The Law and Technology Society, NLSIU



Aarogya Setu: It is a contact-tracing mobile application that was made by the Indian government to notify users of their recent contact with a COVID-infected person by using phone’s Bluetooth and location data. The data is then shared with the government for the big data analysis.

AASMA – Advanced Application for Social Media Analytics. It tool that collects information about suspected people from their social networks like Twitter, Facebook, YouTube, Flickr, and Google. These data collected will be used to track later any activity of a suspected person.  It has been developed by the Indraprastha Institute of Information Technology. It has been in use by the centre and various states of India. Very limited is available about it in public knowledge which is the reason for its incomplete knowledge. It is expected to include facial recognition technology too which will add to the concerns that already come with it.

Acquihire – An acquihire, also called Talent Acquisition, is an act of acquiring a company for skills and expertise of its employees. This type of acquisition is common in tech industry where leading companies like Google buy start-ups not because of its product and services but for skills of software engineers. Also, huge privacy risks are attached with it. Data so large is generally automatically created and thus needs to be constantly authenticated.

Anonymization-. Anonymization is a process by which the personally identifiable information is either modified or removed from the data resulting in data not being associated to any one individual. the process leads to a greater privacy and prevents the incident of data breaches.

Artificial Intelligence – Artificial intelligence (AI) refers to the capability of machines or software to mimic human actions of intelligence such as learning and problem solving. There have been numerous applications of artificial industry in various sectors such as medical, self-driving.  One example of artificial intelligence is reinforcement learning in which the computer software is designed in a way so that it competes with itself to get better. Examples of it reinforcement learning are Leela Chess zero, a program that has been developed to play chess.

Asymmetric key encryption – A cryptographic algorithm which uses a set of two keys- Private and Public. Public keys can be shared widely and serve as indicator of who the party is while private keys are not to be shared. RSA is one example of an Asymmetric key encryption system which has been widely used. It is only of the oldest systems of such nature.


Big data – Big Data is a collection of data so large (and moving so fast) that it is difficult to store and organize to put it to some use. It can be best described as in terms of the 4Vs, which refer to the volume, velocity, variety and veracity. In volume  and velocity it can be seen that more data has been created in the past few years than in the entire human history. Lots of data created every day  and they are at risk of being unorganized since they come from different sources and are many a times placed in an unstructured manner. Data so large comes with it with its own risk of it being of less veracity.

Biometrics – The work of identification of humans via their own characteristics is known as biometrics. It is further bifurcated into two parts: soft and hard biometrics. The biological  and physical characteristics like eye, facial features etc are dealt with by the Hard Biometrics. It uniquely identifies a person. On the other hand, the soft biometrics provide the info that is not permanent and fully distinctive in order to identify an individual. It includes traits like skin texture, skin colour, height, and ethnicity. The soft biometrics is often used to aide the hard biometrics. 

Blockchain– Blockchain is a system of shared ledger where the process of transaction recording and asset information is facilitated. Blockchain would help therefore in tracking and trading of anything that is put of its network, increasing the efficiency and accuracy of the transaction.

Bootstrapping– Bootstrapping is the act of financing a start-up by using your own resources rather than seeking an external help.

Botnet –  A botnet is just the name for a group of devices, connected on the internet working together, making it essentially an army of devices. Such attacks are common on IOT systems, often targeting the devices with  weaker or no password protection.

Brute Force Attack – A brute force attack in very simple terms is a mode of attack based on trial and error. The attacker tries to check for all the possible combinations hoping to get reach upon the correct combination. Needless to say, the amount of time taken to get through  using brute force attacks would be extremely large where the passwords are extremely long and allow for a variety of possible types of data entry. To put this into perspective. A 8 digit password containing only numbers, would mean 10^8 possible cases.

Buffer Overflow Attack – A Buffer overflow attack is a type of DoS Attack, specifically a flooding Dos Attack. This attack is premised on the fact that while there are temporary buffers allocated for data to be kept temporarily, and these buffers have certain memory sizes allotted to them. A Buffer Overflow Attack aims to increase the allocations more than what’s allowed. This has the effect overwriting adjacent memory locations and could lead to issues like crashes and memory access errors


Catfish – A catfish is a person  who creates a false online identity in order to defraud someone, seek revenge, commit identity theft, or lure someone into a relationship deceptively

CCPA – California Consumer Privacy Act-The strongest privacy legislation in the US enacted by the California state. The CCPA is a law that allows any customer whose data is being shared two crucial things- First, It provides them the opportunity to see all the data that has been stored by companies about them whose services they avail; second, they can ask the list of third companies with which. For example, if a news website shares data advertisement companies, the consumer can get to see all the information that has been stored by the news website and all the advertisement companies with which all the data has been shared to provide with personalized advertisements. In addition, California law allows consumers to sue companies if the privacy guidelines are violated.

