Wednesday, July 27, 2011

Is Electronic Service Delivery Bill Worth Considering?

The Electronic Service Delivery Bill 2011 (ESDB 2011) started on a very positive note but, just like other laws of India, it ended up miserably. Electronic services cannot be effective until they can be claimed as a matter of right against the government and its departments. If citizens cannot have mandatory e-services delivery there is no sense in doing the entire exercise.

Take the example of the cyber law of India incorporated in the Information Technology Act 2000. Even more than 10 years after its enactment, citizens still do not have a mandatory right to e-governance in India.

This happened because of a disabling provision, incorporated as section 9 of the IT Act 2000, that makes the provision of e-governance services in India discretionary. This has defeated the entire purpose of e-governance in India.

Now a similar approach has been adopted regarding the ESDB 2011. If States are not bound to provide “compulsory” e-services delivery, there is no sense in making it a law. Even if it is enacted as a law, not much purpose would be served. Instead, it is better if we streamline public services through administrative reforms in India.

Further, ESDB 2011 would also face problems on the fronts of data protection, data security, privacy rights, cyber security, etc. India has not done enough on any of these fronts and the legal framework for all the above-mentioned areas is still a big problem.

Finally, on the front of digital preservation and public records management as well, India has a long gap to cover. Let us hope that the proposed ESDB 2011 would cover all these aspects.

Monday, July 25, 2011

CMS Would Tap Phones In Real Time In India

By now it is clear that the central monitoring system (CMS) project of India would, in all probability, be launched. Initially, an Indian centre for communication security research and monitoring (CCSRM) was proposed by the Union Cabinet. However, the department of telecommunication (DoT) came up with its own pet project of CMS and now DoT is trying its level best to make it operational.

In the past, phone companies of India used private individuals who tapped phones even without an authorisation order from the Indian government. Further, there is a considerable delay on the part of phone companies in arranging phone tapping on government requests.

Thus, the Indian government has decided to bypass them and equip itself with real-time phone tapping capabilities. The government is planning to spend Rs. 500 crores to establish CMS in India.

With this system, the Indian government and its agencies would be able to tap any call, real-time chat and data without help from the telecom operators. The Cabinet Committee on Economic Affairs recently approved the funding for CMS and a testing facility at Indian Institute of Science, Bangalore.

The first meeting on CMS was held last week. It was attended by officials from DoT and the National Technical Research Organisation, among others. DoT is also looking at all encryption-based services, divided into 14 categories, to see if it is possible to provide an interception solution to security agencies. The services include different kinds of mail and messaging services, network mobile email, VPN tunneling and various proprietary services.

A committee of officials from DoT, the department of information technology, service providers and security agencies has been set up for this.

Thursday, July 21, 2011

National Data Access and Sharing Policy Of India

The news of the establishment of a “Data Access Platform” by India in collaboration with the US is a welcome move. However, this is not a “Positive Policy Decision” as India is doing nothing more than what is required under various Laws of India.

For instance, the “Current Public Records” are required to be made available to the general public in an electronic form as per the mandates of Right to Information Act 2005. Similarly, the “Non Current Records” are required to be made available to the public at large in an electronic form under the Public Records Act, 1993. Add to this the limited mandates of E-Governance as per the Information Technology Act 2000.

If India was not taking the proposed action until now, that was due to the widespread corruption and lack of transparency and accountability in India. So what India is proposing to do now is not a step taken to “Empower” the Indian citizens as a “Policy Matter” but one taken under the “Obligations of various Laws” that the Indian Government was not following.

However, at least Indian Government has accepted its obligations of “Electronic Services Delivery” to the extent of providing information relevant to general public in an electronic form and this is a good step in the right direction.

In the past, the Department of Science and Technology had shown its willingness to frame a “National Data Access and Sharing Policy”. The aim of such intended Policy was to change the way the Government maintains and shares information. However, the Policy faced criticism from several Agencies and Ministries, including Ministries of Defence and Home Affairs. Now the Policy is pending review before the Cabinet.

The Policy, if implemented, may compel Departments and Publicly Funded Bodies to scan their records, review the kind of data they maintain, and release this for public consumption, provided such information doesn’t compromise security and strategic needs. If a Government Department doesn’t share information, it will have to give reasons why it isn’t doing so.

Besides “Legal Obligations”, the proposed Policy is also “Mandatorily Required” to comply with the “Conditions of Loan” recently granted by the World Bank to ensure Electronic Services Delivery in India. India has to “Prescribe” such a Policy as per the Terms and Conditions of such loan.

However, issues like Civil Liberties, Cyber Security, Digital Preservation, Privacy Protection, etc are still not addressed by India and this may hinder the proposed Policy. Let us see how this Policy may take a shape.

European Commission Sanctions EUR 7 Billion As FP7 Innovation Fund

Europe and India are working together on many important projects. These include Euro India ICT Cooperation Initiative, Euro India Joint ICT Research and Innovation Programmes, etc. Further, Euro India Foreign Trade Agreement (FTA) is also in pipeline that would increase mutual trade relationships between Europe and India.

At the Europe level, Research, Innovation and Science Commissioner Máire Geoghegan-Quinn has announced the release of nearly EUR 7 billion for stimulating European innovation through research funding.

The funding has been sanctioned under the banner of the Seventh Framework Programme (FP7) of the European Union. The objective is to ensure that Europe is well equipped and well placed in the internationally competitive environment.

