Thursday, April 26, 2012

Indo US Cyber Security Relationship Needs Improvements

The United States is presently engaged in serious cyber security initiatives at national and international levels. At the national level, the Cyber Intelligence Sharing and Protection Act (CISPA) has been proposed for enactment. It is claimed that CISPA would boost the cyber security capabilities of the US.

However, the US White House has issued a dissenting Statement of Administration Policy on the Cyber Intelligence Sharing and Protection Act (CISPA). After reading various media reports and the dissenting opinion, one may ponder whether CISPA is really a remedy or a bad idea.

Meanwhile, India has its own share of problems. As India has been unable to deal with the technology and foreign technology companies, Facebook, Google, etc. may be forced to install servers in India. Even foreign direct investment (FDI) issues have been impacted by national security concerns. FDI in the telecom sector of India may be modified by the national security requirements of India.

In the recent past, the India-US cyber security cooperation agreement was signed. It was part of the broader India-US homeland security dialogue to boost counter terrorism and cyber security capabilities. Similarly, the US has already made clear its international strategy for cyberspace. Even the White House is mulling a federal cyber security law.

However, international organisations must play a more direct and proactive role in fighting cyber crimes. This is more so when we have no universally acceptable international cyber law treaty or international cyber security treaty. This is resulting in conflict of laws in cyberspace, and India is getting impatient in this regard.

If US-India cyber security cooperation is to be successful, both India and the US must sort out many crucial differences. The sooner it is done, the better it would be for the interests of both countries.

Statement Of Administration Policy On Cyber Intelligence Sharing and Protection Act (CISPA)

This is the statement issued by the Obama Administration (PDF) regarding the proposed Cyber Intelligence Sharing and Protection Act (CISPA). Perry4Law and Perry4Law Techno Legal Base (PTLB) wish to share the same with all the stakeholders.

The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation's vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.

H.R. 3523 fails to provide authorities to ensure that the Nation's core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards. For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information. Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.

The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes. Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately. The Government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes.

In addition, H.R. 3523 would inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life. This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our Nation's economic, national security, and public safety interests.

H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres. The Administration believes that a civilian agency – the Department of Homeland Security – must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information with the private sector and with sector-specific Federal agencies.

The American people expect their Government to enhance security without undermining their privacy and civil liberties. Without clear legal protections and independent oversight, information sharing legislation will undermine the public's trust in the Government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections. The Administration's draft legislation, submitted last May, provided for information sharing with clear privacy protections and strong oversight by the independent Privacy and Civil Liberties Oversight Board.

The Administration's proposal also provided authority for the Federal Government to ensure that the Nation's critical infrastructure operators are taking the steps necessary to protect the American people. The Congress must also include authorities to ensure our Nation's most vital critical infrastructure assets are properly protected by meeting minimum cybersecurity performance standards. Industry would develop these standards collaboratively with the Department of Homeland Security. Voluntary measures alone are insufficient responses to the growing danger of cyber threats.

Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security. The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues. However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill.

Sunday, April 22, 2012

Facebook, Google, Etc May Be Forced To Install Servers In India

Should foreign websites and social media websites establish servers in India? This is a very crucial question that has to be answered immediately. Till now, social media websites and foreign companies and websites have been governed by a combination of self regulation and governmental regulations.

However, recent events have shaken up the Indian government completely and it is planning to demand that companies like Google, Facebook, etc. establish servers in India. Further, conflict of laws in Indian cyberspace may also require the establishment of servers of Google, Facebook, etc. in India.

In these circumstances, the Indian government can consider enactment of more stringent norms to regulate social media websites in India. In fact, many US based companies and websites are already facing legal proceedings in India. Additionally, the Indian government can mandatorily require US companies and websites to install servers in India so that objectionable content can be regulated, monitored and deleted on Indian soil itself.

This step is in addition to the establishment of the central monitoring system (CMS) project of India by the Indian government, under which a centralised mechanism would be put in place to analyse telecommunications and Internet communications. The real problem for the CMS Project of India is that we have no dedicated privacy laws, data security laws or data protection laws in India. Further, the CMS Project of India is also beyond “parliamentary scrutiny”.

Another related project in this regard is the National Cyber Coordination Centre (NCCC) of India. The NCCC would provide actionable alerts to government departments in cases of perceived security threats. It is hoped that this would help in fighting terrorists and other cyber criminals. The NCCC will scan all cyber traffic flowing at the points of entry and exit at India's international Internet gateways.

