Thursday, April 26, 2012

Indo US Cyber Security Relationship Needs Improvements

The United States is presently engaged in serious cyber security initiatives at national and international levels. At the national level, the Cyber Intelligence Sharing and Protection Act (CISPA) has been proposed for enactment. It is claimed that CISPA would boost the cyber security capabilities of the US.

However, the US White House has issued a dissenting Statement of Administration Policy on the Cyber Intelligence Sharing and Protection Act (CISPA). After reading various media reports and the dissenting opinion, one may ponder whether CISPA is really a remedy or a bad idea.

Meanwhile, India has its own share of problems. As India is unable to deal with the technology and foreign technology companies, Facebook, Google, etc. may be forced to install servers in India. Even foreign direct investment (FDI) issues have been impacted by national security concerns. FDI in the telecom sector of India may be modified by the national security requirements of India.

In the recent past, the India-US cyber security cooperation agreement was signed. It was a part of the broader India-US homeland security dialogue to boost counter terrorism and cyber security capabilities. Similarly, the US has already made clear its international strategy for cyberspace. Even the White House is mulling a federal cyber security law.

However, international organisations must play a more direct and proactive role in fighting cyber crimes. This is more so when we have no universally acceptable international cyber law treaty or international cyber security treaty. This is resulting in conflict of laws in cyberspace, and India is getting impatient in this regard.

If US-India cyber security cooperation is to be successful, both India and the US must sort out many crucial differences. The sooner it is done, the better it would be for the interests of both countries.

Statement Of Administration Policy On Cyber Intelligence Sharing and Protection Act (CISPA)

This is the statement issued by the Obama Administration (PDF) regarding proposed Cyber Intelligence Sharing and Protection Act (CISPA). Perry4Law and Perry4Law Techno Legal Base (PTLB) wish to share the same with all the stakeholders.

The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation's vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.

H.R. 3523 fails to provide authorities to ensure that the Nation's core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards. For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information. Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.

The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes. Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately. The Government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes.

In addition, H.R. 3523 would inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life. This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our Nation's economic, national security, and public safety interests.

H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres. The Administration believes that a civilian agency – the Department of Homeland Security – must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information with the private sector and with sector-specific Federal agencies.

The American people expect their Government to enhance security without undermining their privacy and civil liberties. Without clear legal protections and independent oversight, information sharing legislation will undermine the public's trust in the Government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections. The Administration's draft legislation, submitted last May, provided for information sharing with clear privacy protections and strong oversight by the independent Privacy and Civil Liberties Oversight Board.

The Administration's proposal also provided authority for the Federal Government to ensure that the Nation's critical infrastructure operators are taking the steps necessary to protect the American people. The Congress must also include authorities to ensure our Nation's most vital critical infrastructure assets are properly protected by meeting minimum cybersecurity performance standards. Industry would develop these standards collaboratively with the Department of Homeland Security. Voluntary measures alone are insufficient responses to the growing danger of cyber threats.

Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security. The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues. However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill.

Sunday, April 22, 2012

Facebook, Google, Etc May Be Forced To Install Servers In India

Should foreign websites and social media websites establish servers in India? This is a very crucial question that has to be answered immediately. Till now social media websites and foreign companies and websites are governed by a combination of self regulation and governmental regulations.

However, recent events have shaken up the Indian government completely, and it is planning to demand that companies like Google, Facebook, etc. establish servers in India. Further, conflict of laws in Indian cyberspace may also require establishment of servers of Google, Facebook, etc. in India.

In these circumstances, the Indian government can consider enactment of more stringent norms to regulate social media websites in India. In fact, many US based companies and websites are already facing legal proceedings in India. Additionally, the Indian government can mandatorily require US companies and websites to install servers in India so that objectionable content can be regulated, monitored and deleted on Indian soil itself.

This step is in addition to the establishment of central monitoring system project of India by Indian government under which a centralised mechanism would be put in place to analyse telecommunications and Internet communications. The real problem for the CMS Project of India is that we have no dedicated privacy laws in India, data security laws in India and data protection laws in India. Further, the CMS Project of India is also beyond the “parliamentary scrutiny”.

Another related project in this regard is National Cyber Coordination Centre (NCCC) of India. The NCCC would provide actionable alerts to government departments in cases of perceived security threats. It is hoped that this would help in fighting terrorists and other cyber criminals. The NCCC will scan whole cyber traffic flowing at the point of entry and exit at India's international Internet gateways.

All tweets, messages, emails, status updates and even email drafts will now pass through the new scanning centre. The centre may probe further into any email or social media account if it finds a perceived threat.

