Wednesday, February 29, 2012

Mobile Cyber Security In India

Mobile phones have become ubiquitous these days. They are used for multiple purposes ranging from personal use to mobile banking. Cyber criminals have also realised the importance of mobile phones for committing cyber crimes and financial frauds. This is also the reason why malware writers are also writing mobile phone specific malware to steal confidential and sensitive information.

Mobile cyber security in India has become a cause of concern these days. Mobile phones are now proposed to be used for mobile banking and mobile governance in India. Naturally, we must ensure robust mobile cyber security in India. An electronic authentication policy of India can help in more active and secure mobile usages in India. Mobile governance and e-authentication in India are also closely related and with the proposed electronic delivery of services in India this is also a must have requirement.

For the time being we have no implementable electronic delivery of services policy of India though it may be in pipeline. Indian government is working in the direction of ensuring electronic delivery of services in India. In fact a legal framework titled electronic delivery of services bill 2011 (EDS Bill 2011) has also been proposed by Indian government.

Once the EDS Bill 2011 becomes an applicable law, governments across the India would provide electronic services through various modes, including mobile phones. This requires putting a robust and reliable mobile security infrastructure in India.

However, using of mobile phones for commercial and personal transactions in India is also risky. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India. Similarly, we do not have a well developed e-governance infrastructure in India. As a result India is still not ready for m-governance.

We at Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that the biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India. Absence of encryption laws in India has further made the mobile security very weak in India.

The ever evolving mobile malware are further increasing the woes of mobile users’ world wide. Recently 50 applications within Google’s official Android Market were found to be contaminated with DroidDream malware. The malware stole sensitive information like phone’s International Mobile Equipment Identity (IMEI) Number and the SIM card’s International Mobile Subscriber Identity (IMSI) number. It then sent it to a command-and-control server. Similarly, other spyware and bugs are also infecting mobile phones worldwide.

It is high time for India to seriously work upon mobile cyber security aspects as soon as possible. The policy decisions in this regard must be taken urgently and must be implemented as soon as possible.

Tuesday, February 28, 2012

E-Commerce Regulations And Laws In India

Electronic commerce in India is witnessing a good growth due to progressive policies and liberal foreign direct investments (FDIs). E-commerce uses information and communication technology (ICT) to operate. Although many technological aspects are also taken care of by an e-commerce platform, yet establishment and running of an e-commerce website is the most important requirement.

Internet is boundary less and a website hosted in a particular country can be accessed from any part of the world. Further, there may be cases where a websites located in a particular country may attract legal jurisdictions of multiple countries. Thus, compliance with the laws of the principal country as well as those countries where such e-commerce websites targets audience and customers is of prime importance.

There have been instances where e-commerce websites located in India failed to observe cyber law due diligence in India. Criminal trials and criminal liabilities have been imposed by Indian legal system upon such websites. The bazee.com case and the criminal and civil trials against companies like Google, Yahoo, Facebook, Microsoft, etc are few examples of the same. Such cases against e-commerce websites and foreign companies would further increase and e-commerce players must appoint nodal officers in India to comply with Indian laws.

Thus, not only legal requirements for undertaking e-commerce in India are stringent but even Internet intermediaries liability in India must be taken seriously by companies engaged in online transactions and businesses. We have no dedicated e-commerce laws in India but the information technology act 2000 (IT Act 2000) covers basic level e-commerce legal framework in India. The IT Act 2000 also prescribes cyber due diligence for foreign websites in India.

E-commerce due diligence in India is a much needed requirement that all e-commerce players, whether Indians or foreign, must undertake as soon as possible. Non observation of local and foreign laws can tarnish the image and brand of a company that cannot be regained again. It is better to err on the side of precaution rather than caught on the wrong side of the law.

Monday, February 27, 2012

National Cyber Coordination Centre (NCCC) Of India

Cyber law issues, cyber security and national security are on agenda of Indian government these days. However, till now cyber security in India is not upto the mark and cyber law of India requires an urgent repeal. This is because the entire approach and attitude of India government is defective.