All tweets, messages, emails, status updates and even email drafts will now pass through the new scanning centre. The centre may probe further into any email or social media account if it finds a perceived threat.

The main problem with this entire scenario is that we have no e-surveillance policy in India. Phone tapping in India is done in an “unconstitutional manner” and even by private individuals with or without governmental approval. Further, the cyber law of India, incorporated in the Information Technology Act 2000, must be repealed as soon as possible as it is clearly not in conformity with the Constitution of India and civil liberties protection in cyberspace.

If foreign websites fail to comply with Indian laws, there is nothing wrong in asking them to establish servers in India. However, big brother must not overstep the limits and must act within the constitutional limits that it is presently transgressing openly and in an uncontrolled manner.

Should Foreign Websites And Social Media Platform Establish Servers In India?

Foreign companies like Google, Yahoo, Microsoft, etc. and social media websites like Facebook, Twitter, etc. are continuously made parties to various civil and criminal proceedings the world over. Even in India, foreign websites and companies have been constantly prosecuted for violation of various Indian laws.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that India must take urgent steps so that companies and websites like Google, Facebook, etc. and social networking websites comply with legal demands as per Indian laws as well.

We have no dedicated social media laws in India. Even the investigation of social media websites in India is not up to the mark. Further, social media due diligence in India also needs to be taken seriously by social media platforms. Legal actions against foreign websites can now be taken in India. Further, cyber litigations against such foreign websites would increase in India in the near future.

The cyber law due diligence requirements for companies in India are strenuous in nature and Internet intermediaries in India need to take care of the same to avoid legal troubles. Companies like Google, Facebook, etc. must appoint nodal officers in India who can be served with notices and communications pertaining to Internet intermediary obligations in India.

Internet intermediary law in India is incorporated in the Information Technology Act 2000 (IT Act 2000) and the Rules made thereunder. Internet intermediaries’ liability in India is now well established and foreign companies and websites must duly comply with the same to avoid civil, criminal, administrative and financial penalties. In short, these foreign companies and their Indian subsidiaries must ensure that they comply with the cyber law due diligence in India. This is more so after the passing of the Information Technology (Intermediaries Guidelines) Rules 2011 of India.

Foreign companies and social media websites must comply with Indian laws in true letter and spirit. Otherwise, India may adopt more stringent and drastic steps to make them comply with Indian laws.

Conflicts of laws in Indian cyberspace have further complicated the situation. For instance, Google is presently facing a conflict of laws problem with US and Indian laws. What would happen if foreign companies and social media websites refuse to comply with Indian laws and insist on complying with US or other foreign laws? This is a possible situation for which a readymade solution must exist.

We suggest the following in this regard:

(1) All subsidiary/joint venture companies in India, especially those dealing in information technology and online environment, must mandatorily establish a server in India. Otherwise, such companies and their websites should not be allowed to operate in India.

(2) A stringent liability for Indian subsidiaries dealing in information technology and online environment must be established by laws of India.

(3) More stringent online advertisement and e-commerce laws in India must be formulated for Indian subsidiary companies and their websites.

If Indian intellectual property and cyber laws are still not respected, there is no other option but to take the harsh stand of blocking foreign websites in India.

We at Perry4Law and PTLB believe that any attempt by Internet intermediaries to pre-screen content uploaded by users in India is not practical and feasible. However, we believe that cyber law due diligence by Internet intermediaries operating in India cannot be taken casually and with great disregard for Indian laws, as is presently happening in India. If companies are not willing to follow either foreign laws like DMCA or Indian laws, they clearly lack the intention to comply with various legal frameworks.

In any case, companies and websites that have an Indian existence and are deriving financial gains from India must adhere to India’s laws that they are currently flouting. The Telecom Regulatory Authority of India (TRAI) has recently suggested the National Telecom Policy 2012 of India. It has suggested many important reforms and changes, some of which can apply to foreign websites and social media websites.

Some of the suggestions of Perry4Law and PTLB have been accepted by TRAI and one of them pertains to the establishment of servers in India by foreign companies. It has been recommended that all servers on which sensitive data are hosted must be located within India and that all local content is hosted on servers located within the country.

It is high time that foreign companies, websites and social media platforms fall in line with Indian laws. Otherwise, stringent regulations may follow that would not be beneficial for any individual or organisation.

