Monday, January 23, 2012

Huawei And ZTE In Telecom Security Tangle Of India

With the proposal to establish National Telecom Network Security Coordination Board (NTNSCB) of India, the issues of cyber security and telecom security in India have arisen once again. Even the national telecom policy of India 2011 reflects these concerns.

The issues pertaining to telecom security policy in India and telecom equipments security framework in India are not new. The home ministry of India and ministry of information and communication technology have been raising security concerns regarding telecom hardware manufactured by foreign dealers. Concerns regarding possible existence of backdoors in such hardware are frequently raised in India.

There is no mechanism in India through which telecom hardware and software can be analysed for backdoors and malware. Indian government has declared that telecom equipments must be certified by TEC before use in India. A proposal to store call data records has also been given. The norms for import of telecom equipments in India would also be formulated very soon (may be already formulated).

At present, India has two separate policy guidelines for import of telecom gear. Chinese vendors such as Huawei and ZTE follow the July 2010 guidelines while Western telecom equipment manufacturers were given the option of following the policy issued in late 2009, after they refused to operate in India under the July rules.

According to latest news, in an internal report, the security unit of the department of telecommunication (DoT) has raised fresh concerns about Chinese equipment vendors - Huawei and ZTE. The report adds that India must also be on the guard against equipment from the West, including US and Europe. It has been reported that the new security norms had brought all these vendors under a common security framework.

To counter the possible threats from foreign hardware vendors, India is encouraging the development of indigenous hardware manufacturing capabilities. In fact, India has announced that it will give preferences, including tax cuts, to indigenously manufactured telecoms equipment, despite concerns raised by the United States and the European Union, which had said that such concessions would violate WTO commitments.

There is an urgent need to provide reasonable and sufficient regulatory norms regarding telecom security in India. The sooner they are formulated the better it would be for all the telecom stakeholders in India.

National Telecom Network Security Coordination Board (NTNSCB) Of India

Announcements pertaining to telecom security and cyber security in India have been made from time to time. A new national telecom policy of India 2011/2012 has also been suggested by the Department of Telecommunication (DoT), India.

DoT has also suggested the creation of the Telecoms Security Council of India (TSCI) that would look into security related aspects of hardware and network equipments. In the past proposals for the establishment of Telecom Security Regulatory Authority of India (TSRAI) were also mooted.

However, till now we have no telecom security policy in India and telecom equipments security framework in India. There is no mechanism in India through which telecom hardware and software can be analysed for backdoors and malware. Now Indian government has declared that telecom equipments must be certified by TEC before use in India. A proposal to store call data records has also been given. The norms for import of telecom equipments in India would also be formulated very soon. Similarly, a telecom security policy of India may also be drafted.

In the past, news regarding the establishment of various authorities to safeguard telecom security in India has also surfaced. These proposed authorities include Authority for Telecom Security in India, Telecom Security Council of India, etc. Further, legal frameworks to streamline telecom related issues in India have also been suggested. The National Spectrum Act of India is also in the pipeline.

Now as per the latest news, Indian government is planning to form a new body to supervise telecom and cyber security in India. This may be a good step in right direction or just another declaration with no actual implementation, just like the past declarations.

The proposed body plans to oversee telecom and cyber security to avoid overlap between various ministries and intelligence agencies that are currently handling this issue. The proposed body has been given the name National Telecom Network Security Coordination Board (NTNSCB) of India.

It has been proposed to establish the same at the Department of Information Technology (DIT) and it may be headed by the telecom secretary. The NTNSCB will have representatives from the defence and home ministries, intelligence agencies, IT department, intelligence bureau, National Security Advisor and NTRO, among others, reports Economic Times.

In addition to suggesting measures to address network security related issues, NTNSCB will also set up objectives and targets to the various departments and agencies handling telecom and cyber security related issues. The NTNSCB may also facilitate the Central Monitoring system (CMS) Project of India. This is a good step and its implementation is urgently required.

Saturday, January 21, 2012

Legal Actions Against Offending Foreign Websites In India

Websites based in foreign jurisdictions are engaging in various forms of illegal activities that are offences under Indian laws. For instance, they are openly violating intellectual property rights (IPRs) like copyright of Indian nationals. When these foreign websites are contacted to remove the offending contents, they simply ask you to follow foreign law procedures that are neither practical nor effective for an Indian national.

