;
• The IT industry –directly and indirectly—will pick up a third of the addition to the urban labour force over the next three-four years.
• Over the next three-four years, the IT industry will pick up around 80-85% of India’s employable engineers.
• One in seven income tax payers in the country will be a IT professional by 2010 up from the current one in ten.

There is more insightful analysis in the speech.  It is this kind of approach to present statistics which make them meaningful and relatable.

9:12PM - ITU Regional Workshop on Cyber Security

I just returned after spending a week in Hanoi, Vietnam, where a regional workshop, involving the countries of Asia Pacific region, on evolving a framework for ensuring cyber security, was held.  This workshop (http://www.itu.int/ITU-D/cyb/events/2007/hanoi/) was hosted by the International Telecom Union, which is trying to bring uniformity of approach among all countries which are grappling with the issue of how to promote the safe use of information technology.  I had attended the Council of Europe Convention on Cybercrime Conference recently.  The ITU approach goes beyond the Council of Europe approach, which seeks to put in place a comprehensive legal framework, harmonisation of laws, capacity building in enforcement of laws in cyber space and international co-operation in criminal investigation. The ITU approach includes this as one element among other equally important elements.  The remaining four are as follows.

• a national strategy
• incident management
• government-private sector collaboration
• development of a culture of cybersecurity

1:27PM - Better Badge Design

I have attended quite a few conferences of late.  Many a times, I have gone there knowing only a few people (mostly the one person who invited you) and have returned with several acquaintances - people with whom one shares similar opinions and with whom one can work together in future. 

All such conferences follow a predictable pattern: people generally get introduced to each other by themselves or through someone known to both, see them speaking from the stage, ask questions and make comments, chat during the cultural dinners and at times politely argue with.  It is fascinating... 

Sometimes, during a discussion around the table, you want to know about the identity of a person who impresses you with his knowledge and you try to steal a glance at his badge to read his name only to find it the wrong side up.  So, the one conference organiser who comes up with a badge design which has the name of the delegate on both the sides gets extra marks from me for that kind of attention to details which separates the good from the best.

10:32AM - Software Piracy in India

Express Computer, in its current issue, has done a lead story on software piracy, which carries a few quotes from me. 

Another aspect of piracy, which the story does not touch upon, is that it leads to reduced diversity and a depressed off take of alternative and open-source software, which finds no takers due to the easy availability of full-fledged, commercial competing products.  There was an interesting write up in Businessweek a few day ago on this.  Worth a read.

7:22PM - Top Countries for Cyber Crime

Recently, I was queried by Andy Greenberg of Forbes about a Sophos report on countries of origin for malware.  As seen from the default language of the malware program, UK English (which would account for UK and India) figured very low on the list.  The Forbes article (The Top Countries For Cybercrime) can be found here.  Given the low reporting of cyber crime and the borderless Internet, this is an interesting approach to locate hotspots of criminal activity.

Moinak Mitra of Economic Times did a follow up story (Indian geeks rated good citizens in cyber city), after he spoke to me on the India-specific points.

5:47PM - Rule of Law in Rural India

Two news items, which tell volumes about the rule of law in rural India, caught my attention during this week.  The first one was a report in Business Standard about rural credit cards.  This was a sample validation of the scheme which has seen issue of 66 million Kisan Credit cards by banks ever since the scheme was launched by the government in 1999-2000 to provide credit to small and marginal farmers.  It is estimated that over Rs 10,000 crore has been disbursed through the Kisan Credit Cards in the last seven years. In a village in Chattisgarh, 13 farmers were startled to receive notices for loans worth Rs 13.80 lakh, pocketed by a local tout, who had taken their signatures under false pretexts.  If this is what can turn up in a sample survey, one can imagine the extent of the total amount siphoned off.  Even if there is no outright fraud, there may be heavy corruption, pushing up the real interest rates on the loan to the usual usurious levels.

I have come across many people who complain vociferously about the taxes the government is collecting from them.  Now, nothing being more certain than taxes and death, it does not serve much purpose.  In a country where the government will continue to play a major role to spur development and remove disparities, tax collection is going to be the main way to raise resources.  The real question is if these taxes are being spent in the right manner and if the money is creating assets for the poor which will make them self-sufficient.  One of the important mechanisms of ensuring that there are fewer leakages is to have a rule of law, when in case of a fraud being reported or corruption being noticed, the culprits can be swiftly and demonstratively brought to book.  This calls for deep and durable police reforms.

The instance, which underlines the need for promoting the rule of law, was reported from Nanded in Maharashtra, when several government officials were beaten up in presence of a police contingent.  While in this case, the policemen seem to have been outnumbered, it remains a fact that in rural areas the police machinery functions keeping the local power equations in mind and takes the path of least resistance and operating at low levels of professional competence.  This results in their losing the ability to take firm action when required suddenly and unexpectedly.  With expectations of each section of the society rising, such clashes will become more frequent and the police organisation needs to be able to remain insulated from the local political influences and give a better account of itself.  Another practical reason for pushing through some radical reforms!