Conflict Of Laws, Indian Cyberspace And Google

Cyberspace and the Internet have made it possible to access a single piece of information from multiple jurisdictions. It is also possible that for a single transaction, multiple countries may exercise jurisdiction. In other words, the conflict of laws in cyberspace is most complicated in nature and very difficult to resolve.

The validity of electronic legal notices in India and DMCA notices from India to other jurisdictions through e-mails is now well established. This makes it much easier to engage in legal proceedings from India to multiple jurisdictions. Similarly, Indian citizens and companies may also be involved in various civil and criminal proceedings in multiple jurisdictions.

As on date, there is no globally acceptable international cyber law treaty. In its own interest, India must stress upon an international cyber law treaty. Till then, India is free to apply its own laws even though it may result in conflict of laws.

Further, the position of US companies, India, conflict of laws and criminal liabilities has also become clear these days. Even in the case of cyber laws, US companies and courts are applying US standards and are not following Indian standards. This is a classic situation that is occurring due to conflict of laws. This is also the reason why an international cyber law treaty is required to bring harmonious application of cyber law principles.

Google is one company that can find itself deeply involved the world over. Google Incorporation’s Indian strategy to counter legal disputes must be formulated to avoid any inconvenience in India. Whether it is copyright violation, trademark violation, cyber law infringements or any similar legal issue, Google has been facing many regulatory and legal hurdles in India and the US.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that Google has been doing its level best to resolve disputes of various parties, though many times disputes are not resolved as per desired expectations. However, Google needs to do something more to avoid future cyber litigations and disputes that are going to increase in India.

Thursday, April 19, 2012

FDI In Telecom Sector Of India And National Security Issues

The consolidated foreign direct investment (FDI) policy of India 2012 has been announced by India and it has brought many far-reaching changes and reforms. Perry4Law and Perry4Law Techno Legal Base (PTLB) have been discussing the consolidated FDI policy of India, and FDI in the telecom sector of India is a part of the same.

The FDI limits in the telecom services, ISP and telecom infrastructure providing sectors of India under the consolidated FDI policy of India 2012 have been totally revamped. Many national security related issues have been made part of the same.

FDI in the licensee company/Indian promoters/investment companies including their holding companies shall require approval of the Foreign Investment Promotion Board (FIPB) if it has a bearing on the overall ceiling of 74 percent. While approving the investment proposals, FIPB shall take note that investment is not coming from countries of concern and/or unfriendly entities.

Recently, the Home Ministry of India blocked Telenor’s FIPB application on certain grounds, including absence of resident directors, and this condition has made the license conditions even more stringent.

It has also been clarified that FDI shall be subject to the laws of India and not the laws of the foreign country/countries. This would avoid the agitation of all possible future telecom disputes at the international level through arbitration proceedings or other modes.

Let us see how the telecom sector of India reacts to the present FDI in the telecom sector of India.

Wednesday, April 18, 2012

Mobile Banking In India: Risks And Challenges

The stage is all set for mobile banking in India. The Reserve Bank of India (RBI) has already issued a notification regarding mobile banking transactions in India. The Telecom Regulatory Authority of India (TRAI) has also issued the mobile banking (quality of service) regulations, 2012.

The merger and acquisition trends in India 2011 provided by Perry4Law and Perry4Law Techno Legal Base (PTLB) have also predicted an increase in banking related mergers and acquisitions (M&As) in India.

However, India is still not ready for mobile banking and e-banking. In fact, e-banking in India is not safe. Even the RBI has warned Indian banks about inadequate cyber security. In the absence of mobile cyber security in India, even mobile banking cyber security in India is missing.

Not only is mobile banking cyber security required in India, but an electronic authentication policy of India is also urgently required. However, mobile governance and e-authentication in India should not be based upon the Aadhar project of India. This is so because the Aadhar project in its current form is not only illegal but also unconstitutional. Basing banking in general and mobile banking in particular upon Aadhar/UID would be a big mistake at this time.

Although the banking, financial and regulatory environment in India is improving, without an integrated modern banking law in India things would not improve. Similarly, mobile banking cyber security is required in India to make mobile banking in India a success. The same can be achieved by formulating a techno legal mobile governance policy of India.

Perry4Law and PTLB recommend that before switching to mobile banking, we must make it techno legal compliant. Otherwise, mobile banking in India can be more of a trouble than a solution.