Tuesday, February 8, 2011

Draft Electronic Delivery Of Services Bill 2011

By
Praveen Dalal

The Draft Electronic Delivery of Services Bill 2011 (EDS Bill 2011) is a recent legislative exercise by the Central Government of India. The EDS Bill 2011 intends to provide delivery of Government services to all citizens by electronic means by phasing out of manual delivery of services delivered by the Government including matters connected therewith or incidental thereto.

It applies to whole of India and save as provided in this Bill, it applies to any contravention or offence thereunder committed outside India by any person. The Bill, if passed, would become an applicable law in India the moment Central Government notifies it in Official Gazette.

The EDS Bill 2011 defines “Electronic Delivery of Services” as the delivery of public services in the form of receipt of forms and applications, issue or grant of any license, permit, certificate, sanction or approval and the receipt or payment of money by electronic means by following the procedure specified hereunder.

The EDS Bill 2011 provides that where any law provides for –

(a) the delivery of services in the form of receipt of forms, application or any other document by any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;

(b) the delivery of any licence, permit, sanction or approval by whatever name called in a particular manner;

(c) the receipt or payment of money in a particular manner,

then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such delivery of services, receipt or payment, as the case may be, is effected by means of such electronic mode as may be prescribed by the appropriate Government.

Every office, authority, body or agency owned or controlled by the appropriate Government for electronic delivery of service shall within one hundred and eighty days from the enactment of this EDS Bill 2011 –

(a) identify the service or type of service;

(b) plan the manner and format of such service or type of service;

(c) provide a cut-off date, wherever possible, for rendering any such service or type of service;

(d) prescribe the manner or procedure which facilitates such service or type of service;

(e) devise processes and procedures to ensure adequate integrity, security and confidentiality of information or data thus collected, preserved and retained; and

(f) create appropriate framework which is necessary to give legal effect to such service or type of service.

The appropriate Government may, for above mentioned purposes, shall prescribe for all its agencies etc a framework for –

(a) computerisation of records,

(b) web presence or enablement;

(c) use of shared technology infrastructure; and

(d) electronic authentication.

Notwithstanding anything contained in any other law for the time being in force, subject to provisions of this Bill, all citizens shall have the right to electronic delivery of services. The appropriate Government for this purpose has to provide electronic delivery of services as per prescribed manner and format.

Central Commissioner and State Commissioners would be appointed to manage electronic delivery of services. The obligation and accountability to implement the provisions of this Bill rests with the appropriate Government. EDS Bill 2011 also provides punishment for various offences and contraventions.

This includes punishment for impersonation, unauthorised access, cyber contraventions, cyber crimes, etc with imprisonment for a term which may extend to three years and with fine. The residuary penalty take cares of other contraventions and offences with a punishable with imprisonment for a term which may extend to three years or with a fine which may extend to twenty-five thousand rupees or both. Offences by companies are also covered by the EDS Bill 2011.

The EDS Bill 2011 also applies to offence or contravention committed outside India as well. Further, no officer below the rank of Inspector can investigate any contravention or offence under the EDS Bill 2011. The penalty imposed under the EDS Bill 2011 would be additional to any penalty imposable under any other law for the time being in force.

No court shall take cognisance of any offence punishable under the EDS Bill 2011, except upon a complaint made by the Central Commissioner or State Commissioner or any officer or person authorised by it. Further, no court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate shall try any offence punishable under the EDS Bill 2011. The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

Every notification or rule made by the Central Government shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that notification or rule.

The Central Commissioner also has power to make regulations under the EDS Bill 2011 subject to certain conditions. Even State governments are entitled to make rules under the EDS Bill 2011 subject to certain conditions.

Sunday, January 30, 2011

Internet Kill Switch Is A Misnomer

Of late lots of people are using the term “Internet Kill Switch”. But is it possible to kill Internet altogether or is it possible to completely turn off Internet in a big country that is highly dependent upon computers and Internet?

While Egypt has proved that a complete shut off of a national portion of Internet is possible but this does not mean that a single country, even United States of America, can shut off the entire Internet. So Internet kill switch seems to be a “Misnomer” to me. No body has a complete and centralised control over Internet at the International level.

If it is a simple case of restriction of access to certain sites, use of proxy server can circumvent the same. But when there is no Internet at all, proxies cannot work and online communication comes to a halt.

So how does a regional or national Internet segment is shut off? The technical requirements to shut off a portion of Internet are not complicated at all. All the authority in control need to do is to make a simple change to the instructions for the companies' networking equipment. The router configuration file is changed by this command and upon executing the command, the relevant portion of Internet is shut down.

