Monday, January 23, 2012

Legal Issues Of Cloud Computing In India

Cloud computing is a process in which essential hardware and software based services are provided by a third party with no requirement to install such hardware and software by the service seeker. In other words, computational powers, hardware upgrades and latest software are provided on rent in an online environment where individuals and organisations can use the same.

Cloud computing is basically a cost saving mechanism where hardware and software costs are saved by using third party hardware and software. However, cloud computing has its own share of troubles especially in countries like India.

For instance, as per the research and studies of Perry4Law and Perry4Law Techno Legal Base (PTLB), cloud computing in India is risky and India is not ready for cloud computing. Now even other companies have endorsed this conclusion and it has been reported that chief information officers (CIOs) in India are not comfortable using cloud computing in India.

So the chief problem that is emerging in India is that cloud computing in India is still not trusted and India is still not ready for cloud computing. We have no cloud computing policy of India.

This is the reason why cloud computing in India is still at the infancy stage. The primary reasons for this situation is absence of legal framework for cloud computing in India, missing privacy laws, absence of data protection laws in India, inadequate data security in India, etc. Even the basic level cloud computing regulations in India are missing.

Even the cloud computing due diligence in India is missing and companies and individuals are using the same in great disregard of the various laws of India. Cloud computing service providers in India are required to follow cyber law due diligence in India. The cyber law due diligence for Indian companies is now well established but cloud computing and e-commerce service providers are not taking it seriously.

In fact, some companies are already facing a criminal trial in India for posting of objectionable contents by third parties on their platforms. Cloud companies are also required to follow the cyber law of India before they establish their businesses in India. This seems to be missing for the time being.

In fact, many legal experts in India have opined that India must not use software as a service (SaaS), cloud computing, m-governance, etc till proper legal frameworks and procedural safeguards are at place. This has also been accepted by the CIOs community and it is now for the Indian government to do the needful.

Huawei And ZTE In Telecom Security Tangle Of India

With the proposal to establish National Telecom Network Security Coordination Board (NTNSCB) of India, the issues of cyber security and telecom security in India have arisen once again. Even the national telecom policy of India 2011 reflects these concerns.

The issues pertaining to telecom security policy in India and telecom equipments security framework in India are not new. The home ministry of India and ministry of information and communication technology have been raising security concerns regarding telecom hardware manufactured by foreign dealers. Concerns regarding possible existence of backdoors in such hardware are frequently raised in India.

There is no mechanism in India through which telecom hardware and software can be analysed for backdoors and malware. Indian government has declared that telecom equipments must be certified by TEC before use in India. A proposal to store call data records has also been given. The norms for import of telecom equipments in India would also be formulated very soon (may be already formulated).

At present, India has two separate policy guidelines for import of telecom gear. Chinese vendors such as Huawei and ZTE follow the July 2010 guidelines while Western telecom equipment manufacturers were given the option of following the policy issued in late 2009, after they refused to operate in India under the July rules.

According to latest news, in an internal report, the security unit of the department of telecommunication (DoT) has raised fresh concerns about Chinese equipment vendors - Huawei and ZTE. The report adds that India must also be on the guard against equipment from the West, including US and Europe. It has been reported that the new security norms had brought all these vendors under a common security framework.

To counter the possible threats from foreign hardware vendors, India is encouraging to develop indigenous hardware manufacturing capabilities. In fact, India has announced to give preferences, including tax cuts, to indigenously manufactured telecoms equipment, despite concerns raised by the United States and the European Union, which had said that such concessions would violate WTO commitments.

There is an urgent need to provide reasonable and sufficient regulatory norms regarding telecom security in India. The sooner they are formulated the better it would be for all the telecom stakeholders in India.

National Telecom Network Security Coordination Board (NTNSCB) Of India

Announcement pertaining to telecom security and cyber security in India have been made from time to time. Even a new national telecom policy of India 2011/2012 has also been suggested by Department of Telecommunication (DoT), India.

DoT has also suggested the creation of the Telecoms Security Council of India (TSCI) that would look into security related aspects of hardware and network equipments. In the past proposals for the establishment of Telecom Security Regulatory Authority of India (TSRAI) were also mooted.

