#Fact Check – Analysis of Viral Claims Regarding India's UNSC Permanent Membership

Introduction

Web applications are essential in various sectors, including online shopping, social networks, banking, and healthcare systems. However, they also pose numerous security threats, including Cross-Site Scripting (XSS), a client-side code injection vulnerability. XSS attacks exploit the trust relationship between users and websites, allowing them to change web content, steal private information, hijack sessions, and gain full control of user accounts without breaking into the core server. This vulnerability is part of the OWASP Top 10 Web Application Security Risks.

‍

What is Cross-Site Scripting (XSS)?

An XSS attack occurs when an attacker injects client-side scripts into web pages viewed by other users. When users visit the affected pages, their browsers naively execute the inserted scripts. The exploit takes advantage of web applications that allow users to submit content without properly sanitising inputs or encoding outputs. These scripts can cause a wide range of damage, including but not limited to stealing session cookies for session hijacking, redirecting users to malicious sites, logging keystrokes to capture credentials, and altering the DOM to display fake or phishing content.

‍

How Does XSS Work?

1. Injection: A malicious user submits code through a website input, like a comment or form.
2. Execution: The submitted code runs automatically in the browsers of other users who view the page.
3. Exploitation:The attacker can steal session information, capture credentials, redirect users, or modify the page content.

The fundamental cause behind the XSS vulnerabilities is the application of:

• Accepting trusted input from the users.  
• After users' input, web pages have the strings embedded without any sanitisation.  
• Not abiding by security policies like Content Security Policy (CSP).  

With such vulnerabilities, attackers can generate malicious payloads like:  <script>alert('XSS');</script>  

‍

This code might seem simple, but its execution provides the attacker with the possibility to do the following:  

• Copy session tokens through hidden HTTP requests.  
• From attacker-controlled domains, load attacker scripts.  
• Change the DOM structure to show fake login forms for phishing.

‍

Types of XSS Attacks: XSS (Cross-Site Scripting) attacks can occur in three main variations: 

1. Stored XSS: This type of attack occurs when an attacker injects an administered payload into the database or a message board. The script then runs whenever a user visits the affected board.
2. Reflected XSS: In this attack, the danger lies in a parameter of the URL. Its social engineering techniques are attacks, in which it requires tricking people to click on a specially designed link. For example:
3. DOM-Based XSS: This technique injects anything harmful without the need for server-side scripts, in contrast to other approaches. It targets JavaScript client-side scripts such as `document.write` and `innerHTML`. Without carrying out any safety checks, these scripts will alter the page's look (DOM stands for Document Object Model). If the hash is given a malicious string, it is run directly within the browser.

‍

What Makes XSS a Threat?  

‍

A Cross-Site Scripting attack is only a primary attack vector, and can lead to significant damage that includes the following: 

• Statement Hijacking. This uses scripts to steal cookies, which are then used to pose as authorized users.  
• Theft of Credentials. Users’ passwords and usernames are wrenched from keystroke trackers.  
• Phishing. Users are prompted with deceitful login forms that are used to capture sensitive details.  
• Website Vandalism. Modified website material lowers the esteem of the brand.  
• Monetary and Legal Consequences. There are compounding effects to GDPR and DPDP Act compliance in case of Data breaches, which incur penalties and fines.  ‍

‍

Incidents in the Real World  

In 2021, an XSS Stored attack occurred on a famous e-commerce platform eBay, through their product review system. The malicious JavaScript code was set to trigger every time an infected product page was accessed by customers. This caused a lot of problems, including account takeovers, unauthorised purchases, and damage to the company’s reputation. This example further worsens the fact that even reputed platforms can be targeted by XSS attacks.

‍‍

How to Prevent XSS?

Addressing XSS vulnerabilities demands attention to detail and coordinated efforts across functions, as illustrated in the steps below:

 Input Validation and Output Encoding:

• Ensure input validation is in place on the client and server.
• Perform output encoding relative to context: HTML: <, >, &.
• JavaScript: Escape quotes and slashes

Content Security Policy (CSP): CSP allows scripts to be executed only from the verified sources, which helps diminish the odds of harmful scripts running on your website. For example, the Header in the code could look to some degree like this: Content-Security-Policy: script-src 'self';

Unsafe APIs should be dodged: Avoid the use of document.write(), innerHTML, and eval(), and make sure to use:

• TextContent for inserting text.
• CreateElement() and other DOM creation methods for structured content.

