The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 11 to 25.
Cultivating India’s Cyber Defense Strategy
http://editors.cis-india.org/internet-governance/files/cultivating-india2019s-cyber-defense-strategy
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/files/cultivating-india2019s-cyber-defense-strategy'>http://editors.cis-india.org/internet-governance/files/cultivating-india2019s-cyber-defense-strategy</a>
</p>
No publisher; Admin; Cyber Security; Internet Governance; 2019-11-13T14:39:19Z; File
India’s Role in Global Cyber Policy Formulation
http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation
<b>The past year has seen vigorous activity on the domestic cyber policy front in India. On key issues—including intermediary liability, data localization and e-commerce—the government has rolled out a patchwork of regulatory policies, resulting in battle lines being drawn by governments, industry and civil society actors both in India and across the globe.</b>
<p>The article by Arindrajit Basu was <a class="external-link" href="https://www.lawfareblog.com/indias-role-global-cyber-policy-formulation">published in Lawfare</a> on November 7, 2019. The article was reviewed and edited by Elonnai Hickok and Justin Sherman.</p>
<hr />
<p style="text-align: justify; ">The onslaught of recent developments demonstrates how India can shape cyber policy debates. Among emerging economies, India is uniquely positioned to exercise leverage over multinational tech companies due to its sheer population size, combined with a rapid surge in users coming online and the country’s large gross domestic product. India occupies a key seat at the <a href="https://www.theatlantic.com/international/archive/2019/06/g20-data/592606/">data governance table</a> alongside other players like the EU, China, Russia and the United States — a position the country should use to promote its interests and those of other similarly placed emerging economies.</p>
<p style="text-align: justify; ">For many years, the Indian population has served as an economic resource for foreign, largely U.S.-based tech giants. Now, however, India is moving toward a regulatory strategy that reduces the autonomy of these companies in order to pivot away from a system that recently has been termed “<a href="https://swarajyamag.com/magazine/colonialism-20-truly">data colonialism</a>”—in which Western technologies use data-driven revenue bolstered by information extracted from consumers in the Global South to consolidate their global market power. The policy thinking underpinning India’s new grand vision still has some gaps, however.</p>
<h3 style="text-align: justify; ">Data Localization</h3>
<p style="text-align: justify; ">Starting with a circular from the Reserve Bank of India in April 2018, the Indian government has <a href="https://twitter.com/cis_india/status/1143096429298085889">introduced a range of policy instruments</a> mandating “<a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">data localization</a>”—that is, requiring that certain kinds of data must be stored in servers located physically within India. A snapshot of these policies is summarized in the table below.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/IndianLaws.jpg" alt="Indian Laws" class="image-inline" title="Indian Laws" /></p>
<p style="text-align: justify; "><span style="text-align: -webkit-center; ">(</span><em>Source </em><a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf" style="text-align: -webkit-center; "><em>here</em></a><em>. Design credit: Saumyaa Naidu</em><span style="text-align: -webkit-center; ">)</span></p>
<p style="text-align: justify; "><span style="text-align: -webkit-center; ">While there are <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">a number of</a> reasons for this maneuver, two in particular are in line with India’s broader vision of data sovereignty—broadly defined as the sovereign right of nations to govern data within their territory and/or jurisdiction in order to support their national interest for the welfare of their citizens. First, there is an incentive to keep data within India’s jurisdiction because of the cumbersome process through which Indian law enforcement agencies must go during criminal investigations in order to access data stored in the U.S. Second, data localization undercuts the <a href="https://theprint.in/tech/digital-colonialism-why-countries-like-india-want-to-take-control-of-data-from-big-tech/298217/">extractive economic models</a> used by U.S. companies operating in India by which the data generated by Indian citizens is collected in India, stored in data centers located largely in the U.S., and processed and analyzed to derive commercially valuable insights.</span></p>
<p style="text-align: justify; ">Both foreign players and smaller Indian private-sector actors were against this move. A <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">study</a> on the issue that I co-authored earlier this year with Elonnai Hickok and Aditya Chawla found that one of the reasons for this resistance involved the high costs of setting up the data centers that are needed to comply with the requirement. President Trump <a href="https://www.whitehouse.gov/briefings-statements/remarks-president-trump-g20-leaders-special-event-digital-economy-osaka-japan/">echoed</a> this sentiment when he explicitly opposed data localization during a meeting with Prime Minister Narendra Modi on the sidelines of the G-20 in June 2019.</p>
<p style="text-align: justify; ">At the same time, large Indian players such as Reliance and Paytm and Chinese companies like AliBaba and Xilink were in favor of localization—possibly because these companies could absorb the costs of setting up storage facilities while benefiting from the fixed costs imposed on foreign competition. In fact, some companies, such as AliBaba, <a href="https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/alibaba-cloud-opens-second-data-centre-in-india/articleshow/65995570.cms">have already set up storage facilities in India.</a></p>
<p style="text-align: justify; ">As my co-authors and I noted, data localization comes with various risks, both diplomatically and politically. So far, the issue has caused friction in U.S.-India trade relations. For example, before Secretary of State Mike Pompeo's trip to New Delhi in June, the Trump administration <a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation">reportedly</a> contemplated limiting H-1B visas for any country that implements a localization requirement. Further, on his trips to New Delhi, Commerce Secretary Wilbur Ross has <a href="https://www.medianama.com/2019/05/223-us-trade-secretary-wilbur-ross-highlights-data-localisation-high-tariffs-on-electronics-telecom-products-in-india-as-trade-issues/">regularly argued</a> that data localization restrictions are a barrier to U.S. companies and stressed the need to eliminate such barriers. Further, data localization poses several <a href="https://www.lawfareblog.com/where-your-data-really-technical-case-against-data-localization">technical challenges</a> as well as security risks. Mirroring data across multiple locations, as India’s <a href="https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Draft Personal Data Protection Bill</a> mandates, increases the number of physical data centers that need to be protected and thereby the number of vulnerable points that malicious actors can attack.</p>
<p style="text-align: justify; ">Recently, the Indian media have reported <a href="https://economictimes.indiatimes.com/news/economy/policy/policymakers-a-divided-lot-on-personal-data-bill-provisions/articleshow/70404637.cms?from=mdr&utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">disagreements</a> between policymakers over data localization, along with speculation that the data storage requirement in the Draft Personal Data Protection Bill could be limited only to critical data—a term not defined in the bill itself—or be left to sectoral regulators, officials from individual government departments.</p>
<p style="text-align: justify; ">Our paper <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">recommended a dual approach</a>. In our view, data localization policy should include mandatory localization for critical sectors such as defense or payments data, while also adopting “conditional” localization for all other data. Under conditional localization, data should only be transferred to countries that (a) agree to share the personal data of Indian citizens with law enforcement authorities based on Indian criminal procedure laws (examples of such a mechanism may be an executive data-sharing agreement under the <a href="https://epic.org/privacy/cloud-act/">CLOUD Act</a>) and (b) have equivalent privacy and security safeguards. This approach would be in line with India’s overarching vision of data sovereignty and the goal of standing up to the hegemony of big tech and of U.S. internet regulations, while avoiding undue collateral damage to India’s global alliances.</p>
<h3 style="text-align: justify; ">Intermediary Liability</h3>