However, till now we have no telecom security policy in India and telecom equipments security framework in India. There is no mechanism in India through which telecom hardware and software can be analysed for backdoors and malware. Now Indian government has declared that telecom equipments must be certified by TEC before use in India. A proposal to store call data records has also been given. The norms for import of telecom equipments in India would also be formulated very soon. Similarly, a telecom security policy of India may also be drafted.

In the past news regarding establishment of various authorities to safeguard telecom security in India have also surfaced. These proposed authorities include Authority for Telecom Security in India, Telecom Security Council of India, etc. Further legal framework to streamline telecom related issues in India have also bee suggested. The National Spectrum Act of India is also in pipeline.

Now as per the latest news, Indian government is planning to form a new body to supervise telecom and cyber security in India. This may be a good step in right direction or just another declaration with no actual implementation, just like the past declarations.

The proposed body plans to oversee telecom and cyber security to avoid overlap between various ministries and intelligence agencies that are currently handling this issue. The proposed body has been given the name National Telecom Network Security Coordination Board (NTNSCB) of India.

It has been proposed to establish the same at Department of Information technology (DIT) and it may be headed by the telecom secretary. The NTNSCB will have representatives from the defence and home ministries, intelligence agencies, IT department, intelligence bureau, National Security Advisor and NTRO, among others reports Economic Times.

In addition to suggesting measures to address network security related issues, NTNSCB will also set up objectives and targets to the various departments and agencies handling telecom and cyber security related issues. The NTNSCB may also facilitate the Central Monitoring system (CMS) Project of India. This is a good step and its implementation is urgently required.

Saturday, January 21, 2012

Legal Actions Against Offending Foreign Websites In India

Websites based in foreign jurisdictions are engaging in various forms of illegal activities that are offences under Indian laws. For instance, they are openly violating intellectual property rights (IPRs) like copyright of Indian nationals. When these foreign websites are contacted to remove the offending contents, they simply ask you to follow foreign law procedures that are neither practical nor effective for an Indian national.

Take another example. A foreign website is openly hosting defamatory remarks as per Indian laws against you. You request the website to remove the same and the same are still not removed.

Another common example is hosting and publication of pornographic and obscene contents upon a platform or website. Even worst is the case when a morphed photograph of a female member of your family is posted on such platform. You contact the website to remove the same but they never listen to you.

Even worst case is the illegal sales of drugs and medicines online without a prescription slip. Many prohibited medicines are sold in countries through websites in clear disregard of local laws.

Another example may be of offering illegal sex determination tests through websites. Many countries of the world prohibit such testing and India is one of them.

These are some of the examples where day to day lives are affected by culpable conducts in an online environment. Many believe that no effective actions can be taken against such foreign websites in India. However, this is not true.

Under the cyber law of India, appropriate legal actions can be taken against such foreign websites if they have sufficient connection or nexus with Indian jurisdiction. Although an international cyber law treaty is required to being uniformity in legal frameworks yet till such time local laws of India and foreign laws can be invoked to get appropriate remedy.

Further, if nothing works, blocking of such offending websites in India can be undertaken. It would be wrong to suggest that such websites cannot be blocked in India by a court order or through an order of department of information technology, India.

India must formulate appropriate laws or regulations to make such offending foreign websites liable under Indian laws. Further, special regulations for their subsidiaries operating in India must be made so that they cannot do more business than as mentioned in such regulations. A sound tax framework for such subsidiaries must be formulated so that there cannot be any case of tax evasion and tax manipulations by such subsidiaries.

Monday, January 16, 2012

Cyber Law Trends Of India 2012

The cyber law trends of India 2011 were provided by Perry4Law and Perry4Law Techno Legal Base (PTLB). This trend covered many techno legal issues that are of tremendous importance to various stakeholders. However, it seems various stakeholders have still not taken issues like cyber law, cyber security, cyber due diligence, e-discovery, social media due diligence, etc seriously.

The year 2012 would be even more challenging for various stakeholders in India and world wide. This is more so for US based companies and websites that are increasingly involved in various conflict of laws issues with India. Some of the issues that may be challenging of various stakeholders in 2012 include legal issues of cyber security, privacy and data protection requirements, cloud computing security and privacy issues, e-surveillance and Internet censorship issues, cyber due diligence requirements, social media due diligence, data privacy laws, online IP violations including copyright violations issues, etc.

