Tuesday, December 8, 2015

Foreign Telecom Companies May Face Opposition And Lesser Market Share In India

The heat is growing against foreign telecom equipments makers. Those on the list include the Chinese companies like Huawei and ZTE that are increasingly seen as a potential national security and cyber security threat to India and other jurisdictions. Recently, the Indian Electrical and Electronic Manufacturers’ Association (IEEMA) suggested that Indian government should consider banning imports of equipment related to power generation and telecom from China. This has come after the intelligence agencies of India expressed similar opinion.

Similarly, the increasing targeting of foreign nationals by intelligence agencies like National Security Agency (NSA) of U.S. and Government Communications Headquarters (GCHQ) of United Kingdom has also badly shaken the trust upon telecom companies operating from these jurisdictions.

For instance, Cisco, IBM, Microsoft and Hewlett-Packard have reported declines in business in China since the NSA surveillance program was exposed. Similar treatment is expected in India as India has already justified its Preferential Market Access (PMA) Policy for domestic telecom equipments manufacturers. India is also considering formulating norms for import and testing of telecom equipments in India. The security agencies of India have even suggested use of indigenously made cyber security softwares.

Recently the Telecom Merger and Acquisitions (M&A) Guidelines 2014 of India were announced by Indian government. The FDI policy for telecom sector of India 2014 (PDF) has also been revised to espouse greater interest of foreign telecom stakeholders. However, various telecom policies of India are subject to clear cut exception of national and cyber security compliances on the part of foreign and domestic telecom companies. In the present circumstances, companies like Huawei, ZTE, Cisco, IBM, Microsoft, Hewlett-Packard, etc would be required to ensure techno legal telecom due diligence compliances in India before their offers and proposals are accepted in India.

To control the damage these companies have started exploring mechanisms to inculcate trust among users and governments of foreign nations. Some of them have even embraced the idea of developing surveillance free products to keep praying eyes and ears at minimum.  These include use of sophisticated encryption technology and development of self destruction products in case of possible breach of security. However, encryption laws of India and cloud computing legal risks in India are still not considered by these foreign companies.

We at Perry4Law believe that all Subsidiary/Joint Ventures of Foreign Companies in India, especially those dealing in Information Technology and Online Environment, must mandatorily establish a server in India. Otherwise, such Companies and their Websites should not be allowed to operate in India. The Ministry of Home Affairs, India and Intelligence Bureau (IB) are already exploring this possibility.

A “Stringent Liability” for such Indian Subsidiaries dealing in Information Technology and Online Environment must be established by Laws of India. More stringent online advertisement, e-commerce, telecom security and cyber security provisions must be formulated for such Indian Subsidiary Companies and their Websites.

Saturday, November 21, 2015

Indian Department Of Telecommunications Would Investigate Govt Snooping Allegations By Vodafone

It is no more a secret that Governments across the world are indulging in e-surveillance and eavesdropping using technology and telecom infrastructures. India is no exception to this practice. Rather India is one of the most endemic e-surveillance nations in the world. The draconian laws like Telegraph Law and Indian Cyber Law are helping Indian government and intelligence agencies to indulge in unreasonable and unfettered e-surveillance at anytime and at any place. There is also an urgent need to bring intelligence agencies reforms in India as the intelligence infrastructure of India is in big mess.

Recently, the telecom giant Vodafone revealed existence of secret wires to facilitate e-surveillance by various Governments. It has been reported that even India has been using this service to indulge in e-surveillance. We have no constitutionally sound e-surveillance laws in India (PDF) as on date. Even e-surveillance policy of India is missing and there is a complete chaos in this regard. We have no telecom security policy of India as well that can prevent unauthorised e-surveillance and security threats against telecom infrastructure of India.

India has become notoriously infamous for her e-surveillance exercises and India cannot afford to maintain this negative image any further. This is the reason why Narendra Modi Government may be analysing the e-surveillance projects like The Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India.

In line of this approach, the Communications and Information Technology Minister Ravi Shankar Prasad on Tuesday said the Department of Telecommunications (DoT) would look into allegations made by Vodafone regarding use of secret wires by India along with other countries.

The Congress led Government was well known for its “Anti Constitutional and Pro Surveillance” approach. Only time would tell whether Narendra Modi led Government would continue this approach or bring order in the chaos created by the Congress led Government.

Whatever the case may be, we need to ensure Civil Liberty Protection in Cyberspace for Indian Citizens “At All Costs and By All Means”. The digital life of Indian citizens is not at all safe and is open to various forms of e-surveillance and eavesdropping. In the absence of support form Indian Government, Self Defence is the only viable option left before Indian Citizens to safeguard their digital lives. The initiatives titled PRISM Break and Reset the Net are worth exploring in this regard as a “Starting Point”.