But is it possible to shut down Internet absolutely even within a small area or country? I do not think so. We can cut off almost all International connectivity, but there are lots of ways to get out onto the Internet: satellite phones, obscure ISPs in Canada and Mexico, long-distance phone calls to Asia, says Bruce Schneier.

Even in Egypt people have turned to landline phones, fax machines and ham radio in order to communicate messages out of the country. Similarly, people can call a number to reach a modem available in another country which directs them with access to the outside world. In fact, satellite modems and phones are entering Egypt in order to bypass Government controlled telecommunication companies to connect with the United States or Europe.

Meanwhile, USA has decided to enact a law that empowers the President of America to use Internet kill switch. However, the bigger question remains whether USA can actually use this kill switch with thousands of internet service providers (ISPs). Egypt was able to shut down the internet because there were very few ISPs that are closely regulated by the Government. The same is not possible for USA even for commercial, technical, Constitutional and Other Reasons.

As a matter of fact, even if all the countries of the World decide to shut off the Internet, people would form their own Internet and communicate through the same. Instead of wasting resources upon initiatives like kill switch, countries must concentrate more upon securing critical infrastructure and sound cyber security and this applies to India as well.

Wednesday, November 24, 2010

India Is Blind Towards Cyber Law, Cyber Security And Cyber Forensics

Information Technology Act 2000 (IT Act 2000) of India deals with E-governance, E-commerce, Cyber Contraventions and Cyber Crimes. However, it is a poorly drafted law and badly implemented legislation. It is weak and ineffective in dealing with growing Cyber Crimes in India as it is the most “Soft and Cyber Criminal Friendly Legislation” of the World.

Indian Cyber Law is the exclusive cyber law that has made cyber crimes “Bailable”. This means that if a person commits the offence of Cracking, he must be released on bail as a “Matter of Right”.

Department of Information Technology (DIT) India is the main department that was responsible for the enactment of IT Act 2000. However, its upgradation and amendment is the responsibility of Ministry of Law. Law Minister Veerappa Moily has not played a pro active role in the use of Information Technology for Legal and Judicial purposes.

Whether it is E-courts, Online Dispute Resolution (ODR), Cyber Law or Cyber Forensics, Law Minister has not paid enough attention to incorporate the same in Legal and Judicial System of India.

Similarly, the Home Ministry of India is also responsible for some of the aspects of Legal System of India. For instance Home Minister P. Chidambaram has not paid any attention towards Cyber Security and Cyber Forensics. The same is not only relevant for the Legal System of India but also for the National Security of India. Issues like Cyber War and Cyber Terrorism have also skipped the attention of Home Minister.

Instead of improving the situation, DIT India, Law Ministry and Home Ministry are stressing too much upon E-surveillance and illegal snooping powers that have no “Procedural Safeguards and Guidelines” under the IT Act 2000.

With so many Government Departments responsible for various aspects of Cyber Law, Cyber Security and Cyber Forensics, India is heading nowhere. It would be better if a “Single Department” is entrusted with the responsibilities of Cyber Law, Cyber Security and Cyber Forensics so that India can have “Guided and Committed” actions in these crucial directions.

Sunday, July 11, 2010

Reverse Engineer Malware Through REMnux

Dennis Fisher has written a story on a tool known as REMnux. According to the story malware reverse engineering expert Lenny Zeltser has released a stripped-down Ubuntu distribution in the form of REMnux so that malware can be analysed by reverse engineering process. The tool carries many popular malware-analysis, network monitoring and memory forensics tools for analysing the malware and reaching to the malicious code.

The traditional approach of malware analysis is limited in nature and unless we engage in memory analysis many crucial details would go unreported. It is claimed that REMnux is designed to remove this limitation. It can be booted via several VMware products, or through X-Windows.

REMNux has three separate tools for analysing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analysing malicious PDFs, including Didier Stevens' analysis tools.

REMNux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder.

In addition to the JavaScript and Adobe analysis tools, Zeltser also included a small Web server, and IRC server and a pseudo-DNS server. He also included Honeyd, the virtual honeypot server. There also is a customised shellcode analyser that will take malicious shellcode, create a Windows executable from it and then run it so you can observe its behavior.

In short, REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. It is also useful for analysing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tool for analysing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics.

At the moment, REMnux is only available as a virtual machine. Nothing is better than converting it into an ISO image of a Live CD/DVD. We will wait for its ISO version.