<p style="text-align: justify; ">In line with the goal of ensuring that big tech is answerable to the rule of law, the Indian government has also sought to regulate the adverse social impacts of some speech hosted by platforms. Rule 3(9) of the <a href="https://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf">Draft of the Information Technology Intermediaries Guidelines (Amendment) Rules, 2018,</a> released by the Ministry of Electronics and Information Technology in December 2019, takes up the interventionist mission of laws like the <a href="https://www.lawfareblog.com/germanys-bold-gambit-prevent-online-hate-crimes-and-fake-news-takes-effect">NetzDG</a> in Germany. The regulation would mandate that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.” These regulations have prompted concerns from both the private sector and civil society groups that claim the proposal fails to address <a href="https://cis-india.org/internet-governance/resources/Intermediary%20Liability%20Rules%202018.pdf">constitutional concerns</a> about algorithmic discrimination, excessive censorship and inappropriate delegation of legislative powers under Indian law. Further, some observers object that the guidelines adopt a “one-size-fits-all” approach to classifying intermediaries that does not differentiate between platforms that thrive on end-to-end encryption like WhatsApp and public platforms like Facebook.</p>
<p style="text-align: justify; ">In many ways, these guidelines—likely to be <a href="https://www.medianama.com/2019/10/223-intermediary-guidelines-to-be-notified-by-jan-15-2020-meity-tells-supreme-court/">notified</a><a href="https://www.medianama.com/2019/10/223-intermediary-guidelines-to-be-notified-by-jan-15-2020-meity-tells-supreme-court/"> (as an amendment to the Information Technology Act) as early as January 2020</a>—put the cart before the horse. Before devising regulatory models appropriate for India’s geographic scale and population, it is first necessary to conduct empirical research about the vectors through which misinformation spreads in India and how misinformation impacts different social, economic and linguistic communities, along with pilot programs for potential solutions to the misinformation problem. And it is imperative that these measures be brought in line with constitutional requirements.</p>
<h3 style="text-align: justify; ">Community Data and “Data as a Public Good”</h3>
<p>Another important question involves the precise meaning of “data” itself—an issue on which various policy documents have failed to deliver a consistent stance.</p>
<p style="text-align: justify; ">The first conceptualization of “community data” appears in both the <a href="https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf">Srikrishna Committee Report</a> that accompanied the <a href="https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Draft Personal Data Protection Bill</a> in 2018 and the draft e-commerce policy. However, neither policy provides clarity on the concept of data.</p>
<p style="text-align: justify; ">When defining community data, the Srikrishna Report endorses a collective protection of privacy as protecting an identifiable community that has contributed to community data. According to the Srikrishna Report, receiving collective protection requires the fulfillment of three key aspects. First, the data belong to an identifiable community. Second, the individuals in the community consent to being a part of the community. And third, the community as a whole consents to its data being treated as community data.</p>
<p style="text-align: justify; ">The <a href="https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf">draft e-commerce policy</a> reconceptualizes the notion of community data as “societal commons” or a “national resource,” where the undefined “community” has rights to access data but the government has overriding control to utilize the data for welfare purposes. Unlike the Srikrishna Report, the draft e-commerce policy does not outline the key aspects of community data. This approach fails to demarcate a clear line between personal and nonpersonal data or to specify any practical guidelines or restrictions on how the government can use community data. For this reason, implementation of this policy could pose a threat to the right to privacy that the Indian Supreme Court recognized as a <a href="https://thewire.in/law/supreme-court-aadhaar-right-to-privacy">fundamental right</a> in 2017.</p>
<p style="text-align: justify; ">The second idea is that of “data as a public good.” This is described in Chapter 4 of the <a href="https://www.indiabudget.gov.in/economicsurvey/doc/vol1chapter/echap04_vol1.pdf">2019 Economic Survey Report</a>—a document published by the Ministry of Finance along with the Annual Financial Budget. The report explicitly states that any data governance framework needs to be deferential to privacy norms and the soon-to-be-enacted privacy law. The report further states that “personal data” of an individual in the custody of a government is a “public good” once the datasets are anonymized.</p>
<p style="text-align: justify; ">However, the report’s recommendation of setting up a government database that links several individual databases together leads to the <a href="https://thewire.in/government/india-vision-data-republic-dangers-privacy">“triangulation” problem</a>, in which individuals can be identified by matching different datasets together. The report further suggests that the same data can be sold to private firms (though it is unclear whether this includes foreign or domestic firms). This directly contradicts the characterization of a “public good”—which, by definition, must be <a href="https://www.britannica.com/topic/public-good-economics">nonexcludable and nonrivalrous</a>—and is also at odds with the government’s vision of reining in big tech. The government has set up an expert committee to look into the scope of nonpersonal data, and the results of the committee’s deliberations <a href="https://www.medianama.com/2019/09/223-meity-non-personal-data-committee/">are likely to</a> influence the shape that India’s data governance framework takes across multiple policy instruments.</p>
<p style="text-align: justify; ">There is obviously a need to reassess and reevaluate the range of governance efforts and gambits that have emerged in the past year. With domestic cyber policy formulation pivots reaching a crescendo, we must consider how domestic cyber policy efforts can influence India’s approach to global debates in this space.</p>
<h3 style="text-align: justify; ">India’s Contribution to Global Cyber Policy Debates</h3>
<p style="text-align: justify; ">As the largest democracy in the world, India is undoubtedly a key <a href="https://www.newamerica.org/cybersecurity-initiative/reports/digital-deciders/">“digital decider”</a> in shaping the future of the internet. Multilateral cyber policy formulation efforts remain <a href="https://cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india">polarized</a>. The U.S. and its European allies continue to advocate for a free, rules-based conception of cyberspace with limited governmental interference. China and Russia, along with their Shanghai Cooperation Organisation allies, are pushing for a tightly regulated internet in which each state has the right to manage and define its “network frontiers” through domestic regulation free from external interference. To some degree, India is already influencing debate over the internet through its various domestic cyber policy movements. However, its participation in international debates has been lacking the vigor or coherence needed to clearly articulate India’s national interests and take up a global leadership role.</p>
<p style="text-align: justify; ">In shaping its contributions to global cyber policy formulation, India should focus its efforts on three key places: (a) internet governance forums that deliberate the governance of the technical architecture of the internet such as domain names, (b) cyber norms formulation processes that seek to establish norms to foster responsible behavior by states and nonstate actors in cyberspace, and (c) global debates on trade and cross-border data flows that seek to conceptualize the future of global digital trade relationships. As I discuss below, there are key divisions in Indian policy in each of these forums. To realize its grand vision in the digital sphere, India needs to do much more to make its presence felt.</p>
<p><em>Internet Governance Forums</em></p>
<p style="text-align: justify; ">India’s stance on a variety of issues at internet governance forums has been inconsistent, switching repeatedly between <a href="https://www.cigionline.org/sites/default/files/documents/GCIG%20Volume%202%20WEB.pdf">multilateral and multistakeholder visions for internet governance.</a> A core reason for this uncertainty <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">is the participation of multiple Indian government</a> ministries, which often disagree with each other. At global internet governance forums, India has been represented either by the Department of Electronics and Information Technology (now renamed to Ministry of Electronics and Information Technology) or the Department of Telecommunications (under the Ministry of Communications and Information Technology) or by the Ministry of External Affairs (MEA).</p>
<p style="text-align: justify; ">As my colleagues have documented <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">in a detailed paper,</a> India has been vocal in global internet governance debates at forums including the International Telecommunications Union, the Internet Governance Forum and the U.N. General Assembly. However, the Indian stance on <a href="https://www.diplomacy.edu/IGFLanguage/multistakeholderism">multistakeholderism</a> has been complex, with the MEA advocating for a multilateral stance while the other departments switched between multistakeholderism and “nuanced multilateralism”—which calls for multistakeholder participation in policy formulation but multilateral implementation. The paper also argues that there has been a decline recently in the vigor of Indian participation at forums such as the 2018 meeting of the Working Group on Enhanced Co-operation (WGEC 2.0), due to key personnel changes. For <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">example</a>, B.N. Reddy, who was a skilled and experienced negotiator for the MEA in previous forums, was transferred to another position before WGEC 2.0, and the delegation that attended the meeting did not make its presence felt as strongly or skillfully.</p>