Indian government has failed to understand that e-surveillance is not a substitute for cyber security capabilities. Instead of developing cyber security capabilities of India, the Indian government is stressing upon growing use of e-surveillance in India and Internet censorship in India.

All these exercises of India government have been done without any legal framework supporting these initiatives of Indian government. Phones are tapped in India without a constitutionally valid phone tapping laws in India. The central monitoring system project of India (CMS Project of India) is also not supported by any legal framework. Surveillance of Internet traffic in India is also another area that requires a sound legal framework. Various authorities with far reaching powers have been created without any legal backing.

Now the government has proposed setting up of National Cyber Coordination Centre (NCCC) of India. The NCCC would provide actionable alerts to government departments in cases of perceived security threats. It is hoped that this would help in fighting terrorists and other cyber criminals.

The NCCC will scan whole cyber traffic flowing at the point of entry and exit at India's international Internet gateways. The web scanning centre will provide actionable alerts for proactive actions to be taken by government departments. All government departments will now talk to the Internet Service Providers (ISPs) through NCCC for real time information and data on threats. Presently, the monitoring of web traffic is done by Centre for Development of Telematics (C-DoT) which has installed its equipments at the premises of ISPs and gateways.

All tweets, messages, emails, status updates and even email drafts will now pass through the new scanning centre. The centre may probe further into any email or social media account if it finds a perceived threat.

India's National Security Council Secretariat (NCSC) has asked various departments to assess their needs for officials, who will coordinate with the scanning agency. The National Security Council handles the political, nuclear, energy and strategic security concerns of the country.

This can be another agency without a legal framework. Creating agencies without legal framework is counter productive as it violates civil liberties and human rights. The Indian government must keep this in mind while creating NCCC.

Cell Phone Laws In India

Cell phone or mobile phone laws in India have still to evolve. Presently provisions pertaining to cell phones are scattered under various statues and governmental guidelines and rules. However, we have no dedicated cell phone laws in India.

Cell phones are playing important role in day to day activities of Indians. They are used for multiple purposes that cover both personal and commercial transactions. We cannot ignore the commercial, contractual and legal significance and consequences of cell phone transactions in India. This necessities enactment of dedicated cell phone laws in India.

However, positive developments in this direction are not happening in India. On the contrary, negative development infringing civil liberties in cyberspace are taking place in India. Human rights protection in cyberspace cannot be ignored the way Indian government is doing presently.

For instance, the proposal to allow department of telecommunication (DoT) to monitor cell phone locations in India is one such controversial issue. Big brother must not overstep its limits in India. Even proposed cell site based e-surveillance in India has crossed this limit well beyond those permitted by Indian Constitution.

We must have well defined procedure and cell site data location laws in India. As we have no dedicated privacy laws, data protection laws, data security laws, anti telemarketing laws, anti spam laws, etc, cell phones monitoring in India is not legally sustainable.

Even the proposed central monitoring system (CMS) project of India is not legitimate and legally sustainable as there is no legal framework that justifies its operation in India. Currently there is no phone tapping law in India that is constitutionally sound and we urgently need a lawful interception law in India. Similarly, the colonial phone tapping laws of India must be repealed and new and constitutionally sound phone tapping laws in India must be formulated.

DoT is excessively favouring e-surveillance in India and surveillance of Internet traffic in India. We need a legally valid e-surveillance policy of India to address these issues. Internet censorship in India has greatly increased and now the intelligence agencies of India want to ensure monitoring of cell phone usages in India as well. This is troublesome as parliamentary oversight of intelligence agencies of India is missing and this clearly violated the constitutional safeguards.

It is high time that Indian government must enact constitutionally sound cell phone laws in India so that civil liberties and law enforcement requirements can be reconciled.

Mobile Phone Laws In India Required

Mobile phones are increasingly being used for multi purpose in India. However, legal framework for mobile phones in India is still missing. Some provisions can be made applicable to mobiles in India through the information technology act 2000 (IT Act 2000) but we still do not have a dedicated mobile phone laws in India.

The Department of Telecommunication (DoT) has proposed a new national telecom policy of India 2011 that would be operational very soon. The new telecom policies as well as other projects of Indian government and DoT are excessively favouring e-surveillance in India and surveillance of Internet traffic in India. We need a legally valid e-surveillance policy of India to address these issues. Otherwise, it would violate human rights protection in cyberspace.

