Monday, November 5, 2012

The Proposed IT Act 2000 Amendments: Boon Or Bane

There are hardly any cyber law firms in India that have contributed as much to the growth and development of the cyber law of India as Perry4Law has. In this article, Praveen Dalal, managing partner of Perry4Law and CEO of PTLB, shares the civil liberties concerns and issues pertaining to human rights protection in cyberspace that have now come true.

The aim of this article, written in 2006, is to consider the far reaching consequences of the proposed IT Act, 2000 amendments as suggested by the Expert Committee appointed by the Government in this regard. These amendments were severely criticised in India because of their inherent weaknesses and retrograde approach. If these proposed amendments have been approved by the cabinet without considering the critical evaluations or without the necessary modification, India will surely be a “safe haven” for various cyber crimes and contraventions. Equally at risk are e-governance in India and e-commerce in India. In the present scenario, cyber law in India is going to be a remedy worse than the malady. We may have a cyber law without teeth. Rather, it may actively encourage and support the criminal tendencies and cyber crimes in India. It is ironic that though India is emerging as the leading country in the field of Information and Communication Technology (ICT), the law that is needed to make it a ground reality is itself removing the protection and safeguards necessary for the survival and continued existence of ICT in India.

I. Introduction

The cyber law, in any country of the World, cannot be effective unless the concerned legal system has the following three pre requisites:

(1) A sound Cyber Law regime,
(2) A sound enforcement machinery, and
(3) A sound judicial system.

Let us analyse the Indian Cyber law on the above parameters.

(1) Sound Cyber Law Regime: The Cyber law in India can be found in the form of the IT Act, 2000. The IT Act, as originally enacted, suffered from various loopholes and lacunas. These “Grey Areas” were excusable since India introduced the law recently and every law needs some time to mature and grow. It was understood that over a period of time it would grow and further amendments would be introduced to make it compatible with International standards. It is important to realise that we need “qualitative law” and not “quantitative laws”. In other words, one single Act can fulfil the need of the hour provided we give it a “dedicated and futuristic treatment”. The dedicated law essentially requires a consideration of “public interest” as against the interest of a few influential segments. Further, the futuristic aspect requires the additional exercise and pain of deciding the trend that may be faced in future. This exercise is not needed while legislating for traditional laws but the nature of cyber space is such that we have to take additional precautions. Since the Internet is boundary less, any person sitting in an alien territory can do havoc with the computer systems of India. For instance, Information Technology is much more advanced in other countries. If India does not shed its traditional core then it will be vulnerable to numerous cyber threats in the future. The need of the hour is not only to consider the “contemporary standards” of the countries having developed Information Technology standards but to “anticipate” future threats as well in advance. Thus, a “futuristic aspect” of the current law has to be considered. Now the big question is whether India is following this approach? Unfortunately, the answer is in the NEGATIVE. Firstly, the IT Act was deficient in certain aspects, though that was bound to happen. However, instead of bringing suitable amendments, the Proposed IT Act, 2000 amendments have further “diluted” the criminal provisions of the Act. The “national interest” was ignored for the sake of “commercial expediencies”. The proposed amendments have made the IT Act a “tiger without teeth” and a “remedy worse than malady”.

(2) A Sound Enforcement Machinery: A law might have been properly enacted and may be theoretically effective too but it is useless unless enforced in its true letter and spirit. The law enforcement machinery in India is not well equipped to deal with cyber law offences and contraventions. They must be trained appropriately and should be provided with suitable technological support.

(3) A Sound Judicial System: A sound judicial system is the backbone for preserving law and order in a society. It is commonly misunderstood that it is the “sole” responsibility of the “Bench” alone to maintain law and order. That is a misleading notion and the “Bar” is equally responsible for maintaining it. This essentially means a rigorous training of the members of both the Bar and the Bench. The fact is that cyber law is in its infancy in India, hence not many Judges and Lawyers are aware of it. Thus, a sound cyber law training of the Judges and Lawyers is the need of the hour. In short, the dream of an “Ideal Cyber Law in India” requires a “considerable” amount of time, money and resources. In the present state of things, it may take five more years to appreciate its application. The good news is that the Government has sanctioned a considerable amount as a grant to bring e-governance within the judicial functioning. The need of the hour is to appreciate the difference between mere “computerisation” and “cyber law literacy”. The judges and lawyers must be trained in contemporary legal issues like cyber law so that their enforcement in India is effective. With all the challenges that India is facing in education and training, e-learning has a lot of answers and needs to be addressed seriously by the country's planners and private industry alike. E-learning can provide education to a large population not having access to it.

II. Critical Evaluation Of The Proposed IT Act, 2000 Amendments

The proposed IT Act, 2000 amendments are neither desirable nor conducive for the growth of ICT in India. They are suffering from numerous drawbacks and grey areas and they must not be transformed into the law of the land. These amendments must be seen in the light of contemporary standards and requirements. Some of the more pressing and genuine requirements in this regard are:

(a) There are no security concerns for e-governance in India
(b) The concept of due diligence for companies and its officers is not clear to the concerned segments
(c) The use of ICT for justice administration must be enhanced and improved
(d) The offence of cyber extortions must be added to the IT Act, 2000 along with Cyber Terrorism and other contemporary cyber crimes
(e) The increasing nuisance of e-mail hijacking and hacking must also be addressed
(f) The use of ICT for day to day procedural matters must be considered
(g) The legal risks of e-commerce in India must be kept in mind
(h) The concepts of private defence and aggressive defence are missing from the IT Act, 2000
(i) Internet banking and its legal challenges in India must be considered
(j) Adequate and reasonable provisions must be made in the IT Act, 2000 regarding “Internet censorship”
(k) The use of private defence for cyber terrorism must be introduced in the IT Act, 2000
(l) The legality of sting operations must be adjudged
(m) The deficiencies of Indian ICT strategies must be removed as soon as possible
(n) A sound BPO platform must be established in India, etc.

The concerns are too many to be discussed in this short article. The Government must seriously take the “genuine concerns” and should avoid the cosmetic changes that may shake the base of already weak cyber law in India.

III. Conclusion

The Government has mistakenly relied too much upon “self governance” by private sectors and in that zeal kept aside the “welfare State role”. The concept of self governance may be appropriate for matters having civil consequences but is a catastrophic blunder for matters pertaining to crimes, offences, contraventions and cyber crimes. Further, the Government must also draw a line between “privatisation” and “abdication of duties” as imposed by the Supreme Constitution of India. The concepts of “Public-Private Partnerships” must be reformulated keeping in mind the welfare State role of India. The “collective expertise” must be used rather than choosing a segment that is not representing the “silent majority”. It would be appropriate if the Government puts the approved draft by the Cabinet before the public for their inputs before finally placing them before the Parliament.

Source: PTLB Blog

The Draft Intelligence Services (Powers and Regulation) Bill, 2011

A Draft Bill titled the Intelligence Services (Powers and Regulation) Bill, 2011 has been recently circulated in the Lok Sabha. The Bill has been circulated by Manish Tewari, Member of Parliament. The Bill, though circulated, could not be introduced as the Lok Sabha was adjourned sine die on Friday. It is likely to be introduced in the next session of Parliament.

The Bill intends to establish a Legal Framework for Intelligence Agencies of India. Presently, Intelligence Agencies of India are not governed by any Legal Framework and they are not under Parliamentary Scrutiny.

This is a serious “Constitutional Issue” as the exercise of Law Enforcement and Intelligence Powers without any “Constitutionally Valid Law” is a serious violation of Constitutional provisions. Finally, some sort of law making has been sought that would also bring Transparency and Accountability among the Intelligence Operations in India. The present Intelligence Infrastructure of India is in a big mess and the Bill, if made an enforceable law, would bring some respite.

However, there are many “Techno Legal and Constitutional Issues” that are “still missing” from the Bill. I/We would discuss the same subsequently. In this post I wish to discuss some of the provisions of the Draft Intelligence Services (Powers and Regulation) Bill, 2011.

The Bill seeks to give statutory status to:

(i) Research and Analysis Wing
(ii) Intelligence Bureau and
(iii) National Technical Research Organisation.

with a view to regulate the manner of the functioning and exercise of powers by the Intelligence Agencies within and beyond the territory of India and to provide for the coordination, control and oversight of such agencies.

The Statement of Objects and Reasons of the proposed Bill says that Intelligence agencies are responsible for maintaining internal security and combating external threats to the sovereignty and integrity of the nation. These responsibilities range from counter-terrorism measures tackling separatist movements to critical infrastructure protection. These agencies are operating without an appropriate statutory basis delineating their functioning and operations. This tends to, among other things, compromise operational efficiency and weakens the professional fabric of these agencies. It also results in intelligence officers not having due protection when performing their duties.

Assessments and gathering of information by intelligence agencies are catalysts for law enforcement units to act, necessitating that these be reliable, accurate and in accordance with law. This kind of efficiency has been hindered by obscured responsibilities that have plagued the functioning of the agencies.

Article 21 of the Constitution provides that no person shall be deprived of his life and personal liberty except according to the procedure established by law. The Supreme Court of India has carved a right to privacy from the right to life and personal liberty. Such rights to privacy are compromised when agencies undertake surveillance operations.

In Re: Peoples Union of Civil Liberties v. Union of India, the Supreme Court issued detailed guidelines regarding telephone tapping. A proper legal framework is required to regulate surveillance of other forms, using different technologies, as well. There is an urgent need to balance the demands of security and privacy of individuals, by ensuring safeguards against the misuse of surveillance powers of intelligence agencies. Therefore, legislation is imperative to regulate the possible infringement of privacy of citizens, while giving credence to security concerns.

In view of the reasons stated, the Bill seeks to enact a legislation pursuant to Entry 8 of List I of the Seventh Schedule of the Constitution of India to provide: -

(a) A legislative and regulatory framework for the Intelligence Bureau, the Research and Analysis Wing and the National Technical Research Organisation;
(b) Designated Authority regarding authorisation procedure and system of warrants for operations by these agencies;
(c) A National Intelligence Tribunal for the investigation of complaints against these agencies;
(d) A National Intelligence and Security Oversight Committee for an effective oversight mechanism of these agencies; and
(e) An Intelligence Ombudsman for efficient functioning of the agencies and for matters connected therewith.

The Bill is a very good beginning though it requires many “improvements” before it is finally passed by both the Houses of Parliament. I hope and wish the Modified and Improved Bill would become an applicable law very soon.

Source: PTLB Blog

Cyber Security Policy Of India

Cyber Security is an issue that tries to protect and preserve the Information Technology Infrastructure (ITI) of a Nation. Since Cyberspace is boundary less it is possible to attack the ITI of any Nation from any place.

We are still dealing with the Cyber Security issues in India. Although India has formulated the Cyber Security Strategy, it is more on the side of prescribed guidelines alone. The practical and actual implementation of the same is still missing.

Policy and Strategy issues are best implemented practically and effectively if they are made part of the National Policies. Till now we have not formulated a National Cyber Security Policy of India that is implementable at National level.

The Cyber Security Policy of India must cover areas like Cyber Laws, Cyber Crimes, Transnational Technological Crimes, Cyber Attacks, Cyber Warfare, Cyber Terrorism, Cyber Espionage, Human Rights Protection in Cyberspace, Critical Infrastructure Protection Plan, Critical ICT Infrastructure Protection, Crisis Management Plan, etc.

Till now there is no National Cyber Security Policy of India that covers these issues and is implementing the same. Our websites are frequently defaced, strategic computers are often compromised, sensitive defence documents are occasionally stolen and cyber espionage against India is frequently committed.

I also understand that it is not possible to have absolute Cyber Security. The notion of having absolute Cyber Security is a “Myth” as we cannot ensure absolute Cyber Security anywhere. There are exploits and vulnerabilities, both hardware and software based, that cannot be anticipated and tackled in advance. In fact, “Zero Day Exploits” are the most difficult ones to anticipate and handle. In these types of exploits all Cyber Security Measures prove ineffective and futile.

Further, human beings are usually the weakest link in the Cyber Security infrastructure and Social Engineering is the easiest way to break into a Computer System. Besides being easy, Social Engineering can be incredibly cheap. Social Engineering is the hardest form of attack to defend against because an individual or organisation cannot protect itself with hardware or software alone.

Both Government Departments and Private Companies must have good employee awareness activities and information dealing policies in place and the employees must strictly follow these policies. The employees must be willing to ask relevant questions while dealing with a request to provide sensitive information.

Indian Government must also focus upon Techno Legal Cyber Security Skill Development for its employees and departments. Suitable Techno Legal Cyber Security Courses must be made available to Government departments and employees. All these issues must be made part of the Cyber Security Policy of India that should be formulated and implemented as soon as possible.

Source: ICTPS Blog

Cyber Security Capabilities Of India

Maintaining cyber security at the international level is a tedious task. This is so because cyberspace does not recognise any boundary and cyber attacks can be launched from any part of the world. While cyber attacks upon various computer systems and computer resources are a cause of concern, cyber attacks upon critical infrastructures are of grave concern.

Cyber security in India is at an initial stage. Even the Information Technology Act, 2000 (IT Act 2000), which is the sole cyber law of India, does not address cyber crimes and cyber security issues effectively. We have no dedicated cyber security laws in India and we urgently need a dedicated cyber security legal framework in India.

Meanwhile, India is increasingly facing cyber attacks and cyber threats from foreign nationals. In fact, the cyber laws and cyber security trends of India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) have clearly shown the cyber security vulnerabilities of India. Cyber terrorism against India, cyber warfare against India, cyber espionage against India and cyber attacks against India have already increased a lot. The cyber law trends of India 2012 by PTLB have also projected an increased rate of cyber crimes in India and cyber attacks against India in the year 2012.

The biggest cyber threat against India is originating in the form of cyber attacks upon Indian critical infrastructures. Critical infrastructure protection in India requires a well formulated policy. Presently we have no critical infrastructure protection policy of India. Further, critical ICT infrastructure protection in India is one area that requires special attention of Indian government.

Fortunately, Indian government has decided to streamline cyber security of India. The Indian government is in the process of finalising an elaborate plan to strengthen India's cyber security capabilities. A national critical information infrastructure protection centre (NCIPC) of India has also been proposed by Indian government. It intends to ensure critical infrastructure protection and critical ICT infrastructure protection in India.

There are a few prerequisites that can make the NCIPC of India successful. Firstly, there must be a centralised ICT command centre of India that can coordinate various cyber security issues. Secondly, specialised agencies and authorities must be constituted for critical infrastructure areas like power, telecom, defense, aviation, etc. These agencies and authorities must coordinate with the centralised command centre for cyber security related issues.

Ministry of communication and information technology (MCIT) has already taken certain initiatives in this regard. For instance, a central monitoring system (CMS) project of India has been launched by MCIT to monitor and intercept electronic communications, messages and information. Further, a national telecom network security coordination board (NTNSCB) of India has also been proposed to strengthen the national telecom security of India.

Now Indian government is planning to step up cyber security protection levels, putting in place real time command-and-control centers and delineating responsibilities among various agencies.

Among the proposals are the establishment of dedicated command-and-control centers in India to monitor critical infrastructure in real time, the constitution of computer emergency response teams (CERTs) for key sectors such as power, aviation, etc. and the formulation of elaborate protocols for all stakeholders involved in the process of ensuring cyber security in India.

The Cabinet Committee on Security (CS) may approve in a few weeks the multi-layered security plans to protect India's critical infrastructure. The national security advisor (NSA) and the cabinet secretary are working on the final plan.

There would be a clear demarcation of responsibilities between Computer Emergency Response Team-India (CERT-In), National Technical Research Organisation (NTRO), Intelligence Bureau (IB), Military Intelligence (MI) and other agencies that have a role in fighting cyber intrusions. Protocols would be formulated to ensure that there is no overlap between the functions and obligations of various agencies fighting cyber attacks against India. The proposed protocol will also cover department of telecom, department of information technology, National Informatics Centre etc.

Under the proposal, the government will also regularly and proactively monitor and scan critical networks. Not just that, the levels of security for these networks will also be stepped up. CERT-In may also be creating its own real time monitoring centre to strengthen its cyber security initiatives. The responsibility for monitoring critical infrastructure will be divided between NCIPC and CERT-In. The government will also set up dedicated CERTs for critical sectors such as power, aviation, etc. where no such national monitoring mechanism exists.

This is a good step in the right direction and Perry4Law and PTLB welcome this move. We also hope that with this the cyber security capabilities of India would be upgraded to the required levels.

Source: ICTPS Blog

National Critical Information Infrastructure Protection Centre (NCIPC) Of India

In recent times, there has been an increasing stress upon cyber security at the international level. This is so because cyber attacks are happening at the international level and all the countries are facing this threat.

Countries are trying to coordinate cyber security initiatives at national and international levels. However, cyber security in India is still not up to the mark. India is increasingly facing cyber attacks and cyber threats from foreign nationals.

The cyber laws and cyber security trends of India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) have clearly shown the cyber security vulnerabilities of India. The cyber law trends of India 2012 have also projected an increased rate of cyber crimes in India and cyber attacks against India in the year 2012.

For instance, cyber terrorism against India, cyber warfare against India, cyber espionage against India and cyber attacks against India have increased a lot. Presently, we do not have a strong cyber law to deter cyber attacks and cyber crimes. Further, we have no cyber security laws in India as well.

Cyber security is also crucial to the critical infrastructure protection of India. Critical infrastructure protection in India requires a well formulated policy. Presently we have no critical infrastructure protection policy of India. Even critical ICT infrastructure protection in India is required.

A national critical information infrastructure protection centre (NCIPC) of India has been proposed. It intends to ensure critical infrastructure protection and critical ICT infrastructure protection in India.

There are a few prerequisites that can make the NCIPC of India successful. Firstly, there must be a centralised ICT command centre of India that can coordinate various cyber security issues. Secondly, specialised agencies and authorities must be constituted for critical infrastructure areas like power, telecom, defense, etc. These agencies and authorities must coordinate with the centralised command centre for cyber security related issues.

Ministry of communication and information technology (MCIT) has already taken certain initiatives in this regard. For instance, a central monitoring system (CMS) project of India has been launched by MCIT to monitor and intercept electronic communications, messages and information. Further, a national telecom network security coordination board (NTNSCB) of India has also been proposed to strengthen the national telecom security of India.

However, there is a big problem in the successful implementation of all the abovementioned projects and initiatives as well as the NCIPC of India. The Indian government has been avoiding parliamentary oversight of these projects. This is a bad precedent that needs to be urgently taken care of. We need urgent parliamentary oversight for e-surveillance in India, Internet censorship in India, intelligence gathering in India, intelligence authorities of India, the Central Bureau of Investigation, law enforcement agencies of India, the Aadhar project of India, etc.

Even privacy laws in India, data security laws in India, data protection laws in India, etc are urgently required to be formulated. The cyber law of India must be suitably amended, perhaps repealed, to make a more robust and stringent cyber law of India. We need dedicated cyber security legal framework in India and cyber forensics laws in India.

For too long Indian parliament has been ignoring its crucial legislative business and it is high time for Indian parliament to do the needful in this regard. Contemporary techno legal issues cannot be left at the mercy and indifference of Indian parliament and Indian government as that may have serious adverse effects upon Indian economy and national security of India.

Source: ICTPS Blog

Cyber Law Due Diligence In India

Cyber Law Due Diligence and Cyber Security Diligence in India are two fields that are not taken seriously by Stakeholders and Intermediaries of India. Under the Information Technology Act 2000 (IT Act 2000) there are many “Due Diligence Requirements” that Banks, Internet Service Providers (ISPs), Search Engines, E-Commerce Portals, etc must fulfill. However, by and large these Due Diligence Requirements are seldom followed till some “Criminal Prosecution” takes place.

This “Mindset” needs to be changed in India. The Cyber Law of India has express provisions that provide for both Civil and Criminal Liabilities for “Non Observance of Due Diligence”. Once these provisions are attracted, the concerned Person or Institution has to defend himself/itself in a Court of Law.

In India there is a lack of awareness about both the Cyber Law of India as well as Cyber Law Due Diligence Requirements in India. This is the main reason why Cyber Law Due Diligence has not been up to the requirements and expectations.

Of all stakeholders, Intermediaries must pay special attention to Cyber Law Due Diligence Requirements of India. Intermediaries like ISPs, Cyber Café owners, Web Hosting Service Providers, Blogging Platforms, etc have to take care of issues pertaining to Cyber Law, Cyber Security, Defamation Laws, Intellectual Property Rights (IPRs) Violations, etc.

A special care must be taken of the Online Copyright issues that are increasingly posing problems for Intermediaries. The liability of Internet Intermediaries for Copyright Violations is an issue that should be taken very seriously. With Laws like Digital Millennium Copyright Act (DMCA) and similar Laws, this liability has become very onerous.

“Take Down Notices” for Copyright Violations in Cyberspace are very common these days. The moment a Take Down Notice is communicated to the Intermediary, it becomes imperative on its behalf to take appropriate action. Further, the “Long Arm Jurisdiction” makes the applicability of National Law Extra Territorial. Even the Cyber Law of India has Extra Territorial Applicability.

Perry4Law and Perry4Law Techno Legal Base (PTLB) “Strongly Recommend” that all Stakeholders and Intermediaries must put in place Robust and Effective Due Diligence Mechanisms at their places. This would not only help them in preventing Crimes and Cyber Crimes but would also protect them from various Civil and Criminal Liabilities as well.

Source: ICTPS Blog

Right To Privacy Bill Of India 2011

Law minister Veerappa Moily is planning to introduce the privacy law of India in the forthcoming monsoon session of the parliament. Till now we have no dedicated statutory privacy law in India. The Supreme Court of India has interpreted right to privacy as a fundamental right under article 21 of the constitution of India.

The need to have a privacy law in India has arisen as the Indian government has launched many e-surveillance and national security related projects without proper privacy and civil liberties safeguards. These include projects like Aadhar, National Intelligence Grid (Natgrid), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

Now law ministry is trying to give some minimum privacy safeguards from these projects. The right to privacy bill 2011 of India would provide for such a right to citizens of India and to regulate collection, maintenance, use and dissemination of their personal information. The Bill also contains penal provisions for violation of privacy rights.

The Bill says, “every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.”

The bill gives protection from a citizen's identity theft, including criminal identity theft (posing as another person when apprehended for a crime), financial identity theft (using another's identity to obtain credit, goods and services), etc.

The bill prohibits interception of communications except in certain cases with the approval of a Secretary-level officer. It mandates destruction of the intercepted material within two months of discontinuance of interception.

The bill provides for constitution of a Central Communication Interception Review Committee to examine and review the interception orders passed and is empowered to render a finding that such interception contravened Section 5 of the Indian Telegraphs Act and that the intercepted material should be destroyed forthwith. It also prohibits surveillance either by following a person or closed circuit television or other electronic or by any other mode, except in certain cases as per the specified procedure.

As per the bill, no person who has a place of business in India but has data using equipment located in India, shall collect or process, use or disclose any data relating to an individual to any person without the consent of such individual.

The bill mandates the establishment of a Data Protection Authority of India, whose function is to monitor development in data processing and computer technology; to examine law and to evaluate its effect on data protection and to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.

The Authority can investigate any data security breach and issue orders to safeguard the security interests of affected individuals in the personal data that has or is likely to have been compromised by such breach.

The bill makes contravention of the provisions on interception an offence punishable with imprisonment for a term that may extend up to five years or with fine, which may extend to Rs. 1 lakh or with both for each such interception. Similarly, disclosure of such information is a punishable offence with imprisonment up to three years and a fine of up to Rs. 50,000, or both.

Further, it says any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext shall be punishable with a fine of up to Rs. 5 lakh.

For some strange reasons, the law ministry has not made the Bill public. By making the Bill public useful public inputs could have been obtained. Without analysing the copy of the Bill, we cannot comment upon the legality and constitutionality of the same. All we can say at this point of time is that the proposed Bill must protect human rights in cyberspace to be valid and constitutional and it must respect the privacy rights of Indians in the information age.

Source: ICTPS Blog

Proposed Draft Right To Privacy Bill 2011 Of India

Right to Privacy is a very important Human Right. For long India ignored this important Civil Liberty despite demands for the same. Finally, Supreme Court of India interpreted Article 21 of the Constitution of India as a “Constitutional Source” of Right to Privacy in India.

Now Right to Privacy is a Fundamental Right in India. However, exercise of a Fundamental Right is very difficult in India without the support of a “Statutory Right” in this regard. This is the reason why we need to enact a Statutory Law on Right to Privacy in India.

Privacy Rights have become even more important in this Information Era where Privacy of Netizens is in real danger. Indian Government has launched various Projects like Aadhar, NATGRID, CCTNS, Central Monitoring System (CMS), etc that are openly violating the Civil Liberties, including Privacy Rights, of Indians. This has forced the Law Ministry to consider enacting a Privacy Law of India.

Law Ministry has proposed a Right to Privacy Bill of India 2011. Surprisingly, the draft of Right to Privacy Bill of India 2011 has still not been made public so its analysis is not possible. However, this is a good beginning and I welcome this step of Law Minister Veerappa Moily.

I am not sure whether Human Rights in Cyberspace have been considered by the proposed draft Right to Privacy Bill of India 2011. However, Law Ministry must incorporate Privacy Rights in Cyberspace in the proposed Bill to make it effective and meaningful.

Privacy is very important for having peaceful and confidential phone conversations, e-mail communications and other forms of electronic communications. Indian Government has launched various Projects that can openly indulge in Unconstitutional Phone Tapping and Illegal E-Surveillance, that too without any “Judicial Scrutiny”.

In the absence of Judicial Scrutiny and Privacy Laws, Indian Citizens are left with no choice but to use “Technological Self Defence Measures” to protect their Privacy Rights, especially in Cyberspace. Even this is not acceptable to Indian Government as it is harassing service providers like Blackberry, Gmail, Skype, etc that are using Encrypted Measures to protect Privacy Rights and to ensure Security. This is just like committing a wrong and then taking advantage of the same to one’s own benefits.

I hope this time we would finally have a Privacy Law of India as in the past as well many times it has been declared that Privacy Law for India would be enacted.

Source: ICTPS Blog

Cyber Forensics And Indian Approach


Cyber Forensics is an area that has not aroused much interest among the Governmental corridors of India. Even the Parliament of India and Indian Judiciary are not very enthusiastic about this much needed Science and Art.

Before I proceed further, it is pertinent to explain the concepts like “Cyber” or “Cyberspace” and “Cyber Forensics” as per my own understanding and with my own personal definitions.

In my opinion the word “Cyber” or “Cyberspace” signifies a “Combination of Information and Communication Technologies (ICT) that includes both Hardware and Software”.

Similarly, according to me the word “Cyber Forensics” means “A Scientific and Forensics analysis of “Cyberspace” that includes ICT Components, Hardware and Software in such a manner that the end result is “Presentable and Admissible” in a Court of Law”.

Another concept that I would like to discuss pertains to Electronic Discovery (E-Discovery). According to me there is a difference between Cyber Forensics and E-Discovery. I believe that Cyber Forensics is a “Wider Concept” than E-Discovery. To put it in other words, Cyber Forensics includes E-Discovery but not Vice Versa.

For instance, a properly conducted Cyber Forensics Exercise is “Relevant” and “Admissible” for all purposes including Litigation purposes. But E-Discovery may not be “Relevant” and “Admissible” while deciding a Criminal Litigation.

Now coming back to the Indian position, Cyber Forensics has not found favour with the Executive, Judiciary, Legislature and the Administrative Branches of India. We have no dedicated Cyber Forensics Laws in India. Even the Information Technology Act 2000 (IT Act 2000), which is the Cyber Law of India, is not covering Cyber Forensics. A passing reference of Cyber Forensics may be found in the IT Act 2000 but that is nothing more than a reference with no actual “Utility” as on date.

This “Poor Condition” of Cyber Forensics in India is attributable to many factors. Firstly, we have no Legal Enablement of ICT Systems in India. Concepts like E-Courts, Online Dispute Resolution (ODR), etc are still missing in India. Secondly, the ICT Policies and Strategies of India are “Defective” and they do not cater to the requirements of Cyber Law, Cyber Security, Cyber Forensics, etc. Thirdly, the Parliament of India is not “Comfortable” with ICT related issues. If Parliament is itself not aware of the Techno Legal Concepts like Cyber Law, Cyber Security, Cyber Forensics, etc not much development can take place.

I personally believe that Cyber Law of India should be repealed and a more comprehensive Cyber Law must be enacted. Similarly we need “Dedicated Laws” for Cyber Security and Cyber Forensics in India.

In my subsequent posts, I would try to cover every possible aspect of Cyber Forensics that is applicable to India and World Wide. Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that this Blog would prove useful to all Stakeholders.

The Basics Of Internet Protocol (IP) Address System

An Internet Protocol (IP) Address is an important aspect of not only the World Wide Web (WWW)/Internet but is also required for conducting a successful Cyber Forensics Analysis. So it is important to have a basic knowledge about IP Address. In this Article I would try to cover the most significant aspects of IP Address and a detailed and technical analysis is beyond the scope of this Article.

Every Computer that communicates on the Internet is allotted a unique IP Address. Through this unique IP Address the “Identity” of the Individual may be established. However, there are exceptions to this case. For instance, use of a Proxy Server may not reveal the true IP Address of the Individual. Similarly, IP Address Spoofing may not provide the correct details of the Computer that has been used to send the communication.

There are two Standards for IP addresses i.e. IP Version 4 (IPv4) and IP Version 6 (IPv6). Presently, most Computers are using IPv4 but soon the same would be migrated to IPv6 as IPv4 is no longer able to cope with the growing demands of IP Addresses.

An IP Address can be either Static or Dynamic. Generally, a Static IP Address is one that your Administrator/ISP allots and configures by editing your Computer's Network Settings. It produces a single and constant identifiable IP Address that can be easily attributable to the Computer using the same.

A Dynamic IP Address is assigned by the Dynamic Host Configuration Protocol (DHCP), a service running on the Network. DHCP typically runs on Network Hardware such as Routers or dedicated DHCP Servers. A Computer using Dynamic IP Address is allotted a new IP Address for each “New Session” during its “Lease Period”.

A single IP Address may further be shared by different Computers using a “Router”. If you use a Router to share an Internet connection, the Router gets the IP Address issued directly from the ISP. Then, it creates and manages a Subnet for all the Computers connected to that Router. The Router would get the External IP Address and the Computers connected to the Router would get Internal IP Addresses to further “Identify” each Individual Computer.

The most common locations for finding IP Addresses are Log Files, the Received Header fields of an E-Mail, Tcpdump Traces, etc. In some circumstances only a Host Name may have been recorded, but this can simply be translated into an IP Address.

IP Addresses are the “First Step” in the Cyber Forensics Investigations. However, IP Tracking must be done with great caution and with good application of mind. A casual IP tracking exercise may not only provide wrong results but can also implicate an innocent person.  I would cover these issues in more detail in my subsequent articles.
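The caution above can be made concrete with the Received headers of an e-mail. The following is an added example, not code from the original article: it lists the hops of a constructed sample message, separates router-internal addresses from public ones, and marks which hops were recorded by a server the investigator trusts. The sample message, the host names and the helper names (trace_hops, last_reliable_public_ip) are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the page). Public addresses are taken
# from the RFC 5737 documentation ranges; 192.168.1.14 is RFC 1918 space.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTP id A1; Mon, 5 Nov 2012 10:00:03 +0530
Received: from mail.example.com (unknown [203.0.113.25])
\tby mx.example.net with ESMTP id B2; Mon, 5 Nov 2012 10:00:01 +0530
Received: from [192.168.1.14] (helo=laptop)
\tby mail.example.com with ESMTPA id C3; Mon, 5 Nov 2012 09:59:58 +0530
From: sender@example.com
To: recipient@example.org
Subject: constructed sample

body
"""

# Ranges that identify a host only inside some local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")


def scope(addr):
    """Return 'internal' for addresses behind a router/NAT, else 'public'."""
    internal = any(addr.version == net.version and addr in net
                   for net in INTERNAL_NETS)
    return "internal" if internal else "public"


def trace_hops(raw_message, trusted_servers):
    """List Received hops, newest first, flagging which ones can be relied on.

    Each server prepends its own Received line, so only lines written by
    servers the investigator controls or trusts are evidence; everything
    below the first untrusted writer is a claim made by the sending side.
    """
    hops, chain_intact = [], True
    for value in message_from_string(raw_message).get_all("Received", []):
        by = BY_HOST.search(value)
        recorded_by = by.group(1).lower() if by else None
        chain_intact = chain_intact and recorded_by in trusted_servers
        ip = None
        match = IP_IN_BRACKETS.search(value)
        if match:
            try:
                ip = ipaddress.ip_address(match.group(1))
            except ValueError:
                ip = None  # bracketed text that is not an address
        hops.append({
            "ip": str(ip) if ip else None,
            "scope": scope(ip) if ip else None,
            "recorded_by": recorded_by,
            "reliable": chain_intact,
        })
    return hops


def last_reliable_public_ip(hops):
    """Deepest public address that was recorded by a trusted server."""
    reliable = [h["ip"] for h in hops
                if h["reliable"] and h["scope"] == "public"]
    return reliable[-1] if reliable else None


if __name__ == "__main__":
    hops = trace_hops(SAMPLE, {"inbound.example.org"})
    for number, hop in enumerate(hops, 1):
        print(number, hop)
    print("attribute no further than:", last_reliable_public_ip(hops))
```

In the sample, only the first hop is evidence; the internal address in the last hop names a machine behind someone's router and cannot be tied to a person without that network's own logs.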

Data Security Laws In India

The need and demand for data protection laws in India and data security laws in India are increasing. This is so because data protection and data security touches almost all the spheres of personal lives and business transactions.

India has remained indifferent towards data protection and data security for long. Now Indian government has shown some inclination towards ensuring a legal framework for data protection and privacy protection in India.

Data is the backbone of any society that primarily relies upon information and communication technology (ICT). Protection of data is both the personal and proprietary requirement of various individuals and institutions. This is the reason why data must be secured through techno legal means.

As on date, we have no dedicated Data Privacy Laws In India and Data Protection Law In India. Even a dedicated Privacy Law Of India is missing. There is an urgent need to formulate Techno Legal Data Security Laws In India, Cyber Security Law In India, Privacy Rights And Laws In India, etc. While formulating such laws, we must keep in mind that Privacy Rights In India In The Information Age are different from the traditional privacy requirements.

Data security is closely related to cyber security expertise. Thus, Cyber Security Issues In India need better and focused attention of Indian government as Managing India’s Cyber Security Problems is a very delicate and tedious task. In these circumstances, Indian Data Protection Laws Are Urgently Needed. We cannot ignore data Protection Laws In India and privacy rights in India anymore. Similarly, Encryption Laws And Regulation In India must also be formulated as soon as possible.

At the national policy levels as well the Indian government has to do lots of hard work. For instance, the Encryption Policy Of India Is Needed. Similarly, an implementable Cyber Security Policy Of India is also the need of the hour.

Indian government has also suggested projects and initiatives like National Cyber Coordination Centre (NCCC) Of India, Central Monitoring System (CMS) Project Of India, National Intelligence Grid (Natgrid) Project Of India, etc that would require dealing with the data and information in a constitutional manner.

Clearly data security laws of India are urgently needed. The sooner they would be formulated the better it would be for the interest of various stakeholders in general and national interest of India in particular.

Source: Legal Enablement Of ICT Systems In India

IP Address Spoofing And Its Defenses

Internet Protocol Address (IP Address) plays a very significant role in our day to day lives. Whether it is Cyber Security or Cyber Forensics, IP Address has a crucial role to play. IP Address is also the Starting Point for any Cyber Crime Investigation. So it is of utmost importance that an IP Address must be correctly ascertained.

Similarly, the Crackers and Cyber Criminals are interested in hiding their “Digital Footprints” through various means. IP Spoofing, use of Proxies, utilising Botnet for nefarious activities, exploiting Unsecured Wireless Access Points and Connections, etc are some of the methods that are used by Cyber Criminals.

IP Address is also the starting point to determine the “Authorship Attribution” that is a must before an accused is “Convicted” by a Court of Law. For instance, if a single Computer or Internet connection is used by multiple users, it is absolutely essential to ascertain who in fact used the Computer/Connection for the “Offending Act”.

Similarly, it is absolutely essential to ensure that the owner of a Wireless Connection is actually the person who committed the Cyber Crime or Cyber Contravention. In the majority of cases, such an Unsecured Wireless Connection is misused by others and the IP Address of the owner is reflected for that activity.

Thus, Authorship Attribution is an important aspect of “Determining the Culpability” of an Offender where the means to commit the Offence are common and accessible to many people simultaneously. Data Mining and Profiling of the accused to “Attribute Culpability” to him/her alone is an emerging area of Cyber Crime Investigation.

IP Spoofing is one of the methods used by Cyber Criminals to deny “Authorship Attribution” to them. A Cyber Crime Investigator would first ascertain the IP Address and then, after analysing the E-Mail Headers/Logs, she would come to a conclusion that the IP Address reflected in the communication is a Forged or Spoofed one. Ascertaining the true and correct IP Address is required to proceed further in such a case.

IP Address Spoofing requires creation of IP packets with a forged source IP Address with a purpose of concealing the real identity of the sender or impersonating another System. The most common Protocol for data exchange over Internet is the TCP/IP. The header of each IP Packet contains, among other things, the numerical source and destination address of the Packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different Computer.

However, there is a “Limitation” to such a use. To establish a Connection, TCP uses a “Three Way Handshake” and IP Spoofing by its very nature fails to satisfy this handshake. So the purposes of IP Spoofing are limited in nature. For instance, IP Spoofing can be used for Denial of Service (DoS) Attacks as the attacker is least bothered to receive a “Response”. IP Spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP Addresses. IP Spoofing can also be used for Session Hijacking or Host Impersonation.

There are some services that are vulnerable to IP Spoofing. These include RPC (Remote Procedure Call services), any service that uses IP address authentication, the X Window System, the R services suite (rlogin, rsh, etc.), etc.

IP Spoofing can take many forms. In Non-Blind Spoofing the attacker is on the same subnet as the victim and this enables him to perform session hijacking. Using this technique, an attacker could effectively bypass any authentication measures that have taken place to build a connection.

In Blind Spoofing several packets are sent to the target machine in order to sample sequence numbers. Computers in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most Operating Systems (OSs) implement random sequence number generation, making it difficult to predict them accurately.

In Man in the Middle Attack (MITM) the attacker intercepts a legitimate communication between two Computers. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “Spoofing” the identity of the original sender, who is presumably trusted by the recipient.

There is a “General Consensus” that IP Spoofing does not allow gaining Anonymous Internet Access, which is a common misconception for those unfamiliar with the practice. Any sort of Spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

However, some believe that if a Website is not using syncookies and is using predictable initial sequence numbers, it is possible to create a live TCP connection without actually revealing the original IP Address. This may be possible as the attacker may be least interested in getting back the “Responses”. I would deal with this issue separately and in greater detail subsequently.

IP Spoofing can be prevented and defended against through methods like Packet Filtering, Websites using syncookies and unpredictable initial sequence numbers, use of multiple authentication protocols so that they do not exclusively rely on the IP Address for authentication, use of Encryption, etc.

Some upper layer protocols provide their own defense against IP Spoofing attacks. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted.
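The two transport-level defences named above, syncookies and unpredictable initial sequence numbers, rest on the same idea: the final ACK of the handshake must prove that the sender received the server's SYN-ACK. The following is an added example, not code from the original article or from any operating system; it assumes the whole 32-bit sequence number is a keyed hash of the connection details (real SYN cookies also pack a time counter and an MSS index into it), and the key, addresses, ports and the fixed-step legacy generator are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
# Constructed demo key; a real server uses a random secret and rotates it.
DEMO_SECRET = b"constructed-demo-key"


def keyed_isn(secret, src, sport, dst, dport, counter):
    """32-bit ISN = HMAC(secret, connection 4-tuple, time counter)."""
    msg = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst).packed + struct.pack("!H", dport)
           + struct.pack("!I", counter))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def ack_completes_handshake(secret, src, sport, dst, dport, ack, counter,
                            max_age=1):
    """Validate the third handshake packet without stored per-SYN state.

    The ACK number must be ISN + 1 for the claimed 4-tuple and a recent
    counter value. Only a host that received the SYN-ACK knows the ISN,
    and the SYN-ACK is routed to the claimed source address.
    """
    for age in range(max_age + 1):
        if counter - age < 0:
            break
        isn = keyed_isn(secret, src, sport, dst, dport, counter - age)
        if ack == (isn + 1) & MASK32:
            return True
    return False


def constant_step(isns):
    """Audit check: return the step if sampled ISNs rise by a fixed amount
    (mod 2**32), which makes the next one predictable; otherwise None."""
    if len(isns) < 3:
        return None
    steps = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return steps.pop() if len(steps) == 1 else None


def demo():
    server, port, now = "192.0.2.1", 80, 1000  # constructed values
    # Genuine client: its SYN-ACK arrives, so it can echo ISN + 1.
    isn = keyed_isn(DEMO_SECRET, "203.0.113.10", 40000, server, port, now)
    genuine = ack_completes_handshake(
        DEMO_SECRET, "203.0.113.10", 40000, server, port,
        (isn + 1) & MASK32, now)
    # Forged source: the SYN-ACK went to 198.51.100.99, so the sender
    # never saw the ISN. A value learned from another connection does not
    # help, because the 4-tuple is part of the keyed hash.
    forged = ack_completes_handshake(
        DEMO_SECRET, "198.51.100.99", 40000, server, port,
        (isn + 1) & MASK32, now)
    # Legacy-style generator (constructed): fixed increment per connection.
    legacy = [(5000 + 64000 * i) & MASK32 for i in range(4)]
    modern = [keyed_isn(DEMO_SECRET, "203.0.113.10", 40000 + i, server,
                        port, now) for i in range(4)]
    return genuine, forged, constant_step(legacy), constant_step(modern)


if __name__ == "__main__":
    print(demo())
```

The constant_step check is the kind of test an auditor can run on sequence numbers sampled from a device's own connections to see whether it still uses a predictable generator.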

There is an urgent need to do more in-depth research in the field of IP Spoofing and I would try to cover this field in great detail in my subsequent posts.

Cyber And High Tech Crime Investigation And Training Centre

In this post we are discussing the Cyber and Hi-Tech Crime Investigation and Training (CHCIT) Centre of India managed by Perry4Law Techno Legal Base (PTLB). This is the exclusive techno legal cyber and hi-tech crime investigation and training centre of India that is managing both technical and legal issues of cyber crimes and high tech crimes.

Techno legal issues especially cyber crimes and cyber security issues in India are complicated to manage and tackle. Countries all over the world are struggling to deal with the same. Even in India we have to cover a long road before expertise pertaining to cyber security in India and cyber forensics in India can be achieved.

Research and development plays a major role in developing cyber security capabilities. It is also crucial to develop methods to fight against cyber crimes and cyber attacks. Private initiatives like cyber security research centre of India (CSRCI), cyber forensics research and development centre of India (CFRDCI), cyber crimes investigation centre of India (CCICI), etc are crucial in this regard.

At Perry4Law and PTLB we are managing the exclusive techno legal cyber crime and high tech investigation and training centre of India. We are also managing the exclusive techno legal centre of excellence for cyber crimes investigation in India.

Further, in order to inculcate techno legal skills among police, lawyers, judges, professionals, etc we have been managing the exclusive techno legal centre of excellence for lifelong learning in India where we are providing trainings, courses and education in the fields like cyber law, cyber security, cyber forensics, etc. PTLB e-learning platform further helps in achieving this objective.

The cyber crimes investigation centre of India by PTLB aims at developing techno legal skills among cyber crime investigators on the one hand and modernisation of police force of India on the other. We provide cyber crimes investigation trainings in India to various stakeholders.

Perry4Law and PTLB have also provided cyber crimes trends in India 2012, cyber law trends in India 2012, cyber security trends in India 2012, etc. Previous years' trends have also been provided by Perry4Law and PTLB to give various stakeholders a good look of cyber environment of India.

We have been providing ICT trends in India since 2005-06. The ICT trends in India 2009 and subsequent trends have discussed both the positive and negative aspects of Indian ICT policies and strategies.

We hope that this exclusive techno legal cyber crime investigation centre of India would prove useful to all stakeholders in India and abroad.

Cyber Security Council Of India Established

This article has reported that a cyber security council of India has been constituted by Indian government. We at Perry4Law Techno Legal Base (PTLB) welcome this move of Indian government as it was a much needed initiative. 

According to the report published by my colleague, the cyber security council of India has been constituted by Indian government. This is a good step in the right direction as such an action was long due on the part of Indian government.

Although this is a modest beginning yet if Indian government is committed this can transform into a major cyber security initiative by Indian government. I am hereby sharing the report of my friend for our readers.

Cyber security of India has finally got the attention of Indian government. Indian government has been announcing many initiatives that could strengthen cyber security of India. Although these initiatives have come late yet this is a good beginning from all counts.

Now it has been reported that the Indian government has launched a new and dedicated wing of the country's National Security Council Secretariat (NSCC). The function of the proposed wing would be to deal with the growing cyber threat especially those from cyber terrorists.

Cyber terrorism against India, cyber warfare against India, cyber espionage against India, etc are on rise and this dedicated wing can be really helpful in this regard. The wing would coordinate with other existing law enforcement agencies. The objective of the wing would be to keep both public and private computer safe from cyber attack and malicious activities.

The proposed wing would work in the direction of ensuring coordination among various government departments of India so that both national and international cyber threats can be countered. Gradually the wing would be extended to make its initiatives and efforts more holistic and wide.

However, India still needs to stress upon cyber security research and development. Till now we have a sole techno legal cyber security research centre of India that is managed by Perry4Law and PTLB.


Close association and coordination with expert techno legal institutions like PTLB is the need of the hour. Let us hope that Indian government would collaborate and coordinate with institutions like PTLB to make its cyber security initiatives more holistic and effective.

Data Protection Laws In India

We have no dedicated data protection laws in India. Data of individuals and companies requires both constitutional as well as statutory protection. The constitutional analysis of data protection in India has still not attracted the attention of either Indian individuals/companies or of Indian government.

The statutory aspects of data protection in India are scattered under various enactments. The Information Technology Act 2000 (IT Act 2000), which is the cyber law of India, also incorporates a few provisions regarding data protection in India. However, till now we have no dedicated statutory and constitutional data privacy laws in India and data protection law in India.

Further, we do not have a dedicated privacy law in India as well. Privacy rights in India are still not recognised although the Supreme Court of India has interpreted Article 21 of Indian constitution as the source of privacy rights in India. Just like data protection, provisions pertaining to privacy laws in India are also scattered in various statutory enactments. Privacy rights and laws in India need to be strengthened keeping in mind the privacy rights in India in the information age.

Another related aspect pertains to data security in India. In the absence of proper data protection, privacy rights and cyber security in India, data security in India is also not adequate. Further, we do not have a dedicated cyber security law in India as well.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that data protection requirements are an essential part of civil liberties protection in cyberspace. With the growing use of information and communication technology (ICT), data protection requirement has become very important. It would not be wrong to assume privacy and data protection rights as an integral part of human rights protection in cyberspace.

Perry4Law and PTLB believe that Indian government must formulate different laws for privacy, data protection and data security. The IT Act 2000 has already committed the mistake of incorporating all cyberspace related aspects at a single place. This has resulted in a chaos and we have no effective law for any aspect of cyberspace.

Perry4Law and PTLB suggest that Indian government must formulate separate laws for issues like privacy, data security and data protection.

Source: Corporate Laws In India

Legal Formalities Required For Starting E-Commerce Business In India

E-commerce laws and regulations in India are still evolving. This has created a sort of confusion and uncertainty among e-commerce entrepreneurs in India. While some have opened e-commerce outlets through websites others are exploring a more appropriate and legal way of running an e-commerce business in India.

Legal issues of e-commerce in India vary as per different business models. For instance, electronic trading of medical drugs in India requires more stringent e-commerce and legal compliances as compared to other e-commerce activities. Digital communication channels for drugs and healthcare products in India are scrutinised more aggressively than other e-commerce activities. In fact, regulatory and legislative measures to check online pharmacies trading in banned drugs in India are already in the pipeline.

Besides there are many legal formalities that are required in order to start a company and e-commerce activity in India. A business can be operated as:

(1) Sole Proprietorship.

(2) Partnership.

(3) Company – Public/Private.

(4) Limited Liability Partnerships (LLP).

Mostly people decide to open a private company to substantiate an e-commerce activity and this article would cover that aspect alone. To incorporate a private limited company you must approve its name, registered office address, have at least 2 directors with director identification numbers (DINs), must have a minimum authorised capital of Rs. 1 Lakh, memorandum of association (MOA) and articles of association (AOA), digital signature certificates (DSCs) wherever applicable, etc. Once these conditions and requirements are fulfilled, a certificate of incorporation is sent by post to the registered office of the newly registered company.

The private limited company is also required to comply with income tax related compliances. These include obtaining permanent account number (PAN), tax deduction account number (TAN), value added tax (VAT) registration and obtaining of tax identification number (TIN), professional tax if applicable, service tax, etc.

In certain cases, compliance with labour laws is also required. For instance, the Shops and Establishment Act is a legislation implemented by various States in India. The Act lays down mutual statutory obligation and rights of employers and employees. Registration of shop/establishment is mandatory within 30 days of commencement of work. Other workmen and labour related legislations cover areas like employees provident fund, employees state insurance, etc.

However, e-commerce in India is also required to be conducted in a legally permissible manner. This is more so when the Information Technology Act 2000 (IT Act 2000) prescribes stringent penal and pecuniary penalties for violation of its provisions during e-commerce transactions.

The e-commerce players must ensure cyber law due diligence in India. This is more so when the cyber law due diligence for companies in India has become very stringent and foreign companies and websites are frequently prosecuted in India for non exercise of cyber due diligence.

The legal requirements for undertaking e-commerce in India also involve compliance with other laws like contract law, Indian penal code, etc. Further, online shopping in India also involves compliance with the banking and financial norms applicable in India. For instance, take the example of PayPal in this regard. If PayPal has to allow online payments receipt and disbursements for its existing or proposed e-commerce activities, it has to take a license from Reserve Bank of India (RBI) in this regard. Further, cyber due diligence for PayPal and other online payment transferors in India is also required to be observed.

Perry4Law and Perry4Law Techno Legal Base (PTLB) wish all the best to all e-commerce players in India and abroad.