Wednesday, January 11, 2012

Electronic Authentication Policy Of India

Electronic authentication (e-authentication) is a very useful service provided it is safe, secure and reliable. Similarly, e-authentication must also be supported by a sound legal framework that governs its uses and abuses.

We have no e-authentication policy in India. Even we have no legal framework for e-authentication in India. Although some efforts in this regard were made through the Aadhar project of India yet the very constitution and functioning of Aadhar project is unconstitutional. For some strange reasons, the unique identification authority of India (UIDAI), which is managing the Aadhar project, thinks that it is above constitution of India. This attitude of Aadhar and UIDAI has brought it to a stage where it is about to be scrapped.

So as on date we have no legal framework for e-authentication in India, no authority that can deal with e-authentication in India and no policy framework for e-authentication in India that has been implemented at the national level. If this is not enough, we have no encryption usage policy of India that can ensure cyber security of e-authentication in India.

If both cyber security in India and use of encryption in India are missing, the credibility of any e-authentication system is in great doubt. Possibility of data breaches and cyber attacks cannot be ruled out. Securing of critical national infrastructure of India from cyber attacks has still not achieved and introducing an e-authentication system without robust cyber security is not a wise move.

The cyber security trends in India 2011 by Perry4Law Techno Legal Base (PTLB) indicate that cyber security in India is still ignored by various stakeholders. Whether it is banks or strategic computers of Indian government, all of them have proved to be vulnerable to cyber attacks.

E-authentication is also useful for providing mobile banking services in India. Cyber security of Internet banking in India is still poor and e-banking risks in India are abundant. Mobile banking cyber security in India is still to be established before it can be explored in India.

E-authentication cannot succeed in India till we take care of various techno legal policy issues. Without removing various obstacle of e-authentication, using the same in India would create more problem than solutions providing.

Sunday, January 8, 2012

Mobile Banking Cyber Security In India

Mobile Banking is the buzz word these days. While the idea of mobile banking is promising yet it requires certain prerequisites to be successful in India. The chief among these requirements is the requirement to have a robust cyber security for mobile banking in India.

Cyber security in India in general and cyber security for online banking transactions in particular is not in good shape. The Cyber security trends in India 2011 also reflected this position. Mobile banking in India is still not popular due to various factors. For instance, e-banking in India is not safe, Internet banking cyber security in India is missing and online banking in India is not safe. In these circumstances, mobile banking in India is risky due to absence of mobile cyber security in India.

Even the Reserve Bank of India (RBI) is aware of this situation. RBI constituted a working group on information security to ensure cyber security among Indian banks. As per RBI’s recommendations, all banks should create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest.

However, banks of India have shown no willingness to incorporate cyber security into their day to day functions. Till now the directions of RBI to appoint CIOs and steering committee has not been followed by banks of India. The recommendations of the RBI have still not been implemented.

Naturally, Indian banks are poor at developing cyber security policies and implementing the same. Banks of India are also not providing positive confirmation to the originator of NEFT transactions. When basic level aspects are missing, incorporating cyber security in the day to day transactions of banks in India is really difficult. In these circumstances, the decision of RBI to remove financial limits from mobile banking transaction in India can be a trouble than facility. Hopefully, the proposed integrated banking law of India would address all these issues.

However, Indian banks cannot afford to ignore one aspect. The cyber law in India has prescribed cyber law due diligence for various stakeholders. Cyber due diligence for banks in India is just a part of the same. Cyber due diligence for Indian companies including banks operating in India is very stringent. If these due diligence requirements are not followed by Indian banks, civil, criminal and financial penalties can occur.

Cyber security for banking and financial sectors of India is urgently required as they perform very crucial functions. RBI must ensure the same by getting its directions strictly enforced as soon as possible.

Electronic Filing Of Consumer Complaints In India

The use of information and communication technology (ICT) for justice delivery system is well known. Even use of ICT for judicial and legal reforms in India is well understood. The role of ICT for effective judicial system in India is though well known yet very few efforts in this regard have been undertaken in India.

One can understand this position from the fact that till now we are still waiting for the establishment of first e-court in India. Even we have a single techno legal e-courts training and consultancy centre in India. Similarly, online dispute resolution in India is still a distant dream.