<p><em>Cyber Norms for Responsible State Behavior in Cyberspace</em></p>
<p style="text-align: justify; ">With the exception of two broad and unoriginal statements at the <a href="https://unoda-web.s3-accelerate.amazonaws.com/wp-content/uploads/2016/10/India.pdf">70th</a> and <a href="https://undocs.org/A/71/172">71st</a> sessions of the U.N. General Assembly, India has yet to make public its position on the multilateral debate on the proliferation of norms for responsible state behavior in cyberspace. During the <a href="https://dig.watch/events/open-ended-working-group-oewg-first-substantive-session">substantive session</a> of the Open-Ended Working Group held in September, India largely reaffirmed points made by other states, rather than carving out a new or original approach. The silence and ambiguity is surprising, as India has been represented on four of the five Groups of Governmental Experts (GGEs) set up thus far and has also been inducted into the 2019-2021 GGE that is set to revamp the global cyber norms process. (Due to the GGE’s rotational membership policy, India was not a member of the fourth GGE that submitted its report in 2015.)</p>
<p style="text-align: justify; ">However, before becoming an evangelist of any particular norms, India has some homework to do domestically. It has yet to advance a clear, coherent and detailed public stance outlining its views on the application of international law to cyberspace. This public stance is necessary for two reasons. First, a well-reasoned statement that explains India’s stance on core security issues—such as the applicability of self-defense, countermeasures and international humanitarian law—would show India’s appetite for offensive and defensive strategies for external adversaries and allies alike. This would serve as the edifice of a potentially credible cyber deterrence strategy. Second, developing a public stance would help India to take advantage of the economic, demographic and political leverage that it holds and to assume a leadership role in discussions. The <a href="https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century">U.K.</a>, <a href="https://www.lawfareblog.com/frances-cyberdefense-strategic-review-and-international-law">France,</a> <a href="https://www.lawfareblog.com/germanys-position-international-law-cyberspace">Germany</a>, <a href="https://www.justsecurity.org/64490/estonia-speaks-out-on-key-rules-for-cyberspace/">Estonia</a>, <a href="https://www.justsecurity.org/wp-content/uploads/2017/06/Cuban-Expert-Declaration.pdf">Cuba</a> (backed by China and Russia) and the <a href="https://www.justsecurity.org/wp-content/uploads/2016/11/Brian-J.-Egan-International-Law-and-Stability-in-Cyberspace-Berkeley-Nov-2016.pdf">U.S.</a> have all made their positions publicly known with varying degrees of detail.</p>
<p><em>Data Transfers</em></p>
<p style="text-align: justify; ">Unlike in other forums, Indian policy has been clearer in the cross-border data transfer debate. This is a foreign policy extension of India’s emphasis on localization and data sovereignty in domestic policy instruments. At the G-20 Summit in Osaka, India and the rest of the BRICS group (Brazil, Russia, China and South Africa) stressed the role that data play in economic development for emerging economies and reemphasized the need for <a href="https://www.youtube.com/watch?v=0a8YsZQ0F6k&feature=youtu.be">data sovereignty</a>. India did not sign the <a href="https://www.international.gc.ca/world-monde/international_relations-relations_internationales/g20/2019-06-29-g20_declaration-declaration_g20.aspx?lang=eng">Osaka Declaration on the Digital Economy</a> that kickstarted the “Osaka Track”—a process whereby the 78 signatories agreed to participate in global policy discussions on international rule-making for e-commerce at the World Trade Organization (WTO). This was a continuation of India’s sustained efforts opposing the e-commerce moratorium at the WTO.</p>
<p style="text-align: justify; ">The importance of cross-border data flows in spurring the global economy found its way into the <a href="https://g20.org/pdf/documents/en/FINAL_G20_Osaka_Leaders_Declaration.pdf">Final G-20 Leaders Declaration</a>—which India signed. Foreign Secretary Vijay Gokhale <a href="https://www.youtube.com/watch?v=0a8YsZQ0F6k&feature=youtu.be">argued</a> that international rule-making on data transfers should not take place in plurilateral forums outside the WTO. Gokhale claimed that limiting the debate to the WTO would ensure that emerging economies have a say in the framing of the rules. The clarity expressed by the Indian delegation at the G-20 should be a model for more confident Indian leadership in this global cyber policy development space.</p>
<h3 style="text-align: justify; ">Looking Forward</h3>
<p style="text-align: justify; ">India is no newcomer to the idea of normative leadership. To overcome material shortcomings in the nation’s early years, Jawaharlal Nehru, the first Indian prime minister, engineered a <a href="https://www.livemint.com/Opinion/h13WRfZP09BWA3Eg68TuVL/What-Narendra-Modi-has-Jawaharlal-Nehru-to-thank-for.html">normative pivot in world affairs</a> by championing the sovereignty of countries that had gained independence from colonial rule. In the years immediately after independence, the Indian foreign policy establishment sought to break the hegemony of the United States and the Soviet Union by advancing a foreign policy rooted in what came to be known as <a href="https://www.foreignaffairs.com/articles/india/2016-09-19/india-after-nonalignment">“nonalignment.”</a></p>
<p style="text-align: justify; ">Making sound contributions to foreign policy in cyberspace requires a variety of experts—international lawyers, computer scientists, geopolitical strategists and human rights advocates. Indian civil society and academia are brimming with tech policy enthusiasts from a variety of backgrounds who could add in-depth substance to the government’s cyber vision. Such engagement has begun to some extent at the domestic level: Most government policies are now opened up to consultation with stakeholders. Yet there is still room for greater transparency in this process.</p>
<p style="text-align: justify; ">India's cyber vision is worth fighting for. The continued monetization of data dividends by foreign big tech at the expense of India’s socioeconomic development needs to be countered. This can be accomplished by predictable and coherent policymaking that balances economic growth and innovation with the fundamental rights and values enshrined in the Indian Constitution, including the right to equality, freedom of speech and expression, and the right to life. But inherent contradictions in the conceptualization of personal data, delays in tabling the Personal Data Protection Bill, and uncertain or rushed approaches in several other regulatory policies are all fettering the realization of this vision. On core geopolitical issues, there exists an opportunity to set the rule-shaping agenda to favor India’s sovereign interests. With global cyber policy formulation in a state of flux, India has the economic, demographic and intellectual leverage to have a substantial impact on the debate and recraft the narrative in favor of the rapidly emerging Global South.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation'>http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation</a>
</p>
No publisher; basu; Cyber Security; Internet Governance; 2019-11-13T14:13:33Z; Blog Entry
Discussion at CyFy on Technology, Policy and National Security: Building 21st Century Curricula in India’s Law Schools
http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools
<b>Arindrajit Basu attended the session and gave comments on the course outline which included thoughts on:</b>
<ol>
<li>Threshold of technical knowledge-comparison with WTO law</li>
<li>Need for India-centric approaches both in domestic and foreign policy</li>
<li>Possibility of executive training of senior diplomats</li>
<li>Need to include fintech security in the syllabus</li>
<li>Necessity of international law as a tool of conflict</li>
<li>Sustained collaboration between think-tanks and universities</li>
</ol>
<p> </p>
<p style="text-align: justify; ">The event was organized by the Centre for Communication Governance at National Law University Delhi and Observer Research Foundation at Villa Medici, Taj Mahal Hotel, Man Singh Road, New Delhi.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools'>http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools</a>
</p>
No publisher; Admin; Cyber Security; Internet Governance; Financial Technology; 2019-10-20T07:23:11Z; News Item
Cyber Policy 2.0
http://editors.cis-india.org/internet-governance/news/cyber-policy-2.0
<b>National Law University organized an executive education program in Bangalore on August 17, 2019. Arindrajit Basu was a speaker. He spoke on Deconstructing the India regulatory approach to data governance and cyber security.</b>
<p>For more details about the program, <a class="external-link" href="http://policyandgovernance.in/cyber-policy-2/">click here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cyber-policy-2.0'>http://editors.cis-india.org/internet-governance/news/cyber-policy-2.0</a>
</p>
No publisher; Admin; Cyber Security; Internet Governance; Cyberspace; 2019-08-19T14:18:13Z; News Item