Cloud computing – Refers to the service of providing computational services ranging from applications, storage to processing power and other such commodities handled by dedicated servers linked to a cloud network over the internet, such services are largely priced as per the usage of the consumer. E.g Microsoft azure

CMS– The Central Monitoring System is an Indian government system that is aimed at centralizing the telephone interception process. It will change the earlier process in which there was a requirement of telecom service providers to intercept calls. Now the CMS will its regional cells will ensure a centralized system of intercepting calls and the requests for call interception would be made to a central authority.  It is installed by the center for the development of telematics under the Department of Telecommunications of the Central Government. This system has raised concerns of arbitrary access to and abuses of private conversations. This is potentially due to the fact that India lacks any legislation and the centralized system has the potential of mass surveillance.  It will over

Coding: Coding is the process of creating instructions for computers. It allows the programmers to create programs, operating systems, and mobile apps.

Competition Commission of India (CCI) – It is the statutory competition authority of India that has decided various antitrust cases in the tech sector. CCI has been formed to develop competition in the markets. By prohibiting anti-competitive M&As, abuse of power, and anti-competitive deals across markets, the CCI encourages competition and prohibits the misuse of market power by any firm. Preserving consumer welfare in terms of quality, innovation, price, and choice is one of its key aims.

Consent Management– Consent management is a process or system that allows users to determine what personal information they are willing to share with other parties. It ensures user participation and supports management and enforcement of jurisdiction privacy policies.

Consent: Consent refers to permission of data principal to let data principal to let fiduciary collect his or her child. Consent definition has been further elaborated in Personal Data Protection Bill, 2019 as consent must be free having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872); informed, having regard to whether the data principal has been provided with the information required under section 8; specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing; clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

Cookie: Cookies are information packets which allow the website to track the user’s preferences and log in information.

Cryptocurrency – It is a tool for digital payment which doesn’t depend on the banks for the verification of transactions. It relies on a peer to peer system which allows any individual to transact payments from any corner of the world. Rather than the physical form, the payments of cryptocurrencies exist purely as digital entries to an online database. It is a currency associated with the internet that uses cryptography, which is the process of converting legible information into an almost uncrackable code, to track purchases and transfers.

Cyberbullying: Cyberbullying means viciously harming, intimidating, insulting or blackmailing individual(s) using electronic means like SMS, e-mails, videos etc. This includes, hacking accounts, sending inappropriate messages, stalking, blackmailing with some information which might be personal to the individual, etc.

In India no specific law deals with Cyberbullying and it has been nowhere defined in law. However, some provisions like s. 66E, 67, 67A of the Information Technology Act, 2000 can be read extending to cover cyberbullying with respect to circulating private content. Some provisions of Indian Penal Code, 1860 like s. 354D (Stalking), s. 509 (offending the modesty and privacy of a woman), s. 499 (defamation) might also come to the rescue.

A Cyberbullying complaint can be lodged by filing an FIR at a local Police station which will refer the matter to the Cyber Cell of Police if required.

Cyberpsychology – Cyberpsychology is the study of the human mind and its behaviour in the context of its interaction with digital technology, particularly the internet.


De-anonymization-De-anonymization is the process of the identifying the encrypted data or information that was obscured resulting in making the process of data mining difficult. The process result to retrieve lost data helping in understanding the information mined in a better way.

Denial of Service (DOS) Attack – Refers to a method of cyber attacks wherein the objective is to deny the utilization of an online service via overloading the servers of the online service by overwhelming the server with traffic from various users, devices, instances etc. There are multiple ways in which such an attack could take place. It could involve completely crashing the system by exploiting some inherent bug or it could simply involve flooding it with so many requests, that the system either slows down drastically or comes to a complete halt.

DDOS Attack – It is an attempt to disrupt the movement of usual traffic on a specific server by flooding it with traffic. Unlike a simple, denial of service attack, a Distributed Denial of Service Attack makes use of multiple systems that have been compromised, as a means to flood the server with traffic. The main idea here is that each server can only handle a certain amount of requests at a time. By overcrowding it with requests from these systems, the server is rendered either completely incapable, or unusably slow for the genuine users, causing economic and reputational losses for the organization.