However, India cannot remain aloof for long in this regard. The information technology act, 2000 (IT Act 2000) already carries non enforceable e-governance provisions and with the proposed electronic delivery of services bill 2011 of India this e-governance mandate is going to be little bit more enforceable.

In fact, positive developments in this regard have already taking a shape in India. For instance, the financial limits of mobile banking transactions in India have been removed to give better options of banking in India. Similarly, SEBI is contemplating electronic initial public offer (EIPO) in India. Even Indian judiciary is exploring the possibility of using an electronic bail communication system in India. Through the proposed Cable TV Networks (Regulation) Second Amendment Bill 2011 of India, digital television services would be offered to consumers at affordable prices and with superior quality.

In a latest development in this direction, electronic filing of consumer complaints would be allowed if the proposed consumer protection (amendment) bill 2011 is made an enforceable law. The proposed amendment has made provision for making of a complaint by electronic form also to the District Forum.

This is a positive development and it would help in expanding consumer protection in India. However, there are many techno legal issues that must also be adhered to before e-filing of consumer complaints in India is made fully operational. But these issues would be sorted out with the passage of time.

Friday, January 6, 2012

Critical Infrastructure Protection (CIP) And Homeland Security (HS) In India

World over critical infrastructure protection (CIP) and homeland security (HS) are considered as top priority areas. This is logical as well since both CIP and HS are important parts of national security of any nation.

With the growing use and dependence upon information and communication technology (ICT), nations are focusing upon ensuring robust cyber security. The international cyber security policy framework and Indian response to the same are proof of the same. In fact, India is considering use of public private partnership (PPP) for internal security of India. Although India is also considering working in the direction of cyber security yet its speed and efforts in this direction are slower as compared to international cyber security standards and efforts.

Cyber security in India is not what is required. As per the cyber security trends in India 2011 by Perry4Law Techno Legal Base (PTLB), cyber security expertise and practices adopted in India are neither adequate nor qualitative. There is an urgent need to strengthen the cyber security mechanisms of various stakeholders in India.

Homeland security in India needs to be strengthened. In fact, India US homeland security dialogue has already been initiated. Homeland security and cyber security market in India is growing. In fact, Microsoft and Symantec are exploring the cyber security market of India. European Union (EU) has also invited India to participate in a mega cyber security and cyber crime project.

Critical national infrastructure security in India needs to be strengthened. Highly sophisticated malware like Duqu, Stuxnet, etc targeted India in the year 2011 and India is still investigating the Duqu malware. Indian nuclear facilities, automated power grids, satellites, defense networks, governmental informatics infrastructures, etc are vulnerable to sophisticated cyber attacks. It is still not clear whether Indian satellites are safe from cyber attacks.

Supervisory control and data acquisition (SCADA) is another area of concern. Cyber protection of SCADA systems in India must also be ensured. Similarly, Indian defense and security against cyber warfare needs to be developed so that cyber attacks against India can be thwarted. A good cyber security policy in India must be formulated that must include a critical ICT infrastructure protection policy of India as well. Similarly, effective legal and policy framework for cyber security must also be created in India.

Although there are numerous aspects of Cyber Security Policy of India yet Critical Infrastructure Protection in India and Critical ICT Infrastructure Protection in India are the most important aspects of the same. Similarly, cyber law of India must also be strengthened to effectuate cyber security in India. Hopefully Indian government would consider these aspects this year.

Wednesday, January 4, 2012

Social Media Websites Investigation In India

Social media websites have become ubiquitous these days. Ask any Internet using person or organisations and he/it would tell you about usage of some form of social media websites. Social media is not only helpful in projecting own policies, thoughts and ideas but is also helpful in exploring new ventures and partnerships.

However, abuses of social media are also rampant. Social media is occasionally used for committing various cyber crimes and cyber contraventions. Although we have no dedicated social media laws in India yet the information technology act, 2000 (IT Act 2000), the cyber law of India, carries some provisions in this regard. These provisions have mandated social media due diligence in India for these platforms.

Further the cyber law of India has also prescribed an Internet intermediary liability in India. According to this liability social media websites in India are required to observe due diligence in order to escape civil and criminal sanctions.