Máire Geoghegan-Quinn says that if they do not transform Europe into an Innovation Union, our economies will wither on the vine while ideas and talent go to waste. Innovation is the key to building sustainable growth and fairer and greener societies. A sea change in Europe's innovation performance is the only way to create lasting and well-paid jobs that withstand the pressures of globalisation.

This is a good step and an innovative Europe can transform the entire economy of European countries. Both National and International Partnerships in the form of Public Private Partnerships (PPP) are the need of the hour.

United Nations Regional Economic Commissions like the United Nations Economic Commission for Europe (UNECE), the Economic and Social Commission for Asia and the Pacific (UNESCAP), etc. can foster effective and innovative PPP models all across the globe.

Saturday, July 16, 2011

Unaccountable Natgrid Is Not A Panacea For Intelligence Failures Of India

Intelligence Failures in India are in abundance. This is not necessarily the fault of the Intelligence Agencies of India; in the majority of cases it happens because they do not share intelligence information among themselves in a timely manner. Overall, the Intelligence Infrastructure of India is in bad shape.

This is the reason why Projects like National Intelligence Grid (NATGRID), National Counter Terrorism Centre (NCTC), etc assume significance. These are ambitious Projects that must be implemented in a Constitutional and Planned manner. Here lies the real problem.

While NCTC is out of the picture for some more years, the NATGRID Project is based upon “Faulty Premises” and “Improper Management”.

Home Minister P. Chidambaram is pressing hard for the NATGRID Project upon the premises that it would solve all the Intelligence and Terrorism related problems. This is not true. NATGRID Project cannot and would not stop terrorist attacks and it would play almost no role in the absence of good Intelligence Gathering and Analysis Capabilities. It can supplement intelligence capabilities but never supplant the same.

Secondly, the NATGRID Project of India is badly implemented. There is no sign of any sort of “Accountability and Transparency” in the handling of the NATGRID Project. Even Parliamentary Scrutiny is missing and, in an environment where E-Surveillance has already gripped India, this is bad news.

There is no “Public Information” about NATGRID Project nor are there any “Procedural Safeguards” that can prevent the possible misuse of this E-Surveillance Project. Civil Liberties are at stake as there is no protection of Human Rights in Cyberspace.

Home Minister P. Chidambaram must understand that NATGRID Project of India is “Not a Panacea” for all National Security problems in India. If at all NATGRID Project would work, it must be made more “Systematic and Planned”. Of course, it must also be “Constitutional”. Presently NATGRID Project is not meeting any of the abovementioned requirements.

Friday, July 15, 2011

44th Session Of UN Commission on International Trade Law Concludes in Vienna

United Nations Commission on International Trade Law (UNCITRAL) has recently held its 44th Session from 27 June to 8 July 2011. Various matters of international importance were discussed by UNCITRAL in this 41st meeting.

Among the important decisions taken, UNCITRAL adopted texts on procurement and insolvency, considered a proposal to establish a pilot regional centre, and confirmed its commitment to meet in Vienna and New York.

During the session, the Commission adopted the UNCITRAL Model Law on Public Procurement, which updates the 1994 UNCITRAL Model Law on Procurement of Goods, Construction and Services.

The Commission also adopted "The UNCITRAL Model Law on Cross-Border Insolvency: the judicial perspective", a text designed to provide information and guidance for judges on cross-border related insolvency issues.

Work in the areas of transparency in treaty-based investor-State arbitration, online dispute resolution and cross-border insolvency will continue.

During this session, the Commission also decided to reconvene Working Group IV (Electronic Commerce), which has not met since 2004 and to task it with work in the field of electronic transferable records. The final product of this work is intended to complement existing UNCITRAL texts in the field of electronic commerce and will also be beneficial for the implementation of other UNCITRAL texts, such as the "Rotterdam Rules".

The Commission requested that the UNCITRAL Secretariat explore the possibility of establishing a presence in regions or specific countries by, for example, having dedicated project staff in United Nations field offices, collaborating with such existing field offices or establishing Commission country offices with a view to facilitating the provision of technical assistance with respect to the use and adoption of Commission texts.

In accordance with that request, the Secretariat invited Member States of the United Nations to express their interest in establishing UNCITRAL regional centres in different parts of the world, particularly in Africa, Asia and the Pacific, Eastern Europe and Latin America and the Caribbean.

Once established, UNCITRAL regional centres, envisaged as project-based offices, will enhance international trade and development by promoting certainty in international commercial transactions through the dissemination of international trade norms and standards, in particular those elaborated by UNCITRAL. Bearing in mind the limited availability of resources, the regional centres will also engage actively in fund-raising activities for their operation and activities.

As of 8 July 2011, Argentina, the Dominican Republic, El Salvador, Kenya, Malaysia, the Republic of Korea and Singapore have formally expressed an interest in hosting an UNCITRAL regional centre. During this session, the Commission was informed of a specific offer from the Government of the Republic of Korea for the establishment and operation of an UNCITRAL regional centre in Incheon, Republic of Korea. After expressing its gratitude to the Government of the Republic of Korea for its generous contribution to this pilot project, the Commission approved the establishment of an "UNCITRAL Regional Centre for Asia and the Pacific" in the Republic of Korea.

India should also consider establishing a regional chapter of UNCITRAL. Further, India must also play a more proactive role in the initiatives of UNCITRAL at both the national and international level.