Data breach means unauthorized leak of data.   It refers to the process where a cybercriminal acquires access to privileged data through illegal means in order to use that data to make money.

Data centre: Data Center is a crucial unit of an organization or a company that stores, processes and transmits data across other departments or units of the organization or the company. It registers each and every information of the daily working of the organization. Data Centers are highly secured and crucial components of an organization.

Data Localisation: Data Localisation is the practice of processing and storing data of an individual in his/her home country before transmitting it to other countries for the desired purposes.

Data Masking: Data Masking is the process of the hiding sensitive and confidential information by insertion of some special characters so that the information cannot be misused by third parties. For e.g. transaction messages from Bank which replace some digits of the account number with the symbol ‘x’ (073xxxxxxxxxxx00212).

Data minimization: Data minimization is a principle enumerated in the General Data Protection Regulation (GDPR) which says that only relevant and necessary amount of data be collected for the purpose it is being collected.

Data Protection Authority: Data Protection Authority is an independent public authority that monitors and address any violation of the privacy or data protection laws. It looks into the complaints lodged against such violations.

Data Transfer– It refers to the transmission of information from one computer node to another via some communication channel.

Dictionary attack – A Dictionary attack is not very different from a brute force attack in terms of the rationale behind it’s working. Here the attacker might have a list of commonly used phrases, words and terms which are known to be used as passwords by various organisations. The advantage of such an attack is that the time taken would be much less than a simple brute force attack since you are not trying every possible combination of those characters. The disadvantage is that it would only work if the password is amongst the list or dictionary of passwords available with the attacker.


EHR Standards– Passed in 2016, EHR standards are governmental guidelines for collection, storage, retrieval and exchange of clinical information. Using a common standard ensures homogeneity and helps different systems communicate effectively with one another.

Encryption-Encryption is the process of converting a data into code which leads to masquerading the true nature of the data and the intricacies in the data. In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext.

End to End Encryption – It is mode of communication of data which intends to keep third parties out of the loop while transferring information between two parties. How it does this is by ensuring that the information is transmitted in a form in which a potential third party intending to swoop in would not be able to comprehend it. This is done through the use of keys on both sides of the communication, with the sender encrypting it with it’s key and the receiver decrypting it with it’s own key.  There is always the possibility that the encryption could be broken down but it would require an unrealistic amount of effort in terms of computing power to achieve the same.

EU-US privacy shield: The EU – US Privacy Shield was a legal framework which was set up to facilitate and regulate the transmission of data between European Union and the US for business purposes. It was set up in replacement to the International Safe Harbor Privacy Principles which had been struck down as invalid by the European Court of Justice in 2015. However, the EU – US Privacy Shield has also been declared invalid by the European Court of Justice in July 2020.

e-Vehicle– Refers to a vehicle that utilizes electric motors or traction motors for propulsion with the main source of fuel being electricity which may be either stored in a battery collected through solar panels or even converted from conventional fuel via electric motors. These vehicles are further divided into 3 subtypes namely: 

  1. BeV (Battery Electric Vehicles) – Refers to electric vehicles that are fully electric and store electricity through the usage of an onboard battery and require the battery to be recharged after depletion. 
  2. PHeV (Plug-in Hybrid Vehicles) – Refers to electric vehicles that can recharge their on-board batteries via a plug-in to an external power source or through the conversion of fuel into electricity via an onboard engine and generator
  3. HeV (Hybrid Electric Vehicles) – Refers to electric vehicles that have the same capabilities as PHeV vehicles without the added functionality of recharging their on board batteries via a plug-in to an external power source 


FISA courts – The FISA or Foreign Intelligence Surveillance Court was established by Congress in 1978 to oversee the government’s foreign intelligence surveillance. The Rules of Procedure govern all proceedings in the Foreign Intelligence Surveillance Court. The FISA Court issue surveillance orders at the request of the government. Today, the court hears about one to two thousands of individualized surveillance requests every year and it approves the overwhelming majority of them. Critics of the court say that the mission of the court has crept over time to authorize increasingly broad surveillance that increasingly sweeps in the communications of Americans all without any warrant.

