Abstract:
The journey of the Indian data protection framework started in 2018 with the introduction of the initial draft as the ``Personal Data Protection Bill (PDPB-2018)''. Subsequently, a revised draft, PDPB-2019, was introduced. This went through revisions as PDPB-2021 and the Digital Personal Data Protection Bill (DPDPB-2022). Finally, it was passed as the ``Digital Personal Data Protection Act'' (DPDPA, 2023). The framework emphasizes protected data processing while honoring the user's privacy.
In this thesis, we look at the technical aspects of DPDPA and suggest ways to address the different clauses of the bill. We have analyzed four components: a) user's consent, which states the nature and scope of consent-based data processing; b) right to access/right to nominate, which assures the right to nominate someone as a nominee; c) data breach, which enables appropriate technical measures to prevent and analyze data breaches; and d) storage/logging, which preserves and evaluates various logs that strengthen security posture and incident response. Enhanced approaches have been explored under each obligation for stronger data management and processing aligned with the framework.
In analysing user’s consent, we have described how encoding the requisite security and privacy properties will ensure stronger consent processing. We formalize these properties as Proofs of Consent (PoC) and categorize them into three layers. The acquisition of a higher layer will minimize adversarial risks and ensure greater transparency. Next, we have proposed a model, Shielded Consent Manager (SCM), which uses blockchain and other cryptographic primitives for retrieval of consent to grant permissions to access Android resources. Further, following the right to nominee obligations, we have proposed a model, Digital Asset Inheritance Protocol (DAIP), which uses CertificateLess Encryption (CLE) and Identity Based System (IBS) to convey the user’s online persona efficiently to the descendant after his death. DAIP allows the nominee to successfully retrieve the asset after the user’s demise, even if the nominee is uninformed regarding the asset. Then, we have proposed the system model of a Data Breach Incident Assessor (DBIA) aimed at breach assessment. It helps in validating a threat actor’s claim, understanding the root cause of a breach, analyzing the scope of the compromise, and providing analysis according to the regulation. Finally, an End System URL Analyzer (ESUL) to analyze the URL-based logs on end systems is presented.
Simulation and result analysis are carried out for each of the above approaches. We show that enhanced security approaches can help to realize the obligations in DPDPA, thus ensuring robust data management and processing.