8:02AM - The Power to Arrest and Its Misuse

Last week, a Professor from India's top academic institution contacted  me for some advice.  This is what he narrated to me: His brother, who mostly stays abroad, was experiencing marital discord.  There were several attempts to reconcile over the five years of marriage, but these were unsuccessful.  One fine morning, there was a knock on the door of the Professor and he found a posse of police officers from the city where the estranged wife was residing, accompanied by an officer from the local police station.  The Professor was arrested and taken to the other city for being produced before a court for seeking police remand.  It turned out that his brother's wife filed a criminal case under section 498A against his brother, but had also cited the in-laws in the complaint.  The local police, taking no chances, promptly arrested the FIR-named accused persons, from wherever they were.  According to the Professor, the FIR was a carefully drafted one with the help of an advocate and included completely fabricated material to support the allegations of mental torture and demand of money from the girl's family.  Not only did the Professor himself have to undergo the pain of an unjustified arrest, his 70-year old mother had to frantically seek anticipatory bail.  The Professor had to spend over a month to handle this crisis, resulting in considerable inconvenience to the Institute and his students.

Now, the so-called misuse of this section has been a matter of debate for quite some time now.  There are websites dedicated to this topic and there are some counter-views.  I am not going into that debate at all.  What I would like to refer to is the lack of clear guidelines and oversight on the power to arrest.  Often, the police investigator, on account of the prevailing practice or under pressure from his supervisors/media/society, proceeds to arrest all FIR-named accused persons as the first step of investigation without collecting any evidence to substantiate or refute the allegations contained in the FIR.  When one speaks to the field officers, they say that any delay or informed discretion shown invites severe criticism from a range of interest groups and no one in the police hierarchy is willing to take the heat. 

To me, investigation is a fact-finding exercise, in which arrest and custodial interrogation are necessary in a small percentage of the cases and other cases can be handled with professional investigative techniques.  From a tactical point of view too, the investigator also gets busy in the procedural matters of effecting the arrest, producing the accused before the magistrate, seeking his remand, getting his medical examination done and transporting him from place to place, resulting in further delay in establishing the truth, not to mention unfair and traumatic arrests, such as in the instant case. 

My suggestions in this regard, therefore, are as follows.

1. The police organisations should lay down a detailed step-by-step standard operating procedure which will guide the investigator about evaluating the need for arrest.  There should be a conscious attempt to promote a culture of respect for truth, rather than expediency.  All arrests in criminal investigations should be justified internally through self-speaking documentation and cleared at a sufficiently high level.  In CBI, this is done at the level of the Inspector General of Police.  In local police, this could be at the level of the DCP/SP.
2. The supervisory officers at all levels should show more moral courage in being objective and backing their junior team members.
3. The separation of investigation as a function distinct from maintenance from law and order will promote specialisation and professionalism, resulting in less frequent miscarriage of justice.  The impending police reforms in the country have great significance in this regard.

Many people in the society justify instant arrests on the ground that due to the abysmally low conviction rates, sometimes the detention during investigation is the only punishment the offender undergoes.  However, this militates against the principle that a person is presumed to be innocent till proven guilty by the due process of law.  The reform in the criminal justice system, which will remove such injustice, is thus the most pressing priority before society and the policy makers.  The civil society needs to get involved in the process urgently.

1:01PM - Octopus Interface 2007 conference re Cooperation against Cybercrime

7:16PM - Mumbai as an International Finance Centre

Those interested in Mumbai's future as a liveable city, would be enthused by the report of the High Powered Expert Committee (HPEC) on how to make Mumbai an International Finance Centre (IFC), the details of which are available on the Ministry of Finance site.  Ajay Shah's blog entry on the subject has an excellent collection of resources on this topic.

While skimming through the report and particularly the recommendations of the HPEC, there were some recommendations which caught my eye.  Chapter 8 deals with financial regime governance issues and concludes that '...the weakest links in an Indian effort to compete with other IFCs are issues of financial regulation (E6 to E11) and the overall weakness of its legal system. These are the areas on which this report places great emphasis as needing immediate strengthening if a viable IFC is to emerge in Mumbai.'  Chapter 15 contains the recommendations of the HPEC and it minces no words, while describing the functioning of the legal system 'leaving much to be desired.'  It goes on to recommend that 'urgent action be taken to remedy these short-comings with suitable reform of the legal system. If that cannot be done relatively quickly then, in the interim, consideration should be given
by policy-makers to establishing a special system of fast-track ‘financial’ courts and special arbitration mechanisms to deal with the legal and regulatory
complexities that an IFC and the provision of IFS will create.'

While many of the legal reforms will be in the area of civil dispute adjudication, there is a need to consider how to improve the effectiveness of investigation of financial crimes.  Thanks to the trends of adoption of new technologies and new business models, issues of data security have become extremely important.  There is a report in today's DNA about increased fraud levels among Indian companies.

The large scale stock market scams perpetrated by Harshad Mehta and Ketan Parekh are still to reach the logical end of prosecution, conviction and sentencing.  Having handled these cases at some stage, I can vouch for the severe dearth of adequate numbers of skilled investigators who are capable of  understanding financial crimes and bringing the offenders to book.  This is where the area of police reforms becomes relevant.  A good starting point would be separation of law and order and investigative functions.  There needs to be higher investment in these areas to build capacity and offer incentives for specialisation.