Feedback on DPDP Rules, by February 18th 2025: IT Ministry

The government has released the draft Digital Personal Data Protection Rules, 2025, aimed at strengthening data privacy. While the rules outline clear guidelines for consent, data retention, and breach notifications, they notably exclude penal provisions. The draft is open for public consultation until February 18, 2025, inviting feedback on its implementation and potential improvements.

On Friday, January 3, 2025, the Union government unveiled the draft Digital Personal Data Protection (DPDP) Rules, 2025, designed to implement the provisions of the Digital Personal Data Protection Act, 2023. Although the Act was enacted more than a year ago, the corresponding enforcement rules have been under development and are now open for public feedback.

The DPDP Act establishes a legal framework to regulate “data fiduciaries”—entities responsible for collecting personal data from “data principals” or individuals—and aims to safeguard this data from misuse while imposing penalties on organizations that breach data protection norms. The DPDP Rules, 2025, represent a significant milestone in building a secure, transparent, and user-focused digital environment.

The proposed rules outline the obligations of data fiduciaries when collecting user data. They require fiduciaries to inform users about the specific data being collected, the purpose of the collection, and provide a clear and detailed explanation enabling users (referred to as “Data Principals”) to give informed and explicit consent for the processing of their personal data.

The draft DPDP Rules are open for public feedback until February 18. According to the Ministry of Electronics and Information Technology (MeitY), submissions will be treated confidentially and will not be disclosed at any stage. Stakeholders can share their inputs through the MyGov portal, where the Ministry is accepting submissions.

Key Highlights:
1. The draft DPDP Rules propose the registration of “consent managers” who will assist data fiduciaries in obtaining user consent in a standardized format. The rules permit the government and its agencies to collect personal data for providing subsidies and benefits, subject to specified standards. Data collected for statistical purposes is exempt from certain restrictions.

2. The rules also mandate the deletion of user data if a service—such as an e-commerce platform, social media, or online gaming—is not used for an extended period, following a 48-hour notice to the user. Data fiduciaries must display the contact details of their data protection officer on their website.

3. The rules require that consent notices be written in clear, plain language and include essential details, such as a list of personal data being collected, to help users make informed decisions about data processing. Data fiduciaries must also provide a communication channel allowing users to withdraw consent or exercise their rights under the Act, such as requesting data erasure.

However, this requirement lacks specificity, as the rules do not require mapping each piece of personal data to its exact purpose. Instead, data must simply be listed separately, leaving room for improvement in clarity and accountability.

4. For Children’s Data, the rules mandate that data fiduciaries adopt appropriate technical and organizational measures to ensure verifiable parental consent before processing any personal data of minors. To achieve this, fiduciaries may rely on voluntarily provided details of identity and age, a virtual token linked to such details issued by authorized entities, or verified details available through services like Digital Locker.

5. The processing of Indian citizens’ data outside the country is subject to future requirements that the government may outline through subsequent orders, ensuring additional regulatory oversight.

6. Users must be notified if their personal data is compromised, ensuring greater transparency and accountability. Data fiduciaries are required to implement technical and operational safeguards to prevent data breaches, and must make detailed incident disclosures to the Data Protection Board of India (DPBI) within 72 hours of a breach.

7. The Rules establish specific data retention and erasure timelines for large e-commerce platforms, online gaming services, and social media intermediaries. The system must delete user data if the user hasn’t logged in for three years. While this is a significant move toward better data management, the reasoning behind limiting these requirements to these three categories remains unclear.

8. The rules clarify the processes for exercising rights under the Act, ensuring that both Consent Managers and Data Fiduciaries provide clear instructions on how users can exercise these rights on their websites or apps. This is a promising development in enhancing user control over their data. However, the requirement that Consent Managers must be Indian companies raises concerns about balancing accountability with fostering competition, potentially limiting options for users and companies.

In conclusion, the draft DPDP Rules, 2025, represent a significant step in strengthening data privacy and user rights in India. As the IT Ministry invites public feedback, stakeholders have a crucial opportunity to shape the final framework and ensure its effectiveness in safeguarding personal data.

ICANN Issues Breach Notice to .TOP Registry

In a recent development, ICANN has issued a Notice of Breach to the .TOP Registry Operator after URLAbuse highlighted multiple compliance failures. The breaches include neglecting abuse reports, not adhering to internet safety protocols, and failing to pay required fees. ICANN has mandated corrective actions to be completed by August 15, 2024. URLAbuse continues to play a crucial role in identifying and reporting internet abuses, ensuring a safer online environment.

URLAbuse successfully triggered action against the .TOP Registry Operator, prompting ICANN to issue a Notice of Breach on July 16, 2024. The notice outlines several compliance failures by the .TOP Registry Operator, including neglecting abuse reports and failing to follow essential internet safety protocols.

ICANN has set an August 15, 2024, deadline for the .TOP Registry Operator to implement corrective actions. These actions include creating a plan for Uniform Rapid Suspension (URS) compliance, updating their website with abuse contact information, confirming receipt of abuse reports, and enhancing DNS abuse mitigation efforts. If these requirements are not met, ICANN may initiate termination proceedings under the Registry Agreement.

The question remains: when will the .TOP Registry Operator take strict action, and why is such negligence occurring in a highly interconnected internet world where DNS is a fundamental root?

References:
  • https://www.icann.org/uploads/compliance_notice/attachment/1225/hedlund-to-wenxia-16jul24.pdf
  • https://news.urlabuse.com/ICANN-Issued-Breach-Notice-to-TOP-Registry-After-URLAbuse-Complaint

Geo-fencing: Location On Work

In the world of technology, tracking is no longer a strenuous task that requires meticulous effort. Geo-fencing is one of the technological blessings we work with. But what is geo-fencing, how has it developed, how does it work, how is it useful and where is it used? Let’s answer these questions one by one in this article.

GEO-FENCING

In the word Geo-fencing, the prefix “Geo” comes from a Greek word meaning “earth or land” and “fencing” means “drawing an imaginary border”. Thus, Geo-fencing is defined as setting up a fence, or virtual perimeter boundary, in order to know whenever an object enters the marked zone.

As the definition above explains, Geo-fencing is a location-based service (LBS). The app or other medium through which the service is used depends on GPS (Global Positioning System), Wi-Fi or cellular data, and RFID (Radio-Frequency Identification) to trigger a pre-programmed action whenever a device enters or exits the virtual boundary, or Geo-fence. The alert can be sent in whatever form the developer sets up: a text, a pop-up, a push notification, a tracking alert message, et cetera.

How Does Geo-fencing Work?

The developer sets up the virtual boundary using GPS or RFID services, or even an IP address in some cases, and then sets up a pre-planned alert system for any device that enters or exits the fencing zone. As soon as you enter the fence, you will be tracked by the developer if the fence is set up for tracking; you will get a push notification if it is set up for marketing or business deals; and you will get a message if it is set up for any other purpose, personal or professional. We can therefore say that Geo-fencing has made life easy for everyone except those who are in the adversary zone. The perimeter of a Geo-fence is not fixed: it can be changed, reduced or increased depending on the user and developer.

Example: If you are running a salon and you want the customers in closer proximity to your location to know about the venue, you can set up the fencing perimeter and send the alerts in whatever format you want to give. 
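The enter/exit trigger described above, as an added example that is not part of the original article: a circular fence checked with the haversine distance, emitting an event only when a device crosses the boundary. The fence centre, radius, device name and track points are constructed sample values.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class GeoFence:
    """A circular virtual boundary: centre point plus radius in metres."""

    def __init__(self, name, lat, lon, radius_m):
        self.name, self.lat, self.lon, self.radius_m = name, lat, lon, radius_m

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


def fence_events(fence, track):
    """Return ('enter' | 'exit', device, timestamp) for each boundary crossing.

    Only the inside/outside state per device is kept, not the raw
    coordinates, so the alerting logic stores no location history.
    """
    inside, events = {}, []
    for ts, device, lat, lon in track:
        now_inside = fence.contains(lat, lon)
        was_inside = inside.get(device, False)
        if now_inside and not was_inside:
            events.append(("enter", device, ts))
        elif was_inside and not now_inside:
            events.append(("exit", device, ts))
        inside[device] = now_inside
    return events


# Constructed sample data: a 300 m fence around a salon and one phone's track.
SALON = GeoFence("salon", 28.6139, 77.2090, 300)
TRACK = [
    (0, "phone-1", 28.6200, 77.2090),  # roughly 680 m north: outside
    (1, "phone-1", 28.6150, 77.2090),  # roughly 120 m north: inside -> enter
    (2, "phone-1", 28.6140, 77.2095),  # still inside: no event
    (3, "phone-1", 28.6139, 77.2150),  # roughly 590 m east: outside -> exit
]

if __name__ == "__main__":
    for event in fence_events(SALON, TRACK):
        print(event)
```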

Geo-fencing Application

In this era of digitization, Geo-fencing has become a crucial tool for every sector, whether public or private, whether in security or marketing, whether in IT or business firms. Once a geographic fence is set, the opportunities and uses are seemingly endless, and that’s one of the reasons it has become especially popular in marketing and social media.

Some of the common Geo-fencing Applications are as follows:

Security: Geo-fencing can be used to make your devices more secure. For example, you can set up your own Geo-fence for a specific area such as your home, to get push notifications whenever someone enters your home.

Social networking: As Geo-fencing developed, it came into use on one of the most popular platforms of the last decade, social media. Geo-fencing is what lets social media apps offer location status, location sharing, and location-based stories to other devices.

Human resources: Companies nowadays use Geo-fencing to fence on-field employees and workers and keep a record of them. Geo-fencing is also useful as a way to automate time cards and employee clocking, that is, keeping track of when employees go in and out of the premises.

Marketing: Geo-fencing is a popular way for business firms to promote themselves with an alert pop-up whenever you are within the fencing range of the company. One of the best uses of Geo-fencing is that it helps businesses target ads to a specific audience instead of a mass audience, working out the right set of strategies for the right set of people based on the user’s location data.

Telematics: Telematics is the process of merging telecommunications and informatics via any device. Geo-fencing plays a very useful role here as well by allowing companies to set virtual zones around sites, work premises and secure zones.

Smart appliances: Smart appliances have brought us into the smart world, and Geo-fencing is one of the smartest uses of these appliances. With their capabilities, it’s easier than ever to be reminded of household chores, office-related files, kids’ assignments and so on.

The use of Geo-fencing in handling Pandemic COVID19:

When the entire nation is struggling for survival from the pandemic coronavirus, people in technology are working to tackle this problem via the use of technology. Developers from different zones of the country have developed a geo-fencing-based app for COVID-19 to track the people who are on the fence about getting affected by the Coronavirus.

The Ministry of Electronics and Information Technology (MeitY), GOI, has developed an app called ‘AAROGYA SETU’ for citizens to know the risk of contracting COVID-19 through a Geo-fencing tracking service. The tracking is done via Bluetooth and location-generated social graphs, which can show your interaction with anyone who has tested positive. All you have to do after installation is switch on Bluetooth and location. Once these are switched on, you will be in the line of sight of the developers, and once you cross paths with a red zone area you will get an alert message based on that information. Thus, Geo-fencing is playing a crucial role in handling this pandemic.

Geo-fencing Future

In this world of data privacy, where everyone is concerned about their data getting stolen, Geo-fencing faces the same criticism about the possibility of a data breach. But as Nasscom chief R. Chandrasekhar said, ‘There is nothing called fully perfect security in IT’, thus we can’t play the data-breach game with Geo-fencing anymore. According to a press release from Markets and Markets (https://www.marketsandmarkets.com/), the Geo-fencing industry is expected to grow by over 27% by 2022, citing “technological advancements in the use of spatial data and increasing applications in numerous industry verticals.”

References:

https://en.wiktionary.org/wiki/Wiktionary

https://meity.gov.in

https://en.wikipedia.org/wiki/Geo-fence

HTTP V/S HTTPS

HTTP (HTTP://) – Hyper Text Transfer Protocol is a protocol designed for communication between a client (web browser) and a server (web server). It was proposed in 1989 as part of the World Wide Web. It operates on port 80 and transfers data in plain text. There were a few revisions of HTTP until HTTP/1.1 was released in 1996. Then, after many loopholes were found, came the major release of HTTP/2 in 2015. Later, HTTP/3 came out as the proposed successor to HTTP/2; it is already in use on the web and uses UDP instead of TCP as the underlying transport protocol.

Advantages of HTTP:-

  1. HTTP can be implemented with other networks as well as protocols.
  2. HTTP pages are stored on computers as internet caches.
  3. The platform of HTTP is independent, thus allowing cross-platform porting.
  4. It can be used over Firewalls.

Issues with HTTP:-

  1. HTTP is a stateless protocol, which means it does not require the HTTP server to retain information or status about each user across multiple requests. Each request is treated as new, irrespective of whether the same user has sent requests before.
  2. There is no privacy: the traffic is open to all, and anyone can see the content.
  3. There is no data integrity: since security and privacy are absent, anyone can alter the content.
  4. Anybody, whether a genuine user or not, can intercept the request and obtain the username and password.

HTTPS (HTTPS://) – Hyper Text Transfer Protocol Secure is an advanced and secured version of HTTP. It allows secured transfer with the help of SSL (Secure Sockets Layer). HTTPS is a combination of SSL/TLS with HTTP. It provides encrypted data and secured transfer with the help of key-based encryption algorithms, in which the key is generally 40 or 128 bits in strength. It operates on port 443 and transfers data in cipher (encrypted) format.

Advantages of HTTPS:-

  1. Sites running over HTTPS are redirected, which means that even if you type HTTP:// by mistake, you will be redirected to HTTPS over a secured connection.
  2. It is secured with SSL/TLS and provides full encryption of data.
  3. Each SSL certificate contains unique, authenticated information about the certificate owner.

Issues with HTTPS:-

  1. HTTPS cannot stop confidential information from being stolen from pages that are saved in the browser cache.
  2. SSL encrypts data only during transmission over a network, so SSL does not clear the text held in browser memory.

Difference between HTTP and HTTPS :-

| HTTP | HTTPS |
| --- | --- |
| Hyper Text Transfer Protocol | Hyper Text Transfer Protocol Secure |
| Less secure and encryption is absent. | Secure and encrypted with SSL/TLS. |
| Uses port 80. | Uses port 443. |
| Doesn’t scramble data before transmission, thus vulnerable to hackers. | Scrambles data before transmission, thus secure. |
| It operates on TCP/IP level protocol. | It operates on the same HTTP protocol but with SSL/TLS. |
| No SSL and data encryption. | SSL and data encryption are required. |
| Fast in processing. | Slow in processing in comparison to HTTP. |
| It operates on the Application layer. | It operates on the Transport layer. |
| It transports plain text information. | It transports cipher text information. |

SSL/TLS-Secure Connection

Whenever we browse the internet, we see that some site URLs show a padlock and some do not. The presence of the padlock symbolizes secure communication between the user and the server. Behind the padlock is a secure communication certificate, and communication using that certificate is called SSL (Secure Sockets Layer) certificate communication. SSL’s function is to build a secure chain of trust between the user and the server. The certificate is issued by a Certificate Authority (CA) such as Let’s Encrypt, Buypass, Comodo, GeoTrust et cetera, which builds the chain of trust by running certificate validation in a hierarchical manner.

Most modern web browsers flag sites without SSL/TLS as insecure or unsafe. Going forward, an SSL/TLS certificate may become a mandatory website hosting requirement. Hosting a website with an SSL/TLS certificate secures the data transferred between the website and its visitor by encrypting the communication. In addition, the SSL/TLS certificate helps to verify the identity of the site, thereby helping users to surf on a secure and encrypted connection. The SSL certificate contains website owner information, including the domain and sub-domain names, the validity period of the certificate, and the public key used for encryption.

TLS is the updated version of SSL; it evolved from SSL (Secure Sockets Layer), which was developed by Netscape Communications in 1994. SSL 1.0 was never used, but was followed by SSL 2.0 and 3.0. TLS 1.0 is based on SSL 3.0. TLS 1.3 is the latest version, published in 2018, and almost all CAs are using or moving to TLS 1.3. The presence of a secure connection, or TLS, can be seen through the presence of HTTPS in the URL; HTTPS is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites running web services. Hence, any website served over HTTPS is deploying TLS.

                       USER——–(SSL/TLS HANDSHAKE)——–CLIENT

SSL CERTIFICATE VALIDATION AT DIFFERENT LEVELS:

1)    DOMAIN VALIDATED CERTIFICATE: In this validation, only the domain name is validated, and the certificate is issued in that validated name only. That’s why it is the easiest validation in the SSL certificate validation game. It suits sites that want SSL in name only, such as blogs and small enterprises that do not deal in products or selling.

2)    ORGANISATION VALIDATED CERTIFICATE: In this validation, additional details, like the address of that particular server along with the domain name, are required for the validation check to pass. Thus, it is a bit more stringent than domain validation. Validating the additional details makes it more trustworthy on the user’s end.

3)    EXTENDED VALIDATION CERTIFICATE: This is the most costly, trustworthy and time-consuming validation. It is required by all large e-commerce sites, enterprises and businesses to raise the customer trust level.

TYPES OF SSL CERTIFICATES:

1)    Single Domain SSL: As the name suggests, the certificate is generated for a single domain name only, and no other name or sub-domain name will be able to use the certificate.

2)    Wildcard SSL certificate: The domain and all its sub-domains can use the certificate, which is known as Wildcard SSL. The sub-domain list can be seen by clicking on the padlock icon in the URL.

3)    Multidomain SSL certificate: Multiple distinct domains can use a single certificate issued in the name of all the distinct domains. The domains are neither sub-domains of a single domain nor multiple pages of a single domain.
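How the three certificate types translate into hostname coverage, as an added example that is not part of the original article. It applies the RFC 6125 wildcard rule that browsers follow: the "*" stands for exactly one leftmost label, so a wildcard certificate does not cover the bare domain or deeper sub-domains unless those names are listed too. The certificate name lists are constructed samples under example.com, example.net and example.org.

```python
def hostname_matches(pattern, hostname):
    """Match one certificate name against a hostname (RFC 6125 style).

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, never zero and never several.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covered(cert_names, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


# Constructed sample certificates: the names each one lists.
SINGLE_DOMAIN = ["www.example.com"]
WILDCARD = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
MULTI_DOMAIN = ["example.com", "example.net", "shop.example.org"]


def coverage_report(cert_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {host: covered(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "mail.example.com",
             "a.b.example.com", "example.net"]
    for label, names in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD),
                         ("wildcard+apex", WILDCARD_PLUS_APEX),
                         ("multi-domain", MULTI_DOMAIN)]:
        print(label, coverage_report(names, hosts))
```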

TLS/SSL HANDSHAKE:

(Image Source: https://www.geeksforgeeks.org/secure-socket-layer-ssl/)

Phase 1: This is the Establish Connection phase. The client sends a ‘Hello’ message with its TLS version, a list of cipher suites and the client’s random number, and the server replies with a ‘Hello’ message along with its SSL certificate, the cipher suite chosen and the server’s random number.

Phase 2: This is the pre-secret master key generation phase. The client sends one more random string, commonly called a ‘pre-secret master key’, which is encrypted with the public key taken from the server’s SSL certificate. The server decrypts this secret key with the private key of its certificate.

Phase 3: This is the session key generation phase. The client as well as the server generates the session key using the random numbers and the pre-secret master key. The session key generated at both ends will be the same.

Phase 4: Handshake ends. The session key is verified and authenticated at both ends; it must be the same, and only then is a secure connection established and the data moved in encrypted form. If the key differs for any reason, the connection won’t be established. Once the connection is established, both client and server send a ‘Finished’ message to each other, which is the green signal for encrypted data transfer to proceed.

This TLS/SSL handshake is valid up to TLS 1.2; in TLS 1.3 the handshake has been changed a little. In place of a 4-way handshake, it is now based on a 2-step handshake validation, completed in just one round trip. TLS 1.3 is more secure and takes less time than all the previous versions.
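Phases 3 and 4 worked through in code, as an added example that is not part of the original article. It uses the TLS 1.2 pseudo-random function from RFC 5246 (which calls the page's ‘pre-secret master key’ the pre-master secret) to derive the master secret, the session keys and the ‘Finished’ check value on both sides. The random values, the pre-master secret and the handshake transcript are constructed, and the RSA encryption of Phase 2 is modelled simply as the server recovering either the same bytes or different ones.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash expansion from RFC 5246 section 5, using HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master, client_random, server_random):
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_session_keys(master, client_random, server_random):
    """Key block for an AES-128-GCM suite: two 16-byte keys, two 4-byte IVs."""
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def finished_value(master, label, transcript):
    """12-byte verify_data carried in the 'Finished' message."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


# Constructed sample values (a real handshake uses fresh random bytes).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))   # version + 46 bytes
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"


def handshake(client_pre_master, server_pre_master):
    """Return (finished_ok, client_keys, server_keys) for one handshake."""
    c_master = derive_master_secret(client_pre_master, CLIENT_RANDOM, SERVER_RANDOM)
    s_master = derive_master_secret(server_pre_master, CLIENT_RANDOM, SERVER_RANDOM)
    sent = finished_value(c_master, b"client finished", TRANSCRIPT)
    expected = finished_value(s_master, b"client finished", TRANSCRIPT)
    ok = hmac.compare_digest(sent, expected)        # Phase 4 check
    return (ok,
            derive_session_keys(c_master, CLIENT_RANDOM, SERVER_RANDOM),
            derive_session_keys(s_master, CLIENT_RANDOM, SERVER_RANDOM))


if __name__ == "__main__":
    ok, c_keys, s_keys = handshake(PRE_MASTER, PRE_MASTER)
    print("same secret  -> finished ok:", ok, "keys equal:", c_keys == s_keys)
    wrong = PRE_MASTER[:-1] + b"\x00"
    ok, c_keys, s_keys = handshake(PRE_MASTER, wrong)
    print("wrong secret -> finished ok:", ok, "keys equal:", c_keys == s_keys)
```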

UPGRADE IN TLSV1.3:

(Image Source: https://timtaubert.de/images/tls-hs-static-rsa.png)

Phase 1: Establish Connection. As in TLS 1.2 Phase 1, TLS 1.3 also commences the handshake with the “Hello” message, with the addition of a list of supported cipher suites and a guess of which key agreement protocol will be chosen by the server, along with the client’s chosen key agreement protocol.

Phase 2: Validation Completion. The server replies with a “Hello” message with the key agreement protocol that it has chosen, key share, certificate and ‘Finished’ message.

The Server “Finished” message, which was sent in the 6th step in the TLS1.2 handshake, is sent in the second step in TLS1.3. Thus, completing the round trip in just 2 steps.

Phase 3: Finished Message. In the last step, the client validates the server certificate and generates a key share using the key of the server. Once all the checks are done, the client sends a “Finished” message. Now, the data encryption begins.

Cipher Suite: A complete set of cryptographic algorithms required to secure a network connection through SSL/TLS. Each task in the set has its own specific algorithm. SSL/TLS performs the handshake to build the secure connection, and during the handshake the client and the web server use the following cipher suite components:

  • A key exchange algorithm, which determines how symmetric keys will be exchanged in the handshake. Example: RSA (Rivest-Shamir-Adleman).

  • An authentication algorithm, whose function is to determine how authentication at both ends, client as well as server, will be implemented and completed. Example: DSA (Digital Signature Algorithm).

  • An encryption cipher, to encrypt the data. Example: AES (Advanced Encryption Standard).

  • A message algorithm, whose function is to determine how the data integrity checks will be carried out. Example: SHA (Secure Hash Algorithm).
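The four components above can be read straight out of a cipher suite's standard name. The following added example (not part of the original article) splits IANA-style suite names into key exchange, authentication, encryption cipher and hash, and notes two cases the list does not cover: TLS 1.3 names carry no key exchange or authentication part, and in AEAD suites (GCM, CCM, ChaCha20-Poly1305) the trailing hash is used for key derivation because the cipher provides integrity itself. The suite names are real registry names; the function and field names are hypothetical.

```python
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")
FORWARD_SECRET_KX = ("DHE", "ECDHE")


def parse_cipher_suite(name):
    """Split a 'TLS_..._WITH_...' or TLS 1.3 suite name into its components."""
    parts = name.split("_")
    if parts[0] != "TLS":
        raise ValueError("not a TLS cipher suite name: " + name)
    if "WITH" in parts:
        split = parts.index("WITH")
        kx_auth, rest = parts[1:split], parts[split + 1:]
        key_exchange = kx_auth[0]
        # 'TLS_RSA_WITH_...' uses RSA for both key exchange and authentication.
        authentication = kx_auth[1] if len(kx_auth) > 1 else kx_auth[0]
    else:
        # TLS 1.3: key exchange and signature are negotiated separately.
        key_exchange = authentication = None
        rest = parts[1:]
    cipher, digest = "_".join(rest[:-1]), rest[-1]
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    return {
        "key_exchange": key_exchange,
        "authentication": authentication,
        "cipher": cipher,
        "hash": digest,
        # With AEAD the cipher itself protects integrity; the hash feeds the
        # key-derivation function instead of a per-record MAC.
        "hash_role": "key derivation" if aead else "record MAC",
        # TLS 1.3 always uses ephemeral (EC)DHE key agreement.
        "forward_secrecy": key_exchange is None or key_exchange in FORWARD_SECRET_KX,
    }


SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, parse_cipher_suite(suite))
```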

It’s not ‘Fishing’, it’s “Phishing”!

In today’s digital world, the trending threat isn’t “fishing”—it’s “phishing,” where fraudsters bait victims with deceptive emails to steal sensitive data.

There was a time when fishing was in trend, but this is the new digital world of new India, and here the trending hashtag nowadays is not fishing, it is phishing. Yes, you read that right: these two words are homophones, yet they are very different. The only similarity between the two is the act of catching: the fish in the former, and the customer, for fraud, in the latter.

WHAT IS PHISHING?

Phishing is a new type of cyber-attack, often called a social engineering attack, commonly used to steal users’ data, like login credentials and credit card numbers. It occurs when an attacker pretends to be an entity the customer trusts and dupes a victim into opening an email, instant message, or text message which looks valid but in reality contains fraudulent data. Once the recipient is tricked into clicking a malicious link, the consequences follow: installation of malware, freezing of the system as part of a ransomware attack, revealing of sensitive information, etc.

TECHNIQUES OF PHISHING

1) Spear Phishing:-

In this, the fraudster targets a specific person, enterprise, or some high-authority individual or company, as opposed to random application users. It’s a more in-depth version of phishing, as it requires special knowledge about that particular organization, including its power structure and also confidential matters.

An attack might play out as follows:

A.      The fraudster does research, finds the names of employees within an organization’s marketing department, and gains access to the latest project invoices in order to look genuine.

B.      Acting as the marketing director, the attacker emails a departmental project manager using a genuine-looking subject line. The text, style, and included logo duplicate the organization’s standard email template, so the email follows the same pattern as a real one and cannot be recognized as fake at first glance.

C.      The link in the fraudulent email redirects you to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice, meant to mislead you.

D.      The person is then requested to log in to view the document. The attacker steals the credentials and gains full access to sensitive areas within the organization’s network, completing the spear-phishing attack.

2) E-mail Phishing

This kind of phishing is a numbers game. An attacker sends out thousands of fraudulent messages and can net significant information and sums of money, even if only a small percentage of recipients fall for the scam.

Just as in spear phishing, the attackers again try to create spoofed emails or texts to defraud you. In addition, attackers will usually try to push users into action by creating a sense of urgency and convincing the victim that the message is genuine.

The worst part is that the links inside the messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains, like https://www.bajajfinservmarkets.in/ and http://www.bajajfinservemarket.in/.

The similarity between these two addresses gives the impression of a secure link, making the recipient less aware that an attack is taking place, and with the next click it happens.
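A check a mail filter or awareness tool could apply to the two addresses above, as an added example that is not part of the original article. It compares a link's host with a list of known-good domains using edit distance and flags near-misses, known names used as a prefix of a different domain, and plain HTTP. It assumes the first address in the pair is the legitimate one; the third URL is a constructed sample under the reserved .example name.

```python
from urllib.parse import urlsplit


def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def link_host(url):
    """Lower-cased host of a URL with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def assess_link(url, known_good, max_distance=2):
    """Return a list of findings for one link; an empty list means no flags."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("not-https")
    host = link_host(url)
    for good in sorted(known_good):
        if host == good or host.endswith("." + good):
            continue                        # the real domain or its sub-domain
        if host.startswith(good + "."):
            # Known name used as extra sub-domains of some other domain.
            findings.append("brand-as-subdomain:" + good)
        elif levenshtein(host, good) <= max_distance:
            # Misspelled domain within a couple of edits of the real one.
            findings.append("lookalike-of:" + good)
    return findings


# Assumption: the first address from the text is the legitimate domain.
KNOWN_GOOD = {"bajajfinservmarkets.in"}

SAMPLE_LINKS = [
    "https://www.bajajfinservmarkets.in/",           # from the text
    "http://www.bajajfinservemarket.in/",            # from the text
    "https://bajajfinservmarkets.in.login.example/"  # constructed sample
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", assess_link(link, KNOWN_GOOD) or "no flags")
```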

HOW TO PROTECT YOURSELF FROM THIS SOCIAL ENGINEERING ATTACK!

Phishing attack protection requires steps to be taken by both users and enterprises.

For users, vigilance and awareness are the key. A spoofed message often contains mistakes that expose its true identity, and these are easy to catch if you read it patiently and attentively. They can include spelling mistakes or changes to domain names, as seen in the earlier URL example of email phishing. For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

  • Two-factor authentication (2FA) is the most effective method for protecting against phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones with their confidential information.
  • In addition to using 2FA, organizations or individuals should enforce strict password management policies. For example, employees should be required to change their passwords frequently, should not be allowed to reuse a password for multiple applications, and should use different, hard-to-guess passwords to log in.
  • Educational and awareness campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links and getting authenticated information from the genuine service provider, etc.

ICANN78: A Fellow Journey!

My journey as an ICANN fellow began just a few months back when I received that all-important email from our fellowship program manager, letting me know that I had been selected. But, here’s the twist – I didn’t actually check that email until the following day. I guess I was caught up in the busyness of life and didn’t realize what a significant moment it was.

Yes, before proceeding further, for those who don’t know what ICANN is: the Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit, American-based organization that operates as a multi-stakeholder group. It is tasked with overseeing the management and protocols governing various databases associated with the naming and numbering systems on the Internet. Its primary mission is to guarantee the stable and secure functioning of the global network.

Returning to my account of this journey, once I had confirmed my participation, our fellowship manager quickly became my primary point of contact. This was particularly valuable for newcomers like me. They played a vital role in helping us navigate the intricacies of the ICANN Fellowship program, serving as a friendly and knowledgeable guide to steer us through this thrilling opportunity.

But that wasn’t the end of the adventure. Getting a Schengen visa, which allows you to travel within certain European countries, turned out to be a journey in itself. It involved a whirlwind of activities – gathering documents, going through verifications, handling passports, and taking care of all those visa-related requirements. 

And let me tell you, it was no walk in the park. My first attempt at getting the visa didn’t go as planned. It was rejected, and the reason they gave was a bit perplexing – they said the “source of sustenance” was missing. I couldn’t help but wonder why the German government had turned down my application. After all, I was just going to be in their country for the duration of the fellowship, and I had everything I needed to support myself during that time.

So, my journey as an ICANN fellow has had its fair share of unexpected twists and turns. It’s been a lesson in patience, perseverance, and the importance of having a supportive fellowship manager to guide the way. And as I embark on this incredible opportunity, I can’t help but look forward to the adventures and discoveries that lie ahead. Who knows what other surprises were in store??

As a strong believer in God, I experienced a week filled with ups and downs. It was a week of rejection and acceptance and a pivotal moment that led me to discover an incredible opportunity. I had just been rejected, but in the same week, I was introduced to my mentor for a prestigious fellowship. Our very first Zoom meeting took place on that same day, and I decided to share my concerns with my mentor. To my amazement, he not only provided me with a solution but also offered guidance on how to ensure a successful second attempt. Miraculously, my visa application was approved.

Our mentor had a profound message for us: “ICANN is an ocean of opportunities. Your journey may not be easy, but the challenges you face will ultimately lead you to fruitful destinations.” This resonated deeply with me. Alongside seven fellow mentees, I embarked on a journey into the world of ICANN (Internet Corporation for Assigned Names and Numbers) and found myself in the At-Large Advisory Committee (ALAC). Our mentor continued to guide us throughout this incredible journey.

During our mentorship, we had the privilege of e-meeting individuals who had dedicated a significant portion of their lives to ICANN, with 10 or even 20+ years of experience. It was an inspiring experience that emphasized the depth and vastness of the ICANN community. As October arrived, we entered into the month of our fellowship. The first week was dedicated to “Prep-week,” where we were introduced to various community stakeholders in face-to-face e-meetings. These meetings provided us with a comprehensive overview of the different communities and their functions within ICANN. Living in India, I faced the challenge of dealing with a significant time difference. After long days at the office, I would rush back home, grab a quick meal, and then dive into the prep-week activities. It required not only physical presence but also a sharp and focused mind. This was an opportunity that I could not afford to take for granted.

The last day of our prep-week was a remarkable one, as all the fellows, accompanied by our fellowship manager, had the opportunity to connect with a multitude of individuals representing diverse corners of the globe. It was a truly enlightening experience that greatly broadened our comprehension of the global ICANN community.

Then came the long-awaited D-day, October 21, 2023, at Hamburg’s CCH. We were all dressed up and heading to the venue for our very first day of the event. The initial two days were nothing short of overwhelming. We found ourselves amidst a sea of acronyms, and quite honestly, even now, it can be a bit bewildering to make choices about which sessions to attend. Sometimes it feels like trying to remember all those acronyms would put our neurons under too much stress.

However, the turning point arrived on day three. It was a day of warm welcome by the Government of Germany. The experience was simply enchanting as we walked into a hall filled with vibrant colors and the smiles of attendees, both new and seasoned, with eyes filled with the sparkle of dreams. It was a momentous experience that will be cherished for a lifetime. Over the next two days, we engaged in sessions, interactive parties, DNS Women gatherings, and much more. One of the most exceptional aspects of ICANN is the incredible networking opportunities it offers. No matter how introverted a person may be, spending time here for these six days will likely turn them into an extrovert. It’s not so much about you stepping out of your introverted shell; it’s the supportive and inclusive environment at ICANN that makes you feel so comfortable that engaging with people becomes a delightful experience, rather than something to be hesitant about.

You build friendships, find constant companionship, and gain knowledge. ICANN embraces the ethos of working diligently and celebrating heartily. I encountered a multitude of individuals during my time there, too numerous to mention here in one blog post. However, one principle remains paramount: trust the process of networking, immerse yourself in social interactions, and embrace the learning opportunities. As my journey within ICANN unfolds, I am brimming with excitement to discover where this path will ultimately take me. The trials and prospects on the horizon serve as a testament to the adage that what initially appears to be a challenging journey often leads to the most gratifying destinations.

For those individuals who are considering becoming a part of ICANN, you can explore the following URL: https://www.icann.org/fellowshipprogram. This website provides a concise and informative overview of the fellowship. As for others, you are welcome to reach out to me through this LinkedIn link: https://www.linkedin.com/in/barkha-manral/

Never think that you are done with the fellowship and that it is the end. No, instead it is the beginning, because ‘ONCE A FELLOW, ALWAYS A FELLOW’.