Google, Facebook, Microsoft, Etc Must Appoint Nodal Officers In India

The Information Technology (Intermediaries Guidelines) Rules, 2011 of India prescribe stringent provisions regarding Internet intermediary liability in India. However, till now foreign companies and websites have not followed the Guidelines and Rules issued by Indian government in this regard. In fact, they are avoiding compliance with Indian laws.

Legal liability of foreign websites in India is now well established after the matter has been brought to the attention of Indian judiciary. A criminal complaint has been filed against companies like Google, Facebook, Microsoft, Yahoo, etc before a Trail Court for non observation of cyber due diligence by them. Even the Delhi High Court has not quashed the criminal complaint against these companies so far and in the absence of the same the representatives of these foreign companies would now personally appear before the Trail Court on 13th March 2012.

Another related problem that has to be addressed is that foreign companies and websites have not established a procedure that can deal with complaints and notifications arising out of the Information Technology act, 2000 (IT Act 2000) and Rules made there under. This is so even though companies like Google, Microsoft, Yahoo, etc have subsidiary companies and offices in India.

When these foreign companies and websites and their subsidiaries are deriving financial gains out of Indian operations, non following of Indian laws seems to be a grave disregard to Indian laws and regulations. These foreign companies and websites must follow Indian laws and this is the right time to do so.

We at Perry4Law and Perry4Law Techno Legal Base (PTLB) suggest that the best method to do so is to appoint a nodal officer who is responsible for managing cyber law due diligence issues arising out of Indian transactions. By not doing so, companies like Google, Facebook, Microsoft, etc are heading towards a big trouble. The sooner these nodal officers are appointed the better it would be for the larger interest of Internet intermediaries in India.

Websites Blocking In India Is Mainly A Judicial Act

Blocking of websites in India is governed by the cyber law of India that is incorporated in the Information Technology Act 2000 (IT Act 2000). The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 prescribe the manner of blocking of websites in India.

In exercise of the powers conferred by sub-section (1) of Section 69A of the Information Technology Act, 2000 (21 of 2000) read with rule 3 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, the Central Government has authorised and designated the Group Coordinator (being an officer of the Central Government not below the rank of Joint Secretary), Cyber Law Division in the Department of Information Technology (DIT), Ministry of Communications and Information Technology (MCIT), Government of India, Electronics Niketan,6, Central Government Offices Complex, New Delhi-110003, as the Designated Officer for the purposes of the said rules.

A notification numbered S.0.117 (E), dated 20th January, 2010 has been issued in this regard. Dr. Gulshan Rai is the present Group Coordinator for the Cyber Law and E-Security Division of DIT. He is also the Director General of Indian Computer Emergency Response Team (CERT-In).

In a media interview, Dr. Gulshan Rai has revealed that websites blocking in India has been so far a judicial act and DIT has not blocked a single site without a court order. This is a good attitude that shows that freedom of speech and expression is respected in India. This is also setting a bad precedent as it would encourage websites and foreign websites to violate and defy Indian laws, especially intellectual property laws and cyber law.

In fact, judicial orders for blocking of websites in India are not always very sound. In fact, India judiciary, cyber law and websites blocking in India is still far from perfect. In such situations, the responsibility of Designated Officer Dr. Gulshan Rai becomes even more demanding and pro active.

The way companies like Google are deliberately avoiding compliances with Indian laws, it becomes very important for DIT in general and Dr. Gulshan Rai in particular to safeguard the interests of Indian individuals and companies. There is no doubt that companies like Google and Facebook must comply with Indian laws and Google and Facebook can be blocked in India.

We recently filed a DMCA complaint with Google Incorporation and a legal notice to Google India. However, both Google Incorporation and Google India are openly denying compliance with Indian laws. If DIT/CERT-In does not change its soft attitude towards companies like Google, Facebook, etc, and keep on insisting upon court cases and judicial orders, it would increase an unnecessary pressure upon Indian courts that are already overburdened.

Cyber litigations against foreign websites are going to increase in India. Even Google has anticipated this situation and Google’s blogspot platform has started giving country specific results for blogspot blogs. Clearly, hints of non compliance with Indian laws are visible but India is not doing enough in this regard. The least Indian can do in this regard is to develop alternative mechanisms to filing of DMCA complaints to Google, Facebook, Wordpress, etc each time offending contents appear on their websites.

