Saturday, September 8, 2012

Privacy Rights In India

Enforcement of privacy right in the ICT era is an important part of protection of human rights in cyberspace. Privacy rights must be analysed along with some allied rights like data protection rights, data security rights, right to information, etc.

As far as India is concerned, we have no dedicated privacy laws, data protection laws, data security laws, cyber security laws, etc. Privacy rights and laws are required for protecting human rights in cyberspace, and they are presently missing in India.

The matter is already pending before the Supreme Court of India. The Supreme Court of India must expand privacy rights in India as the Indian Parliament has failed to provide privacy laws despite pressing needs. Further, the Supreme Court of India must also clarify the relationship between national security and the right to information in India.

Instead of providing privacy rights to Indian citizens, the Indian Parliament has curtailed them by amending the Information Technology Act, 2000 (IT Act 2000) of India. The IT Act, 2000 is the sole cyber law of India and it urgently needs to be repealed.

The Indian government is suppressing privacy rights in India for its own purposes. Even the Right to Information Act has been diluted to a great extent to keep many governmental functions out of its ambit. Intelligence agencies of India are operating without any parliamentary oversight, and diluting the right to information in such a situation is a complete endorsement of growing e-surveillance in India.

It is high time for the Supreme Court of India to prevent further mutilation of the almost non-existent privacy rights in India.

Tuesday, September 4, 2012

Electronic Delivery Of Services In India

Electronic delivery of services in India has been in the news for years but its actual implementation is still to happen. Despite many rounds of legislative drafting and governmental discussions, the Indian Electronic Delivery of Services Bill 2011 could not see the light of day. The natural result is that e-delivery of services in India is missing.

While rejecting the latest draft of the EDS bill, the parliamentary standing committee on information and technology gave a few reasons, such as lack of resources, the need to amend the Information Technology Act, 2000 to accommodate electronic delivery of services, inadequate time for states to ensure electronic delivery of services, etc. All these apprehensions have no merit and they deserve to be ignored.

However, the rejection of the EDS bill by the committee is also a blessing in disguise as the proposed bill was highly deficient on many counts. The committee has even given some very good suggestions that can strengthen a new EDS bill that can be passed by the Indian Parliament.

It would be a good idea to involve techno legal experts while formulating the next EDS bill so that various deficiencies can be taken care of. A holistic EDS bill must be formulated that takes care of all the aspects pertaining to electronic delivery of services in India.

E-Delivery Of Services In India Missing

Electronic delivery of services in India (e-delivery of services in India) is in really bad shape thanks to the myopic attitude of our Indian government and its committees. As on date we have no mandatory framework for e-governance services in India.

This is a clear case of denial of digital empowerment of Indian citizens by the Indian government. The Information Technology Act 2000 (IT Act 2000), which is the sole cyber law of India, carries a few provisions pertaining to e-governance in India. However, the IT Act 2000 expressly puts an embargo upon mandatory e-governance services in India.

It is really surprising that more than 12 years after the enactment of the IT Act, 2000 the parliamentary standing committee on information and technology still believes that states would not be able to meet the e-governance needs of India. If a country cannot put in place e-governance services for 12 years and is still insisting upon more years, it puts a question mark upon the capabilities of that nation.

No doubt India is really poor at e-readiness, and e-governance in India is dying. The Indian government is presently facing a “technology bankruptcy” and “ICT emergency” vis-à-vis cyber crimes, cyber attacks, cyber security and other related issues.

There is nothing wrong in enacting a good law in this regard but there is everything wrong when we make excuses for not enacting such a law at all. We need time-bound enactment exercises; by allowing unlimited time to enact such laws, we are doing no good to India. It is high time for us to ensure e-delivery of services in India.

Sunday, August 19, 2012

Skills Development In India And The Vocational Education And Training System Of India

We are facing a very serious situation in the fields of employment and education in India. A vast majority of our educated youths are still unemployed. The primary reason for this is the defective education system of India that is primarily academic in nature.

We do not pay much attention to professional, vocational and training-based education in India. All we do is teach age-old academic concepts which have no significance in real life. The natural result is that the already strained employment sector is further constrained to employ the ill-trained and ill-equipped young generation.