Take another example. A foreign website is openly hosting defamatory remarks as per Indian laws against you. You request the website to remove the same and the same are still not removed.

Another common example is hosting and publication of pornographic and obscene contents upon a platform or website. Even worse is the case when a morphed photograph of a female member of your family is posted on such a platform. You contact the website to remove the same but they never listen to you.

An even worse case is the illegal sale of drugs and medicines online without a prescription slip. Many prohibited medicines are sold in countries through websites in clear disregard of local laws.

Another example may be of offering illegal sex determination tests through websites. Many countries of the world prohibit such testing and India is one of them.

These are some of the examples where day to day lives are affected by culpable conducts in an online environment. Many believe that no effective actions can be taken against such foreign websites in India. However, this is not true.

Under the cyber law of India, appropriate legal actions can be taken against such foreign websites if they have sufficient connection or nexus with Indian jurisdiction. Although an international cyber law treaty is required to bring uniformity in legal frameworks, till such time local laws of India and foreign laws can be invoked to get an appropriate remedy.

Further, if nothing works, blocking of such offending websites in India can be undertaken. It would be wrong to suggest that such websites cannot be blocked in India by a court order or through an order of department of information technology, India.

India must formulate appropriate laws or regulations to make such offending foreign websites liable under Indian laws. Further, special regulations for their subsidiaries operating in India must be made so that they cannot do more business than as mentioned in such regulations. A sound tax framework for such subsidiaries must be formulated so that there cannot be any case of tax evasion and tax manipulations by such subsidiaries.

Monday, January 16, 2012

Cyber Law Trends Of India 2012

The cyber law trends of India 2011 were provided by Perry4Law and Perry4Law Techno Legal Base (PTLB). These trends covered many techno legal issues that are of tremendous importance to various stakeholders. However, it seems various stakeholders have still not taken issues like cyber law, cyber security, cyber due diligence, e-discovery, social media due diligence, etc seriously.

The year 2012 would be even more challenging for various stakeholders in India and world wide. This is more so for US based companies and websites that are increasingly involved in various conflict of laws issues with India. Some of the issues that may be challenging for various stakeholders in 2012 include legal issues of cyber security, privacy and data protection requirements, cloud computing security and privacy issues, e-surveillance and Internet censorship issues, cyber due diligence requirements, social media due diligence, data privacy laws, online IP violations including copyright violations issues, etc.

The cyber law due diligence in India struck the first blow in the year 2012. Companies like Google, Yahoo, Microsoft, Facebook, etc are already facing criminal prosecution under the cyber law of India and other criminal laws. So serious is the situation that the executives of parent companies of these companies have been summoned to personally appear before Indian court.

Further, online copyright violations by US websites are also testing the effectiveness of US laws vis-à-vis foreign IP rights enforcement. Many websites in the US are taking advantage of the conflict of laws and hide behind US laws to escape copyright violation liabilities. In fact, the US copyright office is trying to streamline the Digital Millennium Copyright Act (DMCA) 1998 requirements pertaining to DMCA agents so that safe harbour protection cannot be misused by US based websites.

Perry4Law and PTLB believe that the year 2012 would bring many techno legal challenges in the fields like cyber law, cyber security, e-discovery, cyber law due diligence, online IP enforcements, etc. Further, new fields like e-legal due diligence and technological legal due diligence in India would also assume significance. It would be a good idea to formulate suitable policies in this regard by various stakeholders.

US Companies, India, Conflict Of Laws And Criminal Liabilities

Companies like Google, Microsoft, Yahoo, etc and social media websites like Facebook, etc are currently facing criminal trial in India for not removing objectionable contents from their respective websites.

According to cyber law of India and laws of other jurisdiction, the safe harbour protection of Internet intermediaries is lost the moment they are notified of the offending act or omission. However, till they are notified regarding offending contents, they are not liable for violations committed by their users.

However, US companies are not following Indian laws and they are insisting upon following of US laws even if Indian laws are clearly violated. For instance, websites located in US are openly violating the copyright of Indian websites and when they are contacted in this regard to remove the copyright violating posts they ask Indians to use US laws like Digital Millennium Copyright Act (DMCA) 1998.