Private Sector and the cultivation of cyber norms in India
http://editors.cis-india.org/internet-governance/blog/nextrends-india-arindrajit-basu-august-5-2019-private-sector-and-the-cultivation-of-cyber-norms-in-india
<b>Information Communication Technologies (ICTs) have become a regular facet of modern existence. The growth of cyberspace has challenged traditional notions of global order and uprooted the notion of governance itself. All over the world, the private sector has become a critical player, both in framing cyber regulations and in implementing them.</b>
<p style="text-align: justify; ">The article by Arindrajit Basu was published by <a class="external-link" href="http://nextrendsindia.org/private-sector-and-the-cultivation-of-cyber-norms-in-india/">Nextrends India</a> on August 5, 2019.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">While the United Nations ‘Group of Governmental Experts’ (GGE) tried and failed to establish a common law for governing the behavior of states in cyberspace, it is Big Tech who led the discussions on cyberspace regulations. Microsoft’s <a class="addbackground" href="https://www.microsoft.com/en-us/cybersecurity/content-hub/a-digital-geneva-convention-to-protect-cyberspace">Digital Geneva Convention</a>, which devised a set of rules to protect civilian use of the internet, was a notable initiative on that front. Microsoft was also a major driver of the <a class="addbackground" href="https://cybertechaccord.org/">Tech Accords</a> — a public commitment made by over 100 companies “agreeing to defend all customers everywhere from malicious attacks by cyber-criminal enterprises and nation-states.” The <a class="addbackground" href="https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in">Paris Call for Trust and Security in Cyberspace</a> was a joint effort between the French government and Microsoft that brought in (as of today) 66 states, 347 private sector entities, including Indian business guilds such as FICCI and the Mobile Association of India, and 139 organisations from civil society and academia from all over the globe.</p>
<p style="text-align: justify; ">However, the entry of Big Tech into the business of framing regulation has raised eyebrows across jurisdictions. In India, the government has attempted to push back on the global private sector due to arguably extractive economic policies adopted by them, alongside the threats they pose to India’s democratic fabric. The Indian government has taken various steps to constrain Big Tech, although some of these policies have been hastily rolled out and fail to address the root of the problem.</p>
<p style="text-align: justify; ">I have identified two regulatory interventions that illustrate this trend. First, on <a class="addbackground" href="https://www.thehindubusinessline.com/opinion/resurrecting-the-marketplace-of-ideas/article26313605.ece">intermediary liability</a>, Rule 3(9) of the Draft of the Information Technology 2018 released by the Ministry of Electronics and Information Technology (MeiTy) last December. The rule follows in the footsteps of countries like Germany and France by mandating that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.” These regulations have resulted in criticism from both the private sector and civil society as they fail to address concerns around algorithmic discrimination and excessive censorship, and give the government undue power. Further, the regulations paint all the intermediaries with the same brush, thus not differentiating between platforms such as WhatsApp, which thrive on end-to-end encryption, and public platforms like Facebook.</p>
<p style="text-align: justify; ">Another source of discord between the government and the private sector has been the government’s localisation mandate, featuring in a slew of policies. Over the past year, the Indian government has <a class="addbackground" href="https://twitter.com/cis_india/status/1143096429298085889">introduced a range of policy instruments</a> which demand that certain kinds of data must be stored in servers located physically within India — termed “<a class="addbackground" href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">data localization</a>.”</p>
<p style="text-align: justify; ">While this serves <a class="addbackground" href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">a number of policy objectives</a>, the two which stand out are (1) the presently complex process for Indian law enforcement agencies to access data stored in the U.S. during criminal investigations, and (2) extractive economic models used by U.S. companies operating in India.</p>
<p style="text-align: justify; ">A <a class="addbackground" href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">study</a> I co-authored earlier this year on the issue found that foreign players and smaller Indian private sector players were against this move due to the high compliance costs in setting up data centres.</p>
<p style="text-align: justify; ">On this question, we <a class="addbackground" href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">recommended a dual approach</a> that involves mandatory sectoral localisation for critical sectors such as defense or payments data while adopting ‘conditional’ localisation for all other data. Under ‘conditional localisation,’ data should only be transferred to countries that (1) agree to share the personal data of Indian citizens with law enforcement authorities based on Indian criminal procedure laws and (2) have equivalent privacy and security safeguards.</p>
<p style="text-align: justify; ">These two instances demonstrate that it is important for the Indian government to engage with both the domestic and foreign private sector to carve out optimal regulatory interventions that benefit the Indian consumer and the private sector as a whole rather than a few select big players. At the same time, it is important for the private sector to be a responsible stakeholder and comply both with existing laws and accepted norms of ‘good behaviour.’</p>
<p style="text-align: justify; ">Going forward, there is no denying the role of the private sector in the development of emerging technologies. However, a balance must be struck through continued engagement and mutual respect to create a regulatory ecosystem that fosters innovation while respecting the rule of law with every stakeholder – government, private sector and civil society. India’s position could set the trend for other emerging economies coming online and foster a strategic digital ecosystem that works for all stakeholders.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/nextrends-india-arindrajit-basu-august-5-2019-private-sector-and-the-cultivation-of-cyber-norms-in-india'>http://editors.cis-india.org/internet-governance/blog/nextrends-india-arindrajit-basu-august-5-2019-private-sector-and-the-cultivation-of-cyber-norms-in-india</a>
</p>
No publisher, basu, Cyber Security, Internet Governance, 2019-08-07T15:18:27Z, Blog Entry
India is falling down the facial recognition rabbit hole
http://editors.cis-india.org/internet-governance/blog/india-is-falling-down-the-facial-recognition-rabbit-hole
<b>Its use as an effective law enforcement tool is overstated, while the underlying technology is deeply flawed.</b>
<p>The article by Prem Sylvester and Karan Saini was published in <a href="https://thewire.in/tech/india-is-falling-down-the-facial-recognition-rabbit-hole">the Wire</a> on July 23, 2019.</p>
<hr />
<div class="grey-text">
<p>In a
discomfiting reminder of how far technology can be used to intrude on
the lives of individuals in the name of security, the Ministry of Home
Affairs, through the National Crime Records Bureau, <a href="http://ncrb.gov.in/TENDERS/AFRS/RFP_NAFRS.pdf">recently put out a tender</a> for a new Automated Facial Recognition System (AFRS). </p>
<p>The stated objective of this system is to “act as a foundation for a national level searchable platform of facial images,” and to “[improve]
outcomes in the area of criminal identification and verification by
facilitating easy recording, analysis, retrieval and sharing of
Information between different organizations.” </p>
<p>The system will pull facial image
data from CCTV feeds and compare these images with existing records in a
number of databases, including (but not limited to) the Crime and
Criminal Tracking Networks and Systems (or CCTNS), Interoperable
Criminal Justice System (or ICJS), Immigration Visa Foreigner
Registration Tracking (or IVFRT), Passport, Prisons, Ministry of Women
and Child Development (KhoyaPaya), and state police records. </p>
<p>Furthermore, this system of facial
recognition will be integrated with the yet-to-be-deployed National
Automated Fingerprint Identification System (NAFIS) as well as other
biometric databases to create what is effectively a multi-faceted system
of biometric surveillance.</p>
<p>It is rather unfortunate, then, that
the government has called for bids on the AFRS tender without any form
of utilitarian calculus that might justify its existence. The tender
simply states that this system would be “a great investigation
enhancer.” </p>
<p>This confidence is misplaced at best.
There is significant evidence that not only is a facial recognition
system, as has been proposed, <a href="https://www.nytimes.com/2019/07/01/us/facial-recognition-san-francisco.html">ineffective in its application as a crime-fighting tool</a>, but it is a significant <a href="https://www.independent.co.uk/news/uk/home-news/facial-recognition-uk-police-london-trials-inaccurate-legal-results-ethics-a8938851.html">threat to the privacy rights and dignity of citizens</a>.
