Monthly Archives: October 2012

Indian Encryption Policy Must Be Formulated

Encryption technology is widely used for many legitimate personal and business purposes. In fact many crucial public services cannot be safely and effectively performed if encryption is not deployed and used. For instance, we cannot safely and security conduct online banking transactions without effective use of encryption methodology. Thus, Encryption Policy of India is Needed to be formulated as soon as possible.

We have no National Encryption Policy of India and in the absence of any such Policy Encryption related issues cannot be effectively managed in India. There is no doubt that Indian Encryption Policy Must be Formulated as soon as possible. Further, dedicated Encryption Laws and Regulations in India are also required. We also need dedicated Cyber Security Laws of India.

Use of Encryption in India has never been smooth. Intelligence Agencies in general and Central Home Ministry of India in particular are very much concerned about use of Encryption beyond 40 bits. However, what Home Ministry is not realising is that anything below 128 bits of encryption is definitely “Unsafe” and anything below 256 is “Potentially Unsafe”.

The Stakeholders that need “Higher Encryption Level Protection” includes Banks, Stock Exchanges, E-Mail Service Providers, Corporate Communications, Sensitive Government Communications, etc. It is “Not Feasible” to ask for Encryption Level below 256 bits.

Obviously, Indian Government has to take care of National Security and Law Enforcement needs as well. This does not mean we should have a “Weak Cyber Security Infrastructure” in India. On the contrary, we must ensure a Strong, Robust and Resilient Cyber Security Infrastructure for India.

At Perry4Law Techno Legal Base (PTLB) we believe that India should invest in establishing good Techno Legal Cyber Security Capabilities on the one hand and Cyber Skills and Intelligence Gathering Skills Development in India on the other hand. We believe that E-Surveillance can never be an “Alternative” for good and effective Cyber Security and Intelligence Gathering Capabilities. E-Surveillance must “Supplement” Intelligence Gathering Skills and “Not Supplant” the same.

This entire problem is happening because we have no Encryption Policy in India that clearly demarcates what level of Encryption can be used and what level cannot be. Further, we have no Legal Framework regarding Encryption usage in India.

We also have no Encryption Laws in India or Encryption Framework and Norms in India that have been “Prescribed” by the Parliament of India. All we have are “Encryption Guidelines” that are incorporated in various “Civil Contracts” with Telecom Companies and other such Companies. At most they are “Departmental Guidelines” but they do not have the “Force of Law”.

They are indirectly made applicable as “Forced Conditions” by the Telecom Companies and other Stakeholders. The “Legality” of this is very much doubtful as “End Users” have no “Autonomy” and “Free Choice” in such cases.

The Cyber Law of India, as applicable through Information Technology Act 2000 (IT Act 2000) has a single provisions in this regard. Section 84A of IT Act 2000 says that the Central Government may prescribe the modes or methods of Encryption. Till now the Central Government has not prescribed any “modes or methods” of Encryption usage in India. In fact, the IT Act 2000 is so “Badly Drafted” that many of its provisions are “Unconstitutional” and there is an urgent need to “Repeal” the Cyber Law of India.

It is high time for us to formulate a Techno Legal Encryption Policy for India as soon as possible. The Encryption Policy of India must keep in mind the Commercial, Cyber Security, Cyber Law, National Security, Intelligence Agencies and Law Enforcement requirements.

Further, the Indian Encryption Policy must also keep in mind the Civil Liberties in Cyberspace. Recently, the United Nations has declared that “Access to Internet” is a Human Right. Indian Government must “Balance” the National Security Requirements with Human Rights in Cyberspace as giving “Primacy” to one over another is not feasible.

Perry4Law and PTLB hope that Indian Government would take immediate steps to accommodate these “Suggestions” of ours.

Data Protection Laws In India Are Urgently Needed

Of late India has become super active for formulating norms and rules pertaining to data protection laws in India and data security laws in India. Although this is just the exploration stage yet legal frameworks for data protection and data security may be in pipeline. There is no second opinion that Indian data security laws are urgently needed and we cannot postpone it anymore.

Data Protection and Privacy Protection are very important these days. Data and privacy must be protected with techno legal means so that sensitive information of individuals and organisations is not compromised. Data is very crucial and valuable these days when virtually everything is done in an online environment.

We have no dedicated Data Protection Laws In India. Data of individuals and companies require both constitutional as well as statutory protection. The constitutional analysis of Data Protection In India has still not attracted the attention of either Indian individuals/companies nor of Indian government.