Surprisingly, even if these US companies are informed in writing and with relevant information like weblinks of copyright violating posts and copyright subsisting posts, they still insist upon following of DMCA procedure. What is more frustrating is that a majority of these US websites and companies are themselves not following the requirements of DMCA and hence are not entitled to its safe harbour protection.

Even in the case of cyber laws, US companies are applying US standards and are not following Indian standards. This is a classic situation that is occurring due to conflict of laws. This is also the reason why an international cyber law treaty is required to bring harmonious application of cyber law principles.

The US needs to change its policy regarding enforcement of foreign IP rights and cyber laws. By not respecting the laws of other countries, US websites and companies are imposing laws like SOPA and PIPA upon themselves. Further, companies like Google must pay special attention as they are deriving revenue out of online advertisements placed upon such copyright violating posts. This makes them not only a beneficiary but also liable for damages in appropriate cases.

Companies like Microsoft, Yahoo, Google and Facebook are facing prosecution under the Indian cyber law. Further, if we analyse the cyber law trends in India of 2012 and cyber security trends of India 2012, such prosecutions are going to increase further in future. Insisting upon following of US laws to take action against offenders and websites located in US would not serve any purpose if branches or subsidiaries of such companies are located in India. Further, if such websites and companies fail to comply with Indian laws, Indian government can block such foreign websites in India.

The present litigation before Indian courts is just a beginning and US companies and websites must start respecting Indian laws. If cyber crimes are committed with great disregard to Indian laws and the copyright and other IP rights are openly violated by such companies and websites, their prosecution in India is inevitable. Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that such foreign companies and websites must ensure cyber due diligence in India to escape various civil, criminal and financial obligations.

Why Vinay Rai Did Not Contact The Concerned Websites?

Vinay Rai, the person behind criminal complaint against social media websites and companies like Facebook and Google, has become instrumental in testing the internet intermediary law of India. Presently, Google and Facebook are gripped in the Indian cyber law tangle.

To make matters worse, not only have the executives of parent companies been personally summoned by the trial court but it has also been proved that Google and Facebook are beneficiaries of the revenue arising out of offending contents. This may make even the subsidiary companies of Google and Facebook liable for violation of Indian laws.

It is not the case that these companies have not protested in the past against the provisions of the Indian laws. For instance, Yahoo had filed a petition raising the questions regarding the right to privacy of a company that stores sensitive data of its customers and users and to what extent Indian authorities can coerce it to part with the information considered necessary to either track terror perpetrators or thwart future attacks.

Google’s outcry for lack of Internet intermediary law in India is another example of growing dissatisfaction towards Indian cyber laws, especially Internet intermediary laws and social media laws of India. But the same has come too late and is too insignificant at this stage.

However, in this entire episode one thing is simply not understandable. Why did Vinay Rai not contact the concerned websites and bring the offending contents to their knowledge? As per Vinay, he did not deem it appropriate to approach foreign companies himself. Rather, he thought it fit to invoke the governmental machinery to get appropriate remedy.

Surprisingly, he has been pursuing this matter with the information technology ministry for over a year now. The ministry took no action despite constant reminders and follow ups from his end. It was only two to three months ago that the ministry held an internal meeting on the issue and ordered enquiry.

It seems both Vinay Rai and our IT ministry are guilty of not taking appropriate steps in this regard. Clearly, Vinay Rai did not approach these companies and inform them about the offending contents. Now the only question that remains to be seen is whether the IT ministry has also not contacted these companies in this regard.

If even the IT ministry has not intimated these companies “appropriately”, then this may be a serious lapse on the part of the Indian government. In such a situation companies like Google, Facebook, etc cannot be held liable for offensive contents posted by the users. Only time would tell what was communicated and what was not and who is responsible and who is not.

Corruption And Technology Related Due Diligences In India

The recent spate of corruption related disclosures in India has sent a strong message to Indian and foreign companies to ensure that their businesses are strictly in compliance with Indian and foreign laws. Naturally, companies that have entered into mergers and acquisitions (M&A) in the past are now looking to ensure that nothing fishy happened during such M&A transactions.