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security Grounds

Recently the National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was released by Department of Electronics and Information Technology (DeitY). However the same was not made part and parcel of the National Security Policy of India. Further, the cyber security policy of India itself was insufficient and weak on many counts including lack of privacy safeguards. The cyber security policy is also not at all framed to cover the telecom security aspects as well.

India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. It would also be interesting to see what types of telecom security policies would be implemented for border regions of India. Telecom security in India is not in a good shape and Indian telecom infrastructures are vulnerable to numerous cyber attacks. Recently it was reported that Huawei was accused of breaching national security of India by hacking base station controller in AP.

We have no implementable cyber attacks crisis management plan of India. The critical ICT infrastructure of India (PDF) is in a poor shape.  The cyber security trends of India 2013 (PDF) proved that India has still to cover a long field before cyber security can be effectively implemented in India. Thus, telecom infrastructures and equipments located at borders of India would be more vulnerable to cyber attacks than general telecom infrastructures of India.

The Telecom Commission may clear an Rs 7,103-crore rollout of Greenfield 2G networks in regions close to the Chinese and Bangladesh borders. These regions are presently outside the mobile loop. There are 8621 villages in locations of strategic importance across the northeast that are proposed to be brought under the cellular loop for the first time to bolster mobile-based surveillance on national security grounds.

Universal Services Obligation Fund (USOF), which will fund the project, will shortly invite bids from telcos for rolling out nearly 6,700 base stations in these regions. The USOF is the Department of Telecommunication’s (DOT) rural network infrastructure financing arm.

But it remains to be seen whether USOF will tweak tender norms to ensure any future cost escalations triggered by India’s spectrum reframing policy are shouldered by telecom operators. It would also be relevant to observe how the telecom security and cyber security aspects would be managed by Indian government in the near future.

Vodafone Confirms Existence Of Secret Wires For Government E-Surveillance And Eavesdropping Worldwide

From time to time media has reported that intelligence agencies around the world are using backdoor access to computers, servers and telecom infrastructures. Special equipments and arrangements have been made to grant intelligence agencies direct access to various infrastructures so that they can indulge in e-surveillance at will.

The Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India are the Indian versions of this practice. This is possible as we have no dedicated privacy laws in India. There is also no need to get a court order or warrant to tap telephone in India as it is purely an “executive act”. This result in illegal phone tapping and e-surveillance activities at mass scale in India that cannot be reported or ascertained due to limitations placed under various Indian laws.

We need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc and come up with better laws so they remain Constitutional. These laws have become an instrumentality to violate Civil Liberties in Cyberspace of Indian Citizens by both our politicians and intelligence agencies of India. Further, there is an urgent need to maintain a “balance” between law enforcement requirements and civil liberties protection in India.

In United States (U.S.), James Clapper had confirmed that NSA has been targeting foreign citizens for surveillance. Radio waves and Malware have also been used by NSA for world wide e-surveillance. Malware like FinFisher are increasingly being used for global electronic spying, e-surveillance and eavesdropping. Further, GCHQ and NSA have intercepted and stored webcam images of millions of innocent Internet users.

While the White House has limited options in this regard yet courts in different States of U.S. have shown their sensitivity towards e-surveillance and privacy violation issues. In fact, U.S. government has been seeking an order from FISA court for extended storage of telephone metadata and call records.

Although this practice of intelligence agencies of various nations was well known yet no company or individual came forward for long to expose the same. Edward Snowden came forward with the largest disclosures about illegal e-surveillance by intelligence agencies around the world. Now Vodafone has made some disclosures about the dark side of e-surveillance by intelligence agencies.

Vodafone, one of the world’s largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond. The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people. The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a “nightmare scenario” that confirmed their worst fears on the extent of snooping.

Direct-access systems do not require warrants, and companies have no information about the identity or the number of customers targeted. Mass surveillance can happen on any telecoms network without agencies having to justify their intrusion to the companies involved. Industry sources say that in some cases, the direct-access wire, or pipe, is essentially equipment in a locked room in a network’s central data centre or in one of its local exchanges or “switches”. Government agencies can also intercept traffic on its way into a data centre, combing through conversations before routing them on to the operator.

Vodafone’s group privacy officer, Stephen Deadman, said: “These pipes exist, the direct access model exists. “We are making a call to end direct access as a means of government agencies obtaining people’s communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used”.

