Breach Page 6
Hidayatullah says the entry of companies like BugsBounty is a welcome development. ‘I think giving researchers a responsible disclosure mechanism and a reward is awesome.’
While the information security market abroad may have the space for firms such as BugsBounty, these firms need to educate Indian companies a lot more. Transparent conversations about vulnerabilities and breaches aren’t so common in India, even though there are countless instances of vulnerabilities being exploited. And this lack of conversation is a major issue, according to Bikash Barai, founder of iViz, an information security company that he later sold to Cigital. ‘Maturity in thinking around information security issues is severely lacking in the Indian context. For example, seventy-two out of the 100 major start-ups that we analysed in a study were “negligent” in implementing and maintaining reasonable security practices and procedures.’
More often than not, companies in India clam up when news of a breach breaks out in the media. Their reaction is to deny the breach and then to go incommunicado, hoping that the media and the public will soon lose interest and the crisis will tide over.
There is even less incentive for start-ups and companies headlining the new economy to report these instances because it then becomes a matter of public record. As the chief executive of one of India’s big Internet-economy companies points out, ‘ . . . if things are made public, it makes it a point of discussion at investment meetings or M&A meetings and when due diligence happens. Most promoters don’t want that to happen as it can affect the valuation of their companies. People just say let’s just move on. What turning the head away often leads to is to incentivize other miscreants to repeat things like this.’
That is where Zomato’s response to the breach in its systems was remarkably different. Cynics may point out that they had few options but to come out in public, considering that HackRead had already broken the news, but they did show remarkable transparency in dealing with the breach and in communicating with their users about it. From periodically updating their blog to sending out emails to every user, particularly to those affected by the breach, Zomato has certainly raised the standard of handling such instances in India, where the default option is to go mum.
Pradyot Ghate explains the reason why Zomato went the extra mile: ‘It is important to take your users into confidence. We believe that the users’ information is owned by them. It is important to tell them the extent of what has happened and how it has happened. Even if you don’t know how, then you need to tell them that we will tell them when we know.’
Patidar and Ghate both say there was a negative impact on the usage of Zomato immediately after the issue became public. They believe the impact would have lasted for longer if Zomato wasn’t proactively communicating with their users. Things may take a while to get back to normal, and there still may remain doubts in the minds of at least a few users in the days ahead, but Zomato seems to have gained considerable sympathy by going public. One can hope that the company learns from the experience and increases the importance—both in terms of budget and personnel—given to security and adopts the best practices rather than stay reactive.
It was a very long chain of unfortunate events that led to the security breach at Zomato. For most companies in India, there is much to learn from the circumstances that led to it and how Zomato responded to it. Perhaps the most pertinent of these lessons stems from the upside of communicating openly with users.
CHAPTER 3
THE SLOW DEATH OF PIRACY
What Happens When an Industry Comes Together and Fights Theft
Pavan is short and wiry and sports a rather unkempt stubble. The grey T-shirt and the ashen trousers he is wearing on an unusually cold day for February in New Delhi have seen better days, but he looks comfortable in them.
He sits right next to the stairs on the first floor of a building at Nehru Place in New Delhi, surrounded by a cacophony of badly printed signs screaming ‘Laptop Repair’. Nehru Place is one of the biggest hardware markets in the country, with thousands of shops selling pretty much everything powered by electricity.
Next to Pavan is a small foldable table, and on it, stacked one on top of the other, are perhaps fifty-odd discs of pirated games like FIFA 16 and Call of Duty. They are neatly arranged by genre. There is a black backpack with more of these gaming discs stowed carefully under the table. Pavan also hawks pirated software, but he hasn’t displayed them in the pile. They too are inside the backpack.
Walking around Nehru Place, it is hard to miss young guys like Pavan walking around with a few printed A4-size sheets of paper in their hands, screaming ‘software games!’ to get your attention. There is a certain charm to the bizarre combination of old-world hawking and new-age technology. With smartphone hyper-growth being the flavour of the day, tempered glass for mobile phones is also aggressively hawked in these markets these days.
What is difficult to find are copies of pirated movies.
There was a time when pirated movies were ubiquitous. Just a few years back, Nehru Place, along with markets like Palika Bazaar in Connaught Place, were the go-to localities in the capital for pirated movies. The labels on these DVDs were badly printed on cheap paper, but they did the job they were supposed to—attract the attention of the hordes who passed by.
Nehru Place used to be something of a distribution centre for pirated copies of these movies. Back in 2012, just a day after the movie Barfi released, its DVDs were selling like hotcakes for Rs 30 apiece in Saket, a Delhi neighbourhood, just a short walk from a multiplex where tickets for the movie were selling at Rs 350 a pop.1 On asking where he got the DVDs, all the twenty-year-old hawker, who went by the name Praveen Kumar, revealed was, ‘I get the discs from “big people” in Nehru Place for Rs 18 each. This will sell very well—till the next big movie is released.’ Who are these ‘big people’? Praveen refused to answer.