The cyber law due diligence in India has now become well established and companies, social media websites and Internet intermediaries cannot take it lightly. However, this has not restrained the cyber criminals to use social media websites for criminal purposes. Even in many cases these social media websites fail to observe due diligence especially when they have actual knowledge of the offending act. This has resulted in an increased prosecution of social media websites in India.

The prosecution of social media websites in India is going to increase tremendously if they keep on ignoring the cyber law of India. Presently, the cyber crimes investigation in India is not upto the mark and this in many cases result in non prosecution of the offenders. With the growth of e-discovery in India and cyber forensics in India more prosecution of social media websites would be witnessed. E-discovery for social media in India is going to increase as the social networking laws in India are pointing towards this direction.

In short, cyber due diligence for Indian companies is increasingly being enforced and social media websites are no exception to this rule. Social media websites investigation in India is going to increase in future and these platforms must be well prepared to deal with this same.

In their own interest, social media websites must not only meet the cyber due diligence requirements but must also ensure e-discovery compliances so that social media websites investigation can be facilitated and they can defend themselves more appropriately in various court cases and quasi judicial forums.

Tuesday, January 3, 2012

Internet Access Is A Human Right But Is It Useful?

Civil liberties are essential for the sustainable growth of human beings. A country that does not respect civil liberties cannot be a democratic and civilised nation. This is the reason why we have human rights that are protected by United Nations and respective country.

However, civil liberties protections in cyberspace are still ignored for unknown reasons. It may be due to lack of knowledge and expertise regarding cyberspace or because nations do not wish to extend the human rights protection to the same.

Fortunately some good steps in this regard have been taken by international community especially the European Council. The European Council is stressing upon protecting human rights in cyberspace and civil liberties protection in cyberspace. The European Council has also issued a resolution in this regard that deals with prohibition of abuse of state secrecy and national security for violating civil liberties. It has also expressed concerns regarding cyber attacks and political pressures upon cyber dissidents.

The United Nations must also work in the direction of defending human rights in cyberspace. Recently, UN declared that access to Internet is a basic human right. This is a good step in right direction. However, the efforts of United Nations regarding cyber laws and human rights in cyberspace need to be further expedited as they are slow in nature. An international cyber law treaty must be formulated by UN that must address the issues like freedom of speech and expression, Internet censorship, websites blocking, Internet kill switch, access to Internet, etc.

At the national level, India is desperate to control information technology. It has been forcing Internet intermediaries like Google and Facebook to pre screen and censor users contents. Blogs are manipulated in India to suppress critical issues that have been reported by few. The mainstream media is already not covering sensitive and controversial topics and even if some bold bloggers dare to do so they face censorship and penalties by various social media platforms like Google and Facebook. Manual action censorship by Google is very common regarding controversial posts and blogs that disappear instantly. Similarly, blocking of accounts by Facebook is also very common.

If access to Internet has been declared a human right by UN there is no sense in limiting it to mere access. What is the purpose of such Internet access if Internet censorship and websites blocking are deployed by states? If a citizen has access to Internet but her posts are deleted or censored the whole purpose is defeated. It seems UN has failed to consider this aspect of Internet access that has defeated the protection it has extended.

Civil Liberties Protection In Cyberspace

Protection of civil liberties in cyberspace is an area that has been ignored for long. Even international organisations like United Nations have not taken many steps in this crucial direction. This has also resulted in a limited growth of human rights protection in cyberspace in both public international law as well as private international law.

When totalitarian and orwellian states started blocking access to Internet altogether through mechanisms like Internet kill switch (IKS), Internet censorship, websites blocking, blocking of social media websites, etc, United Nations decided to step in. UN declared that access to Internet is basic human right.

Through a UN’s May 2011 report on freedom of expression on the internet, UN reminded parties to the International Covenant on Civil and Political Rights that they must uphold their obligation under Article 19 of that Covenant. Article 19 mandates that any limitation on the right to freedom of expression has to pass a three-part cumulative test that is designed to ensure the limitations are done in the least restrictive way and reflect a clear national security threat. Although existing principles of international law apply online, just as they do offline, yet states are not following this norm in reality.