Sunday, July 10, 2011

US Plans To Use Fake Virtual People Botnet And Persona Management Software

Social Networking sites like Facebook, Twitter, LinkedIn, etc are used by billions of people around the World. These Platforms are professional, specific, focused and high influence makers. They can shape the opinion of any crucial issue, especially the controversial ones. After all “Public Opinion” is the most powerful tool of a Democratic Nation.

No country can afford to have “Negative Publicity” and “Adverse Public Opinion” in the Cyberspace. Brand Management Companies are regularly keeping an eye upon the “Reputation” and “Goodwill” of their client companies. Search Engine Optimisation (SEO) Companies are working hard to get their clients “Listed High” in Search Engine Results Page (SERPs) of Search Engines like Google, Yahoo, Bing, DuckDuckGo, etc.

As per a recent media report, US Military is planning to manipulate social media through the use of fake online "personas" managed by it. Raw Story recently reported that the US Air Force had solicited private sector vendors for something called "persona management software." Such a technology would allow single individuals to command virtual armies of fake, digital "people" across numerous social media portals.

These "personas" were to have detailed, fictionalised backgrounds, to make them believable to outside observers, and a sophisticated identity protection service was to back them up, preventing suspicious readers from uncovering the real person behind the account. They even worked out ways to game geolocating services, so these "personas" could be virtually inserted anywhere in the world, providing ostensibly live commentary on real events, even while the operator was not really present.

A fake virtual army of people could be used to help create the impression of consensus opinion in online comment threads, or manipulate social media to the point where valuable stories are suppressed.

This proposal supports classified social media activities outside the U.S., intended to counter violent extremist ideology and enemy propaganda. The Air Force even has other classified uses for social media. Let us see how things would take shape in the future in this regard.

Saturday, July 9, 2011

Internet Access Is A Fundamental Human Right In Cyberspace

A few years back, talking about human rights in cyberspace generated sceptical reactions. Things have not changed much even today but at least now we know that human rights can be extended to cyberspace.

At Perry4Law Techno Legal Base (PTLB) we have been supporting the efforts that can ensure recognition of human rights in cyberspace at both national and international level. At the national level, India is still not ready and willing to recognise human rights in cyberspace. At the international level, part of human rights in cyberspace has started gaining importance.

For instance, the United Nations (UN) has declared that right to access to Internet is a human right. Similarly, Organisation for Security and Cooperation in Europe (OSCE) has also supported this stand of UN through a recently released report.

The report is the first ever analysis of state regulations on Internet access within the 56-member OSCE. Finland and Estonia have already declared access to the Internet a human right and this is a good step in the right direction. PTLB welcomes these reformative actions of Finland and Estonia.

Countries around the world are restricting human rights in cyberspace by citing national security, sovereignty, law and order and many such grounds. While none can doubt that national security is an important function of a sovereign state yet there must be a harmony between national security and human rights.

Giving blind and absolute primacy to national security, even if it clearly means violating basic human rights, is not a wise approach for a welfare state like India. We hope the Indian government would consider empowering Indian netizens by recognising and strengthening their human rights in cyberspace.

Thursday, July 7, 2011

22 Nations Support A Resolution To Pre-Empt Cyber Attacks

22 nations, including Russia and the US, are co-sponsoring a resolution to pre-empt cyber attacks that the Organisation for Security and Cooperation in Europe (OSCE) is expected to adopt this week. The proposal calls for member nations to exchange information about the way they intend to deploy cyber technology during military conflicts. A decree to this effect has been introduced by a Belgian parliamentary member.

OSCE parliamentarians are gathering this week in Serbia to select provisions for inclusion in the Belgrade Declaration, an annual statement that guides OSCE decisions. The organisation, which represents North America, Europe and Central Asia, provides a venue for negotiations on conflict prevention and post-war rehabilitation.

This is a significant regional cyber security initiative that can help in the formulation of a dedicated international regulatory regime for cyber security. However, the ideal forum for worldwide discussion of cyber security threats is the United Nations (UN).

Regional cyber security cooperation can help in the consolidation of international cyber security initiatives. Last month, defense ministers at NATO, which does not include Russia, approved a new policy on cyber defense to help allies protect their communications systems and deter cyber attacks. This way cyber security is in the process of being consolidated in stages.

If the OSCE succeeds in conducting dialogues between states on norms in cyber security it would be a major step toward a more global approach, which may be promoted by the United Nations. The UN and OSCE do not share a budget but coordinate closely on field operations.

A proposal to establish a cyber security unit within the OSCE secretariat is also in process. Separately, the White House in May distributed a voluntary international strategy for cyber security that, like the OSCE proposal, urges cooperation in developing standards for acceptable conduct on the Internet.

Tuesday, July 5, 2011

Indian Cyber Security And International Cooperation

It has been long felt that we need to strengthen the cyber security of India. As more and more cyber crimes are committed against India and severe cyber attacks launched against India this requirement has become even more demanding.

India needs to intensify its focus on cyber security issues at both national and international level and must promote more international cooperation regarding cyber security.

India must also develop and adopt existing best practices in cyber security area. Similarly, India must develop a more efficient cyber incident response mechanism to tackle cyber attacks.

Public private partnerships (PPP) on cyber security must be given more importance in India. Presently, PPP in India in the field of cyber security is in its infancy. Similarly, there are very few international cooperations between India and foreign players regarding cyber security.