Friday, November 20, 2015

CBSE Asks Schools To Tackle Sexual Abuses And Strictly Implement POCSO Act 2012

Recently the Central Board of Secondary Education (CBSE) issued CBSE Guidelines for Prevention of Bullying and Ragging in Schools 9th March 2015, Reg: (D.O. No. 12-19/2012-RMSA-I) (PDF). As per the guidelines, CBSE has directed all its affiliated schools to form an anti-bullying committee. Now it has been reported that CBSE has asked all affiliated schools to tackle sexual abuse instances in schools and ensure strict compliance of the Protection of Children from Sexual Offences Act (POCSO) 2012 (PDF).

Sexual incidences create a lifelong mental trauma for the victim of the same. Many times the victim is not being able to communicate effectively about the offence and this result in a continued exploitation and mental agony for the victim. To make this daunting task easier, from now onwards, teachers, management and all employees of CBSE affiliated institutions will be made aware of the provisions of the POCSO Act 2012.

As per the Act instances of child abuse would need to be promptly reported as the central board is aiming for an improved response system and an alert machinery to take immediate action on reported cases of misbehaviour with students. A circular in this regard has been issued to school managements.

School complaints committee consisting of principal/vice-principal, a male teacher, a lady teacher, one boy and girl from students and a non-teaching staff member, will be set up to serve as complaints redressal body.

Aadhaar Not Compulsory For Government Services Supreme Court

Aadhaar is the most controversial project of India as it violates human rights and civil liberties in cyberspace. In fact, if you speak against Aadhaar project at social media platforms like Twitter, your tweets would be censored with impunity. Since its inception, Aadhaar project is a heavily censored subject in India. At the time of writing this post, Twitter is still censoring dissenting tweets regarding Aadhaar.

The dissenting tweets regarding Digital India are also censored by Twitter in real time and almost all of them are censored to give a positive image of Digital India project. We have written an article titled “Digital India and Aadhaar Related Critical Policy Suggestions and Views of Praveen Dalal” where all the censored dissenting tweets about Aadhaar and Digital India projects have been catalogued for ready reference.

Aadhaar has also been clubbed with Digital India project and that had made the combination the biggest digital panopticon of human race. This digital panopticon of India must be urgently declared unconstitutional by Indian Supreme Court. Similarly, Aadhaar project of India must also be declared unconstitutional by Indian Supreme Court. Despite the clear directions (PDF) of Supreme Court, both Central and State Government have made Aadhaar compulsory for various services. This is not only contempt of court but also a clear violation of Constitutional provisions and safeguards. For instance, Digital Locker tied up with Aadhaar is illegal and would not serve Digital India.

The Central Government is lying before the Supreme Court by claiming that Aadhaar is not mandatory for government services. The reality is that Aadhaar has been made compulsory for all government services directly as well as indirectly. Supreme Court of India has taken a stringent view against this process of making Aadhaar compulsory. It has directed that Aadhaar cannot be made compulsory for government services and any authority violating this direction of Supreme Court would be taken to task.

Supreme Court on Monday reiterated its earlier order that Aadhaar card is not compulsory and added that officials who insist on them will be taken to task. A Bench of Justices J. Chelameswar, S.A. Bobde and C. Nagappan clarified that demands made by officials for Aadhaar card is in clear violation of the Supreme Court’s interim order of September 23, 2013. In the 2013 order, the apex court had directed that “no person should suffer for not getting the Aadhaar card, inspite of the fact that some authority had issued a circular making it mandatory”.

“It is a matter of great public importance. The issue has serious implication in terms of Constitution. Notwithstanding the court’s order, there is insistence for Aadhaar. There is complete apathy on the part of officials,” senior advocate Gopal Subramaniam, representing one of the petitioners and Bangalore-resident, Mathew Thomas, submitted.

As an example, he referred to NCT government’s notification on March 9, 2015, insisting that couples require Aadhaar cards to get their marriage registered under the Special Marriage Act. In fact, senior advocate Anil Divan pointed out that the Bombay High Court Registrar had recently received an official communication asking him to make Aadhaar mandatory for disbursal of salary to staff and even judges.

Mr. Subramanium argued that collection of personal data of residents of India under the Aadhaar scheme is not exactly a government activity, but outsourced to private contractors. “On the surface it (Aadhaar) is a simple document of identity, but it has linkages by means of iris scans and biometric details. God forbid if identities are exchanged or mistaken. The Executive’s scheme involves private partners. Who are these private partners?” Mr. Subramanium submitted.

Submitting how the ordinary man is now prone to the perils of identity fraud, Mr. Subramanium said the “Sovereign State also has the duty to protect its citizens, to protect his identity, his personal information against possible misuse”.