This is a serious issue as the unemployed young generation is not producing any productive results for our economy and is also engaging in illegal and unsocial methods to survive. If the situation continues for long, we may face a serious law and order problem in India.

The Indian government has also realised the perils of this situation. It is planning to sanction around Rs 40,000 crore over five years to provide skills to around 3 crore people during the period. The government will also partner with the private sector to implement the ambitious scheme. This is a good step in the right direction and Perry4Law and Perry4Law Techno Legal Base (PTLB) welcome this move of the Indian government.

As a matter of fact, skills development in India is urgently needed to manage these issues. A special emphasis must be given to techno legal skills development in India, which is presently missing. Till our educational systems are able to cope with these qualitative demands, we must stress the use of distance learning for skills development in India.

Further, virtual campuses in India can also fill the skill gaps that we are currently facing. The PTLB e-learning platform is providing techno legal courses and trainings in India that aim at inculcating skills among the masses.

Some of the areas where PTLB is providing techno legal trainings and courses include cyber law, cyber security, cyber forensics, ethical hacking, cloud computing, malware analysis, etc.

We hope that the Indian government will do its best to strengthen professional, vocational and training-based education in India as soon as possible.

Friday, August 17, 2012

BackTrack 5 R3 Released For Download

BackTrack is one of the highest rated and most acclaimed Linux security distributions in the world. It is used by numerous security professionals and companies to perform various security and penetration testing related tasks.

The best part about BackTrack is that you can install it on a DVD, USB drive or any other media of your choice that supports BackTrack installation. Once installed, BackTrack can be booted from the media and there is no requirement to install it on the hard disk of your computer. Of course, you can also install it on the hard drive of your computer if you wish to do so.

If you are using BackTrack 5 R2, you can also upgrade it to BackTrack 5 R3, as BackTrack 5 R3 was released for download on 13th of August, 2012.

Perry4Law Techno Legal Base (PTLB) strongly recommends that you download a copy of BackTrack 5 R3 for your pen testing and cyber security arsenal.

BackTrack versions are also part of the techno legal software repositories of Perry4Law and PTLB that are used to provide various techno legal trainings in India and abroad. These include skills development in India in the fields of cyber law, cyber security, cyber forensics, penetration testing, malware analysis, etc.

We thank the BackTrack community in general and the Linux community and open source community in particular for their hard work and commitment to strengthen cyber security, cyber forensics, pen testing, malware analysis and similar capabilities.

Saturday, August 11, 2012

Establishment Of E-Courts In India And Their Implementation

Indian judicial and legal systems are very slow to adopt information and communication technology (ICT). Although some steps have been taken to computerise the Indian courts, by and large they are insufficient and not relevant.

Electronic delivery of justice in India is urgently needed. E-courts and ODR in India are an essential part of electronic delivery of justice in India. Despite the pressing need for establishment of e-courts in India, we are still waiting for the establishment of the first e-court of India. Till August 2012 we do not have even a single e-court in India.

The e-courts project of India has failed to materialise and establishment of e-courts in India is still a distant dream. We need to expedite the constitution and opening of e-courts in India as soon as possible.

There are many reasons for failure of e-courts in India but the chief among them is lack of expertise and judicial will to implement the e-court project. There is no dearth of funds for this project but its implementation is very poor. The e-court committee has so far failed to implement the e-court project effectively.

We at Perry4Law and PTLB have now taken very significant steps in this crucial direction. We have launched dedicated portals pertaining to electronic courts, e-judiciary, ODR India, online arbitration, etc. Further, Perry4Law and PTLB are also managing the exclusive techno legal e-courts training and consultancy centre of India.

To strengthen the initiatives and projects of Perry4Law and PTLB and to take these projects and initiatives to the next level of development, Perry4Law and PTLB are in the process of launching four crucial projects. These are:

(1) Electronic Courts: This initiative would provide e-courts services to national and international organisations, governments, companies, individuals, etc. At this platform you would be able to resolve your disputes through use of techno legal methods and procedures.

(2) E-Judiciary: This initiative would provide research, policy formulations, training, consultancy, project execution support, etc to various national and international stakeholders. It would cover areas like e-courts, e-judiciary, legal enablement of ICT in courts and judiciary, etc.

(3) ODR India: This is an India specific platform that would resolve various inter party disputes in an online environment. Techno legal methods and procedures would be used to resolve various disputes through Arbitration, Conciliation, Mediation and other similar methods.

