Mobile Banking Cyber Security In India

Cyber security in India is facing many challenges and problems. One of the major problems of cyber security in India is that various stakeholders are not at all interested in ensuring cyber security for their respective organisations. However, the worst part of Indian cyber security initiatives is that Indian government is pushing hard initiatives like mobile banking, mobile commerce, etc without effective and robust cyber security capabilities at place.

For instance, although the Reserve Bank of India (RBI) has mandated for strict cyber security requirements for banks of India yet most of the Indian banks have done nothing in this regard. RBI has also insisted upon ensuring of cyber security of banks in India. In fact, recently RBI warned Indian banks for inadequate cyber security as well. This is resulting in increased financial crimes and cyber crimes in India.

The cyber laws and cyber security trends in India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) also proved this point. Even the mobile cyber security in India is missing. In these circumstances, mobile banking in India has become really risky. In fact, mobile banking cyber security in India is almost missing and this has put the customers at grave risks. Mobile banking cyber security is required in India on a priority basis before any mobile banking scheme is launched in India.

Although Internet banking guidelines in India by RBI have been issued yet no such guidelines have been issued by RBI regarding mobile banking so far. Further, it is also not clear who would bear the loss arising out of a banking transaction that is a direct result of a financial or cyber crime. Banks are passing the buck to consumers even when they are at fault by not ensuring sufficient cyber security.

Banks of India are not realising that they are under a legal obligation to ensure cyber law due diligence for their banking transactions. In the absence of cyber law due diligence, it is the responsibility of banks of India to bear any loss arising out of any financial or cyber crime.

Perry4Law and PTLB recommend that banks in India must not only ensure cyber security for their transactions but also adhere to the cyber law due diligence requirements as are mandatory in India. 

Privacy Laws In India And Privacy Rights In India

We have no dedicated statutory or constitutional privacy laws In India. However, the Supreme Court of India has interpreted Article 21 of Indian Constitution as the source of constitutional right to privacy in India. For some strange reasons, privacy rights and laws in India have always been ignored by Indian government. Even the proposed draft right to privacy bill 2011 of India remained another assurance till now.

Similar is the case regarding data protection laws in India. Till now we have no dedicated data protection laws in India. Clearly, data protection laws in India and privacy rights in India are urgently required to be formulated. Indian government must pay urgent attention to privacy rights, privacy laws and data protection laws in India.

The Supreme Court of India in Kharak Singh v. State of U.P. (AIR 1963 SC 1295) recognised the Right to Privacy as an integral part of the Right to Life and Personal Liberty which is a fundamental right guaranteed to every individual.

In the case of R. Rajgopal v. State of Tamil Nadu (1994 (6) SCC 632) the Supreme Court laid down that personal information may not be published without consent whether truthful or otherwise and whether laudatory or critical, unless they are part of public records.

Similarly, Section 21 of the Juvenile Justice Act, 2000 Prohibits the publication of names and other particulars of children which may lead to identification of the child involved in proceedings under the Act.

The cyber law of India incorporated in the Information Technology Act, 2000 (IT Act 2000) provides few provisions regarding data protection and privacy aspects. The Act defines Data as any information, knowledge, facts, concepts or instructions being processed (or intended to be processed) in a computer system or network. The disclosure of personal data is prohibited and there are stringent provisions for protection of sensitive personal data.

The IT Act 2000 was amended by the Information Technology Amendment Act 2008 (IT Act 2008). The IT Act 2008 introduced Section 72A that confers protection against disclosure of personal information in breach of a lawful contract.

Section 72A mandates that if any person or intermediary has become privy to any personal information of another, while providing services under the terms of a lawful contract, any disclosure of such information to a third party, without the consent of the person concerned and with the intention to cause or with knowledge that he is likely to cause wrongful loss or wrongful gain, or in breach of the contract is punishable with upto three years imprisonment or fine upto five lakh rupees or both. The term “intermediary” means a person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record.

Further, section 43A of the IT Act 2000 provides for compensation by way of damages in case a body corporate handling any sensitive personal data or information in a computer resource is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person.

Reasonable security practices and procedures have been defined in the Section as those which are designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment to protect such information from unauthorized access, damage, use, modification, disclosure or impairment.

In April 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were notified. These new rules regulate the collection, disclosure, transfer and storage of sensitive personal data and widen the scope of the regulation provided in Section 43A.

Sensitive personal data is defined under the Rules as information relating to a data subject’s:

(i) Password;

(ii) Financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii) Physical, physiological and mental health condition;
(iv) Sexual orientation;
(v) Medical records and history;
(vi) Biometric information;

(vii) Any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise

Information that is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law in force, is not regarded as sensitive personal data.

With regard to consent the said rules provide that the consent has to be obtained from the provider of sensitive personal data in writing through letter, fax or email regarding purpose of usage before collection of such data. The information is to be collected for a lawful purpose and only where it is necessary to do so.