Thus, this declaration of UN has provided only a very limited standing to individuals and organisations to challenge actions of states that violate civil liberties protection in cyberspace. Further, although this declaration of UN may bring some respite in the regime of public international law yet private international law is still untouched and protected from this declaration.

States are still engaging in endemic e-surveillance activities world over. Even worst is the fact that they are actively enacting laws that goes against the very concept of civil liberties protection in cyberspace. Civil liberties like privacy rights, data security, data protection, speech and expression, etc are at grave risks in such circumstances. Till UN comes up with an international legal framework in this regard that can harmonise laws across the world not much can be expected from individual states.

An international cyber law treaty must be formulated of which the states should become parties and signatories. Civil liberties protection in cyberspace cannot be achieved till rights and obligations of various nations are demarcated in such treaty. Till then nations would keep on indulging in civil liberties violations in cyberspace.

Monday, January 2, 2012

Electronic Legal Due Diligence In India

Legal due diligence in India is not a new concept. Legal due diligence involves assessing the suitability, efficiency and viability of a company or organisation. Legal due diligence may be required to meet statutory and regulatory requirements or it may be necessary when a company wishes to invest in another company.

A contemporary form of legal due diligence, especially for companies and individuals engaged in information and communication technology (ICT) related services, is known as cyber due diligence. Cyber law due diligence in India has become mandatory due to the stringent nature of cyber law of India. In fact, cyber due diligence for companies in India and cyber due diligence for banks in India has already been prescribed. Similarly, cyber security due diligence in India is also becoming a must to have requirement.

Securities and Exchange Board of India (SEBI) is planning to use electronic initial public offer (IPO) in India. Foreign investments in pharmaceutical in India has been liberalised by Reserve Bank of India. Similarly, foreign direct investment (FDI) in India has also been liberalised in many crucial areas. Naturally, lots of investments, IPOs, private equity funds exchange and many more collaborative and cooperative activities would take place in India in the year 2012.

These developments would also make legal due diligence necessary. However, the traditional legal due diligence procedure relies heavily upon paper based documents and transaction. A better option is to engage in electronic legal due diligence in India (e-legal due diligence in India). The e-legal due diligence in India is cost effective, timely and efficient. It also can provide the best possible results for legal due diligence purposes.

Even legal frameworks are in the process of being established to accommodate these contemporary changes. For instance, the electronic delivery of services bill 2011 (EDS Bill 2011) has been proposed by Indian government that would make electronic delivery of services in India an acceptable norm.

Similarly, existing legal frameworks also facilitates digital preservation in India, e-governance, e-commerce, etc that would also require e-legal due diligence in India. The public records keeping framework of India requires keeping of public records that very few organisations in India are doing. Of course, public records keeping framework of RBI is an exception in this regard. Public records are also required to be maintained by the information technology act 2000 and right to information act 2005 of India.

All these requirements of public records keeping and e-legal due diligence in India can be managed by establishing virtual data rooms (VDRs). Many leading companies are already using VDRs to ensure legal due diligence in a smooth and efficient manner. With VDRs thousands of pages of content can be made available in just 24hrs or less. VDRs provide a secure and highly efficient method for sharing critical business information for electronic due diligence in merger and acquisition (M&A) advisory, IPO and secondary offerings, asset purchases, venture capital due diligence, bio tech licensing, commercial and corporate real estate ventures, financial restructuring, preparing for exit strategies, and many other transactions that require large amounts of document sharing.

Further, e-legal due diligence in India would also ensure that electronic discovery (e-discovery) requirements in India are duly met whenever needed. E-discovery services in India would be required in near future in India and e-legal due diligence can greatly facilitate the same. Individuals and companies must start exploring using e-legal due diligence as soon as possible for greater benefits of their own.

Internet Access Is A Fundamental Human Right In Cyberspace

Civil liberties protection in cyberspace has taken a centre stage these days. International community is getting serious in protecting valuable civil liberties that are openly violated by various nations. For instance, the Council of Europe issues a resolution that prohibits abuse of state secrecy and national security for violating civil liberties. Similarly, United Nations has also declared that access to Internet is a basic human right that cannot be taken away by national governments.