“You better advise the States, if the officials insist, it would have consequences. We will take them to task. This is absolutely not right,” Justice Chelameswar observed.

SC Has Killed Cyber Law Due Diligence In India To A Great Extent

Cyber law due diligence in India (PDF) for Internet Intermediaries is incorporated in the Information Technology Act 2000 (IT Act 2000). Section 79 read with Information Technology (Intermediaries Guidelines) Rules, 2011 (PDF) deals with cyber law due diligence obligations of Internet Intermediaries of India.

There has been lots of confusion and protests against the Internet Intermediary liability applicable to the Intermediaries. Although internet intermediary liability in India has been clarified yet doubts and problems persisted in this regard. As a result cyber law due diligence requirements in India is neglected with impunity.

According to the cyber law developments of India 2014 provided by Perry4Law Organisation (P4LO) and Cyber Crimes Investigation Centre of India (CCICI), some serious cyber law related issues deserve immediate attention of Indian government. We were waiting for a positive response from Indian government but meanwhile the judgment of Shreya Singhal v. Union of India (24th March 2015), Writ Petition (Criminal) No.167 Of 2012 (PDF) was delivered by Indian Supreme Court.

This judgement has come as a big blow to the cyber law due diligence obligations of Intermediaries in India. The main problem seems to be reading down of Section 79(3) (b) and Rule 3(4) By Supreme Court in a manner that would be counter productive in the long run. In fact, reading down of Section 79(3) (b) and Rule 3(4) is more problem than solution as the Supreme Court erred in adopting this approach.

Now it has become necessary for Modi government to urgently bring suitable amendments in the IT Act 2000. Unfortunately, Indian Parliament and Indian government are not capable of enacting effective techno legal legislations. This is the reason why even the most draconian and unconstitutional rules are simply approved by Indian Parliament without any analysis, debate and application of mind. Once approved, such rules become part of the parent Act and this creates serious law and order enforcement problems.

Even worst is constitution of authorities and projects by mere Executive orders. For instance, Aadhaar project is an unconstitutional project that has been created by an Executive order. Indian Parliament has not deemed it fit to dissolve the same and come up with a robust law in this regard. Supreme Court if India has directed on multiple occasions that Aadhaar is not compulsory for government services but Indian government is not paying any heed towards those directions. Aadhaar has been made compulsory by direct and indirect means and very soon even the Aadhaar project would be declared to be unconstitutional by Indian Supreme Court.

Even Modi government is following the steps of Congress government and is very indifferent towards ensuring Parliamentary oversight of various projects and initiatives. For instance, promising projects like Digital India and Internet of Things (IoT) (PDF) are still not governed by any legislative process. Naturally, there is no accountability and transparency for these projects as on date. In fact, Digital India project of India is heading for rough waters in these circumstances.

Indian cyber law has not been appropriate since its inception. Too much stress is given to suppress civil liberties and enhance e-surveillance. However, it has now reached a stage where immediate steps must be taken to protect civil liberties in cyberspace on the one hand and projects like Digital India on the other. This is also the high time to leave politics and do positive things for Indian masses.

E-Police Station In Delhi Would Register Online FIR For Motor Vehicle Theft Cases

Projects like Digital India and Internet of Things (PDF) are very crucial to ensure e-delivery of services in India. Fields like healthcare, Judiciary, dispute resolution, etc can be greatly benefited by the Digital India project. It is equally true that implementation of these projects is not an easy task as they are facing numerous techno legal challenges as well. The paced of India is also very slow in this regard. This has not deterred Indian government to launch ambitious initiatives like National E-Health Authority (NeHA) of India that would strengthen healthcare facilities in India.

It is also necessary that the cyber security of digital India project must also be ensured in such a manner that a balance between civil liberties protection and national security requirements is maintained. Recently the Supreme Court of India struck down (PDF) Section 66A of Information Technology Act, 2000 as it violated freedom to speech and expression. This was a case of enactment of bad law implemented in even worst manner. Due to the indifference and vested interests of Indian government, now even genuine victims of cyber bullying, cyber crimes and sexual offences are left with almost nil remedies. We at Perry4Law’s Techno Legal Base (PTLB) believe that this judgment of Supreme Court must be immediately reviewed in public interest.

In another good initiative undertaken by Indian government, the Delhi Police on Thursday launched their first e-police station to deal exclusively with cases of motor vehicle theft. The pilot project of the “Motor Vehicle Theft (MVT) Application” is now accessible on mobiles and computers. Presently this facility is available only for police stations in South Delhi and the same will be extended to entire Delhi after sorting out technical glitches and other problems. The formal inauguration of the e-police station and the MVT App will be done next month by Prime Minister Narendra Modi, after which the e-police station and MVT app will be made available for public use, a senior crime branch officer said.