FRT – Facial Recognition Technology-It is loosely defined as an algorithm that can match a particular face against a database of faces available. This term, heard frequently in mobile unlock software, online examinations, inter alia.  Its efficiency has been increased over the years and consequently, it is being used in a number of surveillance programs. This technology, however, like any other program has its bugs and it has been seen that it is inefficient in identifying people of color. The wrongful identification of people can lead to a number of problems including false convictions.   


GDPR– European Union General Data Protection Regulation. It lays down standards for privacy protection and imposes hefty fines and criminal sanctions. It has a larger scope than that of CCPA, in the sense that it covers not only business entities but also public institutions and not-for-profit organizations. People can request the organizations to give all the information that has been collected by them free of cost. And the organization is supposed to reply to them within a month.

Geo Fencing – Geofencing is a technology that uses virtual fences or perimeters around a physical location. Geofences detect when someone comes in or leaves the given region. When this happens, it is possible to trigger events and actions, such as sending a notification to the users’ mobile phone. It is used by service providers to limit their services in a pre-defined location or geographic area.


Hashing – Hashing is the process of using secure algorithms to encrypt data in the form of a hash, which is a seemingly random collection of characters. Unlike encryption, however a hash would not be reversible. That is to say that, it would not contain enough information for an attacker to reverse engineer it and get back to the original piece of data.

HIPPA– Health Insurance Portability and Accountability Act. It is a US legislation that lays down standards that have to be maintained to protect the data of patients. It lists out conditions in which the data collected electronically can be used which includes disclosure to the patient, for medical operations, or with prior permission of the person, etc. Over and above that, the covered entities (those that have the responsibility to ensure privacy of patient’s data) have been obligated to maintain levels of security standards and maintain integrity and confidentiality of their system. Violations of HIPPA rules can be reported to the NHS Office in US.

Howey Test– This test determines whether a cryptocurrency is an investment contract or not. It will be categorized as so if “a person invests her money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party”.

HTTPS – HTTPS (Hypertext Transfer Protocol Secure) is a communications protocol for secure communication over a computer network which is widely used on the Internet. HTTPS provides authentication of the website and associated web server with which one is communicating which protects against man-in-the-middle attacks. Additionally, it provides bi-directional encryption of communications between a client and server which protects against eavesdropping and tampering with or forging the contents of the communication. In practice this provides a reasonable guarantee that one is communicating with precisely the website that one intended to communicate with as opposed to an imposter as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.


Informational privacy-  Refers to the privacy of the data about a particular person. It is the right of a person to prevent it from breaches and have some control over it. The amount of data created every day makes it very vulnerable to breach, consequentially leading to privacy violations. 

Initial coin offering– An initial coin offering is a way of raising capital in the form of blockchain and cryptocurrency. An initial coin offering is closely related to how an initial public offering (IPO) works. In both these offerings the companies raise capital though while an ICO is an investment that enables the investor to get hold of a coin, it is also more commonly known as a coin or a token in return for investment, unlike in the situation of IPO where there is a issuance of securities.

Internet of Things – The Internet of Things (IoT) is a giant network with connected devices. These devices gather and share data about how they are used and the environment in which they are operated. Until recently access to the internet was limited via devices like the desktop tablet or smartphone but now with IoT practically all appliances can be connected to the internet and monitored remotely. IoT is a system of interrelated devices connected to the internet to transfer and receive data from one to the other. A smart home is the best example of IoT.


K.S. Puttaswamy Judgments – A 9 Judge Bench of the Supreme Court on 24th August, 2017 delivered a unanimous verdict in Justice K.S. Puttaswamy vs. Union of India, affirming that the Constitution of India guarantees to each individual a fundamental right to privacy. It is of wider significance because, by putting the right to privacy at the heart of constitutional debate in the world’s largest democracy, it is likely to provide assistance and inspiration for privacy campaigners around the world. The Court also declared that the right to privacy is not an absolute right. Justice Chandrachud observed that any invasion of privacy by state or non-state actor must satisfy the triple test, i.e., Legitimate Aim, Proportionality and Legality. On 26th September, 2018, the Supreme Court, in Justice K. S. Puttaswamy v Union of India, by a 4:1 majority upheld the Constitutional validity of the Aadhaar Act, while striking down certain provisions as unconstitutional. Justice Sikri observed that the Aadhaar Act doesn’t violate the right to privacy. He said that the standard of review to test privacy infringements by a law is the just, fair and reasonableness standard (three-fold Puttaswamy test) and not the strict scrutiny test; and the Aadhaar Act passes the three-fold test. The dissenting opinion was delivered by Justice D.Y. Chandrachud in the Aadhaar Case. He held the Aadhaar Act to be unconstitutional. He observed that the Aadhaar Act and the regulations are silent on the question of informed consent and do not provide for procedure through which individual can access their information.  In this regard, the proviso to Section 28(5) which bars the individual from accessing their own data should be invalid as it violates the fundamental principle of ownership of personal data.