Companies like Google, Facebook, etc are already facing a criminal trail in India for non removal of objectionable contents. A trial court has also asked the representatives of the parent companies like Google, Facebook, etc to appear before it and face the trial. If these companies continue to flout Indian laws, Indian government can and should block the websites of such companies in India.

While the Indian government is armed with discretionary powers to block any website carrying malicious or offensive content, it has never exercised these powers so far. This is giving a bad signal to Internet intermediaries and something must be done in this regard.

What is more surprising is the revelation of Dr. Gulshan Rai that if the police find a problem, they come to CERT-In/DIT and ask to block some websites; CERT-In/DIT tells them that it/they cannot do this and ask them to go to court and get an order. This is abdication of duties by CERT-In/DIT that they are duty bound to follow. By insisting upon blocking of an offending website with a court order alone, both CERT-In and DIT are violating the provisions of IT Act 2000 and various Rules under the same.

So far CERT-In/DIT has blocked some 20-25 websites after taking orders from the court but CERT-In/DIT have not used their discretionary power to block an offending website in a single case. In fact, they have refused to use their discretionary power. Clearly not exercising the discretionary power even where there is a clear case for the exercise of the same is violating the mandates of IT Act 2000 and corresponding Rules.

It is not the case that a website should be blocked at the drop of a hat. But when a clear case is made out, insisting upon a court order to block the offending website is definitely a bad policy and erroneous exercise of discretion. It is high time to think seriously about this issue.

Cyber Litigations Against Foreign Websites Would Increase In India

Foreign companies and websites are increasingly facing civil and criminal litigations in India. The main problem seems to be application of foreign laws and standards to Indian conditions that is not desirable. These foreign companies and websites apply standards and norms that are well beyond Indian laws and norms.

There are mainly two reasons for this increase in civil and criminal litigations against such foreign companies and websites. Firstly, many individuals and companies in India are neither aware of foreign laws like Digital Millennium Copyright Act (DMCA) 1998 or/and Online Copyright Infringement Liability Limitation Act (OCILLA) nor they prefer to apply the same in derogation of Indian laws, though rightly.

Secondly, even if some individuals and companies invoke foreign laws procedures like DMCA notices and complaints, foreign websites may or may not comply with the same. We have filed a DMCA notice with Google Incorporation and a legal notice to Google India regarding copyright, trademark and impersonation issues. We are still waiting Google’s action in this regard and this shows that even DMCA compliances are not followed by foreign companies and websites.

These are the reasons why filing of civil and criminal cases in India against such foreign companies and websites is increasing. For instance, companies like Google, Facebook, etc are facing a criminal trial in India for not removing objectionable contents from their sites. In other cases, it appear that these companies are deliberately ignoring and violating Indian laws like copyright law, trademarks law and cyber law of India.

There is no doubt that companies like Google, Facebook, Wordpress, etc must comply with Indian laws. These companies cannot claim that they would keep on deriving financial and other benefits from India and would not respect India’s laws and legal procedures.

We believe that India must take urgent steps so that companies and websites like Google, Facebook, WordPress, etc comply with legal demands as per Indian laws as well. We suggest the following in this regard:

(1) All subsidiary/Joint ventures companies operating in India that deal in information technology and online environment, must mandatorily establish a server in India. Otherwise, such companies and their websites should not be allowed to operate in India.

(2) A stringent liability for Indian subsidiaries dealing in information technology and online environment must be established by laws of India.

(3) More stringent online advertisement and e-commerce provisions must be formulated for Indian subsidiary companies and their websites.

India must formulate alternatives to DMCA notices to Google, Facebook, WordPress, etc so that these companies and websites comply with Indian laws and legal procedures. These companies and websites should not be allowed to hide behind the façade of being subsidiary company and citing conflict of laws.

Legal action against offending foreign websites can be taken in India if they fail to exercise cyber due diligence. In fact, Google, Facebook, Microsoft, Yahoo, etc have already been summoned to personally appear before a criminal court in New Delhi on March 13, 2012. Further, as a measure of last resort, these foreign websites can be blocked in India for not complying with Indian laws.