The proposal to allow DoT to monitor cell phone locations in India is also a controversial issue. Big brother must not overstep its limits in India. The proposed cell site based e-surveillance in India has crossed this limit well beyond those permitted by Indian Constitution.

We must have well defined procedure and cell site data location laws in India. As we have no dedicated privacy laws, data protection laws, data security laws, anti telemarketing laws, anti spam laws, etc, mobile phones monitoring in India is not legally sustainable.

Even the proposed central monitoring system (CMS) project of India is not legitimate and legally sustainable as there is no legal framework that justifies its operation in India. Currently there is no phone tapping law in India that is constitutionally sound and we urgently need a lawful interception law in India. Similarly, the colonial phone tapping laws of India must be repealed and new and constitutionally sound phone tapping laws in India must be formulated.

The mobile phone laws of India must cover all these issues that are presently left unaddressed. In the absence of such laws, mobile phone data analysis, mobile phone location tracking, mobile phone tapping in India, etc are illegal and unconstitutional.

Friday, February 24, 2012

Phone Tapping Laws In India Required

Phone Tapping in India has never been a smooth ride. While Phone Tapping procedures essentially require a “Judicial Order” in most Jurisdictions of the World yet India preferred to keep Phone Tapping Procedure out of the reach of Indian Judiciary. The entire procedure of Phone Tapping is an “Executive Action” devoid of Judicial Interventions and Judicial Reviews.

Big Brother in India is Overstepping the Constitutional Limits. Neither there is a “Constitutionally Sound” Lawful Interception Law in India nor are the existing Laws like Indian Telegraph Act, 1885 strictly in compliance with Indian Constitution. Interestingly, Phone Tapping by “Private Individuals” in India is rampant and the Phone Tapping by Indian Government is “Practically Unaccountable”.

We have no Constitutionally Sound Lawful Interception Law in India. Even the Home Ministry of India has considered enactment of a Lawful Interception Law in India. A Constitutional Phone Tapping Law in India is needed to prevent Unconstitutional Phone Tapping in India.

However, the worst affected area seems to be Parliamentary Oversight of Intelligence Agencies of India and various E-Surveillance Projects of India. We have no E-Surveillance Policy in India as well. Further, the National Counter Terrorism Centre (NCTC) Project of India, National Intelligence Grid (Natgrid) Project of India, Aadhar Project of India, Crime and Criminal Tracking Network and System (CCTNS), etc are not governed by any Legal Framework and Parliamentary Oversight. Indian Government is not willing to understand and accept that Intelligence Work is not an excuse for Non Accountability.

The Central Monitoring System Project of India (CMS Project of India) is also not supported by any Legal Framework. Surveillance of Internet Traffic in India is also another area that requires a sound Legal Framework. The Phone Tapping Law proposed by the Home Ministry is a history now. Intelligence Services (Powers and Regulation) Bill, 2011 and Draft Central Bureau of Investigation Act, 2010 have long suggested and gone. The Constitutionality of the National Investigation Agency Act 2008 (NIAA 2008) is still doubtful. Even we have no dedicated Privacy Laws in India, Data Security Laws in India and Data Protection Laws in India.

In short, the Legal Regime in these crucial areas is in “Real Mess” and without these “Crucial Legislations”, the Projects and Initiatives of Indian Government cannot be considered to be Constitutional. Project s like Aadhar, NATGRID, NCTC, CCTNS, CMS, etc are “Violating Constitutional Safeguards” and are therefore “Unconstitutional”.

It is high time for the Parliament of India to interfere as the “Legislative Function” is about to be transferred to the “Executive Branch” of Indian Constitution and Indian Judiciary is looking at it in a helpless manner. The precious Human Rights in Cyberspace are under grave risks as there is none in India that can presently enforce Fundamental Rights and Human Rights in Indian Cyberspace. Perhaps, Proactive Self Defense in India Cyberspace must be exercised by Indian Citizens to “Safeguard” their Civil Liberties themselves as our own Executive, Legislature and Parliament have failed to do so.