Killer Acquisition– When a large company buys out a smaller, innovative start-up to nip the competition in the bud, it is called as a Killer Acquisition.


Location Tracking: Location tracking refers to act of surveillance of the physically location by tracing the movement of people or objects. Location tracking technology is in use every day with GPS navigation and locations markers on digital pictures. Usually, location tracking is often associated with smartphone use since smartphones have a GPS chip.


Machine learning – Machine learning is a subfield of artificial intelligence. It focuses on the design of system, that can learn from decisions. It can make decisions and predictions, based on experience which is data. Machine learning enables computer to act and make data-driven decisions rather than being explicitly programmed to carry out a certain task.

Man in the Middle attack – A Man in the middle attack is a very common form of cyber-attack wherein the attacker secretly enters the communication chain between two parties, who are under the presumption that they two are the only ones having access to the particular piece of information. In simple terms, for two communication points A and B, the attacker attempts to impersonate A end point for B and impersonates end point B for A.

Metadata– Metadata is very aptly referred to as “data about data”. There are various types of metadata that could include ways about collecting data, the type of data collected, etc. It refers to the descriptive details about data including origin, format, time, date, etc, and not the data itself. For example, meta data about phone conversation would include the duration of a phone call, the person contacted, etc, and not the conversation itself. 

MLAT: Mutual Legal Assistance Treaty (MLAT) is an agreement between two or more states that aims to streamline the process of exchanging and gathering information. These treaties are commonly used for gathering facts in a criminal investigation. 


NCRB: The National Crime Records Bureau (NCRB) is an intelligence agency of the Indian government. It collects and analyses crime data to assist Indian police with Information Technology and criminal intelligence

Node – The definition of node is bit context based and a blanket definition may not be ideal. In very simple terms it is essentially a point on the network which is capable of receiving, transmitting and creating information over the network

NSA: National Security Agency is an intelligence agency of the USA government that seeks to promote national security by collecting and processing information of foreign and domestic citizens.


Obfuscation – Obfuscation is the method of making something hard to comprehend. Code Obfuscation is the method of altering a file, program or code, so that it becomes unusable for a hacker, yet stays completely functional. Although, actual method instructions may be changed by obfuscation, it doesn’t change the program’s output.


PDP bill– The Personal Data Protection (PDP) bill is a legislative bill that seeks to extend the right of privacy of citizens. There are two versions of this bill. The 2018 version was framed by the B.N. Srikrishna Committee, while the 2019 version has been issued by the government. Both versions are largely inspired by the GDPR, but also deviate from it in many aspects.

PETs– Privacy-enhancing technologies (PETs) are a set of tools that seek to protect users’ privacy without harming the utility of data collected. The usual PETs include obfuscation, encryption, data masking, etc.

Phishing attack – Refers to a method of cyber attacks where the objective so the gather the data of an individual by posing as an entity or an organisation collecting information for a particular purpose prompting them to follow a link in order to collect data through misrepresentation. This method of attack can also be used to deliver payloads of malware, ransomware etc.

Polygraph test – Also popularly known as a lie detector test which requires the usage of a polygraph, a device which measures various psychological indicators such as heart rate/blood pressure, respirator and skin conductivity. During this test the subject is posed a number of  control questions to which the subject must answer truthfully, if in case there is a change in the psychological indicators from the normal there is an indication of nervousness, anxiousness which would indicate that the answer of the subject is not truthful. As per the decision in Selvi v. State of  Karnataka the polygraph test cannot be imposed on a person without his or her consent. The court also laid down various guidelines under which the consent to a polygraph test can be obtained.

PRISM  It’s a system used by NSA, in order to gain access to the user’s private communication of popular internet servers which includes various email and social networking sites. It allows the collection from the servers of Microsoft, Google, Facebook, Yahoo and other online companies directly.