Secure Cookies: Apply the HttpOnly and Secure cookie flags to block JavaScript access. 

Framework Protections: Use the protective features in frameworks such as:

• React, which escapes data embedded in JSX automatically.
• Angular, which uses context-aware sanitisation.

Periodic Security Assessment:

• Use DAST tools to test the security posture of an application.
• Perform thorough penetration testing and security-oriented code reviews.

‍

‍Best Practices for Developers: Assume a Secure Development Lifecycle (SDLC) integrating XSS stoppage at each point.

• Educate developers on OWASP secure coding guidelines.
• Automate scanning for vulnerabilities in CI/CD pipelines.

‍

‍Conclusion:

To reduce the potential danger of XSS, both developers and companies must be diligent in their safety initiatives, ranging from using Content Security Policies (CSP) to verifying user input. Web applications can shield consumers and the company from the subtle but long-lasting threat of Cross-Site Scripting if security controls are implemented during the web application development stage and regular vulnerability scans are conducted.

‍

References

• https://owasp.org/www-community/attacks/xss/
• https://www.paloaltonetworks.com/cyberpedia/xss-cross-site-scripting
• https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting
• https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

‍

‍

Introduction

The most significant change seen in the Indian cyber laws this year was the passing of the Digital Personal Data Protection Act, 2023, in the parliament. DPDP Act is the first concrete form of legislation focusing on the protection of Digital Personal Data of Indian netizens in all aspects; the act is analogous to what GDPR is for Europe. The act lays down heavy compliance mandates for the intermediaries and data fiduciaries, this has made it difficult for the tech companies a lot of policy, legal and technical changes have to be made in order to implement the act to its complete efficiency. Recently, the big techs have addressed a letter to the Minister and Minister of State of Meity to extend the implementation timeline of the act. In other news, the union cabinet has given the green light for the much-awaited MoC with Japan focused on establishing a long-term Semiconductor Supply Chain Partnership. 

Letter to Meity

The lobby of the big techs represented by a Trade Body named the Big Tech Asia Internet Coalition (AIC) this week wrote to the Ministry of Electronics and Information Technology (Meity), addressing it to the Minister Ashwini Vaishnav and Minister of State (MoS) Rajeev Chandershekhra recommending a 12-18 month extension on the implementation of the Digital Personal Data Protection Act. This request comes at a time when the government has been voicing its urgency to implement the act in order to safeguard Indian data at the earliest. The trade body represented big names, including Meta, Google, Microsoft, Apple and many more. These big techs essentially comprise the segment recognised under the DPDP as the Significant Data Fiduciaries due to the sheer volume of data processed, hosted, stored, etc. In the protective sense, the act has been designed to focus on preventing the exploitation of personal data of Indian netizens by the big techs, hence, they form an integral part of the Indian Data Ecosystem.  The following reasons/complications concerning the implementation of the act were highlighted in the letter:

• Unrealistic Timelines: The AIC expressed that the current timeline for the implementation of the act seems unrealistic for the big techs to establish technological, policy and legal mechanisms to be in compliance with section 5 of the act, which talks about the Obligations of a Data Fiduciary and the particular notice to be shared with the data principles in accordance with the act. 
• Technical Requirements: Members of AIC expressed that the duration for the implementation of the act is much less in comparison to the time required by the tech companies to set up/deploy relevant technical critical infrastructure, SoPs and capacity building for the same. This will cause a major hindrance in establishing the efficiency of the act.
• Data Rights:  Right to Erasure, Correction, Deletion, Nominate, etc., are guaranteed under the DPDP, but the big techs are not sure about the efficient implementation of these rights and hence will need fundamental changes in the technology architecture of their platform, thus expressing concern of the early implementation of the act. 
• Equivalency to GDPR: The DPDP is taken to be congruent to the European GDPR, but the DPDP focuses on a few more aspects, such as cross-border data flow and compliance mandates for the right to erasure, hence a lot of GDPR-compliant big techs also need to establish more robust mechanisms to maintain compliance to Indian DPDP.     