The statutory aspects of data protection in India are scattered under various enactments. The Information Technology Act 2000 (IT Act 2000), which is the Cyber Law Of India, also incorporate few provisions regarding data protection in India. However, till now we have no dedicated statutory and constitutional Data Privacy Laws In India and data protection law in India.

Further, we do not have a dedicated Privacy Law In India as well. Privacy Rights In India are still not recognised although the Supreme Court Of India has interpreted Article 21 Of Indian Constitution as the source of privacy rights in India. Just like data protection, provisions pertaining to privacy laws in India are also scattered in various statutory enactments. Privacy Rights And Laws In India need to be strengthened keeping in mind the Privacy Rights In India In The Information Age.

Another related aspect pertains to Data Security In India. In the absence of proper data protection, privacy rights and Cyber Security In India, data security in India is also not adequate. Further, we do not have a dedicated Cyber Security Law In India as well. Cyber Security Issues In India need more attention of Indian government as Managing India’s Cyber Security Problems is not an easy task.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that data protection requirements are essential part of Civil Liberties Protection In Cyberspace. With the growing use of information and communication technology (ICT), data protection requirement has become very important. It would not be wrong to assume privacy and data protection rights as integral part of Human Rights Protection In Cyberspace.

Perry4Law and PTLB believe that Indian government must formulate different laws for privacy, data protection and data security. The IT Act 2000 has already committed the mistake of incorporating all cyberspace related aspects at a single place. This has resulted in a chaos and we have no effective law for any aspect of cyberspace.

Perry4Law and PTLB suggest that India government must formulate separate laws for issues like privacy, data security and data protection.

Indian Data Security Laws Urgently Needed

The need and demand for data protection laws in India and data security laws in India are increasing. This is so because data protection and data security touches almost all the spheres of personal lives and business transactions.

India has remained indifferent towards data protection and data security for long. Now Indian government has shown some inclination towards ensuring a legal framework for data protection and privacy protection in India.

Data is the backbone of any society that primarily relies upon information and communication technology (ICT). Protection of data is both the personal and proprietary requirement of various individuals and institutions. This is the reason why data must be secured through techno legal means.

As on date, we have no dedicated Data Privacy Laws In India and Data Protection Law In India. Even a dedicated Privacy Law Of India is missing. There is an urgent need to formulate Techno Legal Data Security Laws In India, Cyber Security Law In India, Privacy Rights And Laws In India, etc. While formulating such laws, we must keep in mind that Privacy Rights In India In The Information Age are different from the traditional privacy requirements.

Data security is closely related to cyber security expertise. Thus, Cyber Security Issues In India need better and focused attention of Indian government as Managing India’s Cyber Security Problems is a very delicate and tedious task. In these circumstances, Indian Data Protection Laws Are Urgently Needed. We cannot ignore data Protection Laws In India and privacy rights in India anymore. Similarly, Encryption Laws And Regulation In India must also be formulated as soon as possible.

At the national policy levels as well the Indian government has to do lots of hard work. For instance, the Encryption Policy Of India Is Needed. Similarly, an implementable Cyber Security Policy Of India is also need of the hour.

Indian government has also suggested projects and initiatives like National Cyber Coordination Centre (NCCC) Of India, Central Monitoring System (CMS) Project Of India, National Intelligence Grid (Natgrid) Project Of India, etc that would require dealing with the data and information in a constitutional manner.

Clearly data security laws of India are urgently needed. The sooner they would be formulated the better it would be for the interest of various stakeholders in general and national interest of India in particular.

Legal Framework For E-Governance In India

Legal enablement of ICT systems in India and legal framework for information society of India are still missing in India. For instance, we have no legal framework for e-courts in India, online dispute resolution in India, mandatory e-governance services in India, etc. Further, we have no dedicated legal framework for cloud computing in India as on date.

Although electronic delivery (e-delivery) of services in India is needed yet in the absence of suitable policies and legal frameworks in this regard, e-delivery of services in India is still a dream.

lectronic governance in India (e-governance in India) is still at its infancy stage. Most of the e-governance projects of India under the national e-governance plan (NEGP) are still in the pipeline despite the deadline being passed long before. This is despite the fact that thousand of crores of public money has already been utilised for e-governance projects of India but without any constructive and practical results.

Meanwhile, the World Bank has once again issued $ 150 million loan to India. It has been issued under the category of e-delivery of public services development policy loan of India. The purpose of the loan is to ensure e-services delivery policy in India that is presently missing.