Notwithstanding the question of whether such a system would ultimately
pass the test of constitutionality – on the grounds that it affects
various freedoms and rights guaranteed within the constitution – there
are a number of faults in the issued tender. </p>
<p>Let us first consider the mechanics of a facial recognition system itself. Facial recognition systems <a href="https://medium.com/@ageitgey/machine-learning-is-fun-part-4-modern-face-recognition-with-deep-learning-c3cffc121d78">chain together a number of algorithms to identify</a>
and pick out specific, distinctive details about a person’s face – such
as the distance between the eyes, or shape of the chin, along with
distinguishable ‘facial landmarks’. These details are then converted
into <a href="https://www.eff.org/pages/face-recognition">a mathematical representation known as a face template</a> for
comparison with similar data on other faces collected in a face
recognition database. There are, however, several problems with facial
recognition technology that employs such methods. </p>
<p>Facial recognition technology depends
on machine learning – the tender itself mentions that the AFRS is
expected to work on neural networks “or similar technology” – which is
far from perfect. At a relatively trivial level, there are several ways
to fool facial recognition systems, including wearing <a href="https://www.theguardian.com/technology/2016/nov/03/how-funky-tortoiseshell-glasses-can-beat-facial-recognition">eyewear</a>, or <a href="https://theoutline.com/post/5172/juggalo-juggalette-facepaint-makeup-hack-beat-facial-recognition-technology?curator=MusicREDEF&zd=4&zi=s7q4e3fe">specific types of makeup</a>. The training sets for the algorithm itself can be deliberately poisoned to recognise objects incorrectly, <a href="https://www.theregister.co.uk/2017/11/06/mit_fooling_ai/">as observed by students at MIT</a>. </p>
<p>More consequentially, these systems
often throw up false positives, such as when the face recognition system
incorrectly matches a person’s face (say, from CCTV footage) to an
image in a database (say, a mugshot), which might result in innocent
citizens being identified as criminals. In a <a href="https://www.bka.de/SharedDocs/Downloads/EN/Publications/Other/photographBasedSearchesFinalReport.pdf?__blob=publicationFile&v=1">real-time experiment</a> set in a train station in Mainz, Germany,
facial recognition accuracy ranged from 17-29% – and that too only for
faces seen from the front – and was at 60% during the day but 10-20% at
night, indicating that environmental conditions play a significant role
in this technology.</p>
<p>Facial recognition software used by the UK’s Metropolitan Police <a href="https://www.independent.co.uk/news/uk/home-news/met-police-facial-recognition-success-south-wales-trial-home-office-false-positive-a8345036.html" rel="noopener" target="_blank">has returned false positives in more than 98% of match alerts generated</a>.</p>
<p>When the American Civil Liberties Union (ACLU) <a href="https://www.aclu.org/blog/privacy-technology/surveillance-technologies/amazons-face-recognition-falsely-matched-28">used</a>
Amazon’s face recognition system, Rekognition, to compare images of
legislative members of the American Congress with a database of
mugshots, the results included 28 incorrect matches.</p>
<p>There is another uncomfortable reason
for these inaccuracies – facial recognition systems often reflect the
biases of the society they are deployed in, leading to problematic
face-matching results. Technological objectivity is largely a myth, and
facial recognition offers a stark example of this. </p>
<p><a href="http://proceedings.mlr.press/v81/buolamwini18a/buolamwini18a.pdf">An MIT study</a> shows that existing facial recognition technology routinely misidentifies
people of darker skin tone, women and young people at high rates,
performing better on male faces than female faces (8.1% to 20.6%
difference in error rate), lighter faces than darker faces (11.8% to
19.2% difference in error rate) and worst on darker female faces (20.8%
to 34.7% error rate). In the aforementioned ACLU study, the false
matches were disproportionately people of colour, particularly
African-Americans. The bias rears its head when the parameters of
machine-learning algorithms, derived from labelled data during a
“supervised learning” phase, adhere to socially-prejudiced ideas of who
might commit crimes. </p>
<p>The implications for facial
recognition are chilling. In an era of pervasive cameras and big data,
such prejudice can be applied at unprecedented scale through facial
recognition systems. By replacing biased human judgment with a machine
learning technique that embeds the same bias, and more reliably, we
defeat any claims of technological neutrality. Worse, because humans
will assume that the machine’s “judgment” is not only consistently fair
on average but independent of their personal biases, they will read
agreement of its conclusions with their intuition as independent
corroboration. </p>
<p>In the Indian context, consider that Muslims, Dalits, Adivasis and other SC/STs are <a href="https://www.newsclick.in/how-caste-plays-out-criminal-justice-system">disproportionately targeted</a> by law enforcement.
The NCRB in its 2015 report on prison statistics in India recorded that
over 55% of the undertrial prisoners in India are either Dalits,
Adivasis or Muslims, a number grossly disproportionate to the combined
population of Dalits, Adivasis and Muslims, which amounts to just 39% of
the total population according to the 2011 Census.</p>
<p>If the AFRS is thus trained on these
records, it would clearly reinforce socially-held prejudices against
these communities, as inaccurately representative as they may be of
those who actually carry out crimes. The tender gives no indication that
the developed system would need to eliminate or even minimise these
biases, nor if the results of the system would be human-verifiable.</p>
<p>This could lead to a runaway effect
if subsequent versions of the machine-learning algorithm are trained
with criminal convictions in which the algorithm itself played a causal
role. Taking such a feedback loop to its logical conclusion, law
enforcement may use machine learning to allocate police resources to
likely crime spots – which would often be in low income or otherwise
vulnerable communities.</p>
<p>Adam Greenfield writes in <em>Radical Machines</em>
on the idea of ‘over transparency,’ that combines “bias” of the
system’s designers as well of the training sets – based as these systems
are on machine learning – and “legibility” of the data from which
patterns may be extracted. The “meaningful question,” then, isn’t
limited to whether facial recognition technology works in identification
– “[i]t’s whether someone believes that they do, and acts on that
belief.”</p>
<p>The question thus arises as to why
the MHA/NCRB believes this is an effective tool for law enforcement.