Perry4Law and Perry4Law Techno Legal Base (PTLB) suggest that to start with, we must urgently formulate a techno legal cyber security policy of India. The cyber security policy of India must cover issues like legal framework for cyber security, PPP model for cyber security, international cooperation for cyber security, cyber crisis management plan of India, human rights protection in cyberspace, etc.

Once the cyber security policy of India is in place, we must work in the direction of implementing the same in true letter and spirit. The growing incidence of cyber crimes, cyber attacks against India, cyber espionage against India, website defacement and cracking, etc. shows that India has still not taken cyber security seriously.

While absolute cyber security is next to impossible to achieve yet a basic level cyber security audit of Indian government’s websites, computers and computer systems would show that they are vulnerable to cyber attacks.

Perry4Law and PTLB believe that we must at least start securing our websites, servers and government computers. Further, computers located at sensitive government departments and ministries must have a well defined cyber security policy and usage. We hope these suggestions of Perry4Law and PTLB would be useful for Indian government.

Cloud Computing Due Diligence In India

Cloud computing in India is still at the infancy stage. The primary reasons for this situation are the absence of a legal framework for cloud computing in India, missing privacy laws, absence of data protection laws in India, inadequate data security in India, etc. Even basic cloud computing regulations are missing in India.

Many legal experts in India have opined that India must not use software as a service (SaaS), cloud computing, m-governance, etc. till proper legal frameworks and procedural safeguards are in place. Even the CEOs of many companies are apprehensive of using cloud computing for their companies' businesses.

Even if a company or individual offers cloud computing services in India, it/he has to comply with many legal provisions and cyber due diligence requirements. The information technology act 2000 (IT Act 2000) has prescribed due diligence requirements for various business organisations and stakeholders. These due diligence requirements equally apply to cloud computing service providers in India.

These due diligence requirements are very stringent and cloud computing providers can find themselves in legal hassles if they ignore them. Managing sensitive and personal data and information in India can no longer be approached casually; the requirements have become very stringent.

With the proposal to codify the law of torts in India, more and more civil proceedings for violation of privacy rights may be initiated against cloud computing service providers. It would be wise for all stakeholders to establish best practices and a cloud computing policy in their own larger interests.

M-Governance Policy Of India

Mobile governance (m-governance) is an innovative method of using mobile technologies for effective governance and public services delivery. M-governance facilitates many public services in almost real time and without hassles. However, along with the benefits of m-governance it has many drawbacks as well.

Firstly, we have no implementable m-governance policy in India. In the absence of proper planning and a sound m-governance policy it is not a wise option to utilise m-governance services in India.

Secondly, we have no dedicated legal framework for m-governance in India. This may create problems in cases of mobile banking, m-governance, m-commerce, etc. Of course, we have information technology act 2000 (IT Act 2000) as the cyber law of India yet it is far from perfect for even e-governance purposes and it is not at all applicable to m-governance environment.

Another issue pertains to the exercises of e-surveillance and phone tapping by Indian government and its agencies. Till now we have no lawful interception law in India. Phone tapping is done under the colonial and outdated Indian telegraph act 1885 and e-surveillance is done under the IT Act 2000. Both these acts are violating the letter and spirit of Indian constitution and have incorporated many unconstitutional provisions that are well beyond the parliamentary and judicial scrutiny.

Recently, the ministry of communication and information technology (MCIT) has launched the central monitoring system project of India. It has the capabilities to monitor all sorts of telecommunication and electronic communications. However, it is a pure executive exercise with no legal framework, civil liberty safeguards and parliamentary and judicial scrutiny.

At the international level some development for safeguarding the human rights in cyberspace has been taking place. United Nations has declared that access to Internet is a human right. This shows that human rights protection in cyberspace cannot be ignored by nations in future.

Finally, m-governance cannot succeed till we ensure cyber security for m-governance in India. Till now even basic cyber security is missing in India and we have no cyber security policy in India. Further, the IT Act 2000 needs to be suitably amended or a dedicated legislation for m-governance must be enacted in India.

All these issues are an integral part of the m-governance policy of India. Before jumping upon the fancy idea of m-governance we must ensure that it can operate and flourish in India.

International Cyber Security Policy Framework, India And International Cooperation

Cyber Security is no more the requirement for IT Companies but it has become an indispensable need for Nationals at large. This is because Internet has connected the entire World and a Cyber Criminal in one Jurisdiction can launch Cyber Attacks in another Jurisdiction.

Regional Cyber Security Initiatives have gained speed to meet these challenges. For instance, the US Cyber Space Policy Review and Cyber Security Initiative intend to boost Cyber Security for America. Similarly, Organisation for Security and Cooperation in Europe (OSCE) is organising a Cyber Security Cooperation Talk. The Cyber Security Cooperation Talk of OSCE involves 56 participating Nations of the OSCE, including the United States, which will vote next week in Serbia on a resolution to improve Cyber Security Cooperation.

This shows that while International Cyber Security Organisations are not taking much interest in the field of Cyber Security and prevention of Cyber Crimes yet at the National level countries like US and Organisations like OSCE have laid down their International Strategy for Cyberspace.

The Government Departments in US have also shown an increased Cooperation in the field of Cyber Security. Now US Department of Defense (DOD) and Department of Homeland Security (DHS) would share their respective Cyber Security Expertise.

Further, US has also started strengthening its Cyber Security ties with other Nations and India US Homeland Security Dialogue was a part of the same. In fact, India and US have also signed a Cyber Security Cooperation Agreement. Meanwhile International Organisations have also shown their seriousness towards Cyber Crimes and they have started working in this direction.