A few years back talking about human rights in cyberspace generated skeptic reactions. Things have not changed much even today but at least now we know that human rights can be extended to cyberspace. For instance, blanket e-surveillance, Internet censorship and websites blocking cannot be adopted lest human rights are absolutely ignored. The cyber law trends in India 2011 have shown that India has performed poorly on all these front. In fact, India is acting desperately to control technology.

At Perry4Law Techno Legal Base (PTLB) we have been supporting the efforts that can ensure recognition of human rights in cyberspace at both national and international level. At the national level, India is still not ready and willing to recognise human rights in cyberspace. At the international level, part of human rights in cyberspace has started gaining importance.

For instance, the United Nations (UN) has declared that right to access to Internet is a human right. Similarly, Organisation for Security and Cooperation in Europe (OSCE) has also supported this stand of UN through a recently released report.

The report has analysed the first ever of state regulations on Internet access within the 56-member OSCE. Finland and Estonia have already declared access to Internet as a human right and this is a good step in right direction. PTLB welcomes these reformative actions of Finland and Estonia.

Countries around the world are restricting human rights in cyberspace by citing national security, sovereignty, law and order and many such grounds. While none can doubt that national security is an important function of a sovereign state yet there must be a harmony between national security and human rights.

Giving a blind and absolute primacy to national security even if clearly means violating basic human rights is not a wise approach for a welfare state like India. We hope Indian government would consider empowering Indian netizens by recognising and strengthening their human rights in cyberspace.

Abuse Of State Secrecy And National Security: Obstacles To Parliamentary And Judicial Scrutiny Of Human Rights Violations

The Council of Europe has issued many important and far reaching resolutions and notifications in the year 2011. One such important resolution is titled as abuse of state secrecy and national security: obstacles to parliamentary and judicial scrutiny of human rights violations. This is in addition to the concerns shown by the European Council regarding cyber attacks and political pressures upon cyber dissidents. It seems European Council is stressing upon protecting human rights in cyberspace and civil liberties protection in cyberspace.

This also shows that the international community is getting serious about protection of civil liberties in cyberspace. For instance, the connection between United Nations and human rights in cyberspace is also well known where UN declared that access to Internet is a basic human right. However, the efforts of United Nations regarding cyber laws and human rights in cyberspace need to be further expedited as they are slow in nature.

As far as India is concerned the situation is really alarming. Law enforcement and intelligence agencies of India are practically working with no legal framework. Parliamentary scrutiny of law enforcement and intelligence agencies of India is still missing. Although draft bills for central bureau of investigation (CBI) and intelligence agencies of India were made, they were never considered by Indian parliament. Till now agencies like CBI, research and analysis wing (RAW), etc are working with no constitutionally sound law governing their operations.

Further, numerous e-surveillance oriented projects like Aadhar, national intelligence grid (Natgrid), central monitoring system (CMS), national counter terrorism centre (NCTC), crime and criminals tracking and networks system (CCTNS), etc have been launched without any legal framework and parliamentary scrutiny. Phone tapping in India is also not done in a constitutional manner. E-surveillance in India and Internet censorship in India has also increased a lot. Clearly, parliament has failed to address abuses of state secrecy and national security powers in India.

Even judicial scrutiny of e-surveillance and Internet censorship issues in India is not up to the mark. Fortunately, the Supreme Court of India is dealing with privacy violations through illegal phone tapping in India. While doing so the Supreme Court has observed that with the present state of technology used in India by law enforcement agencies and private individuals, privacy rights of Indians are at grave risk. The Supreme Court also recommended reformation of official secrets act of India keeping in mind the contemporary requirements and environment. This is a good sign but the Supreme Court of India must expedite these matters as they have been pending for long.

Parliamentary oversight and judicial scrutiny are the twin safeguards that can prevent excessive abuse of state secrecy and national security powers in India. Unfortunately, presently both of them are missing and this has resulted in an intelligence mess in India. Further, India is desperate to control technology rather utilising it.

We need dedicated and separate privacy laws, data privacy laws and data protection laws in India to tackle state abuse of its sovereign powers. The sooner these procedural and constitutional safeguards are adopted in India the better it would be for the larger interest of India.