Sunday, June 19, 2011

Techno Legal Decryption Solutions By PTLB

A Government Panel has recently given its opinion that Encrypted Services in India would not be banned even if the Intelligence agencies cannot “Intercept” these Encrypted Communications. This would not be pleasant news for Home Ministry of India and Intelligence Agencies of India who now have to acquire Techno Legal Intelligence Gathering Skills to deal with Encrypted Communications.

Home Ministry of India and Intelligence Agencies never understood the point that E-Surveillance can never be a “Substitute” for Intelligence Gathering Skill and Cyber Skills. Now the message has been delivered, they must start working in the direction of acquiring good Techno Legal Intelligence Gathering Skills.

The Intelligence Infrastructure of India is in bad shape. The same needs an “Urgent Rejuvenation”. Projects like National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and System (CCTNS), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), National Counter Terrorism Centre (NCTC), etc cannot be “Outsourced” to Private Companies as far as their “Core Functions” are concerned. Otherwise, the whole purpose of such Projects would be defeated. In order to perform the Core Functions of these projects, Intelligence Agencies and Law Enforcement Agencies of India must develop necessary Skills in this regard.

To start with we must formulate the Encryption Policy of India. Till now we have neither an Encryption Policy of India nor do we have Encryption Laws and Regulations in India. The second step must be to enter into Public Private Partnerships (PPP) with IT Experts who can help the Home Ministry in successfully completing its various Projects. The next step must to provide Techno Legal Trainings to Intelligence Agencies and Law Enforcement Agencies of India.

Indian Government must develop solutions “Independent of E-Surveillance” so that Intelligence Agencies can decrypt secure and highly encrypted data and voice and written communication transferred across secure networks via Internet.

At Perry4Law Techno Legal Base (PTLB) we can assist the Indian Government and its agencies to establish Techno Legal Intelligence Infrastructure of India. The same would include using both Technical as well as Legal Mechanisms to deal with Encryption and Decryption issues.

Our Techno Legal Solutions are “Specifically Designed” to cater the needs of Human Rights Protection in Cyberspace. Since access to Internet is now a Human Right as per United Nations, Indian Government must implement all its Projects keeping in mind Human Rights and Fundamental Rights as enshrined in the Constitution of India.

Thursday, June 9, 2011

Cyber Forensics Laws In India

Cyber Forensics in India is still to be approved as an important part of Legal and Judicial System of India. Till now we do not have a specific and dedicated Cyber Forensics Law in India. Cyber Forensics is an amalgamation of Legal and Computer Science principles. Thus, it is essentially Techno Legal in nature.

This Techno Legal nature of Cyber Forensics has raised certain problems before the Law Enforcement Agencies of India, Legal Fraternity, Judicial Fraternity and the Governmental Departments dealing with the Cyber Forensics issues.

While the Police, Lawyers and Judges are still struggling to deal with Cyber Crimes and Cyber Forensics issues yet Government Departments are facing a shortage of Skilled Cyber Forensics Professionals. Suitable Techno Legal Cyber Forensics Courses in India and Cyber Forensics Education in India can reduce the shortage of Skilled Cyber Forensics Professionals in India.

India has been facing these problems because till now Cyber Forensics Policy of India has not been formulated. An ideal Cyber Forensics Policy of India must concentrate upon issues like Legal Framework for Cyber Forensics, Skills Development of Cyber Forensics, Trainings of Law Enforcement Officials, Lawyers, Judges, etc.

Cyber Forensics Policy of India cannot be implemented by a single stroke. It has to be formulated step by step and in a systematic and planned manner. Indian Government must pay attention to the Cyber Forensics Laws of India in general and Cyber Forensics Policy of India in particular.

Cyber Crisis Management Plan Of India

Crisis Management is an important aspect of planning and management of any project or eventuality. If we have a proper Crisis Management Plan, losses of lives and property is minimised to a great extent. We have Crisis Management Plans in India against floods, earthquakes and other natural calamities. However, are we prepared for Cyber Crises in Indian Cyberspace?

India has formulated a Crisis Management Plan for its Cyberspace. However, like other Policies and Strategies in India, it has not been implemented in true letter and spirit. Even the basic level Cyber Security Preparedness in India is not up to the mark.