However, Cyber Security in India is not up to the mark. We have no Cyber Security Strategy in India. Despite the importance of this issue, we have no “Effective and Implementable” Cyber Security Policy in India.

Further, we have no Cyber Warfare Policy of India, Critical ICT Infrastructure protection Policy in India, Data Protection Laws in India, Cloud Computing Policy in India, Cyber Security Laws in India, etc. Important issues like Cyber Crisis Management Plan of India, Cyber Forensics Laws in India, Legal Enablement of ICT Systems in India, etc are still not part of National Policies and Strategies of India.

At the International level we have no International Cyber Law Treaty and International Cyber Security Treaty that are “Universally Acceptable”. Further, the United Nations and other countries have still to Protect Human Rights in Cyberspace that are blatantly violated World over.

Cyber Security is essentially an International Issue and regional efforts are not conducive for the long term security of Cyberspace. For instance, EU has set up a Cyber Crimes Fighter Team, Seoul has formulated its Cyber Security Plan, Scotland Yard established its own Cyber Flying Squad, EU formed CERT Group to fight Cyber Attacks, etc. While these initiatives are timely and praiseworthy yet they are “Regional” in nature and Cyberspace and Cyber Security are International in nature.

Recent Cyber Attacks on Multinational Firms and Institutions ranging from Google and Citigroup to the International Monetary Fund, have raised fears that Governments and the Private Sector are not well equipped to deal with Cyber Attacks. It is high time that we must ensure not only an “International Harmonised Legal Framework” but also a Robust and Effective International Cyber Security Cooperation that is presently missing. India must also prepare itself for the bigger and unforeseen challenges that are waiting for it.

Monday, July 4, 2011

Cyber Security Cooperation Talks Of Organisation for Security and Cooperation in Europe

None can doubt that we need an international cyber security cooperation to meet the growing menace of cyber crimes and cyber attacks. Although regional initiatives regarding strengthening the cyber security are praiseworthy yet they are well short of the desired goals. This is the reason why we need an international cyber security policy framework.

Meanwhile some very important regional cyber security initiatives and events are taking place. For instance, the US cyberspace policy review and cyber security initiatives are aimed at strengthening US cyberspace from cyber crimes and cyber attacks.

Similarly, 56 participating nations of the Organisation for Security and Cooperation in Europe (OSCE), including the United States, will vote next week in Serbia on a resolution to improve cyber security cooperation.

The decree, if approved, would be included in an annual doctrine -- the Belgrade Declaration -- that represents the collective will of the regional organisation that coordinates with the United Nations, say OSCE officials.

The proposal, which OSCE officials say is co-sponsored by representatives from 22 countries, calls for participants to exchange information about the way they intend to deploy cyber technology during military conflicts. It also requests debates on international legal standards and codes of conduct for operating in cyberspace.

Cyber threats have emerged as a major cause of concern for national and international businesses and governments these days. In the absence of an internationally acceptable legal framework for ensuring cyber security at national levels, the need of international cyber security treaty or convention has become more apparent.

US Cyberspace Policy Review And Cyber Security

US President Barack Obama promised during his election campaign that he would streamline the Cyber Security Infrastructure of America. He did not disappoint America and he initiated the “Most Comprehensive” Cyber Security Initiatives of America.

He has also declared that Cyber Threats are serious Economical and National Security related challenges that US must urgently redress. He also believes that America's economic prosperity in the 21st century will depend on Cyber Security.

To achieve the abovementioned Cyber Security Objectives, Obama has directed a top-to-bottom review of the Federal Government's efforts to defend America’s information and Communications Infrastructure.

This resulted in the finalisation of a report titled the Cyberspace Policy Review. To implement the results of this review, the President has appointed Howard Schmidt to serve as the U.S. Cyber Security Coordinator and created the Cyber Security Office within the National Security Staff. The Office works closely with the Federal Chief Information Officer Vivek Kundra, the Federal Chief Technology Officer Aneesh Chopra and the National Economic Council.

America’s National Cyber Security Strategy intends to improve its resilience to cyber incidents and reduce the cyber threat. Improving the cyber resilience includes hardening the digital infrastructure to be more resistant to penetration and disruption, improving the ability to defend against sophisticated and agile cyber threats and recovering quickly from cyber incidents—whether caused by malicious activity, accident, or natural disaster.

On the front of tackling Cyber Threats, US intends to reduce threats by working with allies on International Cyber Security Cooperation, strengthening Law Enforcement Capabilities against Cyber Crime, and deterring potential adversaries from taking advantage of its remaining vulnerabilities.

Underlying all of these efforts is the need to acquire the best possible information about the State of America’s networks and the capabilities and intentions of its cyber adversaries. US must also make critical Cyber Security information available to and usable by everyone who needs it, including network operators and defenders, law enforcement and intelligence agencies, and emergency management officials in the Federal, State, local, and tribal governments, private industry, and allied Governments.

US has also recognised the importance of Protecting the Civil Liberties and Human Rights in Cyberspace. Similar commitment is also required from United Nations for the Protection of Human Rights in Cyberspace. US maintains that while securing its networks, it will do so in a manner that preserves and enhances our personal privacy and enables the exercise of our civil liberties and fundamental freedoms.

US believes that in the 21st Century, our digital networks are essential to our way of life around the World and are an engine for freedom. The increased security must be accompanied with an enhanced user privacy and keeping the Internet open and innovative.