Privacy related provisions are also incorporated in other Indian statutes as well. These include Indian Telegraph Act, 1885, Indian Contract Act, 1872, Specific Relief Act, 1963, Public Financial Institution Act, 1983, Consumer Protection Act, 1986, Credit Information Companies (Regulations) Act, 2005, etc. We would discuss this issue more in our subsequent posts.

Critical Infrastructure Protection In India

Critical infrastructures like power utilities, transportation, banking systems, stock markets, medical institutions, etc are essential part of our day to day lives. There disruption for even few hours can cause great loss and discomfort. At times this may also result in casualties of human lives.

In these circumstances, critical infrastructure protection in India is needed. To achieve this we need a critical ICT infrastructure protection policy of India that must be formulated and implemented as soon as possible. Although a national critical information infrastructure protection centre (NCIPC) of India has been proposed by India yet no action has been taken in this regard so far.

It is high time that critical infrastructure protection (CIP) and homeland security (HS) in India must be taken seriously and effective steps in this direction must be taken.  The best way to achieve this is to formulate a suitable techno legal cyber security policy of India that must include CIP aspect as well.

Some areas that requires special attention in this regard are cyber security of Indian satellites and critical infrastructure, cyber espionage against India and its challenges, solutions and defences, cyber warfare against India and its defenses, cyber terrorism against India and its defences and solutions, etc.

Cyber security in India and its challenges and problems cannot be effectively managed till we have robust and techno legal cyber security capabilities in India. We need a skilled cyber security workforce in India that can tackle present as well as future cyber security challenges. Cyber security skills development in India must be ensured to meet this objective.

Perry4Law and Perry4Law Techno Legal Base (PTLB) recommend that Indian government must urgently formulate cyber security policy and critical infrastructure protection policy for India.

Importance Of Cyber Forensics For India

Cyber forensics in India is one of the most important fields for effective legal and judicial system of India. Indian Approach towards cyber forensics has been lukewarm so far. It is only now that India has started paying attention to cyber forensics.

There are very few cyber forensics firms and companies operating in India. Cyber forensics is a dynamic field that requires continuous updates and modifications. Thus, cyber forensics companies and firms in India must innovate.

Further, cyber forensics research centers in India must be established to meet the research and development needs of India in the field of cyber forensics. The distance learning courses for computer forensics in India must be encouraged to develop cyber forensics skills in India. The cyber forensic investigation solutions in India are needed to establish cyber forensics procedures and best practices in India.

World over stakeholders are planning to use technology to fight drugs, human trafficking and illicit networks. Cyber forensics can play a crucial role in order to achieve this objective.

Cyber forensics professionals must be aware of the basics of Internet protocol (IP) address system as that is the starting point for all cyber forensics and cyber security related exercises. IP address tracking methods and techniques for e-mails must also be well understood. A special care must be taken of IP address spoofing and its defenses.

There are certain challenges that cyber forensics professionals may face in their day to day affairs. For instance, cyber forensics of hidden Internet is a challenging and daunting task.  Cyber forensics professionals must be well prepared to tackle new and unexplored challenges from cyberspace.

Further, legal and judicial fraternity of India needs scientific knowledge. Police, lawyers and judges must be aware about the basic level knowledge of cyber forensics. Technology laws like cyber law must also be well known to legal and judicial fraternity in India.  While undertaking a trial, the judges in India must realise that IP address should not be the sole criteria for arrest and conviction.

Perry4Law and Perry4Law Techno Legal Base (PTLB) hope that India would consider these aspects and various stakeholders would work collectively in this crucial and much needed direction.

Cyber Crimes Trends In India 2012

Perry4Law and Perry4Law Techno Legal Base (PTLB) have been providing ICT trends in India since 2005-06. The ICT trends in India 2009 and subsequent trends have discussed both the positive and negative aspects of Indian ICT policies and strategies.

We have also been providing cyber law trends in India and cyber security trends in India for long. The cyber law trends of India 2012 and cyber laws and cyber security trends in India 2011 are the latest in this regard.

In this work, Perry4Law and PTLB are discussing the existing and potential cyber crimes trends in India 2012 and onwards. In India cyber crimes are mostly confined to identity thefts, obscene fake profiles at networking sites, threatening e-mails, websites defacement, cracking incidences, etc.

These cases are mostly crimes committed by novice and script kiddies. However, India has been facing growing cases of cyber attacks against its critical infrastructure and strategic computers. Further, the abuse of Hidden Internet is also going to increase in India in future.

Perry4Law and PTLB believe that we need to pay a special attention to critical infrastructure protection in India, homeland security of India, cyber security of India, etc. Similarly, critical ICT infrastructure protection policy of India and cyber security policy of India are also required to be formulated as soon as possible.