Monday, June 28, 2010

Law Enforcement Intelligence In India

Law enforcement intelligence is an area largely unexplored in India. Till not the law enforcement agencies of India are predominantly relying upon traditional methods of intelligence gathering and investigations. There is no doubt that these traditional methods would always remain useful; and nothing can substitute them. However, information and communication technology (ICT) can further strengthen these traditional methods and can fine tune them to achieve greater results.

Although many ambitious projects have been proposed in India regarding use of ICT for law enforcement purposes, yet they have to take a good start in order to bring them into mainstream. There are many blockages that are hindering their actual use and implementation. The biggest obstacle seems to be lack of safeguards to prevent abuse of civil liberties of Indians.

India has neither a dedicated privacy law nor any data protection legislation. Even the basic legal framework for law enforcement machinery is missing and India is managing it through colonial and outdates laws that date backs even before the Constitution of India came into force.

In this background, we have to plan the launch and implementation of Crime and Criminal Tracking Network and Systems (CCTNS) Project of India (CCTNS Project). Presently, the CCTNS Project of India has not been properly planned and implemented.

At Perry4Law Techno-Legal Base (PTLB) we are in the process of developing a techno-legal strategy that can accommodate both technological as well as legal mandates. On the technology side, we are building a software database that has almost all the necessary software and utilities necessary for the successful implementation of the CCTNS project and similar projects.

On the legal side we have already suggested a 10 point legal framework for law enforcement and intelligence agencies of India. We are in the process of detailed analysis of these points as well as incorporating new and contemporary ideas and suggestion in the same.

The law enforcement intelligence in India cannot succeed till it is techno-legal in nature. The real problem is that the police is not much aware about the technological issues. Similarly, the technology providers are not aware about the police work. So we have to make partial and piece meal efforts to make a larger picture.

At PTLB we are trying to provide both technological as well as legal solutions at a single place. This would avoid unnecessary wastage of time, energy and money as the most effective solution can be proceeded with immediately. Any person, institution, agency, organisation, etc wishing to work in association with us, may contact us with his/its proposal and we would be happy to extend out techno-legal expertise for the same.

Friday, June 25, 2010

Crime And Criminal Tracking Network and Systems (CCTNS) Project Of India

Crime and Criminal Tracking Network and Systems (CCTNS) Project Of India (CCTNS Project) is a very ambitious project of Indian government. It is the most comprehensive modernisation and reformative initiative of government of India to streamline law enforcement in India till date. The project is in its initial stage and it may face both technical as well as legal challenges and civil liberties issues.

CCTNS is a plan scheme conceived in the light of experience of a non-plan scheme namely - Common Integrated Police Application (CIPA). CCTNS is a Mission Mode Project under the National e-Governance Pan of Govt of India. CCTNS aims at creating a comprehensive and integrated system for enhancing the efficiency and effectiveness of policing through adopting of principle of e-Governance and creation of a nationwide networking infrastructure for evolution of IT-enabled-state-of-the-art tracking system around 'Investigation of crime and detection of criminals'.

The objectives of the Scheme can broadly be listed as follows:

1. Make the Police functioning citizen friendly and more transparent by automating the functioning of Police Stations.

2. Improve delivery of citizen-centric services through effective usage of ICT.

3. Provide the Investigating Officers of the Civil Police with tools, technology and information to facilitate investigation of crime and detection of criminals.

4. Improve Police functioning in various other areas such as Law and Order, Traffic Management etc.

5. Facilitate Interaction and sharing of Information among Police Stations, Districts, State/UT headquarters and other Police Agencies.

6. Assist senior Police Officers in better management of Police Force.

7. Keep track of the progress of Cases, including in Courts

8. Reduce manual and redundant Records keeping

Under the CCTNS Project, approx. 14,000 Police Stations throughout the country has been proposed to be automated.

The modernisation of police force in India cannot be successfully achieved till India acquires a techno-legal expertise. However, at least a good beginning has been made by Indian government and it would go a long way in modernisation of law enforcement in India. The government must, however, enact a suitable legal framework that can protect civil liberties of Indians from excessive police acts.

Law Enforcement In India Needs Techno-Legal Solutions

Modernisation of police force and establishing the supporting infrastructure for better policing and quicker responses to crimes, cyber crimes and national crises like terror attacks requires a techno-legal approach. Neither technology nor legal framework alone is sufficient to tackle these issues. However, absence of either law or technology would also fail any initiative that intends to modernise law enforcement in India. Take the example of National Intelligence Grid (NATGRID) that has been stalled due to absence of adequate safeguards and legal framework. None can doubt about the utility of NATGRID still it is in doldrums as it is not a techno-legal initiative but merely a technological initiative. This shows the importance of a techno-legal solution.