Thursday, February 9, 2012

National Critical Information Infrastructure Protection Centre (NCIPC) Of India

In the recent times, there is an increasing stress upon cyber security at the international level. This is so because cyber attacks are happening at the international level and all the countries are facing this threat.

Countries are trying to coordinate cyber security initiatives at national and international levels. However, cyber security in India is still not up to the mark. India is increasingly facing cyber attacks and cyber threats from foreign nationals.

The cyber laws and cyber security trends of India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) has clearly showed the cyber security vulnerabilities of India. The cyber law trends of India 2012 have also projected an increased rate of cyber crimes in India and cyber attacks against India in the year 2012.

For instance, cyber terrorism against India, cyber warfare against India, cyber espionage against India and cyber attacks against India have increased a lot. Presently, we do not have a strong cyber law to deter cyber attacks and cyber crimes. Further, we have no cyber security laws in India as well.

Cyber security is also crucial to protect critical infrastructure protection of India. Critical infrastructure protection in India requires a well formulated policy. Presently we have no critical infrastructure protection policy of India. Even critical ICT infrastructure protection in India is required.

A national critical information infrastructure protection centre (NCIPC) of India has been proposed. It intends to ensure critical infrastructure protection and critical ICT infrastructure protection in India.

There are few prerequisites that can make the NCIPC of India successful. Firstly, there must be a centralised ICT command centre of India that can coordinate various cyber security issues. Secondly, specialised agencies and authorities must be constituted for critical infrastructure areas like power, telecom, defense, etc. These agencies and authorities must coordinate with the centralised command centre for cyber security related issues.

Ministry of communication and information technology (MCIT) has already taken certain initiatives in this regard. For instance, a central monitoring system (CMS) project of India has been launched by MCIT to monitor and intercept electronic communications, messages and information. Further, a national telecom network security coordination board (NTNSCB) of India has also been proposed to strengthen the national telecom security of India.

Similarly, the home ministry of India has also launched national intelligence grid (Natgrid) project of India, crime and criminal tracking networks and systems (CCTNS) project of India, national counter terrorism centre (NCTC) of India, etc. These projects intend to strengthen the intelligence gathering and counter terrorism capabilities of India.

However, there is a big problem in the successful implementation of all the abovementioned projects and initiatives as well as the NCIPC of India. Indian government has been avoiding parliamentary oversight of these projects. This is a bad precedent that needs to be urgently taken care of. We need urgent parliamentary oversight for e-surveillance in India, Internet censorship in India, intelligence gathering in India, intelligence authorities of India, central bureau of Investigation, law enforcement agencies of India, Aadhar project of India, etc.

Even privacy laws in India, data security laws in India, data protection laws in India, etc are urgently required to be formulated. The cyber law of India must be suitably amended, perhaps repealed, to make a more robust and stringent cyber law of India. We need dedicated cyber security legal framework in India and cyber forensics laws in India.

For too long Indian parliament has been ignoring its crucial legislative business and it is high time for Indian parliament to do the needful in this regard. Contemporary techno legal issues cannot be left at the mercy and indifference of Indian parliament and Indian government as that may have serious adverse effects upon Indian economy and national security of India.

Friday, February 3, 2012

Google, Facebook, Microsoft, Etc Must Appoint Nodal Officers In India

The Information Technology (Intermediaries Guidelines) Rules, 2011 of India prescribe stringent provisions regarding Internet intermediary liability in India. However, till now foreign companies and websites have not followed the Guidelines and Rules issued by Indian government in this regard. In fact, they are avoiding compliance with Indian laws.

Legal liability of foreign websites in India is now well established after the matter has been brought to the attention of Indian judiciary. A criminal complaint has been filed against companies like Google, Facebook, Microsoft, Yahoo, etc before a Trail Court for non observation of cyber due diligence by them. Even the Delhi High Court has not quashed the criminal complaint against these companies so far and in the absence of the same the representatives of these foreign companies would now personally appear before the Trail Court on 13th March 2012.