The main problem with this entire scenario is that we have no e-surveillance policy in India. Phone tapping in India is done in an “unconstitutional manner” and even by private individuals with or without governmental approval. Further, the cyber law of India, incorporated in the Information Technology Act 2000, must be repealed as soon as possible as it is clearly not in conformity with the Constitution of India and civil liberties protection in cyberspace.

If foreign websites fail to comply with Indian laws, there is nothing wrong in asking them to establish servers in India. However, big brother must not overstep the limits and must act within the constitutional limits that it is presently transgressing openly and in an uncontrolled manner.

Should Foreign Websites And Social Media Platform Establish Servers In India?

Foreign companies like Google, Yahoo, Microsoft, etc. and social media websites like Facebook, Twitter, etc. are continuously made parties to various civil and criminal proceedings the world over. Even in India, foreign websites and companies have been constantly prosecuted for violation of various Indian laws.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that India must take urgent steps so that companies and websites like Google, Facebook, etc and social networking websites comply with legal demands as per Indian laws as well.

We have no dedicated social media laws in India. Even social media websites investigation in India is not up to the mark. Further, social media due diligence in India is also required to be taken seriously by social media platforms. Now legal actions against foreign websites can be taken in India. Further, cyber litigations against such foreign websites would increase in India in the near future.

The cyber laws due diligence requirements for companies in India are strenuous in nature and Internet intermediaries in India need to take care of the same to avoid legal troubles. Companies like Google, Facebook, etc must appoint nodal officers in India that can be served with notices and communication pertaining to Internet intermediary obligations in India.

Internet intermediary law in India is incorporated in the Information Technology Act 2000 (IT Act 2000) and the Rules made thereunder. Internet intermediaries’ liability in India is now well established and foreign companies and websites must duly comply with the same to avoid civil, criminal, administrative and financial penalties. In short, these foreign companies and their Indian subsidiaries must ensure that they comply with the cyber law due diligence in India. This is more so after the passing of the Information Technology (Intermediaries Guidelines) Rules 2011 of India.

Foreign companies and social media websites must comply with Indian laws in true letter and spirit. Otherwise, India may adopt more stringent and drastic steps to make them comply with Indian laws.

Conflicts of laws in Indian cyberspace have further complicated the situation. For instance, Google is presently facing a conflict of laws problem with US and Indian laws. What would happen if foreign companies and social media websites refuse to comply with Indian laws and insist on complying with US or other foreign laws? This is a possible situation for which a readymade solution must exist.

We suggest the following in this regard:

(1) All subsidiary/joint venture companies in India, especially those dealing in information technology and online environment, must mandatorily establish a server in India. Otherwise, such companies and their websites should not be allowed to operate in India.

(2) A stringent liability for Indian subsidiaries dealing in information technology and online environment must be established by laws of India.

(3) More stringent online advertisement and e-commerce laws in India must be formulated for Indian subsidiary companies and their websites.

If Indian intellectual property and cyber laws are still not respected, there is no other option but to take the harsh stand of blocking foreign websites in India.

We at Perry4Law and PTLB believe that any attempt by Internet intermediaries to pre-screen content uploaded by users in India is not practical and feasible. However, we believe that cyber law due diligence by Internet intermediaries operating in India cannot be taken casually and with great disregard to Indian laws as is presently happening in India. If companies are not willing to follow either foreign laws like DMCA or Indian laws, they clearly lack the intention to comply with various legal frameworks.

In any case, companies and websites that have Indian existence and are deriving financial gains from India must adhere to India’s laws that they are currently flouting. The Telecom Regulatory Authority of India (TRAI) has recently suggested the National Telecom Policy 2012 of India. It has suggested many important reforms and changes, some of which can apply to foreign websites and social media websites.

Some of the suggestions of Perry4Law and PTLB have been accepted by TRAI and one of them pertains to establishment of servers in India by foreign companies. It has been recommended that all servers on which sensitive data are hosted must be located within India and ensure that all local content is hosted on servers located within the country.

It is high time that foreign companies, websites and social media platforms must fall in line with Indian laws. Otherwise, stringent regulations may follow that would not be beneficial for any individual and organisation.

Conflict Of Laws, Indian Cyberspace And Google

Cyberspace and the Internet have made it possible to access a single piece of information from multiple jurisdictions. It is also possible that for a single transaction, multiple countries may exercise jurisdiction. In other words, the conflict of laws in cyberspace is most complicated in nature and very difficult to resolve.