Indo-Japan MoC

A Memorandum of Cooperation (MoC) on the Japan-India Semiconductor Supply Chain Partnership was signed in July 2023 between the Ministry of Electronics and Information Technology (MeitY) of India and the Ministry of Economy, Trade and Industry (METI) of Japan. This information was shared with the Union Cabinet, which is led by Prime Minister Narendra Modi. The Ministry of Commerce (MoC) aims to expand collaboration between Japan and India in order to improve the semiconductor supply chain. This is because semiconductors are critical to the development of industries and digital technologies. The Parties agree that the MoC will take effect on the date of signature and be in effect for five years. Bilateral cooperation on business-to-business and G2G levels on ways to develop a robust semiconductor supply chain and make use of complementary skills. The cooperation is aimed at harnessing indigenous talent and creating opportunities for higher employment avenues. 

MeitY's purpose also includes promoting international cooperation within bilateral and regional frameworks in the frontier and emerging fields of information technology. MeitY has engaged in Memorandums of Understanding (MoUs), Memorandums of Covenants (MoCs), and Agreements with counterpart organisations/agencies of other nations with the aim of fostering bilateral collaboration and information sharing. Additionally, MeitY aims to establish supply chain resilience, which would enable India to become a reliable partner. An additional step towards mutually advantageous semiconductor-related commercial prospects and collaborations between India & Japan is the strengthening of mutual collaboration between Japanese and Indian enterprises through this Memorandum of Understanding. The “India-Japan Digital Partnership” (IJDP), which was introduced during PM Modi's October 2018 visit to Japan, was created in light of the two countries' complementary and synergistic efforts. Its goal is to advance both current areas of cooperation and new initiatives within the scope of S&T/ICT cooperation, with a particular emphasis on “Digital ICT Technologies."

Conclusion 

As we move ahead into the digital age, it is pertinent to be aware and educated about the latest technological advancements, new forms of cybercrimes and threats and legal aspects of digital rights and responsibilities, whether it is the recommendation to extend the implementation of DPDP or the Indo-Japan MoC, both of these instances impact the Indian netizen and his/her interests. Hence, the indigenous netizen needs to develop a keen interest in the protection of the Indian cyber-ecosystem to create a safer future. In our war against technology, our best weapon is technology and awareness, thus implementing the same in our daily digital lifestyles and routines is a must.  

References

• https://www.eetindia.co.in/cabinet-approves-moc-on-japan-india-semiconductor-supply-chain-partnership/
• https://www.moneycontrol.com/news/business/startup/trade-body-representing-big-tech-urges-govt-to-extend-dpdp-act-implementation-by-1-5-years-11605431.html
• https://www.google.com/url?rct=j&sa=t&url=https://www.eetindia.co.in/cabinet-approves-moc-on-japan-india-semiconductor-supply-chain-partnership/&ct=ga&cd=CAEYACoTOTI3Mzg4NzEyODgwMjI2ODk0MDIaOTBiYzUxNmI5YTRjYTE1NTpjb206ZW46VVM&usg=AOvVaw2lEO7-cIBZ_ox1xV39LGLs

‍

‍

India is the world's largest democracy, and conducting free and fair elections is a mammoth task shouldered by the Election Commission of India. But technology is transforming every aspect of the electoral process in the digital age, with Artificial Intelligence (AI) being integrated into campaigns, voter engagement, and election monitoring. In the upcoming Bihar elections of 2025, all eyes are on how the use of AI will influence the state polls and the precedent it will set for future elections.

Opportunities: Harnessing AI for Better Elections

‍

Breaking Language Barriers with AI: 

AI is reshaping political outreach by making speeches accessible in multiple languages. At the Kashi Tamil Sangamam in 2024, the PM’s Hindi address was AI-dubbed in Tamil in real time. Since then, several speeches have been rolled out in eight languages, ensuring inclusivity and connecting with voters beyond Hindi-speaking regions more effectively.