However, what is more alarming is the fact that in India we have no legal framework for e-governance that can ensure mandatory e-governance services in India. Although the information technology act 2000 carries provisions pertaining to e-governance services in India yet they are “non mandatory” in nature. This has resulted in a poor e-governance services delivery in India. Till now we have no legal framework that mandates that citizens and organisations can claim e-governance as a matter of right.

Further, the scope of NEGP is very wide covering almost all aspects of governance – right from delivery of services and provision of information to business process re-engineering within the different levels of government and its institutions. It is essential that NGP is implemented, monitored and regulated through a legal framework so that it is no more just a plan but reality.

In fact, while implementing the NEGP, various structural and institutional issues have already arisen which clearly call for a statutory mandate for their resolution. The purpose would be to give statutory mandate to the institutional entities, setting up of a separate fund, defining responsibilities and providing for time frames and oversight mechanisms. Thus, this legislation may, inter alia, contain provisions regarding the following:

(a) Definition of e-governance in the Indian context, its objectives and role,

(b) Coordination and oversight mechanisms, support structures at various levels, their functions and responsibilities,

(c) Role, functions and responsibilities of government organisations at various levels,

(d) Mechanism for financial arrangements including public-private partnership,

(e) Specifying the requirements of a strategic control framework for e-government projects dealing with statutory and sovereign functions of the government,

(f) Responsibility for selection and adoption of standards and inter-operability framework,

(g) Framework for cyber security, privacy protection, data security and data protection etc,

(h) Parliamentary oversight mechanism, and

(i) Mechanism for co-ordination between government organisations at Union and State levels.

Source: ICTPS Blog

Legal Framework For Cloud Computing In India

Cloud computing is a commercial project that most of the IT vendors of the world would love to launch in India. This is so because India has a large market for cloud computing business. However, the crucial question is whether India is ready for cloud computing? In short, we have to check whether cloud computing is viable for India especially when techno legal experts of India have answered in negative.

There are many hurdles for the successful implementation of cloud computing framework in India. The biggest among them is absence of legal framework for cloud computing in India. Further, allied legal frameworks are also missing that makes use of cloud computing in India non feasible and prone to numerous legal challenges.

For instance we have no dedicated privacy laws in India, data security laws in India and data protection laws in India. Further, India is fast becoming an endemic e-surveillance society in the absence of proper laws and constitutional procedural safeguards.

For instance, the central monitoring system project of India (CMS project of India) would have absolute control over telecommunications and Internet communications that also without any legal framework and parliamentary oversight. Further, companies like Research in Motion (RIM) have openly declared their support for e-surveillance activities of Indian intelligence agencies by extending cloud computing based e-surveillance model for its Blackberry messenger services.

Further, India is also the only country of the world where phone tapping and e-surveillance is done without a court warrant and beyond the judicial scrutiny. The executive branch of Indian constitution is neither accountable to the parliament of India nor to the judiciary in this regard.

All a police officer or governmental officer has to do is to approach the concerned cloud computing service provider, and it would hand over all your sensitive data and information to him without your knowledge. Further, even if the data is not physically handed over, access to the same can be given to such officer without anybody knowing of such access.

Privacy violations would definitely arise in cases of use of cloud computing in India. The only fact is that you may not be aware that your privacy rights have been violated and your sensitive and personal data is no more a secret.

Indian government must not use software as a service (SAAS) or cloud computing for governmental and public services delivery till suitable procedural safeguards against violation of civil liberties in general and privacy rights in particular are at place. Even industrial players like Infosys and CII have endorsed this viewpoint. Time has come to enact a constitutionally sound legal framework for cloud computing in India.

Source: ICTPS Blog

Exclusive Techno Legal Initiatives Of Perry4Law And PTLB

Issues like cyber law, cyber security, cyber forensics, e-courts, etc are essentially techno legal in nature. Being techno legal in nature they require extra efforts on the part of various stakeholders. This requirement is compulsive in nature and is not confined to a single nation.

Techno legal issues pose special challenges before all nations. This is so because these issues are complex combination of both technical and legal issues. At Perry4Law and Perry4Law Techno Legal Base (PTLB) we have been spearheading many world renowned techno legal initiatives.

For instance, Perry4Law and PTLB are managing the exclusive techno legal centre of excellence for cyber forensics in India, centre of excellence on cyber security in India, virtual legal education campus in India and techno legal e-learning centre of PTLB, lifelong techno legal education in India, legal enablement of ICT systems in India, etc.