There are many aspects of a Cyber Crisis Management Plan. For instance, Cyber Security, Cyber Law, Cyber Forensics, Anti Cyber Terrorism Plans, Anti Cyber Espionage Plans, Anti Cyber Warfare Plans, Human Rights Protection in Cyberspace, Critical ICT Infrastructure Protection, etc are some of the “Components” of a Cyber Crisis Management Plan.

Theoretically, India has a Cyber Law in the form of Information Technology Act 2000 (IT Act 2000), Cyber Security in the form of Government Guidelines, Cyber Forensics Practices in Governmental Laboratories alone and so on.

However, practically we have no Cyber Crimes Laws in India as the Cyber Law of India has made almost all the Cyber Crimes “Bailable”. We may have a Cyber Law but India has no Cyber Crimes Law. So Legal Framework for preventing Cyber Crimes is “practically missing” in India.

As far as Cyber Security is concerned, we have no Cyber Security Laws in India and no Cyber Security Policy in India. The Governmental Guidelines are meant for Government Departments alone and even these Government Departments do not follow the same. Government Websites are the most frequently defaced websites in India. Similarly, Government Computers are the “most successfully breached” Computers in India. Computers of Defense Forces, Prime Minister’s Office (PMO), Ministry of External Affairs (MEA), Ministry of Home affairs, etc have been successfully breached without even notice by these Ministries/Offices.

As far as other components of Cyber Crisis Management Plan of India are concerned, even they do not exist in India. We have no Cyber Forensics Laws in India, no Cyber Terrorism Policy in India, no Cyber Warfare Policy in India, no Critical ICT Infrastructure Protection Policy in India and no Human Rights Protection in Cyberspace in India.

In fact, Projects like Aadhar, NATGRID, CCTNS, Central Monitoring System (CMS) of India, etc are openly violating the Human Rights of Indians. These Projects are operating without any Legal Framework, Parliamentary Oversight and Judicial Scrutiny.

Even the basic Privacy Rights in India are missing. It is only now the Law Ministry of India has proposed the Right to Privacy Bill 2011 of India. Further, Data Protection Law in India is urgently required. We also need a Data Security Policy of India so that sensitive information and data of projects like Aadhar, NATGRID, CMS, etc is not “misused” once it falls in the wrong hands.

India cannot have a robust and effective Cyber Crisis Management Plan till it considers these aspects and actually starts working in the direction of achieving these components.

Saturday, April 2, 2011

The Draft Intelligence Services (Powers and Regulation) Bill, 2011

A Draft Bill titled the Intelligence Services (Powers and Regulation) Bill, 2011 has been recently circulated in the Lok Sabha. The Bill has been circulated by Manish Tewari, Member of Parliament. The bill though circulated but could not be introduced as the Lok Sabha was adjourned sine die on Friday. It is likely to be introduced in the next session of Parliament.

The Bill intends to establish a Legal Framework for Intelligence Agencies of India. Presently, Intelligence Agencies of India are not governed by any Legal Framework and they are not under Parliamentary Scrutiny.

This is a serious “Constitutional Issue” as exercise of Law Enforcement and Intelligence Powers without any “Constitutionally Valid Law” is serious violations of Constitutional provisions. Finally, some sort of law making has been sought that would also bring Transparency and Accountability among the Intelligence Operations in India. The present Intelligence Infrastructure of India is in big mess and the Bill if made an enforceable law would bring some respite.

However, there are many “Techno Legal and Constitutional Issues” that are “still missing” from the Bill. I/We would discuss the same subsequently. In this post I wish to discuss some of the provisions of the Draft Intelligence Services (Powers and Regulation) Bill, 2011.

The Bill seeks to give statutory status to:

(i) Research and Analysis Wing
(ii) Intelligence Bureau and
(ii) National Technical Research Organisation.

with a view to regulate the manner of the functioning and exercise of powers by the Intelligence Agencies within and beyond the territory of India and to provide for the coordination, control and oversight of such agencies.