The President’s Cyberspace Policy Review identifies 10 near term actions to support its Cyber Security strategy:

(1) Appoint a Cyber Security policy official responsible for coordinating the Nation’s Cyber Security policies and activities.

(2) Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.

(3) Designate Cyber Security as one of the President’s key management priorities and establish performance metrics.

(4) Designate a Privacy and Civil Liberties official to the NSC Cyber Security directorate.

(5) Conduct interagency-cleared legal analysis of priority Cyber Security-related issues.

(6) Initiate a national awareness and education campaign to promote Cyber Security.

(7) Develop an International Cyber Security Policy Framework and strengthen our International Partnerships.

(8) Prepare a Cyber Security Incident Response Plan and initiate a dialog to enhance public-private partnerships.

(9) Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.

(10) Build a Cyber Security-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.

We at Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that these are far reaching and Reformative Cyber Security Initiatives suggested by US. If implemented in a Timely and Planned manner they can reduce the Cyber Threat against US Cyberspace to a great extent.

Right To Information Act 2005 And Public Records Act 1993

This is another Document of the Series of Research Reports Published by Perry4Law and Perry4Law Techno Legal Base (PTLB) that establishes the relationship of National Archives of India (NAI), Public Records Act 1993 and other Departments, Initiatives and Legislations of India. Perry4Law and PTLB have already provided Research Reports pertaining to Information Technology Act 2000, Electronic Services Delivery Bill 2011, Digital Preservation In India, etc.

The Right to Information Act, 2005 (RTI Act, 2005) has provided for certain obligations that every “Public Authority” is required to fulfill. All Government Departments, including NAI, are Public Authorities within the meaning of Section 2(h) of the RTI Act, 2005.

Section 2(h) of the RTI Act, 2005 provides that "Public Authority" means any authority or body or institution of self-government established or constituted- (a) by or under the Constitution; (b) by any other law made by Parliament; (c) by any other law made by State Legislature; (d) by notification issued or order made by the appropriate Government, and includes any- (i) body owned, controlled or substantially financed or (ii) non-Government organisation substantially financed, directly or indirectly by funds provided by the appropriate Government.

This “Research Report” briefly outlines those responsibilities of NAI vis-à-vis RTI Act, 2005.

Section 2 of the RTI Act, 2005 provides that unless the context otherwise requires-

(i) "Information" means any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force.

NAI would be required to provide “Information” to the information seekers who have made an RTI Application.

(ii) "Record" includes-

(a) Any document, manuscript and file;
(b) Any microfilm, microfiche and facsimile copy of a document;
(c) Any reproduction of image or images embodied in such microfilm (whether enlarged or not); and
(d) Any other material produced by a computer or any other device.

The definition of “Public Records” U/S 2(e) of Public Records Act, 1993 (PRA 1993) is almost identical with the definition of Records under the RTI Act 2005. These Records can be sought under the RTI Act, 2005 as “Information” through an RTI Application.

(iii) "Right to information" means the right to information accessible under this Act which is held by or under the control of any public authority and includes the right to-

(i) Inspection of work, documents, records;
(ii) Taking notes, extracts or certified copies of documents or records;
(iii) Taking certified samples of material;
(iv) Obtaining information in the form of diskettes, floppies, tapes, video cassettes or in any other electronic mode or through printouts where such information is stored in a computer or in any other device.

(iv) "Third party" means a person other than the citizen making a request for information and includes a public authority.

Section 3 of the RTI Act, 2005 provides that subject to the provisions of this Act, all citizens shall have the right to information.

Section 4(1) of the RTI Act, 2005 provides that every public authority shall-

(a) Maintain all its records duly catalogued and indexed in a manner and the form which facilitates the right to information under this Act and ensure that all records that are appropriate to be computerised are, within a reasonable time and subject to availability of resources, computerised and connected through a network all over the country on different systems so that access to such records is facilitated;

With laws like the proposed Electronic Services Delivery Bill, 2011 the requirements to computerise Records and Public Records of NAI would become almost mandatory. We at Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend initiation of Digitisation and Digital Preservation Initiatives by NAI as soon as possible.

The provisions of Information Technology Act, 2000 would also apply to the initiatives of NAI. Further, provisions regarding Digitisation and Digital Preservation must be incorporated in the proposed Amendments in the Public Records Act, 1993 itself.

(b) Publish within one hundred and twenty days from the enactment of this Act,-

(i) The particulars of its organisation, functions and duties;
(ii) The powers and duties of its officers and employees;
(iii) The procedure followed in the decision making process, including channels of supervision and accountability;
(iv) The norms set by it for the discharge of its functions;
(v) The rules, regulations, instructions, manuals and records, held by it or under its control or used by its employees for discharging its functions;
(vi) A statement of the categories of documents that are held by it or under its control;
(vii) The particulars of any arrangement that exists for consultation with, or representation by, the members of the public in relation to the formulation of its policy or implementation thereof;
(viii) A statement of the boards, councils, committees and other bodies consisting of two or more persons constituted as its part or for the purpose of its advice, and as to whether meetings of those boards, councils, committees and other bodies are open to the public, or the minutes of such meetings are accessible for public;
(ix) A directory of its officers and employees;
(x) The monthly remuneration received by each of its officers and employees, including the system of compensation as provided in its regulations;
(xi) The budget allocated to each of its agency, indicating the particulars of all plans, proposed expenditures and reports on disbursements made;
(xii) The manner of execution of subsidy programmes, including the amounts allocated and the details of beneficiaries of such programmes;
(xiii) Particulars of recipients of concessions, permits or authorisations granted by it;
(xiv) Details in respect of the information, available to or held by it, reduced in an electronic form;
(xv) The particulars of facilities available to citizens for obtaining information, including the working hours of a library or reading room, if maintained for public use;
(xvi) The names, designations and other particulars of the Public Information Officers;
(xvii) Such other information as may be prescribed; and thereafter update these publications every year.