Similarly, on the education, trainings and skills development front as well Perry4Law and PTLB have been managing many initiatives. For instance, the exclusive techno legal e-learning in India is managed by PTLB whereas highly specialised and domain specific trainings and education is managed by Perry4Law techno Legal ICT Training Centre (PTLITC).

Perry4Law and PTLB are also managing the exclusive techno legal e-courts consultancy and training centre of India, online dispute resolution services in India, e-discovery services in India, e-commerce services in India, cyber forensics services in India, cyber security services in India, LPO and KPO services in India, etc.

We are also discussing important issues pertaining to international ICT policies and strategies. Similarly, techno legal issues are specifically discussed at PTLB blog. We hope these initiatives would prove useful to all stakeholders.

Source: ICTPS Blog

E-Courts In India: Reasons For Their Failure

Electronic Courts in India are essential part of Legal Enablement of ICT Systems in India. Ensure Legal Enablement for ICT Systems of India can bring many advantages and benefits. It can bring transparency and accountability along with speedier disposal of cases. In short, establishment of E-Courts in India can bring much needed judicial reforms in India.

Establishment of E-Courts in India is a tedious and complicated process. It requires tremendous Techno Legal Expertise without which Electronic Courts in India cannot be established.

The key advantages of establishment of Electronic Courts in India is achievement of Transparency and Efficiency, reduction in Corruption and Backlog of cases, Cost and Time Saving, Witness Protection, etc. Through E-Filing cases can be filed from any part of India and if we use E-Trials as well we would be allowing greater participation of Witnesses in Court Proceedings.

It must also be understood that there is a difference between a Computerised Court and Electronic Court (E-Court). Although we have many Computerised Courts in India, even in District Courts of Delhi and High Court of Delhi, yet we do not have a single E-Court in India till October 2012.

Till a Computerised Court is capable of Electronic Filing, Electronic Evidence Submission, etc through Internet it cannot be termed as an E-Court. Presently, physical presence at the Court’s premises is required to submit files and documents on Electronic Media like CDs and that negates the whole concept of E-Courts in India.

Lack of Techno Legal Expertise is the main reason for poor performance of E-Courts in India. Further, Governmental and Judicial Will to establish E-Courts in India are also missing. Establishment of E-Courts in India can help in reducing the backlog of cases in India. Although there are no exact figures that can be given in this regard yet I believe that establishment of E-Courts could help in reducing Backlog of cases upto 30%.

It is absolutely required to establish E-Courts in India as soon as possible. The first indication of establishment of E-Courts in India was given in the year 2003. However, till now not even a single E-Court has been established by any State or by Centre. India must establish few E-courts within the next Five years.

However, establishment of E-Courts in India in the next Five years depends upon how “Serious” we are regarding establishment of E-Courts in India. With the present “Speed” and “Commitment” we cannot establish even a single E-Court in India by 2017. However, if we start working in this direction right now, establishment of few “Experimental E-Courts” is possible till 2017. Time has come to seriously work in this regard as Electronic Delivery of Justice in India has failed to materialise so far.

Cyber Security Policy Of India

Cyber security in India has not received the attention of Indian policy makers. As a result India has witnessed many sophisticated cyber security attacks against its computer systems operating at crucial departments and places from time to time. Even the terrorists are using technology to further their nefarious objectives in India. The problem is that Indian government, like any other government, is not capable of tackling cyber security issues single handedly. It needs private sector support to achieve this task.

According to Praveen Dalal, Managing Partner of the exclusive techno-legal cyber security research and training centre of India (CSRTCI), cyber security in India needs an urgent rejuvenation. He informs that till now Indian government has not thought it fit to consider cyber security as a part of National Policy.

It is obvious that India is finding it difficult to gather necessary cyber security expertise and this is resulting in a weak cyber security. Fortunately, private initiatives like CSRTCI are bridging the much needed gap of cyber security in India. The centre is providing techno-legal solutions for areas like cyber law, cyber security, cyber forensics, cyber terrorism, cyber espionage, critical ICT infrastructure protection, cyber war, etc. It is also providing techno-legal solutions for Indian projects like CCTNS, Natgrid, NCTC, etc.

CSRTCI also maintains a “repository” of software and tools for areas like cyber security, cyber forensics, penetration testing, malware analysis, encryption, stegnography, etc. It also maintains a rich techno-legal literature, articles, databases, etc for ready reference.