The Statement of Objects and Reasons of the proposed Bill says that Intelligence agencies are responsible for maintaining internal security and combating external threats to the sovereignty and integrity of the nation. These responsibilities range from counter-terrorism measures tackling separatist movements to critical infrastructure protection. These agencies are operating without an appropriate statutory basis delineating their functioning and operations. This tends to, among other things, compromise operational efficiency and weakens the professional fabric of these agencies. It also results in intelligence officers not having due protection when performing their duties.

Assessments and gathering of information by intelligence agencies are catalysts for law enforcement units to act, necessitating that these be reliable, accurate and in accordance with law. This kind of efficiency has been hindered by obscured responsibilities that have plagued the functioning of the agencies.

Article 21 of the Constitution provides that no person shall be deprived of his life and personal liberty except according to the procedure established by law. The Supreme Court of India has carved a right to privacy from the right to life and personal liberty. Such rights to privacy are compromised when agencies undertake surveillance operations.

In Re: Peoples Union of Civil Liberties v. Union of India, the Supreme Court issued detailed guidelines regarding telephone tapping. A proper legal framework is required to regulate surveillance of other forms, using different technologies, as well. There is an urgent need to balance the demands of security and privacy of individuals, by ensuring safeguards against the misuse of surveillance powers of intelligence agencies. Therefore, legislation is imperative to regulate the possible infringement of privacy of citizens, while giving credence to security concerns.

In view of the reasons stated, the Bill seeks to enact a legislation pursuant to Entry 8 of List I of the Seventh Schedule of the Constitution of India to provide: -

(a) A legislative and regulatory framework for the Intelligence Bureau, the Research and Analysis Wing and the National Technical Research Organisation;
(b) Designated Authority regarding authorisation procedure and system of warrants for operations by these agencies;
(c) A National Intelligence Tribunal for the investigation of complaints against these agencies.
(d) A National Intelligence and Security Oversight Committee for an effective oversight mechanism of these agencies; and
(e) An Intelligence Ombudsman for efficient functioning of the agencies and for matters connected therewith.

The Bill is a very good beginning though it requires many “improvements” before it is finally passed by both the Houses of Parliament. I hope and wish the Modified and Improved Bill would become an applicable law very soon.

Wednesday, March 9, 2011

First Techno Legal Cyber Crimes Investigation Manual Of India

Cyber law is a technical subject and this is the reason why law enforcement officials, lawyers and judges find it difficult to understand and apply. This is also the reason that we have a very bad conviction ratio for cyber criminals in India.

The task of police, lawyers and judges would become easier if there is a ready reference that they can refer and rely upon in cases of cyber crimes. Perry4Law Techno Legal Base (PTLB) and Perry4Law are in the process of writing the first and exclusive techno legal cyber crimes investigation manual of India.

The proposed manual would briefly cover areas like cyber law, cyber crimes, cyber forensics, incidence response, authorship attribution, anonymity, traceability, privacy issues, etc. It would also cover national and international best practices in this regard. The manual is in the final phase of preparation and it may be available to governmental departments and general public after few months.

In fact, an exclusive, extensive and techno legal cyber forensics investigation manual/book has already been written by Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB. These two manuals/books would cover almost the entire gamut of cyber law, cyber crimes and cyber forensics jurisprudence of India.

Perry4Law and PTLB are also in the process of writing manuals and books in other fields as well. So keep a close watch for the same at this platform and other sites of Perry4Law and PTLB.

We hope Indian government and other stakeholders would find these books/manuals useful and would actively utilise them for effective cyber law and cyber crimes investigations.

Sunday, March 6, 2011

E-Discovery In India And Its Uses

By
Baljeet Singh

Electronic discovery has many purposes to achieve. It can be used as an effective measure to prevent frauds from being committed by timely detection of suspicious activities. It can also be used for detection of these frauds and crimes after their commission. Thus, e-discovery is both preventive and curative in nature.

E-discovery must be regulated by a legal framework to give it legitimacy. E-discovery law in India has still to be enacted. Although India has the cyber law of India incorporated in the form of information technology act 2000 (IT Act 2000) yet it is far from being sufficient for cyber forensics and e-discovery purposes. Suitable legislation in this regard is urgently needed in India.