The best part about the application is that this will enable the complainant to register a First Information Report (FIR) online and instantly receive a copy of the same without going to the police station. The application will also provide an “untraced report” of the stolen vehicle to the complainant within 21 to 30 days of the FIR, helping the complainant seek an insurance claim. This has greatly reduced the mental trauma and inconvenience that victims of vehicles theft used to face till now. We at PTLB welcome this initiative of Delhi Police and are committed to extent all possible assistance to it in this regard.

The other features of the application include electronic matching of stolen and unclaimed vehicles from the centralised databases and timely disposal of vehicle theft cases to reduce pendency at police stations and courts. The MVT application will ensure electronic transmission of digitally signed FIR to the complainant as well as the area SHO, designated Court, insurance company, etc. It will automatically send mobile text messages or emails to the police control room (PCR), all SHOs in Delhi police, district DCPs, state transport authority, all senior superintendents of police (SSPs) across the country, states crime records bureau (SCRB) and national crime records bureau (NCRB) simultaneously. This is the best part about the MVT application as a timely and coordinated action is must to successfully trace stolen vehicles.

Five FIRs related to thefts of vehicles were lodged with the e-police station through online registration. The first online registered FIR was related to theft of a Maruti Omni van falling under the Neb Sarai police station. We at PTLB believe that it would be a good idea to replicate this system for other crimes as well with necessary modifications, if required.


Monday, November 16, 2015

Indian Supreme Court Asks Central Government To Clarify Upon Privacy Invasive Software And Mobile Applications

Privacy is essential part of civil liberties and it has assumed more importance in the present connected world. We have computers, smartphones and many more mediums that capture, store and analyse personal and sensitive information on daily basis. It is natural that such information and data must be properly secured and adequately safeguarded. This is the reason why we need strong privacy and data protection laws on the one hand and effective and robust cyber security on the other.

Indian Supreme Court is already hearing few cases pertaining to privacy rights and their applicability in India. However, privacy rights in the information era are totally different from the traditional privacy rights. India has no dedicated laws on privacy and data protection (PDF) so far. We at Perry4Law Organisation (P4LO) strongly recommend that dedicated privacy and data protections laws must be urgently formulated by Indian Government. We also recommend that a techno legal framework must also be formulated by Indian Government as soon as possible.

Meanwhile the Supreme Court has taken up the cause against the privacy violating software and mobile applications. As per a media report, Supreme Court of India has taken a serious note of the software and mobile applications that can be used to extract private information from smartphones. The Court has asked the Central Government to clarify its stand in this regard and also to explain how such systems exist even though it’s clear that they are violating the law. A notice has also been issued to the Central Government, CBI as well as an IT firm: Spundan-The IT Pulse. The firm is known to sell such software, which according to the court can be used in anti-national activities.

The order was passed by a Three Judges bench comprising of Justice J S Khehar, Madan B Lokur and Kurian Joseph. This was on the basis of a plea which was filed by Prashant Pandey, known as the whistleblower in the Vyapan scam in Madhya Pradesh. He had alleged that personal records of anyone, be it judges could be acquired using this software. He has pleaded for a CBI probe into the activities of companies such as these. The petition reads, “The illegal interception of calls, generation of call detail records etc are not only violative of Indian Telegraph Act and Indian Wireless Telegraphy Act but are also fuelling various criminal activities like extortion and has a direct bearing on national security”.

Senior advocate Indira Jaising said, “The gravity of the situation can be ascertained by the fact that today subscriber details including complete name and address along with the date of birth, alternative mobile/ land line number, call detail records, location of a mobile of any person can be availed through this online software, be it of the chief minister of a state, judges of higher courts, head of various armed forces, senior scientists etc by anyone who has installed this software on personal computer after purchasing it from IT Company”.

Guidelines On Protection Of Good Samaritan While Saving Lives Of Road Accident Victims (2015)

Protection of lives of road accident victims is possible to the maximum possible extent only if good people come forward to take them to hospitals. A timely first aid and early access to medical facilities is sine quo non for lesser mortality rates.

Supreme Court of India addressed this issue and other related ones in Savelife Foundation & Anr v. Union of India & Anr, Writ Petition (Civil) No(s). 235 Of 2012 (SC) (PDF). A Committee was constituted by the Supreme Court and one of the points of reference was incorporated into clause (x) which reads as follows:
(x) Deliberate and develop a set of guidelines for protecting Good Samaritans from police harassment and legal hassles. The guidelines will aim to address the root causes for fear of harassment and legal hassles in general public regarding helping injured victims. These guidelines will also serve as a foundation for further legislative work in the area of protecting Good Samaritans.