Privacy– Defining privacy is a very difficult task. Assuming that a definition is possible, it includes so many different facets that deserve a detailed thesis of their own. But to make an attempt, privacy is the state that is free from the intrusion of community in the individual’s space. This idea is based on Emersonian individualism, which endorses the solitude of an individual. It is essential for an individual’s autonomy and a postulate for human dignity. Privacy can be further sub-divided into various types such as bodily privacy, informational privacy, decisional privacy, etc.

Privacy policies – A privacy policy is an agreement between the company and the user of the website about how the company will collect, use and process user information. It also should contain information about how you can opt out of providing your information, how you can delete your information or how you can remove consent from the company to prevent them from further having access to or processing your information.

Profiling: Data Profiling is the process of analysing an existing set of data for collecting essential information in form of summaries or accessing the quality of the data for further use.

Project Insight– This project uses big data available with the department and other government organizations like registrar of companies and other data available from IT returns, TDS/TCS statement and collates them in order to ensure that they are in conformity with each other. A 1000 crore rupees project of the income tax department of India which is built with the help of L&T Infotech. Another controversial aspect is that it will use the data available on social media sites like twitter and Instagram to monitor if the income revealed matches with the expenses.

Proof of Concept– Proof of concept is the exercising of verifying the feasibility and practical potential of certain method or idea.

Pseudonymization– Pseudonymization is a process of data management where the information in a particular database is changed into one or more identifier or pseudonyms therefore enhancing privacy by replacing the most vulnerable data records by artificial identifiers or as the name suggests pseudonyms.  To pseudonymize a data set, the additional information must be kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.

Purpose limitation principle – As per this principle data that is being collected for a particular purpose must solely be used for that purpose only. However, its nuances may be different depending upon the relevant jurisdiction. Under the GDPR, it means that personal data collected should be collected for an explicit purpose and should not be used for purposes other than what the data was collected for. 


Quantum computing– Normal computers rely on two signals, 0 and 1. Quantum computing rely on qubit (quantum bits) that can allow them to exist in more than one state. This branch of computing has been inspired from the peculiarities of quantum physics. They have been a cause of concern as they have the potential to disrupt present encryption systems that can compromise various information very critically. This potential exists because of the exponential speed at which they can operate far more than the usual computing. Most modern encryption is based on the fact that normal computing will take years to encrypt something. However, computing will be able to encrypt such data very simply.


Right to be Forgotten: The right to be forgotten is a civil right to request the removal of personal information from the Internet. This right emanates from an EU case called Google v. Spain, in which the claimant asked Google to remove links to an old newspaper article about his previous bankruptcy, as there was no legitimate reason for the outdated information to remain accessible online. The European Court of Justice accepted the claim and thus gave birth to the right to be forgotten.


Safe harbour: Safe Harbour is a provision of a statute, regulation or a contract which saves a person or entity from liability or reduces liability in case certain pre-decided conditions have been met. It can provide for a blanket or a partial protection from liability or penalty.

Sandbox– As the name suggests, it is a software testing environment that enables users to run programs or software or execute files without affecting the system on which they run. It is used by software developers to test new programming code and by cybersecurity professionals to test potentially malicious software. Sometimes a regulator also develops a sandbox, in which it relaxes some of the regulations and monitors the progress closely.

Schrems I: It is one of the landmark judgments in the domain of International privacy cases. This case arose from a complaint, by an Austrian privacy advocate named Max Schrems, against Facebook to Irish Data Protection Commissioner.  The complaint targeted the tech giant’s use of a data transfer tool known as Standard Contractual Clauses. Mr. Schrems challenged the transfer of E.U. citizen data was taking place between U.S. Facebook, which was located in Ireland. This case was heard by the Court of Justice of the European Union which led to the invalidation of the Safe Harbour arrangement which governed data transfer between the EU and the US.

Schrems II: The Court of Justice of the European Union is the Supreme Court of the European Union dealing with the case of European Union law. On 16th July, 2020, this court pronounced an important judgment in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, which is known popularly as Schrems II. In its judgment, the court declared the EU–US Privacy Shield as invalid on the ground that US surveillance programmes are invasive and personal data of individuals cannot be shared across with a certain level of protection as envisaged by the General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights (CFR). It invalided the agreement saying that the shield did not provide for an adequate amount of protection. It also directed the European Data Protection Authorities to stop transferring of data under standard contractual clauses to companies in US.