These are very wide mandates, especially the one created by clause (xiv) that requires NAI to provide details in respect of the information, available to or held by it, and reduced in an electronic form.

(c) Publish all relevant facts while formulating important policies or announcing the decisions which affect public;

(d) Provide reasons for its administrative or quasi-judicial decisions to affected persons.

Section 4(2) of the RTI Act, 2005 provides that it shall be a constant endeavour of every public authority to take steps in accordance with the requirements of clause (b) of sub section (1) to provide as much information suo motu to the public at regular intervals through various means of communications, including internet, so that the public have minimum resort to the use of this Act to obtain information.

Again the desirability to adopt Digitisation of Records and Public Records by NAI is clear from Section 4(2) of RTI Act, 2005.

Section 4(3) of the RTI Act, 2005 provides that for the purposes of sub-section (1), every information shall be disseminated widely and in such form and manner which is easily accessible to the public.

Section 4(4) of the RTI Act, 2005 provides that all materials shall be disseminated taking into consideration the cost effectiveness, local language and the most effective method of communication in that local area and the information should be easily accessible, to the extent possible in electronic format with the Central Public Information Officer or State Public Information Officer, as the case may be, available free or at such cost of the medium or the print cost price as may be prescribed.

The Explanation to Section 4 of RTI Act, 2005 provides that for the purposes of subsections (3) and (4), "disseminated" means making known or communicated the information to the public through notice boards, newspapers, public announcements, media broadcasts, the internet or any other means, including inspection of offices of any public authority.

Section 6 (1) of the RTI Act, 2005 provides that a person, who desires to obtain any information under this Act, shall make a request in writing or through electronic means in English or Hindi or in the official language of the area in which the application is being made, accompanying such fee as may be prescribed, to the appropriate officer.

An RTI Application can also be made through E-Mail, Fax or any other Electronic means. Thus, NAI must keep in place a “System” and “Procedure” for dealing with Electronic Records and Electronic RTI Applications.

Section 8 (1) of the RTI Act, 2005 provides that notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,-

(a) Information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;
(b) Information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;
(c) Information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;
(d) Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;
(e) Information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;
(f) Information received in confidence from foreign Government;
(g) Information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;
(h) Information which would impede the process of investigation or apprehension or prosecution of offenders;
(i) Cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:

Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:

Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;

(j) Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Section 8(1) of the RTI Act, 2005 outlines the “Grounds” on which NAI can “Refuse” to give Information about Records and Public Records to an RTI Applicant. By virtue of Section 22 of the RTI Act, 2005, these are the “Only Grounds” subject to which NAI can refuse information to RTI Applicants.

The grounds mentioned in the Public Records Act, 1993 would no longer be relevant after the passing of the RTI Act, 2005. The proposed amendments in the Public Records Act, 1993 must add the “Grounds and Exemptions” that NAI wishes to add in addition to the ones mentioned by RTI Act, 2005.

Section 8 (2) of the RTI Act, 2005 provides that notwithstanding anything in the Official Secrets Act, 1923 nor any of the exemptions permissible in accordance with sub-section (1), a public authority may allow access to information, if public interest in disclosure outweighs the harm to the protected interests.

Section 8 (3) of the RTI Act, 2005 provides that subject to the provisions of clauses (a), (c) and (i) of sub-section (1), any information relating to any occurrence, event or matter which has taken place, occurred or happened twenty years before the date on which any request is made under Section 6 shall be provided to any person making a request under that section:

Provided that where any question arises as to the date from which the said period of twenty years has to be computed, the decision of the Central Government shall be final, subject to the usual appeals provided for in this Act.

The 20 years period is in conformity with the proposed amendments suggested by the Consultation Committee of NAI formulated to suggest Amendments in the PRA 1993.

Section 9 of the RTI Act, 2005 provides that without prejudice to the provisions of section 8, a Central Public Information Officer or a State Public Information Officer, as the case may be, may reject a request for information where such a request for providing access would involve an infringement of Copyright subsisting in a person other than the State.

Section 10(1) of the RTI Act, 2005 provides that where a request for access to information is rejected on the ground that it is in relation to information which is exempt from disclosure, then, notwithstanding anything contained in this Act, access may be provided to that part of the record which does not contain any information which is exempt from disclosure under this Act and which can reasonably be severed from any part that contains exempt information.

NAI can provide “Partial Access” to its Records and Public Records.

Section 10 (2) of the RTI Act, 2005 provides that where access is granted to a part of the record under sub-section (1), the Central Public Information Officer or State Public Information Officer, as the case may be, shall give a notice to the applicant, informing-

(a) That only part of the record requested, after severance of the record containing information which is exempt from disclosure, is being provided;
(b) The reasons for the decision, including any findings on any material question of fact, referring to the material on which those findings were based;
(c) The name and designation of the person giving the decision;
(d) The details of the fees calculated by him or her and the amount of fee which the applicant is required to deposit; and
(e) His or her rights with respect to review of the decision regarding non-disclosure of part of the information, the amount of fee charged or the form of access provided, including the particulars of the senior officer specified under sub-section (1) of section 19 or the Central Information Commission or the State Information Commission, as the case may be, time limit, process and any other form of access.