In a welcome move, the Narendra Modi led Government has issued Guidelines on Protection of Good Samaritan While Saving Lives of Road Accident Victims (2015) (PDF). This shows the sensitivity of Indian Government towards the precious lives that can be saved if road accident victims can be taken to hospitals as soon as possible.

Although there is no dearth of good people to take accident victims to the hospitals yet legal formalities and legal hassles have forced many not to take the much needed actions. Now with these guidelines it can be hoped that more precious lives would be saved.

Perry4Law organisation (P4LO) welcomes this move of Indian Government and hopes that more such constructive and pro active initiatives would be taken by the Indian Government in near future.

Social Networking Laws In India Need Clarity And Codification

Social networking websites have a very crucial role to play in fields like business and commerce, personal relationships, leisure activities, political usages, speech and expression, etc. This is the reason why social media websites like Facebook, Twitter, LinkedIn, etc are very popular world over.

India has also a significant population that is attached to various social media or social networking websites. This has given rise to unique law enforcement and regulatory challenges before the countries around the world. While the United States has the advantage in the sense that most of these social networking websites are located within the legal and territorial limits of US authorities yet law enforcement authorities of India and other countries find it really difficult to manage law enforcement related activities arising due to abuse of these social networking websites.

The conflict of laws in cyberspace has further widened the law enforcement access deficit that India is presently facing. Most of the law enforcement agencies of India openly admit that when the server of a website is located outside India it becomes next to impossible to prosecute a cyber criminal using such a website and committing an offence against Indian citizen.

For instance, Bangalore cyber police is facing investigation difficulties with Facebook and it is well known. Similarly, the Delhi Police was too late to get access to IP address of the accused who hacked the e-mail account of Amrita Rai. It is also well known that most of the social networking websites that are operating in India are not complying with the laws of India.

The Information Technology Act, 2000 (IT Act 2000) is the cyber law of India that governs legal issues pertaining to e-commerce, e-governance, cyber contravention and cyber crimes. However, the cyber law of India is a piecemeal legislation that covers multiple areas and in this attempt it is not covering even a single area effectively. India must either formulate a comprehensive and holistic techno legal framework or it must adopt specific and dedicated laws for various fields. There is no doubt that India needs a new and better cyber law and the old one must be repealed.

It has been suggested that foreign websites and social networking websites must establish servers in India. It has also been suggested that India’s own social networking websites must be established so that compliance with Indian laws can be ensured. As per the amended Indian Companies Act, 2013, the directors of India companies can be held liable for cyber law and cyber security related techno legal compliances. Individuals, companies and their directors are also required to observe cyber law due diligence (PDF) under the IT Act 2000.

India has been using mutual legal assistance treaty (MLAT) to mutually cooperate on law enforcement related issues. However, MLAT is not always successful as the country to whom such a request is issued may deny cooperation if the act committed by the accused is not an offence as per the laws of that country. For instance, in the past US has refused to issue summons upon companies like Facebook, Google, etc citing similar grounds. So the MLAT route is not full proof and it is full of surprises.

Some stakeholders have started using social networking websites for business purposes in such a manner that they violate Indian laws. However, as the servers of these social networking websites are located outside India and are governed by foreign laws, Indian law enforcement agencies are helpless to enforce Indian laws against such stakeholders.

For instance, online pharmacies related legal compliances are absolutely ignored in India by most of the online pharmacies operating from India. As a result Perry4Law has suggested that online pharmacies laws must be enacted by Indian government. Similarly, the online card games websites in India are also in a limbo and they are operating in a legally risky manner. This is more so when social networking websites are used for games like online rummy, online poker and other online card games.

India has no dedicated privacy and data protection (PDF) laws. Indian government is also very committed to violate the civil liberties of Indian citizens in cyberspace. This is the reason why we have no privacy rights in India that can protect the privacy of Indian in cyberspace. Further, e-surveillance tools like Aadhaar have been clubbed with projects like Digital India and this has made the digital India initiative the biggest digital panopticon of human history. The social networking websites provides further data and information to Indian government for data mining purposes and this result in violation of privacy of Indian citizens.