We’re led, then, to another, larger concern with the AFRS – that it
deploys a system of surveillance that oversteps its mandate of law
enforcement. The AFRS ostensibly circumvents the fundamental right to
privacy, as ratified by the Supreme Court in 2018, through sourcing its
facial images from CCTV cameras installed in public locations, where the
citizen may expect to be observed. </p>
<p>The extent of this surveillance is
made even clearer when one observes the range of databases mentioned in
the tender for the purposes of matching with suspects’ faces extends to
“any other image database available with police/other entity” besides
the previously mentioned CCTNS, ICJS et al. The choice of these
databases makes overreach extremely viable.</p>
<p>This is compounded when we note that
the tender expects the system to “[m]atch suspected criminal face[sic]
from pre-recorded video feeds obtained from CCTVs deployed in various
critical identified locations, or with the video feeds received from
private or other public organization’s video feeds.” There further
arises a concern with regard to the process of identification of such
“critical […] locations,” and if there would be any mechanisms in place
to prevent this from being turned into an unrestrained system of
surveillance, particularly with the stated access to private
organisations’ feeds.</p>
<p><a href="https://www.perpetuallineup.org/sites/default/files/2016-12/The%20Perpetual%20Line-Up%20-%20Center%20on%20Privacy%20and%20Technology%20at%20Georgetown%20Law%20-%20121616.pdf">The Perpetual Lineup report</a>
by Georgetown Law’s Center on Privacy & Technology identifies
real-time (and historic) video surveillance as posing a very high risk
to privacy, civil liberties and civil rights, especially owing to the
high-risk factors of the system using real-time dragnet searches that
are more or less invisible to the subjects of surveillance.</p>
<p>It is also designated a “Novel Use”
system of criminal identification, i.e., with little to no precedent as
compared to fingerprint or DNA analysis, the latter of which was
responsible for countless wrongful convictions during its nascent
application in the science of forensic identification, which have since
then been overturned.</p>
<p>In the <em>Handbook of Face Recognition</em>,
Andrew W. Senior and Sharathchandra Pankanti identify a more serious
threat that may be born out of automated facial recognition, assessing
that “these systems also have the potential […] to make judgments about
[subjects’] actions and behaviours, as well as aggregating this data
across days, or even lifetimes,” making video surveillance “an
efficient, automated system that observes everything in front of any of
its cameras, and allows all that data to be reviewed instantly, and
mined in new ways” that allow constant tracking of subjects.</p>
<p>Such “blanket, omnivident surveillance networks” are a serious possibility through the proposed AFRS. <a href="https://jis-eurasipjournals.springeropen.com/track/pdf/10.1155/2009/865259">Ye et al, in their paper on “Anonymous biometric access control”</a>, show
how automatically captured location and facial image data obtained from
cameras designed to track the same can be used to learn graphs of
social networks in groups of people.</p>
<p>Consider those charged with sedition or similar <em>crimes</em>,
given that the CCTNS records the details as noted in FIRs across the
country. Through correlating the facial image data obtained from CCTVs
across the country – the tender itself indicates that the system must be
able to match faces obtained from two (or more) CCTVs – this system
could easily be used to target the movements of dissidents moving across
locations.</p>
<p><strong>Constantly watched</strong></p>
<p>Further, something which has not been
touched upon in the tender – and which may ultimately allow for a
broader set of images for carrying out facial recognition – is the
definition of what exactly constitutes a ‘criminal’. Is it when an FIR
is registered against an individual, or when s/he is arrested and a
chargesheet is filed? Or is it only when an individual is convicted by a
court that they are considered a criminal?</p>
<p>Additionally, does a person cease to be recognised by the tag of a <em>criminal </em>once
s/he has served their prison sentence and paid their dues to society?
Or are they instead marked as higher-risk individuals who may
potentially commit crimes again? It could be argued that such a
definition is not warranted in a tender document, however, these are
legitimate questions which should be answered prior to commissioning and
building a <em>criminal </em>facial recognition system.</p>
<p>Senior and Pankanti note the generalised metaphysical consequences of pervasive video surveillance in the <em>Handbook of Face Recognition:</em> </p>
<p>“the
feeling of disquiet remains [even if one hasn’t committed a major
crime], perhaps because everyone has done something “wrong”, whether in
the personal or legal sense (speeding, parking, jaywalking…) and few
people wish to live in a society where all its laws are enforced
absolutely rigidly, never mind arbitrarily, and there is always the
possibility that a government to which we give such powers may begin to
move towards authoritarianism and apply them towards ends that we do not
endorse.”</p>
<p>Such a seemingly apocalyptic scenario
isn’t far-fetched. In the section on ‘Mandatory Features of the AFRS’,
the system goes a step further and is expected to integrate “with other
biometric solution[sic] deployed at police department system like
Automatic Fingerprint identification system (AFIS)[sic]” and “Iris.”
This form of linking of biometric databases opens up possibilities of a
dangerous extent of profiling.</p>
<p>While the Aadhaar Act, 2016,
disallows Aadhaar data from being handed over to law enforcement
agencies, the AFRS and its linking with biometric systems (such as the
NAFIS) effectively bypasses the minimal protections from biometric
surveillance the prior unavailability of Aadhaar databases might have
afforded. The fact that India does not have a data protection law yet –
and the Bill makes no references to protection against surveillance
either – deepens the concern with the usage of these integrated
databases. </p>
<p>The Perpetual Lineup report warns
that the government could use biometric technology “to identify multiple
people in a continuous, ongoing manner [..] from afar, in public
spaces,” allowing identification “to be done in secret”. Senior and
Pankanti warn of “function creep,” where the public grows uneasy as
“silos of information, collected for an authorized process […] start
being used for purposes not originally intended, especially when several
such databases are linked together to enable searches across multiple
domains.”</p>
<p>This, as Adam Greenfield points out,
could very well erode “the effectiveness of something that has
historically furnished an effective brake on power: the permanent
possibility that an enraged populace might take to the streets in
pursuit of justice.”</p>
<p>What the NCRB’s AFRS amounts to,
then, is a system of public surveillance that offers little demonstrable
advantage to crime-fighting, especially as compared with its costs to
fundamental human rights of privacy and the freedom of assembly and
association. This, without even delving into its implications with
regard to procedural law. To press on with this system, then, would be
indicative of the government’s lackadaisical attitude towards protecting
citizens’ freedoms. </p>
<hr />
<p><em>The views expressed by the authors in this article are
personal.</em></p>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-is-falling-down-the-facial-recognition-rabbit-hole'>http://editors.cis-india.org/internet-governance/blog/india-is-falling-down-the-facial-recognition-rabbit-hole</a>
</p>
No publisher, Prem Sylvester and Karan Saini, Cyber Security, Facial Recognition, 2019-07-25T13:40:00Z, Blog Entry
European Summer School on Internet Governance
http://editors.cis-india.org/internet-governance/news/european-summer-school-on-internet-governance
<b>The 13th European Summer School on Internet Governance was held at Meissen in Germany from 13 - 20 July 2019. Akriti Bopanna attended the school. The event was organized by EuroSSIG. </b>
<p>More information on the event can be <a class="external-link" href="https://eurossig.eu/eurossig/2019-edition/programme-2019/">accessed on this page</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/european-summer-school-on-internet-governance'>http://editors.cis-india.org/internet-governance/news/european-summer-school-on-internet-governance</a>
</p>
No publisher, Admin, Cyber Security, Internet Governance, Internet Freedom, 2019-07-23T00:30:15Z, News Item
Workshop on Cyber-Ethics: Values-driven Innovative Solutions
http://editors.cis-india.org/internet-governance/news/workshop-on-cyber-ethics-values-driven-innovative-solutions
<b>Arindrajit Basu moderated a discussion on Cyber-Ethics at Swiss Nex (Consulate General of Switzerland), Bangalore on 28 June 2019. The event was organized by the Embassy of Switzerland.</b>
<p style="text-align: justify; ">Cyber-space – the virtual reality – influences all countries in the world and all sectors of society. The cyber-world of e-mails, e-commerce, e-government, e-education, e-music, e-prosecutors, artificial intelligence and crypto-currencies is a daily reality, with new opportunities. On the other hand, cyber-bullying, cyber-criminality, cyber-security, cyber-war etc. are great challenges.</p>
<p style="text-align: justify; ">Cyber-ethics looks for values-driven innovative solutions to these challenges and opportunities between freedom and privacy, security and peace. Switzerland is a world leader in innovation, India is a world leader in information technologies. How can both countries strengthen ethical, values-driven solutions for the cyber-world? Indian and Swiss Experts present challenges and solutions.</p>
<h3 style="text-align: justify; ">Programme</h3>
<p class="Standard">10:00 Registration & welcome tea and coffee</p>
<p class="Standard">10:30 <b>Welcome remarks</b></p>
<p class="Standard"><b>Mr. Sebastien Hug</b>, CEO, swissnex India and Consul General of Switzerland</p>
<p class="Standard">10:35 <b>Keynote address: Cyber-Ethics between Global Values and Contextual Interests</b></p>
<p class="Standard"><b>Prof. Dr. H.C. Christoph Stückelberger</b>, Founder and President of Globethics.net, Visiting Professor of Ethics in Nigeria, Russia, China</p>
<p class="Standard">11:05 <b>Moderated panel discussion</b></p>
<p class="Standard"><i>Moderator</i>: <b>Arindrajit Basu, </b>Senior Policy Officer, Center for Internet and Society</p>
<p class="Standard"><i>Panelists</i>:</p>
<p class="Standard"><b>Dr. Pavan Duggal</b>, Founder and President of the International Commission on Cyber Security Law, Advocate at Supreme Court of India</p>
<p class="Standard"><b>Dr Siobhán Martin</b>, Deputy Head, Leadership, Crisis and Conflict Management, Geneva Centre for Security Policy</p>
<p class="Standard"><b>Mr Sameer Chothani</b>, Managing Director - Group Technology, India, UBS</p>
<p class="Standard">12:15 Q&A</p>
<p class="Standard">12:45 Networking lunch</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/workshop-on-cyber-ethics-values-driven-innovative-solutions'>http://editors.cis-india.org/internet-governance/news/workshop-on-cyber-ethics-values-driven-innovative-solutions</a>
</p>
No publisher, Admin, Cyber Security, Internet Governance, 2019-07-06T00:51:20Z, News Item
The Global Nature of Cybersecurity in a Changing World
http://editors.cis-india.org/telecom/news/the-global-nature-of-cybersecurity-in-a-changing-world
<b>Arindrajit Basu represented CIS at the annual grantee convening of the Hewlett Foundation held at San Diego from 20 - 22 June 2019. </b>
<p style="text-align: justify; ">Cybersecurity knows no borders and is not limited to any one geography or culture. The challenges and opportunities facing cybersecurity experts, policymakers and the public are global in nature and require globally-minded solutions at all levels. At the same time, rapid changes in technology have a direct impact on societies around the world and the changing threat environment. The Hewlett Foundation’s 2019 Cyber Initiative Grantee Convening will focus on two pillars: (1) the global nature of cyberspace and (2) emerging technology challenges and solutions. We will come together to share our work in this space and identify opportunities for meaningful collaboration.</p>