Monitoring and Transparency 

During Bihar’s Panchayat polls, the State Election Commission used Staqu’s JARVIS, an AI-powered system that connects with CCTV cameras to monitor EVM screens in real time. By reducing human error, JARVIS brought greater accuracy, speed, and trust to the counting process.

AI for Information Access on Public Service Delivery

NaMo AI is a multilingual chatbot that citizens can use to inquire about the details of public services. The feature aims to make government schemes easy to understand, transparent, and help voters connect directly with the policies of the government. 

Personalised Campaigning   

AI is transforming how campaigns connect with voters. By analysing demographics and social media activity, AI builds detailed voter profiles. This helps craft messages that feel personal, whether on WhatsApp, a robocall, or a social media post, ensuring each group hears what matters most to them. This aims to make political outreach sharper and more effective.

‍

Challenges: The Dark Side of AI in Elections

Deepfakes and Disinformation

AI-powered deepfakes create hyper-realistic videos and audio that are nearly impossible to distinguish from the real. In elections, they can distort public perception, damage reputations, or fuel disharmony on social media. There is a need for mandatory disclaimers stating when content is AI-generated, to ensure transparency and protect voters from manipulative misinformation.

Data Privacy and Behavioural Manipulation

Cambridge Analytica’s consulting services, provided by harvesting the data of millions of users from Facebook without their consent,  revealed how personal data can be weaponised in politics. This data was allegedly used to “microtarget” users through ads, which could influence their political opinions. Data mining of this nature can be supercharged through AI models, jeopardising user privacy, trust, safety, and casting a shadow on democratic processes worldwide. 

Algorithmic Bias

AI systems are trained on datasets.  If the datasets contain biases, AI-driven tools could unintentionally reinforce stereotypes or favor certain groups, leading to unfair outcomes in campaigning or voter engagement.

‍

The Road Ahead: Striking a Balance

The adoption of AI in elections opens a Pandora's box of uncertainties.  On the one hand, it offers solutions for breaking language barriers and promoting inclusivity. On the other hand, it opens the door to manipulation and privacy violations. 

To counter risks from deepfakes and synthetic content, political parties are now advised to clearly label AI-generated materials and add disclaimers in their campaign messaging. In Delhi, a nodal officer has even been appointed to monitor social media misuse, including the circulation of deepfake videos during elections. The Election Commission of India constantly has to keep up with trends and tactics used by political parties to ensure that elections remain free and fair.  

Conclusion

With Bihar’s pioneering experiments with JARVIS in Panchayat elections to give vote counting more accuracy and speed,  India is witnessing both sides of this technological revolution. The challenge lies in ensuring that AI strengthens democracy rather than undermining it. Deepfakes algorithms, bias, and data misuse remind us of the risk of when technology oversteps. The real challenge is to strike the right balance in embracing AI for elections to enhance inclusivity and transparency,  while safeguarding trust, privacy, and the integrity of democratic processes. 

References

• https://timesofindia.indiatimes.com/india/how-ai-is-rewriting-the-rules-of-election-campaign-in-india/articleshow/120848499.cms#
• https://m.economictimes.com/news/elections/lok-sabha/india/2024-polls-stand-out-for-use-of-ai-to-bridge-language-barriers/articleshow/108737700.cms
• https://www.ndtv.com/india-news/namo-ai-on-namo-app-a-unique-chatbot-that-will-answer-everything-on-pm-modi-govt-schemes-achievements-5426028 
• https://timesofindia.indiatimes.com/gadgets-news/staqu-deploys-jarvis-to-facilitate-automated-vote-counting-for-bihar-panchayat-polls/articleshow/87307475.cms 
• https://www.drishtiias.com/daily-updates/daily-news-editorials/deepfakes-in-elections-challenges-and-mitigation 
• https://internetpolicy.mit.edu/blog-2018-fb-cambridgeanalytica/ ‍
• https://www.deccanherald.com/elections/delhi/delhi-assembly-elections-2025-use-ai-transparently-eci-issues-guidelines-for-political-parties-3357978#