However, the most important and crucial achievement of the CSRTCI is that it has an “Exclusive Techno-Legal Software Repository” and research literature. It also has expertise for “aggressive defence” and human rights protection in cyberspace. In short, it is a single place destination for the techno-legal cyber security and allied fields.

The government of India and private sector of India must concentrate upon cyber security as soon as possible. Further, there is an emergent need to make proper amendments in the otherwise impotent, weak and ineffective cyber law of India. The increasing cyber crimes in India is also attributable to the “welcoming law” of India incorporated in the information technology act 2000 that instead of deterring the cyber criminals is in fact encouraging them to indulge in cyber crimes.

Source: Cyber Laws In India

Banking Regulation Act Amendments Approved By Cabinet

Finance Ministry of India and Reserve Bank of India (RBI) have been working in the direction of bringing many good Financial and Banking Sector Reforms in India. In this direction RBI has already issued two good policy documents that would streamline use of Information Technology to enhance core banking practices in India.

The first document is a report of its Working Group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as Information Technology Vision Document for 2011-17 (IT Vision 2011-17). The vision document has recommended many good suggestions including requiring that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of Board of Directors.

Further, RBI has shown its willingness to allow big industrial houses to set up banks in India. However, it would not allow them to open the banks unless RBI gets the “Power to Supersede” Boards of banks that are not being run properly. RBI also wants the right to oversee the operations of the promoting company and any affiliates that will have business relationships with the bank. RBI has been suggesting bringing suitable Amendments in the Banking Regulation Act, 1949 (BRA 1949) in this regard.

Reacting immediately the Cabinet approved the long-pending amendment to the BRA 1949. The proposed amendments align voting rights of shareholders in proportion to the equity held and provide more regulatory teeth to the RBI. These powers now include the power to supersede bank boards.

Finance Minister Pranab Mukherjee would bring the proposed amendments in the BRA 1949 in current session of Parliament (March 2011) to carry forward the proposals made by RBI in this regard. Mukherjee said RBI proposes to issue guidelines for new private bank licences by the end of March. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including supersession of bank Boards.

These are the much needed Banking and Financial Sector Reforms that were long pending. By including the contemporary issues of Information and Communication Technology, RBI has also covered a wide area. Hopefully Parliament of India would approve the amendments as soon as possible.

Source: PTLB Blog

National Cyber Coordination Centre (NCCC) Of India

Cyber law issues, cyber security and national security are on agenda of Indian government these days. However, till now cyber security in India is not upto the mark and cyber law of India requires an urgent repeal. This is because the entire approach and attitude of India government is defective.

Indian government has failed to understand that e-surveillance is not a substitute for cyber security capabilities. Instead of developing cyber security capabilities of India, the Indian government is stressing upon growing use of e-surveillance in India and Internet censorship in India.

All these exercises of India government have been done without any legal framework supporting these initiatives of Indian government. Phones are tapped in India without a constitutionally valid phone tapping laws in India. The central monitoring system project of India (CMS Project of India) is also not supported by any legal framework. Surveillance of Internet traffic in India is also another area that requires a sound legal framework. Various authorities with far reaching powers have been created without any legal backing.

Now the government has proposed setting up of National Cyber Coordination Centre (NCCC) of India. The NCCC would provide actionable alerts to government departments in cases of perceived security threats. It is hoped that this would help in fighting terrorists and other cyber criminals.

The NCCC will scan whole cyber traffic flowing at the point of entry and exit at India’s international Internet gateways. The web scanning centre will provide actionable alerts for proactive actions to be taken by government departments. All government departments will now talk to the Internet Service Providers (ISPs) through NCCC for real time information and data on threats. Presently, the monitoring of web traffic is done by Centre for Development of Telematics (C-DoT) which has installed its equipments at the premises of ISPs and gateways.

All tweets, messages, emails, status updates and even email drafts will now pass through the new scanning centre. The centre may probe further into any email or social media account if it finds a perceived threat.

India’s National Security Council Secretariat (NCSC) has asked various departments to assess their needs for officials, who will coordinate with the scanning agency. The National Security Council handles the political, nuclear, energy and strategic security concerns of the country.

This can be another agency without a legal framework. Creating agencies without legal framework is counter productive as it violates civil liberties and human rights. The Indian government must keep this in mind while creating NCCC.

Source: ICTPS Blog