Perry4Law Techno-Legal Base (PTLB) is the premier, rather exclusive, institution of India that is providing techno-legal solutions for law enforcement and intelligence agencies of India. It is also providing techno-legal solutions for protecting national security of India. Some of the areas that it covers include cyber security, cyber terrorism, cyber forensics, cyber law, telecom security issues, etc.

Since any technological measure used for law enforcement and intelligence agencies purposes essentially involves civil liberties violations potential, we have also launched a Human Rights Centre of India (HRPCI). The Centre serves a “dual purpose”. On the one hand it provides techno-legal solutions to nations and organisations regarding cyber security threats, cyber terrorism, threats to the critical ICT infrastructure, cyber war, cyber espionage, crisis management plan, etc. On the other hand, it keeps a close watch over human rights violations by an overzealous and over cautious e-police State. In short, we provide techno-legal solutions that are not only technically sound but also constitutionally and legally valid.

At PTLB we believe that we cannot superimpose foreign models to Indian conditions. We have to “localise” our solutions so that they may suit Indian requirements. That is why we endorse a techno-legal training of police force as per Indian requirements. To meet this objective we have a techno-legal training centre for police forces of India at place.

Presently, PTLB is preparing a techno-legal strategy for modernisation of police force in India and world wide. Its world renowned techno-legal expertise would cater the law enforcement, legal and judicial and technological needs of crime fighting in India. We hope our initiative would prove useful for all concerned.

Saturday, June 12, 2010

Use Of ICT For Legal And Judicial Reforms In India

By
Praveen Dalal

The Bar Council of India (BCI) and Law Minister Mr. Veerappa Moily are all set to bring legal and judicial reforms in India. Although the steps taken by both BCI and Moily are great yet they are clearly shying away from use of information and communication technology (ICT) for legal and judicial purposes.

The BCI failed to provide an online platform where legal education and exams can be conducted. Similarly, Moily failed to bring even a single e-court in India. After almost seven years of deliberation, e-courts project of India seems to have been scrapped. Realising that both online legal education and e-courts require expertise (especially the e-court) it would be prudent to expect one more year before any action is taken by BCI and Moily in this regard.

Meanwhile, both BCI and Moily must concentrate upon another crucial project that is relevant for both Bar and Bench. It pertains to use of online dispute resolution (ODR) for legal and judicial purposes. Even the alternative dispute resolution (ADR) regime in India needs an upgradation as it has failed to provide the desired results. Since the arbitration law of India is in the process of reformulation, it is high time for Moily to incorporate necessary provisions regarding ODR in it as well. Even suitable provisions regarding e-courts can be incorporated in the same.

Techno-Legal expertise and assistance of Perry4Law Techno Legal Base (PTLB) can be taken in this regard as it is managing all the above mentioned areas of legal and judicial reforms.

PTLB is managing an online platform that caters the techno-legal training, education, coaching and skill development requirements regarding bar examinations in India, Indian legal services exams, training of lawyers in India, cyber law courses, cyber law trainings for lawyers and judges, etc. The main purpose of this platform is not to provide empty academic education but to develop skill of lawyers, judges, professionals, law students, etc.

PTLB is also managing e-courts training and consultancy centre of India. This is the exclusive centre in the World that provides valuable training and consultancy regarding e-courts, digital evidencing, cyber law training to judges, ODR, etc. This is one of the most important projects that can bring long term and robust legal and judicial reforms in India. Both BCI and Moily must consider replicating this model as soon as possible.

PTLB is also managing the exclusive techno-legal ODR Center of the World. It manages both technical as well as legal issues of dispute resolution. This can be a valuable addition in the legal and judicial reforms arsenal of BCI and Moily.

Above all PTLB is willing to replicate and establish these models for BCI and Law Ministry if they deem it necessary for India.

Thursday, June 10, 2010

India Should Not Use SaaS For Crucial Governmental Functions

Software as a Service (SaaS) is in media reports for long. SaaS is a web-based version of proprietary software that performs computing on its servers on behalf of the client. Cloud computing is one of the most famous forms of SaaS. It is projected as a panacea for many infrastructure related problems and cost saving. While cloud computing has considerable cost benefits but it has drawbacks as well.