The validity of electronic legal notices in India and DMCA notices from India to other jurisdictions through e-mails is now well established. This makes it much easier to engage in legal proceedings from India to multiple jurisdictions. Similarly, Indian citizens and companies may also be involved at multiple jurisdictions in various civil and criminal proceedings.

As on date there is no globally acceptable international cyber law treaty. In its own interest, India must stress upon an international cyber law treaty. Till then India is free to apply its own laws even though it may result in conflict of laws.

Further, the position of US companies, India, conflict of laws and criminal liabilities has also become clear these days. Even in the case of cyber laws, US companies and courts are applying US standards and are not following Indian standards. This is a classic situation that is occurring due to conflict of laws. This is also the reason why an international cyber law treaty is required to bring harmonious application of cyber law principles.

Google is one company that can find itself deeply involved the world over. Google Incorporation’s Indian strategy to counter legal disputes must be formulated to avoid any inconvenience in India. Whether it is copyright violation, trademark violation, cyber law infringements or any similar legal issue, Google has been facing many regulatory and legal hurdles in India and US.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that Google has been doing its level best to resolve disputes of various parties though many times disputes are not resolved as per desired expectations. However, Google needs to do something more to avoid future cyber litigations and disputes that are going to increase in India.

Thursday, April 19, 2012

FDI In Telecom Sector Of India And National Security Issues

The consolidated foreign direct investment (FDI) policy of India 2012 has been announced by India and it has brought many far reaching changes and reforms. Perry4Law and Perry4Law Techno Legal Base (PTLB) have been discussing consolidated FDI policy of India and FDI in telecom sector of India is a part of the same.

The FDI limits in telecom services, ISPs and telecom infrastructure providing sectors of India under the consolidated FDI policy of India 2012 have been totally revamped. Many national security related issues have been made part of the same.

FDI in the licensee company/Indian promoters/investment companies including their holding companies shall require approval of the Foreign Investment Promotion Board (FIPB) if it has a bearing on the overall ceiling of 74 percent. While approving the investment proposals, FIPB shall take note that investment is not coming from countries of concern and/or unfriendly entities.

Recently, the Home Ministry of India blocked Telenor’s FIPB application on certain grounds, including absence of resident directors, and this condition has made the license conditions even more stringent.

It has also been clarified that FDI shall be subject to the laws of India and not the laws of the foreign country/countries. This would avoid agitation of all possible future telecom disputes at the international level through arbitration proceedings or other modes.

Let us see how the telecom sector of India reacts to the present FDI in telecom sector of India.

Wednesday, April 18, 2012

Mobile Banking In India: Risks And Challenges

The stage is all set for mobile banking in India. The Reserve Bank of India (RBI) has already issued notification regarding mobile banking transactions in India. The Telecom Regulatory Authority of India (TRAI) has also issued the mobile banking (quality of service) regulations, 2012.

The merger and acquisition trends in India 2011 provided by Perry4Law and Perry4Law Techno Legal Base (PTLB) have also predicted an increase in banking related mergers and acquisitions (M&As) in India.

However, India is still not ready for mobile banking and e-banking. In fact, e-banking in India is not safe. Even the RBI has warned Indian banks about inadequate cyber security. In the absence of mobile cyber security in India, even mobile banking cyber security in India is missing.

Not only mobile banking cyber security is required in India but even an electronic authentication policy of India is urgently required. However, mobile governance and e-authentication in India should not be based upon Aadhar project of India. This is so because Aadhar project in its current form is not only illegal but also unconstitutional. Basing banking in general and mobile banking in particular upon Aadhar/UID would be a big mistake at this time.

Although the banking, financial and regulatory environment in India is improving, yet without an integrated modern banking law in India things would not improve. Similarly, mobile banking cyber security is required in India to make mobile banking in India a success. The same can be achieved by formulating a techno legal mobile governance policy of India.

Perry4Law and PTLB recommend that before switching to mobile banking, we must make it techno legal compliant. Otherwise, mobile banking in India can be more trouble than solution.

Wednesday, April 11, 2012

Smart Meters Becoming Headache For Power Companies

Crackers and cyber criminals are increasingly targeting power and energy companies for their nefarious activities. One of their favourite targets is the smart meter that can be manipulated to show wrong readings.

Cyber criminals are reprogramming smart meters so that they report less power consumption than the actual one. For doing so, they are charging fees from the people who desire to get their smart meters tampered with to reflect low power bills.

The intended purpose of use of smart meters is to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility's ability to remotely read meters to determine electric usage.

Indian government has been planning to use smart meters that would allow remote analysis of power consumption and their billings. However, Indian government has not considered the cyber security aspects of these smart meters in India so far.