These Indian and foreign companies are worried about the potential legal and tax liabilities arising out of various scams and corporate frauds and they are engaging law firms to do a due diligence analysis on the M&As or foreign direct investments (FDIs) they’ve made in India. Law firms are carrying out legal due diligence exercises to detect any loopholes that could result in liabilities on behalf of their clients to avoid litigation possibilities arising out of deals done in the past.

Some multinational companies are also doing legal due diligence to ensure that the Indian subsidiaries and companies they are about to invest or have already invested in are complying with the foreign laws like Foreign Corrupt Practices Act (FCPA) 1977 of the US and the UK Bribery Act 2010.

Even companies that are now exploring the possibility of M&A are taking precautions before entering into such partnerships. While there is no particular department for dealing with all the aspects of corporate business at a single place (Ministry of Corporate Affairs deals with corporate matters) yet department of information technology (DIT) is the chief department that deals with technology related issues. These include cyber law, cyber security, e-commerce, e-governance, spectrum allocation, telecom licensing, etc.

However, till now companies were not very cautious in their dealings in cyberspace and technology related fields. The information technology act 2000 (IT Act 2000) is the cyber law of India that prescribes various cyber law due diligence in India for areas like e-commerce, e-governance, Internet intermediary liability in India, social media due diligence in India, etc.

However, companies are in controversy these days in India. For instance, doubts have been raised regarding the manner in which Reliance and Airtel blocked websites in India. Similarly, some have even suggested that DIT must investigate the case of blocking of websites in India by Reliance, Airtel and other Internet service providers (ISPs).

Similarly, companies like Google, Facebook, etc are already in cyber law legal tangle in India. Indian government is claiming that these companies failed to comply with Indian laws, including cyber law of India. While the guilt or innocence of these companies is still to be established yet this episode has shown the importance of cyber due diligence for Indian companies.

Cyber crimes at social media websites in India are increasing and these social media platforms cannot ignore the same especially once they are made aware of the same. The social media websites investigation in India is going to increase and more and more e-discovery for social media in India would be conducted. Even cyber law due diligence for banks in India is going to increase.

Another area that requires a special mention is the contemporary practice known as e-legal due diligence in India. This requires domain specific techno legal expertise and a sound knowledge of both technical and legal aspects. It is an advanced and improved form of traditional legal due diligence in India that is done in an offline environment. With companies now shifting their data and information to data centers and virtual data rooms (VDRs), e-legal due diligence in India and abroad would be the norm.

Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that Indian and foreign companies must conduct a thorough corruption and technology related due diligence analysis in India as soon as possible.

Thursday, January 12, 2012

India Must Stress Upon International Cyber Law Treaty

United States (US) has been working in the direction of making laws that are primarily targeted towards foreign websites. This means that foreign websites that are indulging in unethical behaviours like cyber crimes, intellectual property rights (IPRs) violations, etc can be forced to be taken down or blocked in US by US government.

While this is a policy decision of US that has been widely criticised yet very few have raised points regarding violations of IPRs by US companies of foreign nationals. For instance, if an Indian has to inform a US website of copyright violation, he has to essentially follow the provisions of Digital Millennium Copyright Act (DMCA) 1998. In fact, even those US websites that are themselves not following DMCA and are not entitled to “safe harbour” provisions are insisting upon DMCA notices.

Clearly, US policy towards IP violations of foreign nationals needs to be revised. On the contrary, laws like the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PIPA) and the Stop Online Piracy Act (SOPA) have also been proposed. They target foreign nationals and websites with almost no additional liabilities for US websites and citizens. Clearly, US websites and companies are forcing US and other nations to enact laws like SOPA and PIPA by not taking down IPRs violating materials.

If the attitude of US websites and companies is not changed other countries may also consider enacting draconian laws like SOPA and PIPA. In the absence of reciprocal arrangement between US and India, the least India can do to prevent cyber crimes against and IPRs violation of Indian citizens is to block websites that engage in such activities. This is more so for those websites and Internet intermediaries that deliberately ignore compliances of Indian laws.

While laws like SOPA and PIPA are targeting foreign websites including Indian websites, the foreign websites, including US websites, are not complying with Indian cyber law and copyright law. The Indian Copyright Act, 1957 and Indian Information Technology Act, 2000 prescribe various civil, criminal and administrative penalties that are presently not implementable against such foreign websites. India must seriously discuss this issue with US as this also amounts to non compliance of the provisions of Trade-Related Aspects of Intellectual Property Rights Agreement (TRIPS Agreement).