Things have changed now. Ask Pavan why he doesn’t keep the latest movie to hit the silver screen and his answer is straightforward. ‘Aajkal kaun DVD dekhta hai. Sabke pass phonewala Internet hai. [These days no one sees DVDs. Everyone has Internet on their phones.]’ Then, as an afterthought, he says, ‘Policewala picture ka DVD dekha toh mere liye mushkil ho jaata hai. [If a cop sees DVDs, he will give me trouble.]’
The days of being brazen and open about selling pirated movies in Indian cities are clearly over. There was a time when these DVD-walas used to be a fixture on the streets of every major city. Not any more and much of it has to do with three things—technological shifts, change in consumer behaviour and better enforcement of the law. And then there’s how the industry came together to fight theft of the content it made with sweat and love.
The slow death of physical piracy is a huge victory for the entertainment industry. But that doesn’t mean the war against what is probably the most visible example of data theft—piracy of entertainment content—is over.
The proliferation of streaming platforms has for the first time enabled creators to deliver content legally over newer platforms while making money. The launch of Netflix, HotStar, Jio and Amazon Prime in India has made it easy for people to access content in high definition over the Internet without breaking laws.
But even before the legal channels opened up, it was the pirates who had showcased the possibility of the Internet as a powerful distribution medium. Despite the multi-year pitched battle fought both offline and online between movie studios and filmmakers on one side and pirates on the other, torrents are still available for the latest movies as soon as or even before they release. Filmmakers and copyright holders have always gone after them, but have not exactly managed to put an end to piracy. For those who are so inclined, sites offering illegal streams for movies are just a few taps on a Google search bar away.
What really happened over the last few years, with the advent of high-speed Internet, is that the primary battleground in the war that content creators have been waging against pirates has shifted from the street to the Internet. A whole new generation of pirates—far removed from the Pavans of the world—has been finding ways to make money off someone else’s work.
Despite the multi-decade, multi-national and multi-billion dollar push to fight this, the pirates have always found newer ways of making money from stealing content. Pretty much every time those who owned IP made strides to combat piracy, the thieves came back with newer technology, aided by newer business models. This fight has also been littered with several missteps, including the blurring of lines between copyright protection and infringement of privacy. But the fight may finally be tilting decisively towards the IP owners. This is the story of that fight.
* * *
Baahubali 2: The Conclusion, one of the biggest and most opulent Indian movies ever made, released with much fanfare on 28 April 2017. It was the second in the fantasy franchise that now holds the box office record for grossing more than almost any other Indian movie in history.
The day the movie was to release, the production house, Arka Media, received a rather bizarre communication from someone who went by the name of Rahul Mehta. He introduced himself as the head of an anti-piracy agency and dropped a bombshell that shook Arka Media. He claimed that he was in touch with pirates who had managed to get their hands on a high-definition copy of the movie. Documents that were filed to the police by Arka Media revealed the nature of the threat. Unless a payment of Rs 15,00,000 was made within the next three days, they would upload the movie on the Internet.
Mehta went on to share a short high-definition clip from the movie, which the pirates had purportedly given him to prove that theirs was not an empty threat and that they indeed had the copy in high definition.
This sort of direct blackmail of producers by pirates is relatively new. Around the same time, Larson Studios, a post-production company based in Hollywood in the United States, had a breach where several shows were stolen. A hacker who went by the name thedarkoverlord leaked the season premiere of the Netflix show Orange Is the New Black on the torrent site Pirate Bay in a similar case where his demand was not met. He then threatened to release more of the content he had stolen.2 It later emerged that the hacker went on to release the season, even after he was paid a reported $50,000 by the studio.3
Arka Media involved the anti-piracy cell of Telangana Police and industry bodies immediately.4 They had reason to suspect that Mehta was the same guy who had slipped away during a raid just a few years back.
After deliberation, the producers and the police decided to spring a honeytrap. They invited Mehta, who is based in Delhi, for a discussion in Hyderabad. He agreed to the meeting. He met people from the company, including a policeman who was posing as a production manager, in the Jubilee Hills neighbourhood.
Mehta was brazen in his conversations and wanted to thrash out an audacious deal. The twenty-six-year-old claimed his ‘agency’ was influential among piracy syndicates across the country. He said these syndicates would be interested in working out an arrangement where if a certain amount was paid to the pirates every month, they would help keep movies from leaking. Pirates on a retainer, if you will. Mehta even shared a draft agreement which would explore what he termed as a ‘different approach’ with pirates.
What Mehta didn’t realize was that the police machinery was churning full steam across the country even as he was negotiating in Hyderabad. The cops and the producers were collecting evidence and raiding suspects to nab the gang behind the leak of Baahubali 2.
They had, by then, zeroed in on the origins of the leaked clip that Mehta had shared using the unique watermarks that are digitally embedded in each of the copies distributed. The watermarks are made by digital cinema services companies like United Media Works. Such services essentially help movie halls access the content through satellites, or over the Internet, thus eliminating the need for physical distribution of reels and ensuring that movies are screened in the largest possible number of cinema halls, thus maximizing revenues for the movie in the initial days after its release. The movies thus distributed are then encrypted and stored at the movie halls. Logs are kept to monitor the number of shows which these movie halls run, thereby allowing the producers and distributors to keep a close watch on the money they are due.