Nevertheless, business and other stakeholders are required to comply with applicable privacy, data protection, cyber law and other laws applicable to their respective fields. One of the requirements that is applicable to all stakeholders including e-commerce players pertain to observation of cyber law due diligence (PDF). Similarly, e-commerce laws in India are also required to be adhered to by various stakeholders. Since the stakeholders are also using the platform of foreign companies, they are also subject to the laws of foreign jurisdictions as well. Thus, there is no significant benefit of hosting a website on a foreign server if the law enforcement agencies of India are committed to punish an offender.

Perry4Law Organisation (P4LO) hopes that this article would help various stakeholders in sensibly using the social networking websites so that they remain on the right side of the law. At the same time P4LO also believes that very soon social networking related laws and regulations would be clearly enacted by the Indian government for the larger benefit of all stakeholders.

National Counter Terrorism Centre (NCTC) Of India Must Be Constituted Urgently

Establishment of the National Counter Terrorism Centre of India (NCTC) has been facing many problems and difficulties. These include administrative, political and technological problems that need to be addressed on a priority basis by the new Government. The obvious but unsolvable terrorism dilemma of India cannot be allowed to be continued any longer in the larger interest of India.

By its very nature and design any proposed NCTC shall be managed by intelligence and security agencies of India. India has plethora of intelligence agencies and security agencies. These include Research and Analysis Wing (RAW), Aviation Research Centre (ARC), Intelligence Bureau (IB), National Technical Research Organisation (NTRO) and Defence Intelligence Agency (DIA), etc.

However, the administrative and political structure governing these agencies is highly defective as they are operating in a decentralised manner. There is no centralised authority or Ministry that can coordinate or collaborate between different intelligence and security agencies. Further, there is no Parliamentary oversight of these intelligence agencies as well.

On top of it Civil Liberties and National Security requirements of India are not balanced at all. This would give rise to constitutional issues and create problems for such agencies in future. For instance, the immunity request of these agencies for engaging in cyber deterrent act cannot be accepted in these circumstances that would be an essential function of NCTC in future.

As Mr. Narendra Modi is committed to keep the internal security part of Home Ministry with himself, these issues can be easily managed. The proposed Prime Minister’s Office (PMO) would emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India. It would also not be difficult to constitute the proposed NCTC in these circumstances as the centralised approach towards NCTC would eliminate interference of different Departments/Ministries. Mr. Modi can comfortably guide and supervise NCTC from the PMO.

However, NCTC must not be established in the manner proposed by the previous Government. The “safest and easiest method” to establish NCTC is to give a Parliamentary Scrutiny to intelligence agencies and their functioning. In the same legal framework, establishment and role of NCTC can be formulated.

The NCTC is very significant and essential for the National Security of India. Terrorist attacks against India are on increase and we need a “Specilaised Institution” like NCTC to provide and analyse valuable intelligence inputs and leads. The real problem seems to be “lack of coordination and harmonisation” between the Centre and States and the PMO must resolve this problem while establishing NCTC.

There are other related problems as well. For instance, the intelligence infrastructure of India is in big mess.  We need to develop intelligence gathering skills development in India so that effective intelligence can be generated, processed and used in real time. On the legislation front, a legal framework on the lines of Intelligence Services (Powers and Regulation) Bill, 2011 must be formulated and enacted by our Parliament. The National Intelligence Grid (Natgrid) Project of India has already been launched. However, a legal framework for Natgrid project of India is also needed as an unaccountable Natgrid is not a panacea for intelligence failures of India.

Surprisingly, the bureaucrats at Home Ministry have dropped the reference of NCTC altogether from their proposed report to Mr. Modi. They believe that NCTC is not a viable project and it need not to be part of the projects that have to be undertaken on a priority basis. It seems the bureaucrats are well aware of the previous dislike of Mr. Modi towards NCTC and they do not wish to offend him.

This is a highly unfortunate situation. No project should be dropped simply because Mr. Modi has disliked the same in the past. It is the constitutional duty of bureaucrats to suggest inclusion of projects of National Importance keeping aside their own biases, prejudices or fears. If they simply drop a worth project like NCTC on the basis that Mr. Modi disliked it in the past nothing is more embarrassing and unfortunate than such an approach. Even if Mr. Modi is averse to NCTC as on date, the bureaucrats must suggest the same. Of course, if there are some other issues, besides personal preferences or dislikes of Mr. Modi, they must be openly and frankly communicated to Mr. Modi and let him decide ultimately.

The things and circumstance have changed drastically and it is high time to analyse projects like NCTC as per contemporary standards and requirements. The present circumstances are in favour of constitution of NCTC and the same must be done as soon as possible.

Monday, November 2, 2015

Cyber Crimes And Cyber Attacks Insurance In India: A Techno Legal Perspective

Insurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements.

Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amendable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian company ies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

Sunday, November 1, 2015

Cyber Security Law Firms In India

About four years back, India's leading techno legal ICT law firm Perry4Law wrote about cyber security legal practice in India. The article was very clear in its message that techno legal fields like cyber law, cyber security, cyber forensics, cyber warfare, cyber terrorism, etc are not the preferred field of legal practice for law firms and lawyers in India and other countries. The main reason for avoiding cyber security legal practice was lack of expertise to manage complicated cyber security related issues. Only law firms like Perry4Law have been managing techno legal issues of cyber security, cyber law, cyber forensics, e-discovery, etc in India so far.

Then came the positive development and lawyers and law firms
started exploring the areas like cyber law, cyber security, cyber forensics, etc. Although the number of such lawyers/law firms is negligible yet the growing interest in the techno legal fields would increase such numbers in future. Further, techno legal issues would also change the way traditional businesses and transactions would be carried out in future. For instance concepts like cyber insurance, online dispute resolution, e-courts, digital evidencing and e-discovery, media forensics, cyber forensics, etc would be very much used in future.

However, technology laws have their own peculiar problems. Cyber laws are generally curative in nature as against the desirable preventive requirements. They are formulated keeping in mind the crimes/cyber crimes that have already taken place instead of what cyber crimes can possibly happen in future. In short, cyber laws must be “futuristic” in nature as against “historical” in their applicability. This brings novel legal challenges before lawyers and law firms as cyber security legal practice becomes very challenging and research oriented field.

Cyber crimes and cyber attacks have increased tremendously world over. No country is safe from cyber crimes and sophisticated cyber attacks. Despite this position there is no method or procedure to asertain international legal issues of cyber attacks. Perry4Law Organisation (P4LO) has been managing the exclusive techno legal blog on international legal issues of cyber attacks and the same can be accessed here. Further, to spread public awareness in the techno legal fields, P4LO has also been providing global techno legal news and views and the same can be accessed here. A virtual law campus (VLC) has also been launched by Perry4Law's Techno Legal Base (PTLB) so that skills developments in the fields like cyber law, cyber security, e-discovery, cyber forensics, etc can be ensured for various stakeholders including lawyers.

With issues like cyber espionage and cyber warfare, the traditional armed forces and legal fraternity are now collaborating upon a very unique platform where lawyers need to have a sound knowledge of both law and technology. It seems the techno legal community alone would be able to dare to explore issues like cyber law, cyber security, etc in future.

Friday, October 30, 2015

Blog On International Legal Issues Of Cyber Attacks


For instance, if a simple exercise of internet protocol tracking is undertaken, it takes months before any information is received from a foreign jurisdiction. Even in such cases, these are exceptional cases and not a general practice. In this process, the crucial digital evidence is lost forever and the cyber crimes investigation becomes a cold trail.

As there is a severe conflict of laws in cyberspace, it is very important to be aware of various technology related laws of various jurisdictions. However, it is not possible to be aware of all the laws of various jurisdictions. In order to spread public awareness in this regard, Perry4Law Organisation (P4LO) has been managing a dedicated blog on international legal issues of cyber attacks and cyber security. It is the exclusive techno legal blog on the topic not only in India but in entire world.

The blog has covered many techno legal aspects like use of cyber espionage malwares, need for the national security policy of India, legal immunity against cyber deterrent acts in India, open source intelligence through social media websites, protection of Indian cyberspace, national counter terrorism centre (NCTC) of India, cyber security challenges of India, cyber preparedness of India, the Wassenaar Arrangement and cyber security issues, intelligence agencies reforms in India, banking cyber security, techno legal analysis of Gameover Zeus, cyber crimes insurance in India, smart cities cyber security in India, etc.

As on date we have no dedicated cyber security laws in India. This is the reason why cyber security is more ignored than complied with in India. Even the blooming e-commerce industry of India is devoid of required cyber security practices and requirements. Cyber security of banks in India is also not upto the mark. This has forced the Reserve Bank of India to constitute a IT subsidiary that would consider, monitor and prescribe cyber security related rules, regulations and practices for banks in India. Even the Companies Act 2013 has prescribed cyber security obligations for the directors of companies. This is in addition to the cyber law obligations of banks and directors of Indian companies.

It is well understood that international legal issues of cyber attacks are not easy to handle. Nevertheless, Indian government cannot afford to ignore this situation and it must urgently work towards making Indian cyber security robust, resilient and effective. P4LO hopes that our readers would find our blog on international legal issues of cyber attacks, cyber law and cyber security useful.

Source: CSRDCI.