SHA-1 – The term stands for Secure Hashing Algorithm 1, which is a member of the Secure Hashing Algorithms family. As the name suggests, the main purpose of this algorithm is to create  unique hashes and was used as a part of several prominent security protocols and applications like the TLS and SSL. Initially it was believed to be secure to the point of being unbreakable, however later research has shown that it is not as secure and can indeed be tricked into creating the same hash for different files. Post 2010, most organizations have tried to move to better alternatives like the SHA – 2 and SHA – 3.

Social Engineering attack – A Social Engineering Attack is one which tries to obtain sensitive personal information about a person by deception, by often pretending to be someone else. It needs to be noted that of all kinds of cyber attacks a social engineering attack is one which probably requires the least amount of technology. The attacker first studies the prospective victim by gathering basic information about him/her a large part of which may be easily accessible. The attacker then keeps narrowing down and tries to obtain information about the victim’s place of work, residence etc. Once, he has obtained sufficient amount of information to be able to masquerade, he begins his attack, mostly through phone calls or similar means. The attacker tries to use any confidential information he/she would have gathered till now to build trust and get more access.  The biggest aspect of a social engineering attack is that it relies on human error which is often the most difficult to prevent. The information obtained via a social engineering attack may be used to support other modes of cyber attacks.

SQL injection – An SQL injection or Structured Query Language Injection attack, is a means to obtain certain confidential information from databases. By entering certain malicious SQL statements, the database could be made to provide information that it was not supposed to,  Apart from accessing confidential data, an insecure database could also make it vulnerable to unauthorised deletion and manipulation of data within/from the database.

STELLARWIND – Under the administration of George W Bush, there was the beginning of the collection of records in the year 2001. This wide ranging wireless surveillance program was codenamed as STELLARWIND. As per the insiders, the agency collected the metadata for all the communications taking place from the USA to any of the other nations. It was after a dramatic rebellion in March, 2004 that the program was withdrawn.

Storage Limitation: Storage limitation is a privacy principle as per which the data must be stored only till the time it is necessary for the purpose of collection.  EU data protection law does not set specific time limits for different types of data but requires that controllers and processors set limits based on the purposes of the processing. Setting limits to storage — with clear policies on retention periods and erasure — is not only a data protection principle but also a good data governance policy. It reduced risks of leakages and helps to ensure that the storage costs are kept to the minimum.

Symmetric key encryption – A cryptographic algorithm which uses the same key for encryption and decryption. So, both parties must have access to this key for the process to be completed. AES or Advanced Encryption System as it is popularly known is one type of symmetric key encryption. There are three different levels of protection offered – 128 bit, 192 bit and 256 bit, with the last one being the highest level of protection.


Venture Capitalists– Venture Capitalists are entities that raise money from financial institutions (called limited partners, or LPs in industry jargon) such as pension funds, high net‐worth individuals, etc. and invest the same in start-ups. The investment strategy is prepared by general partners (GPs), who manage the entity.

Virtue Signalling– Virtue Signalling refers to the act of publicly expressing one’s opinions (often on social media) with the intent to garner praise and demonstrate one’s good character or moral righteousness of one’s stand on a particular issue.


Warrant  – A Warrant is a judicial decree, which gives the officers the authority to inspect an individual, vehicle or location for proof of wrongdoing and seize whatever proof they identify. In Riley v. California, the Supreme Court held that the police after arresting someone generally cannot conduct a warrantless search of the person’s cellular phone. The Supreme Court held that the police must usually get permission from a judge (a warrant) before searching someone’s cellular phone. The Supreme Court in Carpenter v. United States ruled that the location data used to convict someone, which was accessed by law enforcement through the third-party provider, was subject to a warrant and a subpoena under the Stored Communications Act was not enough to access that data.

White Paper– White paper is an informational document that identifies a complex problem and suggests a solution to the same. Most of the new technologies and especially Initial Coin Offerings often need a detailed whitepaper to gain traction of the investors. 


XKEYSCORE – It is an analysis and search system developed by the National Security Agency for the data collected by the other programs of surveillance. It has also been termed as a “one stop shop” for real time tracking, monitoring the activities of users and accessing the metadata and content. In order to select particular kinds of content the system incorporates databases and user interfaces. Further, the data can be accessed using the system by the use of soft and strong selectors like keywords and emails respectively.

This glossary has been prepared by Avinash Topno, Harshit Goyal, Kartik Garg, Kirti Meena, Mayank Singh, Parikshit Bansal, Prakhar Pipraiya, Shantanu Mishra, Shubh Mittal, and Viswanath Biju Nair. We would also like to thank Ishit Patel for providing us the necessary support.