Another related problem that has to be addressed is that foreign companies and websites have not established a procedure that can deal with complaints and notifications arising out of the Information Technology act, 2000 (IT Act 2000) and Rules made there under. This is so even though companies like Google, Microsoft, Yahoo, etc have subsidiary companies and offices in India.

When these foreign companies and websites and their subsidiaries are deriving financial gains out of Indian operations, non following of Indian laws seems to be a grave disregard to Indian laws and regulations. These foreign companies and websites must follow Indian laws and this is the right time to do so.

We at Perry4Law and Perry4Law Techno Legal Base (PTLB) suggest that the best method to do so is to appoint a nodal officer who is responsible for managing cyber law due diligence issues arising out of Indian transactions. By not doing so, companies like Google, Facebook, Microsoft, etc are heading towards a big trouble. The sooner these nodal officers are appointed the better it would be for the larger interest of Internet intermediaries in India.

Information Technology (Intermediaries Guidelines) Rules 2011 Of India

Internet intermediary law in India is incorporated in the Information Technology Act 2000 (IT Act 2000) and the Rules made there under. Internet intermediaries’ liability in India is now well established and foreign companies and websites must duly comply with the same to avoid civil, criminal, administrative and financial penalties. In short, these foreign companies and their Indian subsidiaries must ensure that they comply with the cyber law due diligence in India.

The Gazette Notification numbered G.S.R. 314(E), dated 11-04-2011, formulated the Information Technology (Intermediaries Guidelines) Rules, 2011 of India. These rules provide the rights and responsibilities of internet intermediaries in India. If the Internet intermediaries follow these rules and exercise proper cyber due diligence, they are entitled to a “safe harbour protection”. Otherwise, they are liable for various acts or omission occurring at their respective platforms once the matter has been brought to their notice.

The legal actions against foreign websites can be taken in India. Further, cyber litigations against such foreign websites would increase in India in the near future. It is of utmost importance for these foreign companies and websites to follow Indian laws in true letter and spirit.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are providing the legal position regarding Internet intermediary liability in India under the IT Act 2000 in general and Information Technology (Intermediaries Guidelines) Rules, 2011 of India in particular. The salient features of the same are as follows:

(1) The Information Technology (Intermediaries Guidelines) Rules, 2011 of India have been formulated by the Central Government in exercise of its powers conferred by clause (zg) of subsection (2) of section 87 read with sub-section (2) of section 79 of the Information Technology Act, 2000 (21 of 2000).

(2) Definitions — (1) In these rules, unless the context otherwise requires,--

(a) "Act" means the Information Technology Act, 2000 (21 of 2000);

(b) "Communication link” means a connection between a hyperlink or graphical element (button, drawing, image) and one or more such items in the same or different electronic document wherein upon clicking on a hyperlinked item, the user is automatically transferred to the other end of the hyperlink which could be another document website or graphical element.

(c) "Computer resource” means computer resources as defined in clause (k) of sub-section (1) of section 2 of the Act;

(d) "Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthotrised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(f) "Electronic Signature" means electronic signature as defined in clause (ta) of sub- section (1) of section 2 of the Act;

(g) "Indian Computer Emergency Response Team” means the Indian Computer Emergency Response Team appointed under sub section (1) section 70 (B) of the Act;

(h) “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(i) “Intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(j) "User" means any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

(3) Due diligence to be observed by intermediary — The intermediary shall observe following due diligence while discharging his duties, namely: —

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access-or usage of the intermediary's computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that —

(a) Belongs to another person and to which the user does not have any right to;

(b) Is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) Harm minors in any way;

(d) Infringes any patent, trademark, copyright or other proprietary rights;

(e) Violates any law for the time being in force;

(f) Deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(g) Impersonate another person;

(h) Contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(i) Threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):

Provided that the following actions by an intermediary shall not amount to hosing, publishing, editing or storing of any such information as specified in sub-rule: (2) —

(a) Temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;

(b) Removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six (36) hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes,

(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to "perform thereby circumventing any law for the time being in force:

Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

The cyber laws due diligence requirements for companies in India are strenuous in nature and Internet intermediaries in India need to take care of the same to avoid legal troubles.