The real problem in this regard seems to be that there is no International cyber law treaty that is universally followed. Different countries have different cyber laws and this results in confusion and non enforcement. There is not even an international cyber security treaty that can be followed globally. International cyber law treaty and Indian role cannot be underestimated in this regard.

India must stress upon formulation of an international cyber law treaty to safeguard the interests of its own citizens as countries like US are doing in the absence of mutual cooperation.

Wednesday, January 11, 2012

Electronic Authentication Policy Of India

Electronic authentication (e-authentication) is a very useful service provided it is safe, secure and reliable. Similarly, e-authentication must also be supported by a sound legal framework that governs its uses and abuses.

We have no e-authentication policy in India. We do not even have a legal framework for e-authentication in India. Although some efforts in this regard were made through the Aadhar project of India, the very constitution and functioning of Aadhar project is unconstitutional. For some strange reasons, the unique identification authority of India (UIDAI), which is managing the Aadhar project, thinks that it is above the constitution of India. This attitude of Aadhar and UIDAI has brought it to a stage where it is about to be scrapped.

So as on date we have no legal framework for e-authentication in India, no authority that can deal with e-authentication in India and no policy framework for e-authentication in India that has been implemented at the national level. If this is not enough, we have no encryption usage policy of India that can ensure cyber security of e-authentication in India.

If both cyber security in India and use of encryption in India are missing, the credibility of any e-authentication system is in great doubt. Possibility of data breaches and cyber attacks cannot be ruled out. Securing of critical national infrastructure of India from cyber attacks has still not been achieved and introducing an e-authentication system without robust cyber security is not a wise move.

The cyber security trends in India 2011 by Perry4Law Techno Legal Base (PTLB) indicate that cyber security in India is still ignored by various stakeholders. Whether it is banks or strategic computers of Indian government, all of them have proved to be vulnerable to cyber attacks.

E-authentication is also useful for providing mobile banking services in India. Cyber security of Internet banking in India is still poor and e-banking risks in India are abundant. Mobile banking cyber security in India is still to be established before it can be explored in India.

E-authentication cannot succeed in India till we take care of various techno legal policy issues. Without removing the various obstacles to e-authentication, using the same in India would create more problems than solutions.

Sunday, January 8, 2012

Mobile Banking Cyber Security In India

Mobile Banking is the buzz word these days. While the idea of mobile banking is promising yet it requires certain prerequisites to be successful in India. The chief among these requirements is the requirement to have a robust cyber security for mobile banking in India.

Cyber security in India in general and cyber security for online banking transactions in particular is not in good shape. The Cyber security trends in India 2011 also reflected this position. Mobile banking in India is still not popular due to various factors. For instance, e-banking in India is not safe, Internet banking cyber security in India is missing and online banking in India is not safe. In these circumstances, mobile banking in India is risky due to absence of mobile cyber security in India.

Even the Reserve Bank of India (RBI) is aware of this situation. RBI constituted a working group on information security to ensure cyber security among Indian banks. As per RBI’s recommendations, all banks should create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest.

However, banks of India have shown no willingness to incorporate cyber security into their day to day functions. Till now the directions of RBI to appoint CIOs and steering committees have not been followed by banks of India. The recommendations of the RBI have still not been implemented.

Naturally, Indian banks are poor at developing cyber security policies and implementing the same. Banks of India are also not providing positive confirmation to the originator of NEFT transactions. When basic level aspects are missing, incorporating cyber security in the day to day transactions of banks in India is really difficult. In these circumstances, the decision of RBI to remove financial limits from mobile banking transactions in India can be more of a trouble than a facility. Hopefully, the proposed integrated banking law of India would address all these issues.

However, Indian banks cannot afford to ignore one aspect. The cyber law in India has prescribed cyber law due diligence for various stakeholders. Cyber due diligence for banks in India is just a part of the same. Cyber due diligence for Indian companies including banks operating in India is very stringent. If these due diligence requirements are not followed by Indian banks, civil, criminal and financial penalties can occur.

Cyber security for banking and financial sectors of India is urgently required as they perform very crucial functions. RBI must ensure the same by getting its directions strictly enforced as soon as possible.