<p style="text-align: justify; ">For more info, <a class="external-link" href="http://cis-india.org/internet-governance/files/public-agenda">click here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/telecom/news/the-global-nature-of-cybersecurity-in-a-changing-world'>http://editors.cis-india.org/telecom/news/the-global-nature-of-cybersecurity-in-a-changing-world</a>
</p>
No publisher, Admin, Cyber Security, Internet Governance, 2019-07-05T02:26:52Z, News Item
Shining light into darkness: Encouraging greater transparency of government offensive practices in cyberspace
http://editors.cis-india.org/internet-governance/news/shining-light-into-darkness-encouraging-greater-transparency-of-government-offensive-practices-in-cyberspace
<b>RightsCon is organizing a summit on human rights in the digital age in Tunis in June 2019. Sunil Abraham will be attending a conversation on encouraging greater transparency of government offensive practices in cyberspace on June 12.</b>
<p class="moz-quote-pre" style="text-align: justify; ">In the plethora of different cybersecurity benchmark reports today, one is conspicuously missing. No entity has so far found a way to highlight and measure the different cyber offensive and deterrence doctrines, policies, or capabilities on a country-by-country basis. Similarly, there have been limited attempts to not only map, but monitor adherence to, international law and emerging international norms of behaviour in cyberspace.</p>
<p class="moz-quote-pre" style="text-align: justify; ">During this session, pulled together by Microsoft, the Hewlett Foundation and Mastercard, we will explore whether there is value in developing either one or the other product, and assess how difficult they would be to realize. Would such a report encourage greater transparency of these policies and as a result drive international discussion about responsible behaviour in cyberspace? What data would be required for it to generate a meaningful impact?</p>
<p class="moz-quote-pre" style="text-align: justify; ">We will also examine whether there are lessons that can be learnt on the development, use, and impact of seminal benchmarking reports, such as the Global Peace Index, the Nuclear Security Index, Human Rights Watch’s World Report, and others. This gap is being examined in the light of the potential creation of a CyberPeace Institute, an independent non-profit organization to empower the global community with the knowledge and capabilities to protect civilians in cyberspace from sophisticated systemic cyber-attacks. It is envisioned that the CyberPeace Institute would perform three key functions: a) increase transparency of information on cyberattacks that are perpetrated by sophisticated actors and have significant, direct harm on civilians and civilian infrastructure; b) advance the role of international law and norms in governing the behavior of states and other actors in cyberspace; and c) deliver assistance at scale to the most vulnerable victims of qualifying cyberattacks, accelerating victims’ recovery and increasing their resilience. More information on the proposed Institute can be found in the attached overview.</p>
<p class="moz-quote-pre">The conversation will take place at RightsCon, in the Erythrean room on Wednesday, June 12 from 4:30 p.m. - 5:30 p.m.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/shining-light-into-darkness-encouraging-greater-transparency-of-government-offensive-practices-in-cyberspace'>http://editors.cis-india.org/internet-governance/news/shining-light-into-darkness-encouraging-greater-transparency-of-government-offensive-practices-in-cyberspace</a>
</p>
No publisher, Admin, Cyber Security, Internet Governance, 2019-06-05T06:53:31Z, News Item
International Cooperation in Cybercrime: The Budapest Convention
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention
<b>In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.</b>
<p><a class="external-link" href="http://cis-india.org/internet-governance/files/budapest-convention-paper.pdf"><b>Click to download the file here </b></a></p>
<hr />
<p style="text-align: justify; "><span>However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“</span><strong>Budapest</strong><span> </span><strong>Convention</strong><span>”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn1"><sup><sup>[1]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Extradition</strong></p>
<p style="text-align: justify; ">Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for at least one year.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn2"><sup><sup>[2]</sup></sup></a> In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn3"><sup><sup>[3]</sup></sup></a> Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn4"><sup><sup>[4]</sup></sup></a> The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn5"><sup><sup>[5]</sup></sup></a></p>
<p style="text-align: justify; ">The Convention also recognises the principle of "<em>aut dedere aut judicare</em>" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn6"><sup><sup>[6]</sup></sup></a> then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn7"><sup><sup>[7]</sup></sup></a> The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn8"><sup><sup>[8]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Mutual Assistance Requests</strong></p>
<p style="text-align: justify; ">The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn9"><sup><sup>[9]</sup></sup></a> Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn10"><sup><sup>[10]</sup></sup></a> However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.</p>
<p style="text-align: justify; ">The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn11"><sup><sup>[11]</sup></sup></a> Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn12"><sup><sup>[12]</sup></sup></a></p>
<p style="text-align: justify; ">Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn13"><sup><sup>[13]</sup></sup></a> (ii) the request concerns an offence considered as a political offence by the requested Party;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn14"><sup><sup>[14]</sup></sup></a> or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, <em>ordre public </em>or other essential interests.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn15"><sup><sup>[15]</sup></sup></a> The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn16"><sup><sup>[16]</sup></sup></a> In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn17"><sup><sup>[17]</sup></sup></a></p>
<p style="text-align: justify; ">In practice it has been found that though States refuse requests on a number of grounds,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn18"><sup><sup>[18]</sup></sup></a> some States even refuse cooperation in the event that the case is minor but imposes an excessive burden on the requested State.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn19"><sup><sup>[19]</sup></sup></a> A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested State to carry out a mutual assistance request:</p>
<p style="text-align: justify; ">“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.</p>
<p style="text-align: justify; ">British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.</p>
<p style="text-align: justify; ">Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.</p>
<p style="text-align: justify; ">A.T. was extradited to Norway and prosecuted.”<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn20"><sup><sup>[20]</sup></sup></a></p>
<p style="text-align: justify; ">It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.</p>
<p style="text-align: justify; ">In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn21"><sup><sup>[21]</sup></sup></a> On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn22"><sup><sup>[22]</sup></sup></a> If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn23"><sup><sup>[23]</sup></sup></a></p>
<p style="text-align: justify; ">In the normal course the Convention envisages requests being made and executed through the respective designated central authorities; however, it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even Interpol.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn24"><sup><sup>[24]</sup></sup></a> Even in non-urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn25"><sup><sup>[25]</sup></sup></a></p>
<p style="text-align: justify; ">The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn26"><sup><sup>[26]</sup></sup></a> (ii) provide real time collection of traffic data associated with specified communications in its territory;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn27"><sup><sup>[27]</sup></sup></a> and (iii) provide real time collection or recording of content data of specified communications.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn28"><sup><sup>[28]</sup></sup></a> The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.</p>
<p style="text-align: justify; ">The procedure for sending mutual assistance requests under the Convention is usually the following:</p>
<ol style="text-align: justify; ">
<li>Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.</li>
<li>Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).</li>
<li>The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.</li>
</ol>
<p style="text-align: justify; "><span>The following procedure is then followed in the corresponding receiving Party:</span></p>
<ol style="text-align: justify; ">
<li>Receipt of the request by the Central Authority.</li>
<li>Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).</li>
<li>Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).</li>
<li>Issuance of a court order (if needed).</li>
<li>Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.</li>
<li>Data obtained is examined against the MLA request, which may entail translation or using a specialist in the language.</li>
<li>The information is then transmitted to requesting State via MLA channels.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn29"><sup><sup>[29]</sup></sup></a></li>
</ol>
<p style="text-align: justify; "><span>In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently investigations) are often abandoned.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn30"><sup><sup>[30]</sup></sup></a><span> Further, the lack of awareness regarding procedure and applicable legislation of the requested State leads to formal requirements not being met. Requests are often incomplete or too broad, or do not meet legal thresholds or the dual criminality requirement.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn31"><sup><sup>[31]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Preservation Requests</strong></p>
<p style="text-align: justify; ">The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.</p>
<p style="text-align: justify; ">The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn32"><sup><sup>[32]</sup></sup></a> However, in cases where Parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn33"><sup><sup>[33]</sup></sup></a> In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would be likely to prejudice the sovereignty, security, <em>ordre public </em>or other essential interests of the requested Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn34"><sup><sup>[34]</sup></sup></a></p>
<p style="text-align: justify; ">In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn35"><sup><sup>[35]</sup></sup></a> Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn36"><sup><sup>[36]</sup></sup></a> If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn37"><sup><sup>[37]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Jurisdiction and Access to Stored Data </strong></p>
<p style="text-align: justify; ">The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn38"><sup><sup>[38]</sup></sup></a> The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction: (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn39"><sup><sup>[39]</sup></sup></a> These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state. In fact, if a state were required to take the permission of the state in the territory of which the data was physically located even in these situations, it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. 
