IoT Privacy, Data Protection, Cyber Security And Civil Liberties Issues In India

Praveen Dalal, Managing Partner Of Perry4Law And CEO Of PTLB

Internet of things (IoT) has received a very positive response from the Indian government and Indian entrepreneurs. Although everybody is very enthusiastic about IoT and its usage in India, nobody is aware of its usage policies and regulatory framework. This situation has arisen as we have neither a dedicated e-commerce law nor a law governing IoT and its uses in India. As a result everybody is just deploying IoT based systems and devices in India without knowing the seriousness of their actions and omissions.

IoT usage and deployment can give rise to IoT privacy, data protection, cyber security and civil liberty issues in India. However, the world over these techno legal issues of IoT are still in their infancy. India has also been trying to bring a policy and regulatory framework for use of IoT in India by various stakeholders. Issuance of the draft IoT Policy of India (pdf) and the Revised Draft IoT Policy of India (pdf) are instances of such efforts but they are not sufficient to cover the areas and operations of an innovative technology like IoT.

It is obvious that we need techno legal framework for successful and wide scale use of IoT in India. However, this is a difficult task to manage as we have very few techno legal professionals in India and other jurisdictions that can assist in this regard. This is the reason why India is still struggling to enact privacy, data protection and cyber security laws in India. As a result, India has a very poor track record of civil liberties protection in cyberspace and surveillance and censorship issues of Digital India and Aadhaar projects are in active violation of provisions of Indian Constitution.

Perry4Law Organisation (P4LO) believes that as we would start mass deployment of IoT making it omnipresent, all stakeholders would be apprehensive as the cross linking nature of IoT would offer new possibilities and methods to influence and to exchange data and information. This leads to a variety of existing and new potential risks concerning data security, privacy and data protection, which must be considered in advance. The severity and likeliness of each risk will depend on the circumstances in which each IoT application / system is deployed.

Naturally, privacy, data protection and cyber security are complementary requirements for IoT services in India. In particular, data security and data protection are regarded as preserving the confidentiality, integrity and availability of information provided by Indian citizens. Perry4Law Organisation (P4LO) also believes that cyber security is an essential and basic requirement when IoT related services are provided by the industry or government. This is required not only to ensure information security for the organisation itself but also for the benefit of Indian citizens at large.

For instance, IoT presents a variety of potential security risks that could be exploited to harm consumers by: (a) enabling unauthorised access to and misuse of personal information; (b) facilitating attacks on other systems; and (c) creating risks to personal safety. Similarly, privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. These days behavioural targeting is very common among companies who rely upon historical and real time data to analyse and influence consumers’ interests and choices. Companies might use this data to make credit, insurance, and employment decisions. Even if companies are prevented by law from taking such a course of action, these risks to privacy and security could still undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.

Perry4Law Organisation (P4LO) strongly recommends that companies developing IoT products and services in India should implement reasonable security practices and procedures. These must include cyber security best practices, e-discovery best practices, cyber law due diligence (pdf), Internet intermediary liability law compliances, etc. Similarly, there must be a dedicated crisis management plan for cyber attacks against IoT in India so that IoT and critical infrastructures can recover from sophisticated cyber attacks as soon as possible. For instance, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have recently published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). As per this Cyber Guidance, the Financial Market Infrastructures (FMIs) must develop cyber capabilities to resume their operations within two hours following a cyber disruption. India must also develop robust and resilient cyber security infrastructure so that systems dependent upon Information and Communication Technology (ICT) can come online as soon as possible.

There are some long-standing Fair Information Practice Principles (“FIPPs”) like notice, choice, access, accuracy, data minimisation, security, and accountability that should apply to the IoT segment. Indian IoT stakeholders must also follow these principles and privacy and data protection best practices so that IoT services can be provided in a legal and law abiding manner not only in India but also in other jurisdictions. Conflict of laws in cyberspace raises complicated techno legal issues that IoT stakeholders must be prepared to deal with. For instance, recently Microsoft has won a case where the US Government was forcing it to disclose e-mail data and details stored in Ireland’s data center. Microsoft argued that as the data was stored in Ireland, it was subject to Irish rather than US law, regardless of the company providing the infrastructure. Thus, IoT stakeholders from India must be aware of and comply with laws of different jurisdictions if their products and services are also offered in those jurisdictions.

Perry4Law Organisation (P4LO) hopes that IoT stakeholders would find this article useful and we also wish them all the best in their projects and business activities.


Techno Legal Responsive Regulatory Framework For Online Payment Industry Of India By Perry4Law Organisation (P4LO)

Perry4Law Organisation (P4LO)

Online payment industry of India is not only unorganised but is also largely unregulated. Even the traditional banks of India are not scrutinised for their business and banking activities. For instance, a majority of banks that have extended their online payment portal services to online gambling, online pharmacy and similar such high risk ventures have not done any sort of cyber law due diligence (pdf) at all. They have simply extended their services to many apparently illegal business activities. Indian government in general and Reserve Bank of India (RBI) in particular are responsible for this lapse of regulatory compliance on the part of Indian banks and e-commerce entrepreneurs.

Recently InMobi was fined $950,000 by a US regulatory body for tracking consumers’ locations without their consent. This is not the case with InMobi alone as almost all the e-commerce ventures in India are not complying with techno legal requirements of Indian and foreign laws. They consider legal compliance as a redundant exercise till some regulatory authority shows them the truth. Mobile application developers are also following this practice of non compliance and they may be prosecuted very soon. In fact, the Supreme Court of India will hear next Wednesday a petition seeking a ban on WhatsApp on the ground that the messaging platform’s end-to-end encryption gives terrorists a means of communication that is impossible to intercept. Maharashtra’s FDA has already ordered filing of FIRs against Snapdeal, its CEO Kunal Bahl, directors and distributors for online sale of prescription drugs. Bitcoin ventures of India are also required to ensure techno legal compliance, which they are presently not doing. This makes their Bitcoin business in India illegal and unauthorised. These are just a few of the examples of e-commerce and business ventures not complying with techno legal requirements of Indian laws.

Online payment market of India is passing through a turbulent phase. As on date the e-commerce and online business legal compliances are not followed by the online payment industry of India. Even the foreign investors were not very serious about cyber law due diligence in India and they invested blindly in Indian ventures. Now they have realised their mistake and they have already squeezed their funding for Indian ventures. Indian entrepreneurs and e-commerce business houses must understand that techno legal compliance is a long term insurance that they cannot ignore just like cyber insurance and cyber security of their businesses.

As far as mobile payment market is concerned, it is booming but legal compliances are still missing from their agenda. Mobile banking cyber security is another area of concern especially with mass usage of smart phones in India. RBI has been streamlining the financial and banking Sector of India. It constituted the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Working Group). The Working Group issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (pdf) to be followed by banks of India. The guidelines have also directed that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the board level at the earliest. However, due to lack of enforcement of these guidelines, banks have done little towards cyber security of their business activities.

Reacting to this reality, RBI decided to set up an IT subsidiary that would look into the cyber security matters of banks of India and RBI. As per media reports, a CEO has also been appointed for managing the affairs of the IT subsidiary of RBI. Further, RBI has also issued a cyber security framework for Indian banks and many of the techno legal suggestions of Perry4Law Organisation (P4LO) have been incorporated into the same. Now RBI has released a policy document titled Payment and Settlement Systems in India: Vision-2018 for streamlining the online payment infrastructure of India. The vision document has suggested formulation of a responsive regulatory framework for online payment industry of India. Some of the salient features of the vision document pertaining to techno legal regulatory framework are as follows:

(1) RBI, in consultation with all the stakeholders, will continue its efforts to create a regulatory framework to promote twin objectives of enhanced coverage with interoperability of the payments system and convenience with security for the end-users in sync with emerging developments and innovations.

(2) The legal framework for payment and settlement systems in the country is provided under the Payment and Settlement Systems Act (the PSS Act), 2007. The PSS Act empowers the Bank to regulate and supervise the payment and settlement systems in the country. In discharging its roles and responsibilities under the Act, the Bank has been putting in place policy framework, issuing guidelines and instructions to banks and authorised payment system operators relating to safety, security and efficiency of payment systems. Besides formulation of new policies and guidelines, existing policies and instructions are all continually reviewed, taking into account the feedback received from the stakeholders.

(3) Taking into account the rapid developments and innovations in the area of payment systems, the Vision-2018 envisages a more responsive regulatory framework based on consultations with stakeholders. The policy framework will support payment system initiatives that enhance access to payment services. The principle of “similar business, similar risk, similar rules” will invariably be applied.

(4) The key focus areas for responsive regulation would be:

(a) New Issues / Areas For Policy Framework

(i) Policy Framework For Central Counter Parties (CCPs): The CCPs are the critical financial market infrastructure (FMI) and the efficiency of the same is important. RBI has already declared the policy framework for regulation and supervision of FMIs under the regulatory jurisdiction of the RBI. The PFMIs against which FMIs are assessed lay emphasis on having effective governance framework and management of various risks, including legal, credit and liquidity risks. To begin with, the RBI would come out with regulations on Governance, Capital/ net worth requirement, registration/authorisation of foreign CCPs. At a later date, RBI may come out with regulations on risk management, if required. This will also serve as effective criterion to measure the equivalence standards of third country regulatory framework for the purpose of recognizing foreign CCPs operating outside and desirous of applying for recognition in India under these regulations.

(ii) Regulation Of Payment Gateway Service Providers And Payment Aggregators: The increasing growth of electronic payments, especially online payments, riding the growth of e-commerce and m-commerce transactions, has brought to the fore the increasing role and importance of entities that facilitate such online payments such as payment gateway providers and payment aggregators. The current guidelines on maintenance of nodal accounts for such intermediaries (monitored through banks) are indirect and address only a few specific aspects of their functioning. Given their increasing role, the guidelines will be revised for the payments related activities of these entities.

(iii) Exit Policy: Co-existence of an exit policy along with the policy on authorisation of entities which participate in the payment and settlement system is essential for the overall hygiene of the ecosystem. The exit policy would lay down the parameters and processes for voluntary exit of a payment system operator (PSO) authorised to operate a retail payment system. Such a policy would ensure that the interests of the consumers and other stakeholders are protected.

(iv) Framework For Imposition Of Penalty: Guidelines and standards for various payment and settlement systems are issued under the provisions of the PSS Act. Non-adherence to these guidelines and standards by participants and operators attract the penal provisions under the PSS Act. A framework for imposition of such penalties under the PSS Act would be put in place.

(v) Monitoring Framework For New Technologies / Innovations: In order to ensure that regulations keep pace with the developments in technology impacting the payment space, the global level developments in technology such as distributed ledgers, blockchain etc. will be monitored, and regulatory framework, as required, will be put in place. Further, the payments eco-system is dynamically evolving with the advancements and innovations taking place, particularly in the area of FinTechs. In order to provide a platform for innovators to showcase their models to the industry, particularly in the areas of interest to payment systems and services, the Reserve Bank has organised an innovation contest through the Institute for Development and Research in Banking Technology (IDRBT). Learnings from such interfaces will also be used as inputs for policy adaptations.

(b) Review Of Existing Policies:

(i) Prepaid Payment Instruments (PPIs): With increase in number of entities authorised to issue PPIs in the country, their usage for purchase of goods and services as well as funds transfer has also been growing. Over the years, the guidelines have been expanded to include several types of PPIs, some of which are not really being issued / used actively. Similarly, with growing use of PPIs, the initial forbearance given on KYC requirements, customer-facing aspects such as safety and security, risk mitigation measures, complaint redressal mechanism, forfeiture of unutilised balances, fraud monitoring and reporting requirements, etc. merit a review. A comprehensive review of the PPI guidelines will be undertaken keeping in view the changing scenario.

(ii) Mobile Banking Guidelines: To promote mobile phones as access channel to payment and banking services, the guidelines will be reviewed to address issues related to customer registration for mobile banking, safety and security of transactions, risk mitigation and customer grievance redressal measures.

(iii) White Label ATM (WLA) Guidelines: These Guidelines, formed with the objective of ensuring expansion of ATM infrastructure in rural and semi-urban areas, have not resulted in the much needed growth in ATM infrastructure in the desired geographical segments of the country due to multiple factors. The WLA Guidelines will accordingly be examined holistically and targets realigned to meet present conditions.

(5) Payment System Advisory Council (PSAC): The Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), set up under the PSS Act, is the apex body for regulating and supervising the payment system related developments and policies in the country. Vision-2018 envisages setting up of a Payments System Advisory Council (PSAC) to assist the BPSS in formulation of new policies, assessing the impact of new technological developments by providing necessary insights about futuristic developments and innovations in the area. The PSAC could have representations from diverse fields such as technology, telecommunication, FinTech, security solution providers, academia, Government, etc. and strive to provide to the BPSS the necessary consultative feedback from stakeholders for making strategic decisions in the area of payment systems.

(6) Amendments To PSS Act: Sound legal basis, including good governance, is the cornerstone for building a safe and efficient payments eco-system. Keeping this in view, amendments relating to settlement finality in the event of Central Counter Party (CCP) being declared insolvent or dissolved or wound down, and statutory charge on escrow account, have been made to the PSS Act which have come into effect from June 01, 2015. The Reserve Bank, as a member of the international Standard Setting Bodies (SSBs), is committed to adopting the international standards including those relating to recovery and resolution of FMIs. Efforts would, therefore, be made to bring in further amendments to the legal framework for addressing issues, such as:

(a) Resolution / insolvency of Central Counter Party (CCP) / Financial Market Infrastructure (FMI).

(b) Non-registration of charge on collateral with CCP: The Companies Act, 2013 has enlarged the meaning of “charge” under that Act, covering the right of system provider to appropriate collateral. In a dynamic market scenario, where the market participants constantly move in and move out the collaterals from the control of the CCP, it is practically impossible to continuously register or modify the charge. Non registration of charge under the Companies Act should not in any manner affect the right of the CCP to appropriate the collaterals and the settlement finality. As legal certainty is extremely crucial in this market, for avoiding litigation, necessary amendment to clarify this position would be taken up.

(c) Better governance in critical payment systems operators both in retail and large value payment systems by appointing observers on the board of the service providers or by appointing additional directors, as required.

(7) Strengthening Reporting Framework Including Fraud Monitoring: This includes:

(a) Reporting Framework: As part of off-site surveillance process, payment system operators (PSOs) are directed to adhere to periodic reporting requirements. The periodic returns would be moved to XBRL system. This would offer major benefits at all stages of business reporting and analysis, aiding in better quality of information and decision-making. In addition, a structured reporting framework for PSOs to communicate the findings of the audit of their IT systems along with their compliance would also be put in place.

(b) Fraud Monitoring: To further strengthen the confidence in the payment systems and minimise instances of frauds, there is a need to monitor the types of frauds that may be taking place in various payment systems. Accordingly, to begin with, a framework for collection of data on frauds in payment systems would be drawn up in consultation with the industry.

Perry4Law Organisation (P4LO) hopes that our readers would find this summary useful.


Malware Are Defeating Cyber Security Safeguards With Ease

Praveen Dalal, Managing Partner Of Perry4Law And CEO Of PTLB

Cyber Security and Malware are two sides of the same coin. While the former tries to protect critical infrastructures, computer systems, networks, etc, the latter abhors this same protection. Malware writers are increasingly targeting digital assets to gain control over them and to manipulate them for cyber attacks, cyber crimes and other nefarious activities. We have often heard about machines being turned into botnets and compromised systems used to further launch cyber attacks, send spam communications or to deliver malicious codes, software and payloads. A simple search at a customised search engine or with a customised search setting would reveal that the Internet is full of unprotected and insecure devices, SCADA systems and computers. Naturally, the critical infrastructures relying upon them are very vulnerable to various forms of cyber attacks.

Malware have years of history and experience behind them to unsettle cyber security initiatives. As these malware evolved, their sophistication and impact have also grown. Cyber security service providers and companies are finding it really difficult to match the might of these malware. Some of these malware are so advanced that they are not detected even after many years of their victimisation. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc are some of the examples of such malware.

Financial sector has witnessed its own share of malware. For instance, the notorious malware Carbanak was instrumental in stealing about a Billion US Dollars from financial institutions worldwide. Vskimmer Trojan, capable of stealing credit card information from Windows systems, was already in circulation. Similarly, the Malware Dump Memory Grabber was also targeting POS systems and ATMs of major U.S. banks. These malware have created havoc at Indian and international levels.

Hardware based malware are also common these days. Kaspersky has revealed in the past that intelligence agencies have been using hardware based stealth spyware. These hard drives are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, thereby making their use a potential cyber hazard. Similarly, Lenovo was accused of pre installing adware in its laptops. We cannot ignore the killer USBs that can damage the system in which they are used. Telecom equipment companies like Huawei and ZTE are already facing heat over cyber security aspects of their telecom equipment in countries like India, Australia, etc. Huawei was also accused of breaching national security of India by hacking a base station controller in AP.

As the law enforcement and intelligence agencies wish to engage in illegal and unconstitutional e-surveillance and spying, cyber security of computer systems and mobile phones and their communications are not allowed to be managed in a secured and encrypted manner. For instance, Vodafone has confirmed that India has been using “secret wires” in the telecom infrastructure to indulge in e-surveillance. Indian Department of Telecommunications suppressed the whole incident with a mere assurance of “investigation” that has never been made public so far. This is the reason why Indian mobile security is poorer than that of Pakistan, which is using much better and secured communication systems.

There is no dearth of ideas and methodologies that malware owners can use. U.S. law enforcement agencies have been using fake cell phone towers to illegally intercept mobile communications and data. Surveillance hardware and software like Stingray, Triggerfish, etc are commonly used in U.S. and other jurisdictions. It has also been reported that NSA has been using radio waves and malware for engaging in world wide e-surveillance. Even anti virus updates can be exploited to install malware upon the targeted systems. Thus, whether a computer system is online, offline or an isolated one, the “combined technique” of malware embedded hardware, spyware, malware and radio waves can allow NSA to get the “relevant information” with some effort in this regard. No doubt, U.S. government is also the biggest buyer of malware in the world.

It is obvious that besides having robust and resilient cyber security infrastructures we also need self defence mechanisms to prevent malware from infecting our systems. There are some methods that can be used to minimise cyber attacks and cyber threats from these malware but 100% cyber security is not possible. However, there are limits to legitimate exercise of self defence and it ceases to be available after a point. In the absence of international cyber law treaty and international cyber security treaty (PDF), this limit has to be judged and guided by the principle of private international law.

Nevertheless, complicated techno legal issues in the field of cyber law and cyber security would keep on arising in the absence of international harmonisation. For instance, authorship attribution is a complicated subject that has to be ascertained before a cyber crime or cyber attack liability can be imputed to an individual, nation or organisation. Similarly, whether a victim can launch his/its own cyber attack against the offender is still to be judged by the courts around the world. Nature, scope and prevention of cyber warfare is another complicated area that cannot be resolved by taking recourse to the Tallinn Manual. For the time being, malware are clearly winning the fight against the cyber security vendors and if there is no change in the “strategy and mindset” of security stakeholders, this would be the norm for the next decade.

At Perry4Law Organisation (P4LO) we have dedicated a blog titled International Legal Issues of Cyber Attacks and Cyber Security in this regard. The aim is to provide a techno legal database of articles and opinions about international legal issues of cyber attacks, cyber security, cyber crimes and cyber law. It is supported by Centre of Excellence for Cyber Security Research and Development in India (CECSRDI). We would cover more techno legal issues of cyber security, malware and international law at that blog.


Cyber Law Developments In India 2015

Perry4Law Organisation (P4LO)

Cyber Law of India faced many crucial challenges in the year 2015. The Information Technology Act 2000 (IT Act 2000) was enacted in the year 2000 and it was presumed that the IT Act 2000 would mature with the passage of time. However, the opposite happened in the year 2015 when the Supreme Court of India committed one of the biggest mistakes in the history of Indian Cyber Law. Further, on the Legislative front as well, the year 2015 did not see any development for the Indian Cyber Law. Overall, Cyber Law Developments in India in 2015 were both “Retrograde” and “Ill Conceived”.

Perry4Law Organisation (P4LO) has been providing Cyber Law Trends and Developments in India for long. Our readers and viewers may find the Cyber Law Developments for the year 2013 and 2014 here (PDF) and here respectively. In this work, Perry4Law Organisation (P4LO) is sharing the Cyber Law Developments that took place in the year 2015 in India. These are as follows:

(1) Cyber Law Due Diligence: Cyber Law Due Diligence (PDF) is well established in India. As per the IT Act 2000, all Digital Stakeholders are required to observe Cyber Law Due Diligence to avoid legal sanctions and Internet Intermediary Liability. Instead of Strengthening Cyber Law Due Diligence, the Judgment of the Supreme Court in Shreya Singhal v. Union of India (24th March 2015), Writ Petition (Criminal) No.167 Of 2012 (PDF) has done exactly the opposite and made Indian Cyber Law Due Diligence weaker and ineffective. In fact, the Supreme Court of India has “Killed Cyber Law Due Diligence” in India to a great extent. Nevertheless, Cyber Law Due Diligence is still required for diverse purposes in India.

(2) Civil Liberties: The year 2015 proved “Really Bad” for Civil Liberties Protection in Indian Cyberspace. Narendra Modi Government and various State Governments showed no regard to Privacy Rights of Indian Citizens and they continued to “Impose” Illegal and Unconstitutional Aadhaar for various Government Services like Digital Locker. Further, issues like Cyber Security of Aadhaar, Smart Cities Civil Liberties issues, etc were also ignored by Narendra Modi Government. However, the worst act of Narendra Modi Government and other State Governments is “Deliberate Contempt of Court” by not following the directions of Supreme Court of India that mandates that Aadhaar is “Not Compulsory” for Government Services. This attitude needs to be changed by Narendra Modi and other State Governments in the year 2016.

(3) Inadequate Cyber Law: Cyber Law of India remained ineffective and inadequate in the year 2015 as well. Neither Indian Government nor Indian Parliament showed any interest in strengthening of Indian Cyber Law. Perry4Law Organisation (P4LO) has made certain “Legal Representations” to the Prime Minister’s Office (PMO), Ministry of Home Affairs (MHA), Department of Electronics and Information Technology (DeitY) and Ministry of Information and Broadcasting in this regard. Fortunately, these Ministries have assured Perry4Law Organisation (P4LO) that our “Legal Representations” would be duly considered by them while making the “Amendments” in the IT Act 2000.

(4) Telegraph Law: Indian Telegraph Act is another legislation that required “Suitable Amendments”. As on date we have no Lawful and Constitutional Interception Law in India and E-Surveillance and Telephone Tapping is still done in an “Unconstitutional Manner”. The year 2015 did not bring any positive developments in this regard. We hope in the year 2016 Narendra Modi Government would work in the direction of formulating a Constitutional Interception Law for India.

(5) Digital India: Narendra Modi Government launched the Digital India Project in the year 2015. However, Digital India is not free from Critical Issues and Shortcomings. The chief among them are lack of Cyber Security Infrastructure and disregard to Civil Liberties aspects like Data Protection (PDF) and Privacy Protection. Naturally, Digital India Project is heading towards Rough Waters and Narendra Modi Government must think in this direction in the year 2016.

(6) Online Gambling: Online Gaming and Gambling Law of India was expected to be “Clarified” through a “Conclusive Ruling” from the Supreme Court of India in the year 2015. However, this did not happen as the Supreme Court of India “Refused to Clarify” in this regard. The Supreme Court refused to clarify regarding Legality of Online Rummy and Online Poker in India and this makes the websites managing Online Rummy and Online Poker vulnerable to punishment in the year 2016. Even the Central Government refused to give any opinion in this regard. Further, tax laws and liabilities for Online Poker and Online Rummy websites are also not clear. The year 2016 may see some “Clarifications” in this regard from the Narendra Modi Government.

(7) Legality Of Bitcoins In India: The year 2015 did not see any clarity regarding Legality of Bitcoin in India and Legality of Bitcoin is still doubtful in India. In fact, the Reserve Bank of India (RBI) has “Cautioned” the Bitcoin Stakeholders against “Potential Risks” (PDF) of using Bitcoin in India. Thus, as on date use of Bitcoin in India is “Legally Risky”. In short, dealing in Bitcoins in India is still a “Grey Area” and it is not safe to consider it “Strictly Legal” though Indian Corporate is Lobbying for Regulated Digital Currency in India. The bottom line is that Bitcoin Websites and Owners must comply with Indian Laws to stay legal when it comes to use of Bitcoin in India.

(8) Cyber Breaches Insurance: The year 2015 was good as far as Cyber Insurance in India is concerned. Many Companies opted for Cyber Insurance Policies in India in 2015. These policies covered losses arising out of Cyber Threats and Cyber Crimes. However, Cyber Insurance Stakeholders in India are still not aware of the Techno Legal aspects of Cyber Insurance in India. This may give rise to potential disputes and litigations in the near future. We strongly recommend that Cyber Insurance Policies must comply with Techno Legal Requirements as prescribed by IT Act, 2000 and other Laws so that disputes can be minimised to maximum possible extent. It is the prime responsibility of Insurance Companies to draft the Cyber Insurance Agreements in proper and Techno Legal manner.

(9) Online Pharmacies: The year 2015 witnessed an increased interest in Online Pharmacies among the E-Commerce players and Healthcare Stakeholders. However, a dedicated Legal Framework for Online Pharmacies is still missing. Further, most of the Online Pharmacies operating in India are not at all complying with the Techno Legal requirements of Indian Laws.

(10) Cyber Law Obligations Of Directors/Companies: Cyber Law Obligations of Directors of Indian Companies is now well established in India. However, there is insignificant development in this regard at the Board of Directors level. There are very few Directors who are aware of fields like Cyber Law and Cyber Security and even fewer are those who comply with the same. The year 2016 would see an increased focus upon Cyber Law and Cyber Security Obligations of Directors of Indian Companies and their respective Companies.

Overall the year 2015 was not good for Cyber Law Developments in India and we expect better results from the year 2016. In order to do so successfully, the Narendra Modi Government must take “Pro Active Approach” towards concepts like Cyber Law and Cyber Security. At a time when Cyber Security Developments in India 2015 and potential Cyber Security Trends In India 2016 are showing “Negative Results”, it would be a “Big Challenge” for the Modi Government to manage these issues. Perry4Law Organisation (P4LO) wishes all the best to Modi Government in this regard with a commitment to help it in every possible manner.


Cyber Security Trends In India 2016

The year 2015 witnessed lots of buzzing about Cyber Security in India. From political circles to corporate houses, Cyber Security was a hot topic to discuss. Nevertheless, Cyber Security is still at discussion stage and actual implementation of Cyber Security initiatives and measures in India was still missing in 2015. Perry4Law Organisation (P4LO) provided Cyber Security Developments of India 2015 for its viewers and readers. Our viewers and readers may also be interested in Indian Cyber Security Developments in 2015 provided by P4LO.

In this post we are trying to anticipate the Cyber Security Trends of India 2016. This is in continuation of the Cyber Security Trends of India 2015 as provided by us in 2015. The year 2016 may witness the following Cyber Security Trends in India:

(1) Cyber Security Infrastructure: Cyber Security Infrastructure in India could remain at nascent stage in the year 2016 as well. This is so because till now India is still trying to understand the basic concepts of Cyber Security. We believe that Indian Cyber Security Infrastructure must be urgently “Strengthened” so that sophisticated Cyber Attacks can be suitably managed in India.

(2) International Cyber Security Framework: Cyber Attacks and Cyber Security are International Issues (PDF) and they deserve to be managed at Global Level. Despite this fact we have no “Globally Acceptable” Cyber Law and Cyber Security Treaties. P4LO has been advocating for the formulation of International Cyber Law and Cyber Security Treaty (PDF) for long. Now Indian Government has also decided to stress upon formulation of International Cyber Law and Cyber Security Treaties. This emphasis upon International Legal Cyber Security Framework would further increase in the year 2016. P4LO has dedicated two web resources titled “International Legal Issues Of Cyber Attacks” and “International Legal Issues of Cyber Security” for our readers and viewers. The aim of these web resources is to help both National and International Stakeholders to frame Techno Legal Cyber Security Regulatory Framework at National and International levels respectively.

(3) Digital India And Aadhaar Cyber Security: Digital India project of Narendra Modi Government is a very ambitious technology driven initiative. It can significantly improve the delivery of Public Services in India by using Information and Communication Technology (ICT). However, Digital India is suffering from various “Shortcomings” that need to be eliminated by Modi Government on priority basis. The chief among them are disregard to Civil Liberties like Privacy Protection and Data Protection and lack of Cyber Security Infrastructure to support the Digital India project.

The worst “Illegality and Unconstitutionality” of Digital India project is its “Forceful and Deliberate Reliance” upon Aadhaar that is “Not Mandatory”. For instance, Aadhaar has been made compulsory for Digital Locker despite Supreme Court’s contrary directions. This makes even the Digital India project vulnerable to Constitutionality Attacks. Besides, Aadhaar has its own Data Security, Civil Liberties and Cyber Security issues that are still unresolved as on date. There is an urgent need to disassociate Digital India project from Aadhaar project.

(4) Banking Cyber Security: Cyber Security of banks in India is not satisfactory despite the fact that Reserve Bank of India (RBI) has been trying very hard in this regard since 2010. RBI has in the year 2011 mandated that a Chief Information Officer (CIO) is mandatory for all banks in India. However, till December 2015, this requirement has not been complied with by most banks of India. Further, banks of India have also failed to ensure Cyber Security Due Diligence that is mandatory for banks in India. Banks in India are not complying with Cyber Security requirements because RBI has not taken any “Deterrent Action” against the defaulting banks. However, the position would change in the year 2016 as RBI has decided to establish an exclusive IT Subsidiary that would manage the Cyber Security related issues of banks of India. P4LO recommends that RBI must make “Surprise Visits” at the banks in order to check their Cyber Security preparedness. Further, Techno Legal Cyber Security Audits must also be undertaken by RBI to check the Cyber Security Infrastructures of banks of India.

(5) Directors’ Cyber Security Obligations: Cyber Security obligations and Cyber Law Due Diligence (PDF) were not taken seriously by Indian Companies and their Directors in the year 2015. However, things are going to change in the year 2016 as Indian Government has been contemplating introduction of Cyber Security Breach Disclosure Norms in India. Cyber Breaches reporting would become mandatory in such circumstances. In fact, the Indian Companies Act, 2013 imposes Cyber Security Obligations upon Directors of Indian Companies. Similarly, the Information Technology Act, 2000 also imposes Cyber Law Obligations upon Directors of Indian Companies. In short, Cyber Law and Cyber Security Obligations of Directors of Indian Companies would tremendously increase in the year 2016.

(6) Botnet Protection: Indian Government announced the establishment of a Botnet cleaning centre in the year 2015 to tackle the menace of Botnet in India. The same may be established in the year 2016 and that would be a good step to strengthen the Cyber Security Infrastructure of India. This initiative would be in addition to the initiatives like National Critical Information Infrastructure Protection Centre (NCIPC) of India and National Cyber Security And Coordination Centre (NCSC) Of India. According to a report, Botnet are causing losses up to the extent of $6 Million a month for Online Advertisement Industry alone. An exact estimate of financial and other losses caused by Botnet is not possible as many of them use Deep Web and Dynamic DNS, Fast Flux and Bullet Proof Servers that make it very difficult to trace and remove such Botnet. Use of Anti Forensics methods coupled with absence of a conclusive Authorship Attribution results in lack of imposing of legal responsibility and criminal prosecution of stakeholders responsible for such Botnet, Malware and Cyber Attacks in majority of cases.

(7) Cloud Computing Cyber Security: Cloud Computing industry and services are still taking a shape in India. Business and Entrepreneurs are still trying to acquaint themselves with the Legal and Regulatory requirements of Cloud Computing in India. Although we have no dedicated Cloud Computing Laws in India yet there are many Techno Legal Cloud Computing Due Diligence requirements in India. Due to the Legal Risks associated with Cloud Computing in India, many believe that use of Cloud Computing is not a viable option in India. The year 2016 would bring enhanced Cyber Law, Cyber Security, Data Protection (PDF) and Privacy Protection obligations upon the Cloud Computing Companies and their Directors.

(8) E-Health Cyber Security: Digital India project of Narendra Modi Government is covering E-Health and M-Health aspects as well. Suitable Legal Framework for E-Health/M-Health is urgently required in India and the same may be done in the year 2016 by Indian Government. A National E-Health Authority (NeHA) of India has already been proposed by Indian Government. Further, Electronic Health Record (EHR) Standards in India have also been formulated by Indian Government. Cyber Security of E-Health and M-Health Applications, Devices and Infrastructure could be stressed in the year 2016 in India.

(9) Critical Infrastructure Protection: Critical Infrastructure Protection (CIP) is a big challenge for both national and international stakeholders. Internet is full of unprotected SCADA systems on which various Critical Infrastructures are blindly relying without any Cyber Security protections. Critical Infrastructure Protection in India (PDF) is not in a good condition and Indian Government needs to work real hard in this regard. Indian Government must take Cyber Security very seriously and it is high time to frame a Critical Infrastructure Policy of India.

(10) CISO Culture: The year 2016 would see an increased appointment and participation of Chief Information Security Officer (CISO) in India. Narendra Modi Government has already appointed Dr. Gulshan Rai as the first CISO of India. Further, Companies in India are increasingly becoming aware that a Chief Information Officer (CIO) is need of the hour to protect the interest of the Company in Digital World and Cyberspace. Keeping this in mind both Enterprises and Indian Government are contemplating to increase spending upon Cyber Security Infrastructures of their respective domains.

We hope this illustrative list of Cyber Security Trends in India 2016 would be informative and our readers and viewers would find it useful.


Cyber Security Developments In India 2015 By Perry4Law Organisation (P4LO)

Cyber Security Trends and Development provide valuable insight into the shortcomings of Cyber Security initiatives of any Nation. Similarly, Cyber Security Trends and Developments of various Nations also help in consolidation of International Legal Issues of Cyber Security. Though we have no globally acceptable International Cyber Security Treaty (PDF), yet global Cyber Security Trends can help in consolidation of International Legal Issues of Cyber Security.

Perry4Law Organisation (P4LO) has been providing Cyber Security Trends and Developments in India for long. We have already provided the Cyber Security Trends and Developments of India 2013 (PDF) and Cyber Security Trends and Developments in India 2014. We have also provided Cyber Security Trends of India 2015 and most of our predictions and analysis were proved true by the unfolded events that took place in Indian Cyberspace and foreign Jurisdictions. Cyber Security Problems and Challenges of India were also highlighted by us.

We also dedicated an exclusive Blog on International Legal Issues of Cyber Security titled International Legal Issues Of Cyber Attacks And Cyber Security, Cyber Terrorism And Cyber Warfare. The aim of this Blog is to provide Techno Legal Cyber Security inputs and suggestions so that International Legal Issues of Cyber Security can be discussed at a single platform.

Some of the Cyber Security Developments that took place in India in the year 2015 are as follows:

(1) Constitutional Cyber Security: Indian Constitution was framed many decades ago. It was not possible to include provisions pertaining to Cyber Law and Cyber Security in the year 1950. Perry4Law Organisation (P4LO) has suggested that Cyber Security and allied fields must be suitably incorporated into the Indian Constitution keeping in mind the future requirements. We are already working in this direction and would come up with Constitutional Cyber Security Issues very soon.

(2) Protection Of School Children: The year 2015 witnessed that School Children are vulnerable to many forms of Cyber Threats. These include Social Engineering attacks, Cyber Stalking, Cyber Harassment, etc. A need was felt in India that School Children must be suitably educated about Cyber Issues.

(3) Cyber Law Due Diligence: Cyber Law Due Diligence (PDF) is not in good condition in India. Companies, Individuals and other Stakeholders did not comply with Cyber Law Due Diligence requirements in the year 2015 as prescribed by Information Technology Act, 2000 (IT Act 2000). However, the worst blow came from none other than the Supreme Court of India. Indian Supreme Court has killed Cyber Law Due Diligence to a great extent. As a matter of fact, we need a strong Cyber Law Due Diligence in India unlike the one suggested by the Supreme Court.

(4) Equation Group And NSA: It has been reported that United States National Security Agency (NSA) may have been planting surveillance software into hard drives and other essential computer equipment sold around the world for more than a decade through Equation Group. NSA has also used radio waves for E-Surveillance purposes in the past. Kaspersky Lab has also revealed that hardware based stealth spyware were also used by Intelligence Agencies in the year 2015.

(5) Cyber Security Infrastructure: Cyber Security Infrastructure in India is still not up to the mark till 2015. Indian Cyberspace is vulnerable to diverse forms of Cyber Attacks. In these circumstances, it is imperative that Indian Cyber Security Infrastructure must be strengthened to maximum possible extent. Further, Narendra Modi Government must protect Indian Cyberspace on a Priority basis. As on date and till 2015, India is a Sitting Duck in Cyberspace and Civil Liberties Protection regime.

(6) Banking Cyber Security: Cyber Security of Banks in India is still not given priority by Indian Banks in the year 2015. In fact, Reserve Bank of India (RBI) has been trying to strengthen Cyber Security of Indian Banks but with little success. Now RBI has decided to establish an IT Subsidiary for looking into Cyber Security related issues of Banks of India. This can be a significant move on the part of RBI and may force the Banks in India to finally strengthen their Cyber Security in the year 2016.

(7) Smart Cities: Indian Government has announced in 2015 to establish many Smart Cities in India. Such Smart Cities would be dependent upon Information and Communication Technology (ICT) in diverse manner. Since ICT would be used, Smart Cities Cyber Security in India cannot be ignored by Indian Government. Smart Cities in India, like in foreign countries, are facing many Cyber Security problems and challenges that need to be resolved before launching of full fledged project.

(8) Digital India Cyber Security Issues: Digital India is one of the most ambitious Technology Driven projects of the World. However, its strong dependence upon Aadhaar has made it vulnerable to Legal and Constitutional Attacks. Perry4Law Organisation (P4LO) has outlined some Shortcomings of Digital India Project and we hope they would be considered by Indian Government for a better Digital India initiative of India. The most alarming shortcoming in this regard is that Digital India is suffering from lack of Cyber Security Infrastructure. Nothing is more dangerous and more worrisome than implementing the E-Governance and Digital India Projects of India without adequate Cyber Security.

(9) Cyber Security Legal Framework: All Governments need full and complete “Disclosures” of Cyber Security Breaches affecting the lives of their Citizens. Unfortunately, Cyber Security Breach Disclosure Norms in India are still missing in the year 2015. This is because we have an outdated Cyber Law and missing Cyber Security Law in India. Outdated and Unconstitutional Laws like Cyber Law and Telegraph Act must be urgently repealed and new laws must be formulated in this regard. Further, a Techno Legal Framework must be urgently formulated by Indian Government. At the same time we also need the Cyber Security Policy of India 2015 that is a must to strengthen Indian Cyber Security Capabilities. Civil Liberties Issues in Cyberspace like Privacy Protection must also be ensured by the proposed Cyber Security Policy of India 2015.

(10) E-Surveillance in India: Unconstitutional E-Surveillance issues remained intact in India in the year 2015 as well. Projects like Aadhaar, Digital India, Smart Cities, etc are still violating the Civil Liberties of Indian Citizens without any Procedural and Constitutional Safeguards. Telecom giant Vodafone has confirmed existence of Secret Wires for Indian Government E-Surveillance purposes. Although Indian Department of Telecommunication (DOT) promised investigation into this matter, the same remained an “Empty Promise” only. So far DOT has failed to make the “Investigation Report” public. In similar activities, UK’s Government admitted that it indulged in Illegal E-Surveillance over Lawyers Communications. With the combination of Aadhaar and Digital India, India has become the Biggest Digital Panopticon of the World. To make the matter worse, we have no Parliamentary Oversight over this Digital Panopticon of India. Even the Intelligence Agencies of India need Parliamentary Oversight and Reforms.

(11) Cyber Security Legal Practice: The year 2015 is the starting point for Cyber Security Legal Practice World wide. Law Firms around the World have started exploring Cyber Security Legal Issues as possible areas of practice. However, as on date there are very few Cyber Security Law Firms in the World that are capable of managing Cyber Security Legal Practice. Perry4Law Law Firm is one of such few Law Firms that are providing Cyber Security and Cyber Forensics Legal Services in India and Foreign Jurisdictions. Some Consultancy Firms have also hired Lawyers in India so that they can provide Cyber Security Legal Services in India. However, the “Legality” of this method is yet to be ascertained as in India Lawyers cannot form Partnership with Non Legal Individuals/Firms. Along with the benefits of Cyber Security Legal Practice, Law Firm’s Cyber Security Obligations in India are also increasing.

(12) Cyber Warfare Policy: Cyber Warfare has become a reality in the present Digital Environment. However, India is not prepared to deal with Cyber Warfare that is taking place at the Global scale. Cyber Warfare against India is also happening but we are not capable of detecting the same in a timely and real time manner. Further, even in the year 2015, we have no Cyber Warfare Policy in India (PDF) that can manage the Techno Legal issues of Cyber Warfare. Even the Tallinn Manual on Cyber Warfare is not applicable to International Cyber Warfare Attacks and Defence and every Nation is free to adopt its own methods and procedures in this regard. Related fields like Cyber Terrorism and Cyber Espionage were also not taken care of by Indian Government in the year 2015.

(13) Encryption Law And Policy: In the year 2015 also Indian Government did not pay any attention to Encryption Policy of India (PDF). The net result is that we have neither a dedicated Encryption Law in India nor any Policy regarding Encryption usage in India till 2015. Although Indian Government tried to formulate an Encryption Policy in the year 2015 yet it was poorly drafted and was immediately withdrawn by Indian Government.

(14) Mobile Security: Just like the year 2014, the year 2015 also witnessed a stress upon Mobile Governance usage in India. Similarly, just like 2014, in the year 2015 also no steps were taken by Indian Government towards ensuring Mobile Security in India. This has given rise to additional Mobile Banking Cyber Security Risks before the Banking Industry of India. Fortunately, RBI has decided to set up an IT Subsidiary to look into matters pertaining to Banking Security and Mobile Banking Cyber Security can also be looked into by that IT Subsidiary.

(15) M-Health: India has also stressed upon use of Mobile Health (M-Health) concept for widespread availability of healthcare services to Indian population. Besides inadequate Cyber Security, M-Health is also suffering from lack of Legal Framework to govern the same. The position is that M-Health projects and businesses in India lack Regulatory Compliances. Due to this Legal Loophole, M-Health service providers are violating other Indian Laws applicable to them.

(16) Cloud Computing: Cloud Computing in India has miserably failed to comply with either the Indian Laws or the absolutely essential Cyber Security requirements. In the absence of dedicated Laws regarding Privacy Protection and Data Protection (PDF), Virtualisation and Cloud Computing are “Legally Risky” and are “Landmines” for Privacy Violation in India. Further, we have no dedicated Law for Cloud Computing in India as well. The position remained the same in the year 2015.

(17) Internet of Things (IOT): Goods and services based upon Internet of Things (IOT) were introduced in India in 2015. This trend is going to increase in the year 2016 as well as Projects like Smart Cities, Digital India, etc would rely upon IOT for proper functioning. Even the draft IOT Policy of India (PDF) and Revised Draft IOT Policy of India (PDF) were released by Indian Government. However, both the IOT Policies of Indian Government failed to address the Civil Liberties issues. Privacy Rights in the Information age (PDF) have to be addressed by Indian Government for new technologies and concepts.

(18) Cyber Insurance: The year 2015 witnessed a booming Cyber Liability Insurance in India. The major reason for the growth of Cyber Insurance Policies in India is the increased numbers of Cyber Crimes and Cyber Attacks in India. However, Cyber Insurance Stakeholders in India have still to understand the technicalities of Techno Legal aspects of Cyber Insurance.

Perry4Law Organisation (P4LO) hopes that our readers would find this research report on Indian Cyber Security Development in India 2015 useful.


Perry4Law Organisation (P4LO) Celebrates And Supports The First Constitution Day Of India 2015

Praveen Dalal, Managing Partner Of Perry4Law And CEO Of PTLB

Constitution of India is the supreme document of India that governs the Constitutional issues including the governance and functioning of Executive, Parliament and Judiciary of India. Constitution of India is the bulkiest document of its type in the world. It carries many Articles and Schedules that are not easy to understand.

Perry4Law Organisation (P4LO) has been discussing various issues of Indian Constitution from time to time. This is more so regarding Civil Liberties, Human Rights and Fundamental Rights subjects that are very near and dear to our hearts.

P4LO is also on the forefront of celebrating the “Constitution Day of India” from the very beginning. For instance, P4LO has decided to celebrate the First Constitution Day of India on 26th November 2015 in a very novel and desirable manner. We have officially launched the Virtual Law Campus (VLC) in India that covers many techno legal fields like Constitution of India, Cyber Law, Cyber Security, Cyber Forensics, Civil Laws, Criminal Laws, etc.

Dedicated websites in this regard would be made operational very soon and few of these websites can be accessed here1, here2 and here3. Two dedicated blogs have also been launched in this regard and the same can be accessed at blog1 and blog2. This is in addition to the already existing initiative titled Virtual Legal Education Campus (VLEC) of India.

Since Constitution of India is organic in nature, P4LO has also introduced the modern concepts of Laws to Indian Constitution. We have dedicated many Techno Legal Blogs that are covering the Techno Legal issues of Indian Constitution. When the Constitution of India was drafted, Information and Communication Technology (ICT) was not in use. Hence, ICT related issues were not incorporated into the Indian Constitution. At P4LO we are working in the direction of making the provisions of Indian Constitution in conformity with ICT and Techno Legal requirements.

We have already suggested that Indian Government must formulate a Techno Legal Framework for India as Indian Cyberspace is suffering from many threats and deficiencies. For instance, Indian Constitution must also suitably accommodate contemporary topics like Cyber Law, Cyber Security, Cyber Forensics, E-Discovery, E-Courts, Online Dispute Resolution (ODR), etc.

Similarly, Indian Government must also work in the direction of strengthening of Online Education and Skills Development in India. We have taken a small but significant step in these directions by establishing the first ever Virtual Law Campus (VLC) of India and world wide. The VLC would cover many Techno Legal Skills Development fields including Techno Legal issues of Indian Constitution.

We hope the Indian Government would find our initiatives in general and VLC in particular helpful in furthering the Preambulary Intents and Constitutional Philosophy.


Global Techno Legal News And Views By Perry4Law Organisation (P4LO)

Merging of technology and law raises interesting techno legal issues that are not easy to handle. There are very few organisations or individuals that can manage techno legal issues in India and world wide. Perry4Law Organisation (P4LO) is one such organisation that handles unique and qualitative techno legal services in fields like cyber law, cyber security, cyber forensics, e-discovery, etc. One such initiative is known as Global Techno Legal News and Views.

Some of the interesting posts of the blog are:

(1) Non Mandatory Aadhaar: The matter pertaining to legality and constitutionality of Aadhaar project is pending before the Supreme Court of India. The Central Government has been maintaining that Aadhaar is not mandatory but for all practical purposes it has been made mandatory by Indian Government.

(2) Digital India: Digital India project of India is an ambitious but troublesome initiative as it is suffering from numerous shortcomings. This is the reason that the Digital India project is heading towards rough waters. In fact, Digital India is the biggest digital panopticon of India so far. There is an urgent need to make it legal and constitutional.

(3) Carbanak Malware: The notorious malware Carbanak was instrumental in stealing about a Billion US Dollars from financial institutions worldwide. Vskimmer Trojan, capable of stealing credit card information from Windows systems, was already in circulation. Similarly, the Malware Dump Memory Grabber was also targeting POS systems and ATMs of major U.S. banks. These malware were creating havoc in India and international levels.

(4) Censorship By Twitter: In an unexpected move, Twitter has been censoring tweets relating to topics like Aadhaar, Digital India, etc. Till the time of writing of this post, Twitter is still censoring topics like Aadhaar, Digital India, etc.

(5) Hardware Spyware: Kaspersky has revealed that intelligence agencies have been using hardware based stealth spyware. These hard drives are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, thereby making their use a potential cyber hazard.

(6) FBI Search Warrants: Recently a proposal was made to expand the search warrant powers of FBI. Google opposed the same and openly conveyed its dissent for the proposed US Justice Department proposal to expand federal powers to search and seize digital data, warning that the changes would open the door to US “government hacking of any facility” in the world.

(7) Lenovo Adware: Lenovo has been accused of pre installing Adware in laptops thereby compromising their security. Users have complained that a programme called Superfish pre-installed by Lenovo on consumer laptops was “Adware”, or software that automatically displays adverts.

(8) Microsoft Cloud Computing: It has been reported that Microsoft has adopted a new standard for cloud privacy that commits the company to protect the privacy of customers’ data, not to use it for advertisement purposes, and to inform the customer of legal requests for personal data. Google along with other companies has been fighting against e-surveillance activities of U.S. agencies.

(9) Mobile Communications Security: Intercept has recently published an article describing that U.S. and British spies hacked into the internal network of Gemalto in 2010 that is one of the largest manufacturers of SIM cards in the world. They stole the encryption keys used to protect the privacy of mobile cellular communications across the globe. These spies mined the private communications of Gemalto engineers and employees in multiple countries, including India. However, the most interesting revelation comes in the form that GCHQ could not intercept keys used by mobile operators in Pakistan, even though Pakistan is a priority target for Western intelligence agencies. This is because Pakistanis used more secure methods to transfer the encryption keys between the SIM card manufacturers and Pakistani mobile operators.

(10) Lawyers Communications: Recently a British court ruled that the U.S. – U.K. surveillance regime was unlawful for seven years. This means that the regime has also failed to comply with the European convention on human rights. U.K. government is already facing a trial where it has been accused of unlawfully intercepting conversations between lawyers and their clients.

(11) Online Card Games: Some online gaming stakeholders in India have approached the Supreme Court of India to get clarity on the legality of online games like rummy, poker, etc. In response to the same, the Supreme Court asked the opinion of Central Government in this regard but the same has been informally denied by the Central Government. This means that till the time Supreme Court actually says that online rummy, online poker and online card games are legal in India, majority of these gaming stakeholders may be exposing themselves to legal risks and civil and criminal liabilities. Now that the Supreme Court of India has finally refused to decide legality of online poker and online rummy in India, online card games websites may be legally risky if not properly drafted and managed.

(12) Internet Safety Campaign: Indian government has announced that an Internet safety campaign would be started very soon in India. From the media reports it seems that the awareness drive would cover all stakeholders ranging from school level to government departments.

(13) Google Timestamps: In a bizarre manner, Google has manipulated the timestamp of the news titled Digital India, Aadhaar and digital panopticon of India and put the date 27-02-2015 instead of 02-03-2015. This means that news surfers looking for latest news would not get the same and after some time the news would be removed from the relevance search as well. We have also checked the date results and the news was lying on 4th page with other news of 27th February 2015 date. This is a strange behaviour on the part of Google and all such behaviours of Google are catalogued at the blog titled “Unofficial Websites, News, Blogs And SERPs Censorship By Google”. A mirror of this blog is also available here.

(14) E-Mail Policy: Indian government has been struggling long to formulate and implement the e-mail policy of India. This is important for India as sensitive documents cannot be transferred out of India as per Indian laws like Public Records Act, 1993. Even Delhi High Court is analysing the e-mail policy of India and has shown its displeasure over slow action on the part of Indian government in this regard. It has now been reported that Indian government has decided to ban the use of Gmail or any other private email for official communication across all its organisations, and make it mandatory for them to migrate to email services provided by the National Informatics Centre (NIC).

(15) CISO Of India: In a significant move, the Prime Minister’s Office (PMO) has appointed Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India. This would go a long way in ensuring critical infrastructure protection in India (PDF). We also strongly recommend that a revised Cyber Security Policy of India 2015 must be drafted by Modi Government that must address cyber security issues in a more comprehensive and holistic manner. Further, international legal issues of cyber attacks must also be considered well in advance by Indian Government. Perry4Law Organisation (P4LO) has released a research paper on international legal issues of cyber security and cyber attacks and the same can be considered by Indian Government while strengthening Indian cyber security capabilities.

(16) Anti Bullying Committee: Cyber bullying in India is a big nuisance with practically no remedies. However, things would change very soon with the issuance of CBSE Guidelines for Prevention of Bullying and Ragging in Schools 9th March 2015, Reg: (D.O. No. 12-19/2012-RMSA-I) (PDF). Due to increasing cases of physical and cyber-bullying of students, Central Board of Secondary Education (CBSE) has directed all its affiliated schools to form an anti-bullying committee. The committee should comprise vice-principal, a senior teacher, school doctor, counsellor, parent-teacher representative, school management representative, legal representative and peer educators. CBSE also directed the schools to tackle sexual abuses and strictly implement POCSO Act 2012.

(17) Technology Companies Regulations: Dealing with technology and foreign companies is a big challenge for Indian government. Whether it is taxation aspects or applicability of Indian laws to such companies, India has not been able to achieve a success in this regard so far. There is also a lack of legal framework to govern such technology and foreign companies in India as on date. At Perry4Law Organisation (P4LO) and Perry4Law’s Techno Legal Base (PTLB) we have been suggesting techno legal frameworks in this regard from time to time. We at P4LO and PTLB welcome this support of Indian Government and various stakeholders to our suggestions and recommendations from time to time. However, we strongly recommend that we need a comprehensive techno legal framework in this regard especially if we have to make the “Made in India” and “Digital India” projects successful.

(18) Killer USB: A Russian hacker/researcher created a killer USB that can crash the victim system once the modified/hacked USB is plugged into it. The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the field-effect transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down.

(19) Traffic Routing: Networks and systems need to trust each other to make the Internet function in a speedier manner. If one system or service provider falters, the services of others may be hampered. In one such incident, users around the world were not able to access Google’s service for a short period of time due to a technical glitch. Users were cut off due to the routing leak from Indian broadband Internet provider Hathway. The leak is similar to a 2012 incident caused by an Indonesian ISP, which took Google offline for 30 minutes worldwide.

(20) Grid Security Expert System (GSES): A Grid Security Expert System (GSES) of India has been proposed to be developed by Powergrid. Cyber security of automated power grids of India is the need of the hour. It is only after a massive power blackout in 2012 that Indian government has woken up to the dangers of cyber attacks against Indian power sector. GSES would involve installation of knowledge based Supervisory Control and Data Acquisition (SCADA) system, numerical relays and Remote Terminal units up to 132 kV stations and the reliable Optical fibre Ground wire (OPGW) communication system at an estimated cost of around Rupees 1200 crores. The objective of the GSES is implementation of the Automatic Defense mechanism to facilitate reliable and secure grid operation.

(21) Cyber Law Due Diligence: Cyber law due diligence received a major jolt when the Supreme Court of India read down the internet intermediary due diligence requirements. The main problem seems to be the reading down of Section 79(3)(b) and Rule 3(4) by the Supreme Court in a manner that would be counter productive in the long run. In fact, reading down of Section 79(3)(b) and Rule 3(4) is more problem than solution as the Supreme Court erred in adopting this approach.

(22) SEBI And Cyber Security: It has been reported that SEBI has expanded the ambit of its Technical Advisory Committee (TAC) to include cyber security of the markets. CECSRDI welcomes this move of SEBI and is committed to help it in every possible manner to achieve this benign cyber security objective.

(23) E-Police Station: An e-police station in Delhi would register online FIR for motor vehicle theft cases. The pilot project of the “Motor Vehicle Theft (MVT) Application” is now accessible on mobiles and computers. Presently this facility is available only for police stations in South Delhi and the same will be extended to entire Delhi after sorting out technical glitches and other problems.

(24) Social Media Compliances: Social media websites are not complying with laws of India. India’s struggle against social media websites to fall in line with Indian laws continues even in Narendra Modi’s regime. To make matters worse, we have no social media laws in India or any effective and implementable social media policy of India. Of course, a new framework for use of social media by governmental organisations has been suggested by Indian government in the past but that is of little help in solving the present problem at hand. The real solution, according to Praveen Dalal, is formulation of a techno legal framework that can address the diverse and complicated issues of cyberspace in India. In short, social networking laws in India need clarity and codification.

(25) MPPEB Scam: MPPEB scam has become an investigation nightmare for the law enforcement agencies of India. The credibility and reliability of evidence is in question on the one hand and unresolved cyber forensics issues are on the other hand. Scientific investigation methodology is still to be used in the investigation of MPPEB scam.

(26) IT Subsidiary Of RBI: The Reserve Bank of India (RBI) has shown its commitment to fight against cyber crimes and financial frauds by declaring that an information technology driven subsidiary would be established by it to deal with cyber nuisances. This IT subsidiary of RBI would also deal with cyber security and related issues with a special focus upon banking related technology issues. The IT subsidiary of RBI would also evaluate the technical capabilities of banks that is almost missing as on date.

(27) Privacy Invasive Software: The Supreme Court of India has asked the Indian Government to clarify upon privacy invasive software and mobile applications. Supreme Court of India has taken a serious note of the software and mobile applications that can be used to extract private information from smartphones.

(28) Smart Cities In India: Smart cities in India have been proposed to be established in near future. However, smart cities in India may face cyber security and civil liberties issues that are left unresolved by Indian Government.

(29) Protection Of Good Samaritan: In a welcome move, the Narendra Modi led Government has issued Guidelines on Protection of Good Samaritan While Saving Lives of Road Accident Victims (2015) (PDF). This shows the sensitivity of Indian Government towards the precious lives that can be saved if road accident victims can be taken to hospitals as soon as possible.

We hope our readers would find this post and blog useful.


Law Of Domicile In India

Domicile of an individual is very significant for deciding his/her marriage, succession, taxation, etc. related issues. However, domicile is a complicated subject as it is a mixed question of facts and laws. In fact, there is no set procedure to get a domicile certificate in India as on date. To make matters worse, there is an acute confusion between a domicile certificate and a residence certificate. Most of the Indian States and their authorities consider a residence certificate as a domicile certificate.

In its popular sense, this synonymous treatment of domicile and residence may be justified. However, in its technical sense, domicile is a conflict of laws principle and it has no role to play while deciding the territorial laws of a nation. In essence, domicile involves existence of more than one sovereign jurisdiction and a corresponding resolution of legal issues by applying the most appropriate law in a given circumstances.

Domicile as a conflict of laws concept identifies a person, in cases having a foreign element, with a territory subject to a single system of law, which is regarded as his personal law. Generally speaking, a person is domiciled in the country in which he is considered to have his permanent home. His domicile is of the whole country, being governed by common rules of law, and not confined to a part of it.

The interesting part about a domicile is that no one can be without a domicile and no one can have two domiciles. This is logical as well, as a person domiciled in a particular jurisdiction cannot be domiciled in another foreign territory. For instance, in India a domicile of origin is attributed to every person at birth by operation of law. This domicile is not decided by his place of birth or by the place of residence of his father or mother, but by the domicile of the appropriate parent at the time of his birth, according as he is legitimate or illegitimate.

A person domiciled in a country establishes his legal status for the whole of the country and is subject to one body of law. But in federal countries like the United States, Australia, or Canada, or in a composite State like the United Kingdom, different systems of law may prevail in different regions in respect of certain matters. In such cases, each of the territories governed by a separate system of law is treated, for the purpose of conflict of laws, as a ‘country’, though in public international law or constitutional law it is not a separate sovereign State.

This is not the legal position in India. Though a Union of States, and a federation in that sense, the whole country is governed by a single unified system of law, with a unified system of judicial administration, notwithstanding the constitutional distribution of legislative powers between the Centre and the States. There is no State-wise domicile within the territory of India. A man who is domiciled in India is domiciled in every State in India and identified with a territorial system of legal rules pervading throughout the country. He is ‘domiciled’ in the whole of this country, even though his permanent home may be located in a particular spot within it. Thus, the concept of “domicile” varies from country to country and from jurisdiction to jurisdiction.

It is equally important to understand the difference between the terms domicile and residence. The word “domicile” should not be confused with a simple “residence”. The residence is a physical fact and no volition/intention is needed to establish it. The animus manendi is not an essential requirement of residence, unlike in the case of a domicile of choice. Thus, any period of physical presence, however short, may constitute residence provided it is not transitory, fleeting or casual. The intention is not relevant to prove the physical fact of residence except to the extent of showing that it is not a mere fleeting or transitory existence. To insist on an element of volition is to confuse the features of ‘residence’ with those of ‘domicile’. While residence and intention are the two essential elements constituting the ‘domicile of choice’, residence in its own right is a connecting factor in a national legal system for purposes of taxation, jurisdiction, service of summons, voting etc.

The determination of domicile of an individual has a great legal significance. It helps in identifying the personal law by which an individual is governed in respect of various matters such as the essential validity of a marriage, the effect of marriage on the proprietary rights of husband and wife, jurisdiction in divorce and nullity of marriage, illegitimacy, legitimation and adoption and testamentary and intestate succession to moveables. The domicile is the legal relationship between an individual and a territory with a distinctive legal system, which invokes that system as his personal law. India recognises only one domicile, namely, domicile in India by virtue of Article 5 of the Constitution of India. Further, the concept of ‘domicile’ has no relevance to the applicability of municipal laws, whether made by the Union of India or by the States.

The law of domicile in India can be traced under the Indian Succession Act, 1925. The domicile under the provisions of the Act can be classified under the following categories:

(i) Domicile of origin,

(ii) Domicile of choice, and

(iii) Domicile by operation of law.

(i) Domicile of origin: Every person must have a personal law, and accordingly every one must have a domicile. He receives at birth a domicile of origin, which remains his domicile, wherever he goes, unless and until he acquires a new domicile. The new domicile, acquired subsequently, is generally called a domicile of choice. The domicile of origin is received by operation of law at birth and for acquisition of a domicile of choice one of the necessary conditions is the intention to remain there permanently. The domicile of origin is retained and cannot be divested until the acquisition of the domicile of choice. By merely leaving his country, even permanently, one will not, in the eye of law, lose his domicile until he acquires a new one. This proposition that the domicile of origin is retained until the acquisition of a domicile of choice is well established and does not admit of any exception.

(ii) Domicile of choice: The domicile of origin continues until he acquires a domicile of choice in another country. Upon abandonment of a domicile of choice, he may acquire a new domicile of choice, or his domicile of origin, which remained in abeyance, revives. The burden of proving a change of domicile is on him who asserts it. The domicile of origin is more tenacious. “Its character is more enduring, its hold stronger and less easily shaken off.” The burden of proving that a domicile of origin is abandoned is indeed much heavier than in the case of a domicile of choice. No domicile of choice can be acquired by entering a country illegally. The domicile of choice is a combination of residence and intention. Residence, which is a physical fact, means bodily presence as an inhabitant. Such residence must be combined with intention to reside permanently or for an unlimited time in a country. It is such intention coupled with residence that acquires him a new domicile. It is immaterial for this purpose that the residence is for a short duration, provided it is coupled with the requisite state of the mind, namely the intention to reside there permanently. If a man intends to return to the land of his birth upon a clearly foreseen and reasonably anticipated contingency, such as, the end of his studies, he lacks the intention required by law. His tastes, habits, conduct, actions, ambitions, health, hopes, and projects are keys to his intention. That place is properly the domicile of a person in which he has voluntarily fixed the habitation of himself and his family, not for a mere special and temporary purpose, but with a present intention of making it his permanent home, unless and until something (which is unexpected or the happening of which is uncertain) shall occur to induce him to adopt some other permanent home.

The only intention required for a proof of a change of domicile is an intention of permanent residence. What is required to be established is that the person who is alleged to have changed his domicile of origin has voluntarily fixed the habitation of himself and his family in the new country, not for a mere special or temporary purpose, but with a present intention of making it his permanent home. On the question of domicile at a particular time the course of his conduct and the facts and circumstances before and after that time are relevant.

(iii) Domicile by operation of law (Married women’s domicile): The rules of Private International Law in India are not codified and are scattered in different enactments such as the Civil Procedure Code, the Contract Act, the Indian Succession Act, the Indian Divorce Act, and the Special Marriage Act etc. In addition, some rules have also been evolved by judicial decisions. In matters of status or legal capacity of natural persons, matrimonial disputes, custody of children, adoption, testamentary and intestate succession etc. the problem in this country is complicated by the fact that there exist different personal laws and no uniform rule can be laid down for all citizens. The distinction between matters which concern personal and family affairs and those which concern commercial relationships, civil wrongs etc. is well recognised in other countries and legal systems. The law in the former area tends to be primarily determined and influenced by social, moral and religious considerations, and public policy plays a special and important role in shaping it. Hence, in almost all the countries the jurisdictional, procedural and substantive rules that are applied to disputes arising in this area are significantly different from those applied to claims in other areas. That is as it ought to be. For, no country can afford to sacrifice its internal unity, stability and tranquility for the sake of uniformity of rules and comity of nations which considerations are important and appropriate to facilitate international trade, commerce, industry, communication, transport, exchange of services, technology, manpower etc. This glaring fact of national life has been recognised both by the Hague Convention of 1968 on the Recognition of Divorce and Legal Separations as well as by the Judgments Convention of the European Community of the same year.
Article 10 of the Hague Convention expressly provides that the contracting States may refuse to recognise a divorce or legal separation if such recognition is manifestly incompatible with their public policy. The Judgments Convention of the European Community expressly excludes from its scope (a) status or legal capacity of natural persons, (b) rights in property arising out of a matrimonial relationship, (c) wills and succession, (d) social security, and (e) bankruptcy. A separate convention was contemplated for the last of the subjects.

The judicial interpretation of the concept of domicile in India is very clear. In Dr.Pradeep Jain v U.O.I the Supreme Court observed: “The entire country is taken as one nation with one citizenship and every effort of the Constitution makers is directed towards emphasizing, maintaining and preserving the unity and integrity of the nation. Now if India is one nation and there is only one citizenship, namely, citizenship of India, and every citizen has a right to move freely throughout the territory of India and to reside and settle in any part of India, irrespective of the place where he is born or the language which he speaks or the religion which he professes and he is guaranteed freedom of trade, commerce and intercourse throughout the territory of India and is entitled to equality before the law and equal protection of the law with other citizens in every part of the territory of India, it is difficult to see how a citizen having his permanent home in Tamil Nadu or speaking Tamil language can be regarded as an outsider in Uttar Pradesh or a citizen having his permanent home in Maharashtra or speaking Marathi language be regarded as an outsider in Karnataka. He must be held entitled to the same rights as a citizen having his permanent home in Uttar Pradesh or Karnataka, as the case may be. To regard him as an outsider would be to deny him his constitutional rights and to derecognise the essential unity and integrity of the country by treating it as if it were a mere conglomeration of independent States”.

In Dr. Yogesh Bhardwaj v State of U.P the Supreme Court observed: “‘Domicile’, being a private international law concept, is inapposite to the relevant provisions, having no foreign element, i.e., having no contact with any system of law other than Indian, unless that expression is understood in a less technical sense. An expression, which has acquired a special and technical connotation, and developed as a rule of choice or connecting factor amongst the competing diverse legal systems as to the choice of law or forum, is, when employed out of context, in situations having no contact with any foreign system of law, apt to cloud the intended import of the statutory instrument”.

In Mr. Louis De Raedt v U.O.I the Supreme Court observed: “For the acquisition of a domicile of choice, it must be shown that the person concerned had a certain State of mind, the animus manendi. If he claims that he acquired a new domicile at a particular time, he must prove that he had formed the intention of making his permanent home in the country of residence and of continuing to reside there permanently. Residence alone, unaccompanied by this state of mind, is insufficient. The burden to prove that the petitioners had an intention to stay permanently in India lies on them. The fundamental right of the foreigner is confined to Article 21 for life and liberty and does not include the right to reside and settle in this country, as mentioned in Article 19(1)(e), which is applicable only to the citizens of this country. The power of the Government in India to expel foreigners is absolute and unlimited and there is no provision in the Constitution fettering this discretion. The legal position on this aspect is not uniform in all the countries but so far the law that operates in India is concerned, the Executive Government has unrestricted right to expel a foreigner”.

In Y. Narasimha Rao V Y. Venkata Lakshmi the Supreme Court observed: “As pointed out above, the present decree dissolving the marriage passed by the foreign court is without jurisdiction according to the Act as neither the marriage was celebrated nor the parties last resided together nor the respondent resided within the jurisdiction of that court. The decree is also passed on a ground that is not available under the Act, which is applicable to the marriage. What is further, the decree has been obtained by appellant 1 by stating that he was the resident of the Missouri State when the record shows that he was only a bird of passage there and was ordinarily a resident of the State of Louisiana. He had, if at all, only technically satisfied the requirement of residence of 90 days with the only purpose of obtaining the divorce. He was neither domiciled in that State nor had he an intention to make it his home. He had also no substantial connection with the forum”.

The law of domicile in India is crystal clear and is free from any ambiguities. However, there seems to be an ignorance of the concept in its true perspective in India among various States and their authorities. We at Perry4Law Organisation (P4LO) believe that there is an urgent need to spread “public awareness” in this regard. Further, it would be a good strategy to formulate the domicile Policy of India by Central Government as soon as possible. We hope the Central Government would come up with the Indian Domicile Policy very soon.


Aarushi Murder Case Reflects Poor Cyber Forensics Usage By CBI And Defence Lawyers

Very few murder cases are as sensational and complex as the Aarushi murder case. There are many loose ends and infirmities in the investigation of Aarushi murder case by the Central Bureau of Investigation (CBI). Although CBI claims to have successfully cracked the case yet public opinion in this regard is sharply divided. The aim of this article is not to discuss all the pros and cons of the decision of the lower court but a very specific aspect that has been ignored by CBI and even by the defense lawyers/lower court to a great extent. This aspect pertains to inadequate and improper usage of digital evidence and cyber forensics best practices by the CBI while conducting investigation and prosecution of the parents of Aarushi for her murder.

As per the cyber forensics trends and developments in India 2014, till now cyber forensics is not widely and appropriately used by the law enforcement agencies, lawyers, judges, etc in India. As a result most of the cyber criminals are either not prosecuted at all or they are acquitted in the absence of adequate evidence. Similarly, the truth of a crime can be revealed by using proper cyber forensics methodologies but the same is not possible till our law enforcement agencies use proper cyber forensics methods.

Another related issue is that the defense lawyers are also not pressing hard to use cyber forensics principles while defending their clients. If the defense lawyers produce convincing and admissible digital evidences based upon sound cyber forensics practices, the courts would be bound to accept the same. This would also force the public prosecutors and law enforcement agencies like CBI to strengthen their own cyber forensics and cyber crimes investigation capabilities.

In short, handling of digital evidence is a big challenge for the law enforcement agencies of India and lawyers/courts. We have already witnessed that cyber forensics issues have troubled our law enforcement agencies in Aarushi Talwar’s murder case, IPL Match Fixing case, Bitcoins websites investigation, Nokia’s tax violation case, Rajnath Singh Son’s case, Amrita Rai’s G-Mail account hacking case, etc. Indian government must seriously consider empowering law enforcement agencies of India with suitable trainings and technologies.

In the Aarushi murder case, CBI failed to use cyber forensics methodologies and digital evidence to prove the guilt of the accused beyond reasonable doubts. It is very important to maintain a “chain of custody” and “proper documentation” of the acquisition of such digital evidence and investigation authorities must ensure that the evidence acquired by them is “admissible” in a court of law.

Unfortunately, the lawyers of the convicted parents seem to have ignored the digital evidence that, if proved successfully, could easily lead to their acquittal. The same should be pressed before the High Court before it is too late. When stakes are high it is not a good strategy to ignore and exclude crucial areas that can strengthen a lawyer’s case.

At Perry4Law Organisation (P4LO) we believe that in the present times many scams, crimes and contraventions can be effectively solved using cyber forensics methods. Even the recent MPPEB/ Vyapam scam has raised interesting cyber forensics issues. Indian law enforcement agencies, lawyers and courts must understand the importance of the “forensically sound image” of the hard disk/digital media in question by using the bit by bit image method. Similarly, the strength and capabilities of cyber forensics laboratories operating in India must also be increased and enhanced.
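The two requirements named in this article, a bit by bit image that can be shown to match the original media and a documented chain of custody, can both be checked mechanically. The Python below is an added example, not part of the original post or of any agency's tooling; the file names, handler names, timestamps and the log format are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images never sit in memory
GENESIS = "0" * 64   # prev_hash value for the first custody entry


def sha256_of(path):
    """Return the SHA-256 hex digest of a file or raw device node."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image bit by bit; return (source_hash, image_hash)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)   # hash exactly the bytes read from the source
            dst.write(block)
    return h.hexdigest(), sha256_of(image)  # image is re-read from disk


def entry_digest(entry):
    """Hash every field of a custody entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_custody_entry(log, when, handler, action, evidence_hash):
    """Append a hand-off record chained to the previous record's hash."""
    entry = {
        "seq": len(log),
        "when": when,
        "handler": handler,
        "action": action,
        "evidence_sha256": evidence_hash,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_custody(log, image):
    """Return a list of problems; an empty list means log and image agree."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash changed at hand-off")
        prev = e["entry_hash"]
    if log and sha256_of(image) != log[0]["evidence_sha256"]:
        problems.append("image no longer matches acquisition hash")
    return problems


def demo():
    """Run the workflow on constructed data standing in for a seized disk."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "seized_disk.bin")   # constructed sample
        image = os.path.join(d, "evidence.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 17))
        src_hash, img_hash = acquire_image(source, image)
        log = []  # handler names and timestamps are constructed
        add_custody_entry(log, "2015-03-01T10:00Z", "Examiner A", "acquired", img_hash)
        add_custody_entry(log, "2015-03-02T09:30Z", "Examiner B", "received",
                          sha256_of(image))
        clean = verify_custody(log, image)
        with open(image, "r+b") as f:      # flip one bit in the image
            f.seek(100)
            byte = f.read(1)[0]
            f.seek(100)
            f.write(bytes([byte ^ 0x01]))
        after_image_change = verify_custody(log, image)
        log[1]["handler"] = "Unknown"      # edit a record after the fact
        after_log_edit = verify_custody(log, image)
        return src_hash == img_hash, clean, after_image_change, after_log_edit


if __name__ == "__main__":
    print(demo())
```

A hash chain only shows that earlier records were not edited in isolation; the hash of the latest entry still has to be recorded somewhere the log keeper cannot rewrite, such as a signed case file.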

As far as Aarushi murder case is concerned, the same reflects a poor cyber forensics usage by CBI and defense lawyers and proper use of the same by either side may result in tilting of the case in its favour before the higher courts.