Section 11(1) of the RTI Act, 2005 provides that where a Central Public Information Officer or a State Public Information Officer, as the case may be, intends to disclose any information or record, or part thereof on a request made under this Act, which relates to or has been supplied by a third party and has been treated as confidential by that third party, the Central Public Information Officer or State Public Information Officer, as the case may be, shall, within five days from the receipt of the request, give a written notice to such third party of the request and of the fact that the Central Public Information Officer or State Public Information Officer, as the case may be, intends to disclose the information or record, or part thereof, and invite the third party to make a submission in writing or orally, regarding whether the information should be disclosed, and such submission of the third party shall be kept in view while taking a decision about disclosure of information:

Provided that except in the case of trade or commercial secrets protected by law, disclosure may be allowed if the public interest in disclosure outweighs in importance any possible harm or injury to the interests of such third party.

NAI receives many Archives, Records, Books, etc. by way of Gifts and otherwise from Third Parties. Such Records, etc. must be given subject to the provisions of this Clause or to the Terms and Conditions subject to which they have been given to the NAI by such Third Parties.

Section 11(2) of the RTI Act, 2005 provides that where a notice is served by the Central Public Information Officer or State Public Information Officer, as the case may be, under sub-section (1) to a third party in respect of any information or record or part thereof, the third party shall, within ten days from the date of receipt of such notice, be given the opportunity to make representation against the proposed disclosure.

Section 11(3) of the RTI Act, 2005 provides that notwithstanding anything contained in Section 7, the Central Public Information Officer or State Public Information Officer, as the case may be, shall, within forty days after receipt of the request under Section 6, if the third party has been given an opportunity to make representation under sub-section (2), make a decision as to whether or not to disclose the information or record or part thereof and give in writing the notice of his decision to the third party.

Section 11(4) of the RTI Act, 2005 provides that a notice given under sub-section (3) shall include a statement that the third party to whom the notice is given is entitled to prefer an appeal under section 19 against the decision.

Third Party Relationships of NAI must be suitably regulated. A sound and practical Procedure or Guidelines in this regard is desirable on the part of NAI.

Section 22 of the RTI Act, 2005 provides that the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in the Official Secrets Act, 1923, and any other law for the time being in force or in any instrument having effect by virtue of any law other than this Act.

The RTI Act, 2005 would “Override” the provisions of Public Records Act, 1993 and its Rules by virtue of this section.

Section 24 (1) of the RTI Act, 2005 provides that nothing contained in this Act shall apply to the intelligence and security organisations specified in the Second Schedule, being organisations established by the Central Government or any information furnished by such organisations to that Government:

Provided that the information pertaining to the allegations of corruption and human rights violations shall not be excluded under this sub-section:

Provided further that in the case of information sought for is in respect of allegations of violation of human rights, the information shall only be provided after the approval of the Central Information Commission, and notwithstanding anything contained in section 7, such information shall be provided within forty-five days from the date of the receipt of request.

Section 24 (2) of the RTI Act, 2005 provides that the Central Government may, by notification in the Official Gazette, amend the Schedule by including therein any other intelligence or security organisation established by that Government or omitting therefrom any organisation already specified therein and on the publication of such notification, such organisation shall be deemed to be included in or, as the case may be, omitted from the Schedule.

Sunday, July 3, 2011

International Cyber Security Cooperation Is Needed

Cyber Threats have emerged as a major cause of concern for National and International businesses and Governments these days. In the absence of an Internationally Acceptable Legal Framework for ensuring Cyber Security at National levels, the need of International Cyber Security Treaty or Convention has become more apparent.

There are many precarious Cyber Attack threats that could prove to be really damaging. Today many Critical Public Services are provided through the use of Information and Communication Technology (ICT) and in an Online Environment.

Since Cyberspace is boundaryless, it is very difficult to prevent Cyber Attacks from different Jurisdictions. Even if a Cyber Attack can be located to a particular Jurisdiction, “Attributing” the same to a single Individual or Organisation/State is really difficult.

There are numerous challenges that need to be addressed in order to formulate the International Cooperation and the Policies that are essential to fight International Cyber Attacks and Cyber Crimes.

True International Cyber Security cannot be achieved till we have an Internationally Applicable and Internationally Acceptable Cyber Security Treaty. Similarly, International Cyber Crimes cannot be tackled till we have an Internationally Acceptable Cyber Crime Treaty.

However, in the zeal to fight against Cyber Attacks and Cyber Crimes, Human Rights Protection in Cyberspace should not be neglected as has been done till now. Every possible effort must be made to “Reconcile” Human Rights with National Security and Law Enforcement Requirements.

The present practice of violating Human Rights in Cyberspace World over by playing the card of “National Security” is an aspect that has to be taken care of especially by the United Nations.

At the end of the day, the battle against Cyber Attacks and Cyber Crimes cannot be won till we enact a “Human Rights Oriented” International Legal Framework because in Cyberspace “Non State Players” are sometimes “More Powerful and Better Equipped” than National Governments. They are also “More Assertive” in Cyberspace than in the Realtime and Offline World. I hope the International Community would mull over all these aspects and consider enacting the International Cyber Security Treaty or Convention.