We also believe that technology can play a more direct and pro active role to fight against illicit networks, transnational crimes, white collor crimes, etc. Naturally, law enforcement technologies in India must be upgraded and law enforcement official must be imparted techno legal trainings so that they can tackle technology related crimes effectively and efficiently in India.

Modernisation of law enforcement agencies of India is need of the hour. In short, we need cyber police reforms in India where cyber skills of police personnel of India must be urgently developed. Further, cyber forensics skills developments of police in India also need to be taken seriously.

We would provide more detailed cyber crimes trends in India and worldwide subsequently. If you are part of an international organisation, law enforcement agency or any other organisation that is dealing and fighting with cyber crimes, feel free to contact us and have professional relationship with us in this regard.

Use Of Technology To Fight Cross Border, Transnational And White Collor Crimes

Technology has increasingly being used to commit cross border, transnational and white collor crimes. As law enforcement technologies evolved even cyber criminals devised novel and undetectable methods to indulge in their nefarious activities.

Use of Hidden Internet for committing cross border, transnational and white collor crimes has increased a lot. Since the activities are not available and accessible to ordinary search engines and net surfers, the Hidden Internet has become a breeding ground for cyber criminals.

Now it has been proposed to use technology to fight drugs, human trafficking and illicit networks. Technology is also been used to prevent and tackle cyber crimes and cyber attacks. Now even Google and Interpol have decided to use technology to fight these crimes.

We at Perry4Law and PTLB welcome this move of Google and Interpol. We also believe that Hidden Internet would post tremendous challenges before Google and Interpol in their drive against white color crimes and transborder crimes. It would be a good idea to explore methods to take care of crimes originating at Hidden Internet as well.

Natgrid Project Of India: The Do Or Die Stage

The National Intelligence Grid (Natgrid) Project of India is one of the most ambitious Projects of India. It has been passing through rough weathers in the past. The good news is that the Cabinet Committee on Security (CCS) has approved an Rs 1,100-crore allocation for the NATGRID and has also granted an extension to it. The CCS has also allowed NATGRID to acquire certain technological items mentioned in the Detailed Project Report (DPR).

The bad news is that till now we have no Accountability and Transparency about the NATGRID Project. Another major lacuna of NATGRID Project is that it is beyond the reach of Parliamentary Oversight in India. Similar problems are also plaguing the National Counter Terrorism Centre of India.

Recently the Department of Telecommunication (DOT) refused to allow the Home Ministry of India to intercept private communications disregarding individual Privacy under the pretext of National Security. Civil Liberties Issues have been raised from time to time in India vis-à-vis National Security Projects like NATGRID. They cannot be ignored in India any more.

I hope these “Shortcomings” of the NATGRID Project and NCTC would be removed very soon and NATGRID Project and NCTC would be a valuable tool for strengthening National Security of India. I also hope that Indian Government would maintain a “Balance” between National Security and Privacy Protection requirements in India while implementing Projects like NATGRID.

Now coming back to the recent new lease of life that has been given to NATGRID by CCS. The funds granted to NATGRID would be utilised for procuring equipment, technology and for building a data centre. We need to have High Security Infrastructure and Secured Communication Lines, opined NATGRID Chief Raghu Raman.

I also believe that this “Technological Upgradation” is a must for NATGRID Project to successfully complete the next stage. However, this is not an easy task especially keeping in mind the Red Tape that is hindering the successful implementation of NATGRID Project of India.

Law Enforcement Technologies In India

Law enforcement plays a crucial role in maintaining law and order situation in a region. In India, the law enforcement responsibility is managed by numerous law enforcement agencies. Indian Constitution has demarcated law enforcement subject as a matter of State List. This means that a majority of law enforcement functions in various States are performed by respective State.

There are some functions that are closely related to law enforcement responsibilities and that require a unified approach. To take care of such issues, the Union Ministry of Home Affairs acts in a centralised manner.

The Union Home Ministry of India has prescribed many intelligence and law enforcement related projects that rely upon information and communication technology (ICT). These include projects like national intelligence grid (Natgrid), crime and criminal tracking network and systems (CCTNS), national counter terrorism centre (NCTC), etc.

Besides, projects like central monitoring system, centre for communication security research and monitoring (CCSRM), Aadhar/UID, national cyber coordination centre (NCCC) of India, national critical information infrastructure protection centre (NCIPC) of India, etc are also in pipeline.

All these efforts are praiseworthy and deserve public support. However, all of these projects are suffering from a common constitutional problem. None of these projects are governed by any constitutionally sound legal framework. These projects must maintain a balance between civil liberties and national security requirements. This balance is presently missing and these projects are operating with great disregard to constitutional rights and freedoms and human rights.