We hope the Delhi High Court would consider these suggestions while deciding the fate of companies like Google, Facebook, etc on the forthcoming hearing.

Cyber Laws And Cyber Security Trends In India 2011

Cyber law in India and cyber security in India was all over the news in the year 2011. However, they were in the news for the wrong reasons. Incidences of increased cyber crimes and cyber attacks were reported from time to time in India. The cyber law trends in India 2011 and cyber security trends in India 2011 were not promising at all but we can expect better results in the year 2012.

Many crucial issues pertaining to cyber law, cyber security, Internet censorship, websites blocking, social media control, cyber law due diligence, social media due diligence, corporate cyber law due diligence, enhanced banking due diligence, Internet intermediaries liability, phone tapping, etc took place in India in 2011. Collectively they pointed towards a negative approach on the part of Indian government.

Similarly, initiative towards strengthening of information and communication technology (ICT) usages in India also proved lack of insight and proper management. For instance, the proposed electronic delivery of services bill 2011 (EDS Bill 2011) failed to address the crucial issues like mandatory e-governance services in India.

Crucial issues like electronic discovery (e-discovery) in India, use of cyber forensics in India, establishment of e-courts in India, use of online disputes resolution (ODR) in India, formulation of critical ICT infrastructure protection policy in India, formulating implementable cyberspace crisis management plan of India, formulating dedicated and suitable e-commerce laws in India, enacting whistleblowers protection laws in India, etc have still to be addressed by Indian government.

On the positive side, the Reserve Bank of India (RBI) tried to streamline the cyber security infrastructure of Indian banks. It made appointment of chief information officers (CIOs) mandatory in banks of India. But all such initiatives of RBI proved futile as cyber security in Indian banking sector is still missing. For instance, online banking systems in India are still insecure. Internet banking cyber security in India is still missing. ATM frauds in India are still in abundance.

An integrated modern banking law of India is in pipeline and that may establish the cyber law and cyber security due diligence for banks in India. In fact, mobile banking transactions in India have already been liberalised. However, mobile governance policy of India is still missing.

On the corporate front, financial frauds and cyber crimes in Indian companies are increasing. However, corporate IT frauds and cyber crimes investigations in India are still maturing. Although attempts to strengthen the corporate laws of India were made in the form of introduction of Indian companies bill 2011 in the Parliament yet the same could not see the light of the day. Also, the bill gave statutory recognition to the Serious Fraud Investigation Office (SFIO) that was expected to give wider powers to investigate corporate frauds and white color crimes. This proposal is also postponed for the time being.

Reports of violation of human rights in cyberspace by Internet intermediaries like Google, Facebook, etc were also made. Concerns regarding Facebook emerging as the worst e-surveillance serving platform also expressed. Reports of Facebook engaging in censorship of its users account were also surfaced.

Incidences of manipulation of Blogspot blogs by negative SEO and competitors were also reported. Similarly, apprehensions regarding manual action penalty and censorship by Google were also raised.

Research in motion’s (RIM) Blackberry messenger services in India have now become an e-surveillance tool. However, this arrangement does not extend to the enterprise Virtual Private Network (VPN) solution, provided through the Blackberry Enterprise Server (BES) product.

Overall the year 2010 saw the cyber law, cyber security and civil liberties protection in Indian cyberspace in bad light. Perry4Law and Perry4Law Techno Legal Base (PTLB) hope the year 2012 would bring positive and reformative changes in this regard.

Circumventing Web Malware Detection Through IP Cloaking

When you surf the Internet through search engines, you must have noted that Google labels certain sites as dangerous as they are infected with Malware. This has alerted many users and they refrain from clicking upon such sites.

Now Malware writers have developed a new technique where they are feeding security systems of intermediaries like Google with clean pages and targeting the users with pages that are Malware infected.

Since Google is seeing and analysing clean pages, there is no question of labeling such Malware ridden sites as dangerous and users are not cautioned by any warning by Google or other security vendors.

This technique and modus operendi is known as Internet protocol cloaking (IP cloaking) that has been successful so far. This fact came to the knowledge of Google and it released a report in this regard titled Trends in Circumventing Web-Malware Detection (PDF).