(4) Online Arbitration: This initiative would provide ODR services to world at large. Individuals, organisations, companies, etc may resolve their disputes through this platform by using our techno legal dispute resolution services.

The Indian judiciary in general and the e-court committee in particular have to play a more proactive role in the establishment of e-courts in India. In the absence of institutional expertise, the e-court committee must also include other members who have actual expertise to manage the project.

Tuesday, August 7, 2012

Cyber Security Challenges For The Smart Grids In India

These days most of the public utilities are managed and coordinated by information and communication technology (ICT). In many cases, these utilities are managed through remote administration as well. This is also the stage and process that makes these utilities vulnerable to cyber attacks.

Keeping this fact in mind, critical infrastructure protection in India in general and cyber security of automated power grids of India in particular must be ensured with latest technology and international best practices.

Cyber security issues in India are emerging day by day. Similarly, cyber security awareness in India is also increasing. However, the cyber security capabilities of India are still not up to the mark. Cyber security skills development in India is urgently required.

There would be many cyber security challenges for the future smart grids of India. The evolution of SCADA systems, deficiencies and shortcomings of existing power devices, and vulnerabilities of the software managing SCADA systems are areas of special concern for India.

These days power grids are centrally connected and integrated in nature, from the stage of power generation to its transmission and distribution. A compromise of such power grids can lead to power outages/blackouts or even damage to power system devices and thereby huge loss to the utilities.

Further, renewable energy/distributed generation demands are an added feature of the smart grid, and due to networked control the future power system will be much more vulnerable to cyber terrorism attacks, cyber warfare activities and cyber espionage attempts. Therefore, before switching to smart grids, India must consider the cyber security challenges for them as well.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are in the process of drafting cyber security best practices for smart grids in India. We invite professional collaborations and cooperation in this regard from various smart grid stakeholders. If interested, kindly send your proposals while communicating with us so that we can consider collaborative aspects of such proposals.

Sunday, August 5, 2012

Mobile Banking Cyber Security In India

Cyber security in India is facing many challenges and problems. One of the major problems of cyber security in India is that various stakeholders are not at all interested in ensuring cyber security for their respective organisations. However, the worst part of Indian cyber security initiatives is that the Indian government is pushing hard on initiatives like mobile banking, mobile commerce, etc. without effective and robust cyber security capabilities in place.

For instance, although the Reserve Bank of India (RBI) has mandated strict cyber security requirements for banks of India, most of the Indian banks have done nothing in this regard. RBI has also insisted upon ensuring cyber security of banks in India. In fact, RBI recently warned Indian banks about inadequate cyber security as well. This is resulting in increased financial crimes and cyber crimes in India.

The cyber laws and cyber security trends in India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) also proved this point. Even mobile cyber security in India is missing. In these circumstances, mobile banking in India has become really risky. In fact, mobile banking cyber security in India is almost missing and this has put customers at grave risk. Mobile banking cyber security is required in India on a priority basis before any mobile banking scheme is launched in India.

Although Internet banking guidelines in India have been issued by RBI, no such guidelines have been issued by RBI regarding mobile banking so far. Further, it is also not clear who would bear the loss arising out of a banking transaction that is a direct result of a financial or cyber crime. Banks are passing the buck to consumers even when they are at fault by not ensuring sufficient cyber security.

Banks of India are not realising that they are under a legal obligation to ensure cyber law due diligence for their banking transactions. In the absence of cyber law due diligence, it is the responsibility of banks of India to bear any loss arising out of any financial or cyber crime.

Perry4Law and PTLB recommend that banks in India must not only ensure cyber security for their transactions but also adhere to the cyber law due diligence requirements as are mandatory in India.

Privacy Laws In India And Privacy Rights In India

We have no dedicated statutory or constitutional privacy laws in India. However, the Supreme Court of India has interpreted Article 21 of the Indian Constitution as the source of the constitutional right to privacy in India. For some strange reasons, privacy rights and laws in India have always been ignored by the Indian government. Even the proposed draft Right to Privacy Bill 2011 of India has remained just another assurance till now.