Examination of the digital watermark threw up the name of Veena Cinema theatre in Tivhra, a small town in the Bibusarai district of Bihar. The police machinery whirred into action in the massive multi-state operation. It didn’t take long for the owner of the movie hall in Bihar, Divakar Kumar, to be arrested.5
The accused had made the copy with help from a computer whiz, in the wee hours of 28 April. The computer whiz had found a way to hack into the set-up without setting off any alarms which would have warned the producers of unauthorized access.
Almost simultaneously, Mehta’s office in Delhi was raided while he was in Hyderabad. Thirty-seven-year-old Jitender Kumar Mehta, twenty-seven-year-old Tauffiq and thirty-nine-year-old Mohd Ali were arrested with copious evidence of piracy—hard discs containing copies of multiple films. In all, six were arrested; they included Chandan, who was part of the syndicate in Bihar. One of the accused, Ankit Kumar alias Monu, managed to evade the cops. The same day, Mehta, revealed to be the kingpin of the operation, was nabbed in Hyderabad.6
Funnily enough, Jitender Kumar Mehta and Tauffiq were arrested for piracy just two years ago, in 2015. They were nabbed as part of an operation that had busted a similar piracy syndicate. Rahul Mehta had evaded capture then. That operation had tracked the piracy ring that had leaked the first Baahubali movie.
* * *
In July 2015, Business Standard ran a story with the headline ‘MP Police Bust Pirated Film Racket’.7 The man purported to be at the centre of this racket was a young computer engineer, Priyank Pardesi. The cops who arrested him in Pune found the trail to 1234 films—including the first Baahubali movie—that were allegedly uploaded to streaming websites on the Internet by Pardesi.
Pardesi had, according to news reports, worked with some of the biggest multinational tech companies and had seemingly little in common with those who were traditionally engaged in piracy. That was indicative of a shift. Theft of entertainment IP and making money off someone else’s sweat had morphed from being something that had crime syndicates and small-time crooks operating at the centre into something else.
Pardesi was a new kind of criminal to the law enforcement system—the white-collar criminal who was well versed in technology and its darker arts. Physical piracy was more or less a tool for survival for those like Pavan in the lower income groups who didn’t have many options to make ends meet.
With those like Pardesi, the motivations were a little more complex, with even an element of vanity coming into the picture. Being the first pirate to upload a movie on the Internet earned pats on the back and established the pirate as a name to reckon with in online piracy forums. Like black hat hackers, pirates often wanted this kind of recognition. The potential to make money sweetened the enterprise. A lucrative business model had emerged around streaming.
Take the case of the first instalment of Baahubali, which was one of the movies Pardesi is alleged to have uploaded in 2015. It was a popular movie to pirate, and according to a report in The Hindu in late 2015, ‘ . . . through 1,500 links, 15.78 lakh people downloaded the movie [Baahubali] and another 10 lakh people watched it illegally.’
That is more than two-and-a-half million eyeballs. If that is even conservatively multiplied by the average price of movie tickets in India, it works out to a significant sum of money, assuming that everyone who watched the pirated version would, in its absence, have gone to a movie hall.
As with most things on the Internet that capture eyeballs, advertising has emerged as the go-to moneymaking option for pirates looking to stream movies to a willing, hungry audience. Digital advertising networks, who are often unaware of the content they advertise, push ads for them, just as they would do for any other website.
Other online monetization practices—search and pay-per-view included—form part of the mix, but it is advertising that is far and away the biggest money spinner. Digital Citizens Alliance, a United States-based coalition of consumers, businesses and Internet experts, which studied 589 sites containing stolen content in 2014, found that just the small number of sites they tracked generated an ‘estimated $209 million in aggregate annual revenue from advertising.’ That is a significant return for what is a low-investment business; server space and website maintenance, cost of hardware and money paid to the sources of the content are the only expenses for the white-collar pirate.
This business model has been under threat as copyright holders have been working with major digital advertising networks to cut off the advertising money that fuels the growth of illegal streaming sites. That could be one of the reasons why Mehta was forced to try to extort money from producers rather than directly put up the movie on streaming platforms to make money. The tightening noose seems to have made pirates desperate to try riskier propositions.
* * *
The fight against theft of entertainment content is not one that has been only about choking business models. One of the biggest challenges over the years for IP owners has been to control the leakage at the source of prints, which lies at the foundation of such piracy.
While Baahubali 2 may have been leaked by copying from a digital print, the vast majority of pirated copies still have their origins in the simple act of a person holding up a camera to a screen to capture it—camcording. Uday Singh, managing director of Motion Picture Distributors Association in India, which is affiliated to Motion Picture Association, a coalition of Hollywood studios, suggests that 90 per cent of all pirated movies consist of such camera prints.