Wednesday, February 1, 2012

Websites Blocking In India Is Mainly A Judicial Act

Blocking of websites in India is governed by the cyber law of India that is incorporated in the Information Technology Act 2000 (IT Act 2000). The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 prescribe the manner of blocking of websites in India.

In exercise of the powers conferred by sub-section (1) of Section 69A of the Information Technology Act, 2000 (21 of 2000) read with rule 3 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, the Central Government has authorised and designated the Group Coordinator (being an officer of the Central Government not below the rank of Joint Secretary), Cyber Law Division in the Department of Information Technology (DIT), Ministry of Communications and Information Technology (MCIT), Government of India, Electronics Niketan,6, Central Government Offices Complex, New Delhi-110003, as the Designated Officer for the purposes of the said rules.

A notification numbered S.0.117 (E), dated 20th January, 2010 has been issued in this regard. Dr. Gulshan Rai is the present Group Coordinator for the Cyber Law and E-Security Division of DIT. He is also the Director General of Indian Computer Emergency Response Team (CERT-In).

In a media interview, Dr. Gulshan Rai has revealed that websites blocking in India has been so far a judicial act and DIT has not blocked a single site without a court order. This is a good attitude that shows that freedom of speech and expression is respected in India. This is also setting a bad precedent as it would encourage websites and foreign websites to violate and defy Indian laws, especially intellectual property laws and cyber law.

In fact, judicial orders for blocking of websites in India are not always very sound. In fact, India judiciary, cyber law and websites blocking in India is still far from perfect. In such situations, the responsibility of Designated Officer Dr. Gulshan Rai becomes even more demanding and pro active.

The way companies like Google are deliberately avoiding compliances with Indian laws, it becomes very important for DIT in general and Dr. Gulshan Rai in particular to safeguard the interests of Indian individuals and companies. There is no doubt that companies like Google and Facebook must comply with Indian laws and Google and Facebook can be blocked in India.

We recently filed a DMCA complaint with Google Incorporation and a legal notice to Google India. However, both Google Incorporation and Google India are openly denying compliance with Indian laws. If DIT/CERT-In does not change its soft attitude towards companies like Google, Facebook, etc, and keep on insisting upon court cases and judicial orders, it would increase an unnecessary pressure upon Indian courts that are already overburdened.

Cyber litigations against foreign websites are going to increase in India. Even Google has anticipated this situation and Google’s blogspot platform has started giving country specific results for blogspot blogs. Clearly, hints of non compliance with Indian laws are visible but India is not doing enough in this regard. The least Indian can do in this regard is to develop alternative mechanisms to filing of DMCA complaints to Google, Facebook, Wordpress, etc each time offending contents appear on their websites.

Companies like Google, Facebook, etc are already facing a criminal trail in India for non removal of objectionable contents. A trial court has also asked the representatives of the parent companies like Google, Facebook, etc to appear before it and face the trial. If these companies continue to flout Indian laws, Indian government can and should block the websites of such companies in India.

While the Indian government is armed with discretionary powers to block any website carrying malicious or offensive content, it has never exercised these powers so far. This is giving a bad signal to Internet intermediaries and something must be done in this regard.

What is more surprising is the revelation of Dr. Gulshan Rai that if the police find a problem, they come to CERT-In/DIT and ask to block some websites; CERT-In/DIT tells them that it/they cannot do this and ask them to go to court and get an order. This is abdication of duties by CERT-In/DIT that they are duty bound to follow. By insisting upon blocking of an offending website with a court order alone, both CERT-In and DIT are violating the provisions of IT Act 2000 and various Rules under the same.

So far CERT-In/DIT has blocked some 20-25 websites after taking orders from the court but CERT-In/DIT have not used their discretionary power to block an offending website in a single case. In fact, they have refused to use their discretionary power. Clearly not exercising the discretionary power even where there is a clear case for the exercise of the same is violating the mandates of IT Act 2000 and corresponding Rules.

It is not the case that a website should be blocked at the drop of a hat. But when a clear case is made out, insisting upon a court order to block the offending website is definitely a bad policy and erroneous exercise of discretion. It is high time to think seriously about this issue.