Similar is the case regarding data protection laws in India. Till now we have no dedicated data protection laws in India. Clearly, data protection laws in India and privacy rights in India are urgently required to be formulated. Indian government must pay urgent attention to privacy rights, privacy laws and data protection laws in India.

The Supreme Court of India in Kharak Singh v. State of U.P. (AIR 1963 SC 1295) recognised the Right to Privacy as an integral part of the Right to Life and Personal Liberty which is a fundamental right guaranteed to every individual.

In the case of R. Rajgopal v. State of Tamil Nadu (1994 (6) SCC 632) the Supreme Court laid down that personal information may not be published without consent whether truthful or otherwise and whether laudatory or critical, unless they are part of public records.

Similarly, Section 21 of the Juvenile Justice Act, 2000 prohibits the publication of names and other particulars of children which may lead to identification of the child involved in proceedings under the Act.

The cyber law of India incorporated in the Information Technology Act, 2000 (IT Act 2000) contains a few provisions regarding data protection and privacy aspects. The Act defines Data as any information, knowledge, facts, concepts or instructions being processed (or intended to be processed) in a computer system or network. The disclosure of personal data is prohibited and there are stringent provisions for protection of sensitive personal data.

The IT Act 2000 was amended by the Information Technology Amendment Act 2008 (IT Act 2008). The IT Act 2008 introduced Section 72A that confers protection against disclosure of personal information in breach of a lawful contract.

Section 72A mandates that if any person or intermediary has become privy to any personal information of another, while providing services under the terms of a lawful contract, any disclosure of such information to a third party, without the consent of the person concerned and with the intention to cause or with knowledge that he is likely to cause wrongful loss or wrongful gain, or in breach of the contract, is punishable with up to three years imprisonment or fine up to five lakh rupees or both. The term “intermediary” means a person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record.

Further, section 43A of the IT Act 2000 provides for compensation by way of damages in case a body corporate handling any sensitive personal data or information in a computer resource is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person.

Reasonable security practices and procedures have been defined in the Section as those which are designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment.

In April 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were notified. These new rules regulate the collection, disclosure, transfer and storage of sensitive personal data and widen the scope of the regulation provided in Section 43A.

Sensitive personal data is defined under the Rules as information relating to a data subject’s:

(i) Password;
(ii) Financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) Physical, physiological and mental health condition;
(iv) Sexual orientation;
(v) Medical records and history;
(vi) Biometric information;
(vii) Any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Information that is freely available or accessible in the public domain, or furnished under the Right to Information Act 2005 or any other law in force, is not regarded as sensitive personal data.

With regard to consent, the said rules provide that consent has to be obtained from the provider of sensitive personal data in writing through letter, fax or email regarding purpose of usage before collection of such data. The information is to be collected for a lawful purpose and only where it is necessary to do so.

Privacy related provisions are incorporated in other Indian statutes as well. These include the Indian Telegraph Act, 1885, Indian Contract Act, 1872, Specific Relief Act, 1963, Public Financial Institution Act, 1983, Consumer Protection Act, 1986, Credit Information Companies (Regulations) Act, 2005, etc. We would discuss this issue more in our subsequent posts.

Saturday, August 4, 2012

Critical Infrastructure Protection In India

Critical infrastructures like power utilities, transportation, banking systems, stock markets, medical institutions, etc. are an essential part of our day to day lives. Their disruption for even a few hours can cause great loss and discomfort. At times this may also result in loss of human lives.

In these circumstances, critical infrastructure protection in India is needed. To achieve this we need a critical ICT infrastructure protection policy of India that must be formulated and implemented as soon as possible. Although a national critical information infrastructure protection centre (NCIPC) of India has been proposed by India, no action has been taken in this regard so far.

It is high time that critical infrastructure protection (CIP) and homeland security (HS) in India are taken seriously and effective steps in this direction are taken. The best way to achieve this is to formulate a suitable techno legal cyber security policy of India that must include the CIP aspect as well.

Cyber security in India and its challenges and problems cannot be effectively managed till we have robust and techno legal cyber security capabilities in India. We need a skilled cyber security workforce in India that can tackle present as well as future cyber security challenges. Cyber security skills development in India must be ensured to meet this objective.

Perry4Law and Perry4Law Techno Legal Base (PTLB) recommend that the Indian government must urgently formulate a cyber security policy and a critical infrastructure protection policy for India.