E-discovery is also relevant for law enforcement, lawyers and judiciary. Legal and judicial fraternity of India needs a temperament for scientific knowledge. This includes knowledge about cyber law, cyber forensics, digital evidencing and e-discovery.

E-discovery requirements for banks in India have also significantly increased due to the recent guidelines by Reserve Bank of India that requires banks in India to exercise cyber due diligence and adopt sound cyber security practices.

E-discovery can also supplement due diligence, incidence response and periodic inspection of computers and other technology related systems. This helps in timely detection of frauds and other crimes.

We have a single techno legal e-courts training and consultancy centre of India. It is managed by Perry4Law Techno Legal Base (PTLB). It provides techno legal research, training and education in the fields like digital evidencing in India, e-discovery in India, e-courts training in India, judges training, etc.

Friday, March 4, 2011

Cyber Due Diligence Could Have Prevented Citibank Fraud

By
Praveen Dalal
The Gurgaon based Branch of Citibank was in controversies recently due to the fraud committed by one of its employees. Many depositors and high networth individuals (HNIs) of Citibank were defrauded upto the tune of Rs 460.91 crore in that fraud.

The modus operandi of the crime was very simple. The accused committed the fraud by mobilising funds to the tune of Rs 460.91 crore without authorisation from HNIs customers and certain corporate for the purpose of investing in stock market, assuring them high returns. The accused fabricated a circular of the Securities and Exchange Board of India (SEBI) to lure people into investing into accounts held by his accomplices.

However, Banks and Financial institutions must also be conscious of these fraudulent possibilities and they must be well prepared to prevent and tackle the same. For instance, Banks and Financial Institutions must regularly engage in “Forensics Audit” and “Incidence response”. Presently, Banks and Financial Institutions engage in these “Essential Exercises” when something fraudulent or wrong has already taken place.

Incidence Response and Forensics Audits are essential part of the overall “Due Diligence Strategy” of a Bank or Financial Institution. Recently, the Reserve Bank of India (RBI) executive director G Gopalakrishna said that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the Board Level at the earliest. This also means that Banks and Financial Institutions now have to engage in “Cyber Due Diligence” on a “Mandatory Basis”.

Similarly, Amendments have been proposed in the Banking Regulations Act 1949 (BRA 1949) by the Finance Ministry of India. Under the proposed Amendments, RBI would get more “Regulatory Powers” to regulate the affairs of Banks. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including “Supersession” of bank Boards.

RBI must also constitute a “Core Working Group” consisting of Techno Legal Experts from all fields. This Group can analyse Frauds and Regulatory Aberrations committed by Banks and Financial Institutions or their employees.

The Banking Reforms in India are already in progress and these suggestions can also be a part of the same so that confidence and trust of Bank Customers and Investors is retained.

Banking Regulation Act Amendments Approved By Cabinet

By
Praveen Dalal
Finance Ministry of India and Reserve Bank of India (RBI) have been working in the direction of bringing many good Financial and Banking Sector Reforms in India. In this direction RBI has already issued two good policy documents that would streamline use of Information Technology to enhance core banking practices in India.

The first document is a report of its Working Group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as Information Technology Vision Document for 2011-17 (IT Vision 2011-17). The vision document has recommended many good suggestions including requiring that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of Board of Directors.

Further, RBI has shown its willingness to allow big industrial houses to set up banks in India. However, it would not allow them to open the banks unless RBI gets the “Power to Supersede” Boards of banks that are not being run properly. RBI also wants the right to oversee the operations of the promoting company and any affiliates that will have business relationships with the bank. RBI has been suggesting bringing suitable Amendments in the Banking Regulation Act, 1949 (BRA 1949) in this regard.

Reacting immediately the Cabinet approved the long-pending amendment to the BRA 1949. The proposed amendments align voting rights of shareholders in proportion to the equity held and provide more regulatory teeth to the RBI. These powers now include the power to supersede bank boards.

Finance Minister Pranab Mukherjee would bring the proposed amendments in the BRA 1949 in current session of Parliament (March 2011) to carry forward the proposals made by RBI in this regard. Mukherjee said RBI proposes to issue guidelines for new private bank licences by the end of March. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including supersession of bank Boards.