Cyber criminals can manipulate the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the laptop. Once this connection is made, cyber criminals can change the settings for recording power consumption using software that is freely available on the Internet.

The manipulation of smart meters occurs by exploiting the optical port of the meter. The purpose of optical port is to enable the technicians to diagnose problems in the field without removal, alteration, or disassembly of the meter. However, this feature also allows crackers and cyber criminals to exploit the port.

Malware like Stuxnet and Duqu have already proved that critical infrastructures like power grids, nuclear facilities, satellites, defense networks, governmental informatics infrastructures, etc. are vulnerable to sophisticated cyber attacks. This is a grave issue which the Indian government must take very seriously before rolling out smart meters in India.

Sunday, April 1, 2012

Indian Parliament Is Not Comfortable With ICT Related Issues

Indian Parliament is not dealing with information and communication technology (ICT) related issues properly. This is more so regarding legal enablement of ICT systems in India. Since a dominant majority of members of Parliament are not aware of the technological aspects of laws, they never pay attention to crucial laws pertaining to cyber law, e-commerce, e-governance, e-health, etc.

Naturally, these technology driven laws are either not enacted at all or they are enacted without any deliberations or debates. For instance, the IT Amendment Bill, 2008 was passed by both Rajya Sabha and Lok Sabha without even a discussion or debate. This shows both indifference towards and lack of knowledge about technology laws on the part of members of Parliament.

There is an emergent need to streamline Indian Parliament through use of ICT for all purposes, including law making. Parliament of India has to be more technology enabled and technology guided.

For instance live telecasting of the proceedings of Parliament, maintaining of websites by Parliament, etc are some of the examples where ICT has been used by Indian Parliament. However, Indian Parliament has to cover a long gap before it can be safely called fully ICT compliant.

Perry4Law has been managing the exclusive techno legal Indian centre for ICT in Parliament. The main purpose of this Centre is to ensure ICT enablement of Indian Parliament.

Further, Perry4Law Techno Legal Base (PTLB) and Perry4Law Techno Legal ICT Training Centre (PTLITC) have also started various techno legal e-learning courses, education, research and trainings for staff, employees, committees, committee members, members of Parliament, etc. This includes techno legal courses and trainings for legislative drafting, legislative research, legislative education, public legal awareness trainings, etc.

Recently, a motion for annulment of intermediary guidelines was moved in Rajya Sabha. This shows that the members of Rajya Sabha/Parliament have now started showing interest in technology related legal issues. It would be in the interest of Indian Parliament if it starts taking ICT related legal issues seriously as soon as possible.

Standing Committee On Information Technology Pulled DOT Over Encryption Issues

Blackberry, Gmail, Skype, etc have been asked in the past by Indian government to provide their services in India in such a manner that intelligence agencies of India can snoop at will and without any problem.

Intelligence agencies of India have been insisting upon use of 40-bit encryption alone, which is easy to crack in case a need arises. However, deploying 40-bit encryption is risky for cyber security, Internet banking, e-commerce, e-governance, etc.

This position has also made the commercial use of encryption in India beyond 40 bits a legally risky initiative. Although India is waking up to encryption realities, a good and complete solution in this regard may still take a few years to implement. So virtualisation, cloud solutions and encryption usage in India must be undertaken only after ensuring cyber law due diligence in India.

There is no second opinion that an encryption policy of India is needed that clearly demarcates the legal as well as illegal uses of encryption in India. The Information Technology Act 2000 (IT Act 2000) incorporates a single provision in this regard and even that provision has remained dormant for many years. The fact is that we have no dedicated encryption laws in India to address the growing requirements of encryption usages in India.

Now it has been reported that the Standing Committee on Information Technology has shown its displeasure with the Department of Telecommunication (DoT) for delay in resolving the BlackBerry encryption issue. This is despite the fact that the Indian government formed a committee to come up with a mechanism to deal with encryption issues for providing data access to security agencies.

However, the Standing Committee has considered constitution of such a committee as another delaying tactic and nothing more. The Standing Committee has asked DoT to analyse the position internationally in this regard and act upon it appropriately.

DoT has already declared its intentions to establish the central monitoring system project of India as well as a mechanism to tap phones in India. However, this entire exercise has failed to address the “constitutional issues” that have been ignored by both Standing Committee and DoT.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that the parliamentary oversight of intelligence agencies of India is needed but neither Standing Committee nor DoT has said a word about it. Similarly, we have no “constitutionally sound” phone tapping law in India, which is urgently required. These are the issues that both Standing Committee and DoT must also consider. We hope the Indian government in general and DoT in particular would also consider these issues on priority basis.