Richard Stallman, the founder of Free Software Foundation, says that on the Internet, proprietary software isn't the only way to lose your freedom. SaaS is another way to let someone else has power over your computing. He totally rejects the idea of cloud computing and opines that the real meaning of “cloud computing” is to suggest a devil-may-care approach towards your computing. It says, “Don't ask questions, just trust every business without hesitation. Don't worry about who controls your computing or who holds your data. Don't check for a hook hidden inside our service before you swallow it.” In other words, cloud computing means think like a moron.

There are many security and regulatory factors that must be complied with by SaaS and cloud computing before their deployment in India. Out of these I would presently like to stress upon three aspects alone. These are Security and Privacy, Compliance, and Legal or Contractual Issues.

As far as Security and Privacy is concerned, India has a very weak cyber security and no dedicated privacy law. Even there is no dedicated data protection law in India. The data of end users and governmental agencies is not safe in the absence of these essential regulations that the government of India is willingly not interested in enacting.

As far as Compliance aspect is concerned, that is an alien concept in India. For instance, the Aadhar project of India/UID project, National Intelligence Grid (NATGRID) project of India, etc all are running in India even in the absence of any legislation ensuring proper safeguards. When there is no legislation even for the most basic projects like Aadhar and Natgrid, there is no question of compliance in India. Outsourcers and foreign clients, keep this in mind while sending your crucial details and data to India.

Finally, the Legal and Contractual issues also cannot provide much protection against illegal and negligent data sharing and data thefts in India. The sole cyber law of India is enacted in the form of Information Technology Act, 2000 (IT Act 2000). Cyber crimes like cracking, data theft, privacy violation, etc are all bailable leaving much room for commission of these crimes.

India should not use SaaS and Cloud Computing for governmental purposes in the absence of strong cyber law and cyber security. As Stallman says, in the meantime, if a company invites you to use its server to do your own computing tasks, don't yield; don't use SaaS. Use a real computer and keep your data there. Do your work with your own copy of a free program, for your freedom's sake.

Saturday, June 5, 2010

The Extra Steps That TOR Users Must Take

By
Praveen Dalal

The “Decloaking Engine” invented by HD Moore was one of the most effective ways of showing how exit nodes of TOR system can sniff the unencrypted, plain text and insecure information and data passing through it. A malicious or e-surveillance capable exit node is the weakest link of the privacy and security chain of a TOR user. However, the problem is not with the TOR’s system as this is the way TOR works. The real problem lies with the end user’s perception regarding TOR’s use in general and anonymity and privacy in particular.

There are various media reports that suggest that Wikileaks acquired its whistle blowing ammunition by sniffing or intercepting the traffic flowing through TOR networks. Whether this is true or not is not the real question here. The real question is what TOR is actually offering to the end users?

Interestingly, TOR is very clearly and openly explaining the scope of anonymity and privacy offered by it to the end users. Actually TOR is great for anonymity but average at privacy protection and poor at data security. This is because although the entry node encrypts the data and forwards it to the next node, the exit node sees it in clear text and unencrypted form. This means that although the ultimate site that you wish to access would see the IP address of the exit node and not your original IP address yet the exit node itself is very sure about the data you are sending to the website.

Think about a malicious exit node as a man-in-the middle attacker (MITM).that can sniff your traffic that you are sending to the ultimate website. It may include confidential information like bank accounts, passwords, governmental secret documents, etc. All of these travel in a plain text form and can be sniffed easily by the exit node. To some extent a malicious exit node is also a form of “Extended MITM” attack as the normal MITM attack occurs either at the local network or local wireless network/access point. But in case of MITM attack occurring at the exit node of TOR system, this is happening at a place far beyond your network(s) and jurisdiction. This scary fact must be kept in mind while sending unencrypted and unprotected data across TOR network.

The real problem is that an averageTOR user cannot differentiate between a trusted and untrusted exit node. This differentiation is not within his direct control. But he has something great that can reduce his risks of exit node attacks. The TOR users must use great services like OpenSSH or PuTTY while sending confidential information. They may also use their own preferred end to end encryption software and systems but the main idea remains the same. TOR provides the anonymity and a secured connection provides additional privacy and security.

Using Firefox after disabling Add-ons, Active X Controls, Java Scripts, Cookies, etc can also bring additional anonymity and privacy. If you need all these functionalities, you can use two different browsers with different setting i.e. Firefox for TOR and other browser for your other tasks. These steps may not make you absolutely anonymous but would definitely solve the problem of malicious exit nodes sniffing to a great extent.