Similarly, we have no constitutionally sound legal framework for law enforcement and intelligence agencies of India. Parliamentary oversight of intelligence and law enforcement agencies of India is missing. After all intelligence gathering is not above right to privacy in all circumstances.

Take the example of the central bureau of investigation (CBI) and intelligence agencies like intelligence bureau (IB) of India. The Indian government is not willing to bring transparency and accountability regarding law enforcement and intelligence agencies of India.

The recent private bill titled intelligence services (powers and regulation) bill, 2011 was shelved out by none other than the Indian Prime Minister Dr. Manmohan Singh who announced that law on intelligence agencies would be formulated soon. However, it proved nothing but a “time gaining tactics” and so far intelligence agencies of India are not governed by any legal framework and parliamentary oversight. Interestingly, even the central bureau of investigation (CBI) is riding the same boat. The draft central bureau of investigation act, 2010 is another example where the Indian government is just interested in making “declaration” with no actual “intention” to implement the same. It is high time to show political will to tackle these crucial and controversial issues as they cannot be ignored any more.

In our subsequent posts, we would cover the techno legal aspects of intelligence and law enforcement agencies of India.

Lawful Interception In India Missing

Lawful interception of Internet, mobile and other technology related communications is a big challenge for Indian government. Indian government is trying to do the same that can best serve its interests. However, in its zest to ensure technology communication interceptions in India, Indian government is landing up in doing “unlawful interceptions”.

The lawful interception law is needed in India and the same is still missing despite contrary governmental claims. Till now, phone tapping in India is not constitutionally performed. The truth is that big brother in India is violating Indian constitution and even courts are silent on this aspect.

Indian government has been taking many steps that are strengthening its e-surveillance and censorship capabilities without meeting the constitutional requirements. For instance, the central monitoring system project of India,  national cyber coordination centre (NCCC) of India, national intelligence grid (Natgrid), national counter terrorism centre (NCTC) of India, Aadhar project of India, etc are all proposed without any legal framework supervising and justifying their functioning.

On the one hand the home ministry is mulling lawful interception law of India and on the other hand it has forced Blackberry messenger service to be an e- surveillance tool in India.  Telenor’s security clearance was blocked by home ministry recently and even the FIPB rejected Telenor’s joint venture proposal as pre mature. 

Civil liberties in India and technological revolution are considered mutually exhaustive in India. Initiatives like surveillance of Internet traffic in India are executed without any procedural safeguards and constitutional rights. E-surveillance in India is presently done with virtually no legal framework. Whatever rules that have been framed in this regard by Indian government, they are clearly violating the constitutional freedoms and rights.

As a matter of fact, civil liberties protection in cyberspace in India have been totally ignored and false claims of national security are raised to suppress civil liberties in India. ICT policies and strategies of India are grossly defective and clearly violating human rights in cyberspace. In fact, there is a dedicated resource titled websites, blogs and news censorship by Google and Indian government that is making a database of various censorship and results manipulation activities in India.

Indian government must ensure civil liberties protection in Indian cyberspace as that is its constitutional as well as human right obligation. Further, parliamentary oversight of intelligence agencies of India is needed. Till now there is no parliamentary scrutiny of the intelligence agencies in India. The sooner these initiatives would be taken the better it would be for the larger interest of India.

US India Cyber Security Relationship Needs Rejuvenation

International community is taking cyber security very seriously. Even NATO had requested cyber security cooperation from India. Indian cyber security and international cooperation must be rejuvenated in the context of contemporary developments. Keeping this is mind, the Indo US cyber security relationship needs improvements.  

United States is presently engaged in serious cyber security initiatives at national and international levels. At the national level, the Cyber Intelligence Sharing and Protection Act (CISPA) has been proposed to be enacted. It is claimed that CISPA would boost the cyber security capabilities of US.

However, the US White House has issued a dissenting Statement of Administration Policy on Cyber Intelligence Sharing and Protection Act (CISPA). After reading various media reports and dissenting opinion, one may ponder whether CISPA really a remedy or a bad idea.

Meanwhile, India has its own share of problems. Unable to deal with the technology and foreign technology companies, Facebook, Google, etc may be forced to install servers in India. Even the foreign direct investment (FDI) issues have also been impacted by the national security concerns. FDI in telecom sector of India may be modified by the national security requirements of India.

In the recent past, the India US cyber security cooperation agreement was signed. It was a part of broader India US homeland security dialogue to boost counter terrorism and cyber security capabilities. Similarly, US has already made clear its international strategy for cyberspace. Even the White House is mulling federal cyber security law.

However, international organisations must play a more direct and pro active role to fight cyber crimes. This is more so when we have no universally acceptable international cyber law treaty and international cyber security treaty. This is resulting in conflict of laws in cyberspace and India is getting impatient in this regard.

If US India cyber security cooperation has to be successful, both India and US must sort out many crucial differences. The sooner it is done the better it would be for the interests of both countries.