The cyber law due diligence in India struck the first blow in the year 2012. Companies like Google, Yahoo, Microsoft, Facebook, etc are already facing criminal prosecution under the cyber law of India and other criminal laws. So serious is the situation that the executives of parent companies of these companies have been summoned to personally appear before Indian court.

Further, online copyright violations by US websites are also testing the effectiveness of US laws vis-à-vis foreign IP rights enforcement. Many websites in US are talking advantage of the conflict of laws and hide behind US laws to escape copyright violation liabilities. In fact, the US copyright office is trying to streamline the Digital Millennium Copyright Act (DMCA) 1998 requirements pertaining to DMCA agents so that safe harbour protection cannot be misused by US based websites.

Perry4Law and PTLB believe that the year 2012 would bring many techno legal challenges in the fields like cyber law, cyber security, e-discovery, cyber law due diligence, online IP enforcements, etc. Further, new fields like e-legal due diligence and technological legal due diligence in India would also assume significance. It would be a good idea to formulate suitable policies in this regard by various stakeholders.

US Companies, India, Conflict Of Laws And Criminal Liabilities

Companies like Google, Microsoft, Yahoo, etc and social media websites like Facebook, etc are currently facing criminal trail in India for not removing objectionable contents from their respective websites.

According to cyber law of India and laws of other jurisdiction, the safe harbour protection of Internet intermediaries is lost the moment they are notified of the offending act or omission. However, till they are notified regarding offending contents, they are not liable for violations committed by their users.

However, US companies are not following Indian laws and they are insisting upon following of US laws even if Indian laws are clearly violated. For instance, websites located in US are openly violating the copyright of Indian websites and when they are contacted in this regard to remove the copyright violating posts they ask Indians to use US laws like Digital Millennium Copyright Act (DMCA) 1998.

Surprisingly, even if these US companies are informed in writing and with relevant information like weblinks of copyright violating posts and copyright subsisting posts, they still insist upon following of DMCA procedure. What is more frustrating is that a majority of these US websites and companies are themselves not following the requirements of DMCA and hence are not entitled to its safe harbour protection.

Even in the case of cyber laws, US companies are applying US standards and are not following Indian standards. This is a classic situation that is occurring due to conflict of laws. This is also the reason why an international cyber law treaty is required to being harmonious application of cyber law principles.

US need to change its policy regarding enforcement of foreign IP rights and cyber laws. By not respecting the laws of other countries, US websites and companies are imposing laws like SOPA and PIPA upon themselves. Further, companies like Google must pay special attention as they are deriving revenue out of online advertisements placed upon such copyright violating posts. This makes them not only a beneficiary but also liable for damages in appropriate cases.

Companies like Microsoft, Yahoo, Google and Facebook are facing prosecution under the Indian cyber law. Further, if we analyse the cyber law trends in India of 2012 and cyber security trends of India 2012, such prosecutions are going to increase further in future. Insisting upon following of US laws to take action against offenders and websites located in US would not serve any purpose if branches or subsidiaries of such companies are located in India. Further, if such websites and companies fail to comply with Indian laws, Indian government can block such foreign websites in India.

The present litigation before Indian courts is just a beginning and US companies and websites must start respecting Indian laws. If cyber crimes are committed with great disregard to Indian laws and the copyright and other IP rights are openly violated by such companies and websites, their prosecution in India is inevitable. Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that such foreign companies and websites must ensure cyber due diligence in India to escape various civil, criminal and financial obligations.

Why Vinay Rai Did Not Contact The Concerned Websites?

Vinay Rai, the person behind criminal complaint against social media websites and companies like Facebook and Google, has become instrumental in testing the internet intermediary law of India. Presently, Google and Facebook are gripped in the Indian cyber law tangle.

To make the matter worst, not only the executives of parent companies have been personally summoned by the trial court but it has also been proved that Google and Facebook are beneficiaries of the revenue arising out of offending contents. This may make even the subsidiary companies of Google and Facebook liable for violation of Indian laws.

It is not the case that these companies have not protested in the past against the provisions of the Indian laws. For instance, Yahoo had filed a petition raising the questions regarding the right to privacy of a company that stores sensitive data of its customers and users and to what extent Indian authorities can coerce it to part with the information considered necessary to either track terror perpetrators or thwart future attacks.