These are the much needed Banking and Financial Sector Reforms that were long pending. By including the contemporary issues of Information and Communication Technology, RBI has also covered a wide area. Hopefully Parliament of India would approve the amendments as soon as possible.

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of "second factor verification" at merchant establishments and ATMs shortly.

The requirements are arising out of the two recently released documents by RBI. The first document is a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as information technology vision document for 2011-17 (IT Vision 2011-17). The vision document envisages that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of board of directors. The vision document also requires that while following the above, legal aspects relating to the provisions of the Acts such as Payments and Settlement Act, 2007 and IT Act, 2000 may be strictly adhered to.

This requirement of CIO/CTO is arising because many small banks do not have a designated CTO and also do not have a clear framework on information sharing. RBI is interested in gradual shift to an online system where it can access all the information from the main server of the bank once the RBI's IT Vision is implemented. Those banks having no CIO/CTOs and a steering committee are now required to have these requirements fulfilled as soon as possible.

The objectives of vision document are to ensure the use of information technology beyond core banking and into newer areas like management of information systems (MIS) and better regulatory reporting.

The vision document has been prepared by a high-level committee chaired by deputy governor K.C. Chakrabarty. The vision document also recognises the growing operational risks arising out of adopting technology in the banking sector like use of Internet banking, which could affect financial stability.

If the vision document is fully implemented, it will ensure that the RBI gets access to the servers of all banks, including foreign banks so that it has access to all the banking transactions. Further, the vision document also emphasises on the need for internal controls, risk mitigation systems, fraud detection/prevention and business continuity plans. These are good banking reforms and they must be implemented by banks in India as soon as possible.

Tuesday, March 1, 2011

Intelligence Infrastructure Of India Is in Big Mess

By
Praveen Dalal
Intelligence Gathering and its timely Analysis and Utilisation are the bench mark of any good and effective Intelligence Infrastructure. When the terrorists attacked Mumbai recently, lack of Intelligence Sharing proved fatal.

Although Intelligence Inputs were available, they were not shared and made available in a timely manner. In other words, although Intelligence Agencies did no fail yet Intelligence Infrastructure failed to act in a timely manner. This happened for a simple reason that we have good Intelligence Agencies but we have a very bad Intelligence Infrastructure.

Intelligence Infrastructure of India needs streamlining. There are numerous Intelligence Agencies operating in India. However, there is no “Centralised Command” for the same. This results in an anomaly as there is no single authority to whom all of them can report and share their intelligence and other inputs.

The worst part is that the acts and omissions of these Intelligence Agencies are not governed by any Legal Framework. Parliamentary Scrutiny of Intelligence Agencies in general and Intelligence Infrastructure in particular are absolutely missing.

The example of the former is lack of Legal Framework for Intelligence Agencies and Law Enforcement Agencies of India. The example of the latter is absence of Legal Framework for Projects like Crime and Criminal Tracking Network System (CCTNS), National Intelligence Grid (NATGRID), Central Monitoring System (CMS), Aadhar/UID Project, etc.

CCTNS links up all of India's Police Stations and NATGRID would connect 21 sets of available databases for instant analysis and results. The “Biometric Details” obtained by Aadhar Project would be added to this list.

In short, the Intelligence Agencies and Intelligence Infrastructure of India have no clear cut direction, guidance and control. Time has come to create a good and effective “Intelligence Infrastructure” in India. We have already recommended that a “Centralised ICT Control System” (CICS) must be established by the Home Ministry of India under the guidance of Mr. P.Chidambaram.

If there are numerous Intelligence Agencies working for different Government Ministries/Departments, there is a possibility of “Lack of Coordination” and “Inadequate and Inappropriate Information Sharing”. Nothing can be more beneficial than a “Centralised ICT Control Centre” for the Indian National and Internal Security.

In fact, Mr. P.Chidambaram has already expressed his desire to establish a National Counter Terrorism Centre (NCTC) that would act as an “Umbrella Organisation” for all Intelligence Agencies. It may also be considered as a “Centralised ICT Control System” and Home Minister must work really hard to establish NCTC as soon as possible.