Google defines IP cloaking as being able to serve benign content to detection systems, but serve malicious content to normal web page visitors. Like many security companies, Google monitors compromised web sites. In 2008 it discovered that those sites had stopped returning malicious results to its monitoring systems, but still served Malware to other site visitors.

The Malware authors had learned the IP addresses hosting the monitoring software, and so excluded them from their Malware dissemination practice, thereby making their sites appear clean. IP cloaking contributes significantly to the overall number of malicious web sites found by security systems.

The research also found that cyber criminals generally spend little time on any individual exploit, quickly switching focus to new vulnerabilities in order to stay ahead of detection by law enforcement and security specialists.

Spear Phishing Is A Potential Threat To Financial Institutions

Cyber security of banking and financial institutions has become very important these days. Recently the Citicorp confirmed the occurrence of cyber attack upon its bank’s network. In India as well ATM frauds, credit card frauds, online banking frauds, etc have increased a lot.

However, of all these cyber crimes, phishing is the most dangerous one for banking customers. If it is a case of spear phishing, it becomes deadly as the targeted person is specifically targeted for this purpose. The attack tactics are also specifically designed for the attack purposes.

The spear phishing cases appear so genuine that even tech savvy people are fooled into divulging sensitive information. Recently Reserve Bank of India (RBI) constituted a working group on information security that gave many good cyber security recommendations. However, the implementation of these recommendations has still not been achieved.

This gives lots of space for cyber crimes like spear phishing. Recent break-ins at high-profile targets like the International Monetary Fund (IMF) demonstrate just how proficient hackers have become at spear phishing.

Today's spear phishing is not only more prevalent but also much more technically proficient. They're not going for a password, anymore, they're getting people to install malware on their computers.

According to the reports the IMF suspected that a phishing attack against one of its workers planted malware on a machine, which was then presumably used to scout the network for data to steal. But the IMF incident was only the most recent in a series of specialized attacks this year aimed at targets from the Oak Ridge National Laboratory and the French foreign ministry to Google's Gmail.

Recent cyber attacks on multinational firms and institutions, from Google and Citigroup to the International Monetary Fund, have raised fears that governments and the private sector are ill-prepared to beat off hackers. The latest high-profile target was the U.S. Senate's website, which was hacked over the weekend.

However, as far as India is concerned, it has neither a good cyber security strategy nor a strong cyber law. Even cyber crisis management plan of India is practically missing. Indian banks must urgently revamp their cyber security so that interests of bank customers can be safeguarded.

Australia Plans Cyber Defence Strategy To Combat Hacking

Cyber Security Strategy is one of the most important Strategies of any Nation. This Strategy should not be mere words but an “Implementable Mechanism” that can ensure Robust Cyber Security. This Mechanism must also be supported by a Stringent and Strong Legal Framework in this regard.

In the Indian context, we have a poor Cyber Security in India. We have no implementable Cyber Security Strategy in India. We are still following “Achievements on Paper Theory” in India. We have no Cyber Warfare Policy in India and even Critical ICT Infrastructure Protection Policy of India is missing. Even the Cyber Law of India deserves to be repealed. These Policies do exist in “Form but not in Substance”. Hence for all practical purposes we can consider them as non existent.

Further, there is also no International Cyber Security Treaty as well. In fact, Developing Countries like US are against such International Treaty. This makes International Cooperation and Harmonisation next to impossible. The only viable option that remains is strengthening National Cyber Security and National Cyber Laws and Australia is doing exactly the same.

Australia will develop a Cyber Defence Strategy to combat Cracking and Cyber Espionage. Australian Government declared this after responding to what it sees as an increased threat after recent cyber attacks on global companies and government officials.

For instance, the news of attempt to steal the password of hundreds of Google email account holders, including those of senior U.S. government officials, Chinese activists and journalists is out. Google believes that Chinese hackers are behind this attempt once again. US is assessing whether security had been compromised by this attack.

Australia's Parliament came under cyber attack in February, with the computers of at least 10 federal ministers including Prime Minister Julia Gillard and Defence Minister Stephen Smith, targeted and confidential emails possibly accessed. Similarly, the European Parliament's computer networks were also breached by a cyber attack.