The Google’s outcry for lack of Internet intermediary law in India is another example of growing dissatisfaction towards Indian cyber laws, especially Internet intermediary laws and social media laws of India. But the same has come too late and is too insignificant at this stage.

However, in this entire episode one thing is simply not understandable. Why Vinay Rai did not contact the concerned websites and brought to their knowledge about the offending contents? As per Vinay he did not deem it appropriate to approach foreign companies himself. Rather he thought it fit to invoke the governmental machinery to get appropriate remedy.

Surprisingly, he has been pursuing this matter with the information technology ministry for over a year now. The ministry took no action despite constant reminders and follow ups from his end. It was only two to three months ago that the ministry held an internal meeting on the issue and ordered enquiry.

It seems both Vinay Rai and our IT ministry are guilty of not taking appropriate steps in this regard. Clearly, Vinay Rai did not approach these companies and informed them about the offending contents. Now the only question that remains to be seen is whether the IT ministry has also not contacted these companies in this regard?

If even the IT ministry has not intimated these companies “appropriately”, then this may be as serious lapse on the part of Indian government. In such a situation companies like Google, Facebook, etc cannot be held liable for offensive contents posted by the users. Only time would tell what was communicated and what was not and who is responsible and who is not.

Corruption And Technology Related Due Diligences In India

The recent spate of corruption related disclosures in India has sent a strong message to Indian and foreign companies to ensure that their business are strictly in compliance with Indian and foreign laws. Naturally, companies that have entered into merger and acquisitions (M&A) in the past are now looking forward to ensure that nothing fishy happened during such M & A transactions.

These Indian and foreign companies are worried about the potential legal and tax liabilities arising out of various scams and corporate frauds and they are engaging law firms to do a due diligence analysis on the M&As or foreign direct investments (FDIs) they’ve made in India. Law firms are carrying out legal due diligence exercises to detect any loopholes that could result in liabilities on behalf of their clients to avoid litigation possibilities arising out of deals done in the past.

Some multinational companies are also doing legal due diligence to ensure that the Indian subsidiaries and companies they are about to invest or have already invested in are complying with the foreign laws like Foreign Corrupt Practices Act (FCPA) 1977 of the US and the UK Bribery Act 2010.

Even companies that are now exploring the possibility of M&A are taking precautions before entering into such partnerships. While there is no particular department for dealing with all the aspects of corporate business at a single place (Ministry of Corporate Affairs deals with corporate matters) yet department of information technology (DIT) is the chief department that deals with technology related issues. These include cyber law, cyber security, e-commerce, e-governance, spectrum allocation, telecom licensing, etc.

However, till now companies were not very cautious in their dealings in cyberspace and technology related fields. The information technology act 2000 (IT Act 2000) is the cyber law of India that prescribes various cyber law due diligence in India for areas like e-commerce, e-governance, Internet intermediary liability in India, social media due diligence in India, etc.

However, companies are in controversy these days in India. For instance, doubts have been raised regarding the manner in which Reliance and Airtel blocked websites in India. Similarly, some have even suggested that DIT must investigate the case of blocking of websites in India by Reliance, Airtel and other Internet service providers (ISPs).

Similarly, companies like Google, Facebook, etc are already in cyber law legal tangle in India. Indian government is claiming that these companies failed to comply with Indian laws, including cyber law of India. While the guilt or innocence of these companies is still to be established yet this episode has shown the importance of cyber due diligence for Indian companies.

Cyber crimes at social media websites in India are increasing and these social media platforms cannot ignore the same especially once they are made aware of the same. The social media websites investigation in India is going to increase and more and more e-discovery for social media in India would be conducted. Even cyber law due diligence for banks in India is going to increase.

Another area that requires a special mention is the contemporary practice known as e-legal due diligence in India. This requires domain specific techno legal expertise and a sound knowledge of both technical and legal aspects. It is an advanced and improved form of traditional legal due diligence in India that is done in an offline environment. With companies now shifting their data and information to data centers and virtual data rooms (VDRs), e-legal due diligence in India and abroad would be the norm.

Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that Indian and foreign companies must conduct a thorough corruption and technology related due diligence analysis in India as soon as possible.

Thursday, January 12, 2012

India Must Stress Upon International Cyber Law Treaty

United States (US) has been working in the direction of making laws that are primarily targeted towards foreign websites. This means that foreign websites that are indulging in unethical behaviours like cyber crimes, intellectual property rights (IPRs) violations, etc can be forced to be taken down or blocked in US by US government.

While this is a policy decision of US that has been widely criticised yet very few have raised points regarding violations of IPRs by US companies of foreign nationals. For instance, if an Indian has to inform a US website of copyright violation, he has to essentially follow the provisions of Digital Millennium Copyright Act (DMCA) 1998. In fact, even those US websites that are themselves not following DMCA and are not entitled to “safe harbour” provisions are insisting upon DMCA notices.

Clearly, US policy towards IP violations of foreign nationals needs to be revised. On the contrary laws like Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PIPA) and the "Stop Online Piracy Act (SOPA) has also been proposed. They target foreign nationals and websites with almost no additional liabilities for US websites and citizens. Clearly, US websites and companies are forcing US and other nations to enact laws like SOPA and PIPA by not taking down IPRs violating materials.

If the attitude of US websites and companies is not changed other countries may also consider enacting draconian laws like SOPA and PIPA. In the absence of reciprocal arrangement between US and India, the least India can do to prevent cyber crimes against and IPRs violation of Indian citizens is to block websites that engage in such activities. This is more so for those websites and Internet intermediaries that deliberately ignore compliances of Indian laws.

While laws like SOPA and PIPA are targeting foreign websites including Indian websites yet the foreign websites, including US websites, are not complying with Indian cyber law and copyright law. The Indian Copyright Act, 1957 and Indian Information technology Act, 2000 prescribes various civil, criminal and administrative penalties that are presently not implantable against such foreign websites. India must seriously discuss this issue with US as this also amounts to non compliance of the provisions of Trade-Related Aspects of Intellectual Property Rights Agreement (TRIPS Agreement).

The real problem in this regard seems to be that there is no International cyber law treaty that is universally followed. Different countries have different cyber laws and this result in confusion and non enforcement. Even there is no international cyber security treaty that can be followed globally. International cyber law treaty and Indian role cannot be underestimated in this regard.

India must stress upon formulation of an international cyber law treaty to safeguard the interests of its own citizens as countries like US are doing in the absence of mutual cooperation.

Wednesday, January 11, 2012

Electronic Authentication Policy Of India

Electronic authentication (e-authentication) is a very useful service provided it is safe, secure and reliable. Similarly, e-authentication must also be supported by a sound legal framework that governs its uses and abuses.

We have no e-authentication policy in India. Even we have no legal framework for e-authentication in India. Although some efforts in this regard were made through the Aadhar project of India yet the very constitution and functioning of Aadhar project is unconstitutional. For some strange reasons, the unique identification authority of India (UIDAI), which is managing the Aadhar project, thinks that it is above constitution of India. This attitude of Aadhar and UIDAI has brought it to a stage where it is about to be scrapped.

So as on date we have no legal framework for e-authentication in India, no authority that can deal with e-authentication in India and no policy framework for e-authentication in India that has been implemented at the national level. If this is not enough, we have no encryption usage policy of India that can ensure cyber security of e-authentication in India.

If both cyber security in India and use of encryption in India are missing, the credibility of any e-authentication system is in great doubt. Possibility of data breaches and cyber attacks cannot be ruled out. Securing of critical national infrastructure of India from cyber attacks has still not achieved and introducing an e-authentication system without robust cyber security is not a wise move.

The cyber security trends in India 2011 by Perry4Law Techno Legal Base (PTLB) indicate that cyber security in India is still ignored by various stakeholders. Whether it is banks or strategic computers of Indian government, all of them have proved to be vulnerable to cyber attacks.

E-authentication is also useful for providing mobile banking services in India. Cyber security of Internet banking in India is still poor and e-banking risks in India are abundant. Mobile banking cyber security in India is still to be established before it can be explored in India.

E-authentication cannot succeed in India till we take care of various techno legal policy issues. Without removing various obstacle of e-authentication, using the same in India would create more problem than solutions providing.