At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state; however, it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn40"><sup><sup>[40]</sup></sup></a></p>
<p style="text-align: justify; ">Since the language of the Budapest Convention stopped shy of addressing other situations, law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis, risking the privacy rights of individuals and raising concerns regarding national sovereignty.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn41"><sup><sup>[41]</sup></sup></a> It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011, which came out with a Guidance Note clarifying the legal position under Article 32.</p>
<p style="text-align: justify; ">The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn42"><sup><sup>[42]</sup></sup></a> The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn43"><sup><sup>[43]</sup></sup></a> The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn44"><sup><sup>[44]</sup></sup></a></p>
<p style="text-align: justify; ">The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data; they would not own or control the data and therefore cannot give valid consent to share the data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn45"><sup><sup>[45]</sup></sup></a> The Guidance Note also specifies, with respect to the location of the person providing access or consent, that while the standard assumption is that the person would be physically located in the requesting Party, there may be other situations: “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn46"><sup><sup>[46]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Production Order</strong></p>
<p style="text-align: justify; ">A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn47"><sup><sup>[47]</sup></sup></a> It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn48"><sup><sup>[48]</sup></sup></a> Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. 
In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn49"><sup><sup>[49]</sup></sup></a> However subscriber information<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn50"><sup><sup>[50]</sup></sup></a> can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn51"><sup><sup>[51]</sup></sup></a></p>
<p style="text-align: justify; ">Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn52"><sup><sup>[52]</sup></sup></a> Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.</p>
<p style="text-align: justify; ">Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn53"><sup><sup>[53]</sup></sup></a></p>
<p style="text-align: justify; ">The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection to that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn54"><sup><sup>[54]</sup></sup></a> A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn55"><sup><sup>[55]</sup></sup></a> The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn56">[56]</a></sup></sup></p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td colspan="3">
<p align="center"><strong>PRODUCTION ORDER CAN BE SERVED</strong></p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">IF</p>
<p>The criminal justice authority has jurisdiction over the offence</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
<p>The service provider is in possession or control of the subscriber information</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
</td>
</tr>
<tr>
<td>
<p>The service provider is in the territory of the Party</p>
<p>(<em>Article 18(1)(a)</em>)</p>
</td>
<td>
<p>Or</p>
</td>
<td>
<p>A Party considers that a service provider is “offering its services in the territory of the Party” when, for example:</p>
<p>- the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services);</p>
<p>and</p>
<p>- the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party.</p>
<p>(<em>Article 18(1)(b)</em>)</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
</td>
</tr>
<tr>
<td colspan="2">
<p> </p>
</td>
<td>
<p>the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention, are clearly too slow to be a satisfactory long-term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn57"><sup><sup>[57]</sup></sup></a><span> or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn58"><sup><sup>[58]</sup></sup></a><span> Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, especially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn59"><sup><sup>[59]</sup></sup></a><span> and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined, it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn60"><sup><sup>[60]</sup></sup></a><span> </span></p>
<p style="text-align: justify; "><strong>Language of Requests</strong></p>
<p style="text-align: justify; ">It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English at least in urgent cases, since most States accepted a request in English.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn61"><sup><sup>[61]</sup></sup></a> Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released, for public comment, a provisional draft Additional Protocol to address the issue of the language of mutual assistance requests.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn62"><sup><sup>[62]</sup></sup></a></p>
<p style="text-align: justify; "><strong>24/7 Network</strong></p>
<p style="text-align: justify; ">Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn63"><sup><sup>[63]</sup></sup></a> The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer- or computer-related crimes.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn64"><sup><sup>[64]</sup></sup></a> In practice, however, it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities, leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn65"><sup><sup>[65]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Drawbacks and Improvements</strong></p>
<p style="text-align: justify; ">The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:</p>
<p style="text-align: justify; "><em><span>Weakness and Delays in Mutual Assistance:</span></em> In practice it has been found that though States refuse requests on a number of grounds,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn66"><sup><sup>[66]</sup></sup></a> some states even refuse cooperation in the event that the case is minor but would place an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason why police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn67"><sup><sup>[67]</sup></sup></a> The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met, and standardised and multilingual templates for requests may be useful tools to address this concern.</p>
<p style="text-align: justify; "><em><span>Access to data stored outside the territory:</span></em> Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing, with processes of data duplication and delocalisation of data, has added a new dimension to this problem.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn68"><sup><sup>[68]</sup></sup></a> It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn69"><sup><sup>[69]</sup></sup></a> or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn70"><sup><sup>[70]</sup></sup></a> Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.</p>
<p style="text-align: justify; "><em><span>Language of requests:</span></em> The language of requests creates a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released, for public comment, a provisional draft Additional Protocol to address the issue.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn71"><sup><sup>[71]</sup></sup></a></p>
<p style="text-align: justify; "><em><span>Bypassing of 24/7 points of contact:</span></em> Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn72"><sup><sup>[72]</sup></sup></a></p>
<p style="text-align: justify; "><strong>India and the Budapest Convention </strong></p>
<p style="text-align: justify; ">Although countries outside the European Union have the option of signing the Budapest Convention and getting on board the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:</p>
<ul>
<li>India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid, is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties where it had no hand in the initial drafting and negotiations.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn73">[73]</a></sup></sup></li>
<li>Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn74" style="text-align: justify; ">[74]</a></sup></sup></li>
<li>The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn75" style="text-align: justify; ">[75]</a></sup></sup></li>
<li>It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn76" style="text-align: justify; ">[76]</a></sup></sup></li>
<li>Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn77" style="text-align: justify; "><sup><sup>[77]</sup></sup></a></li>
</ul>
<p style="text-align: justify; ">Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn78"><sup><sup>[78]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Conclusion</strong></p>
<p style="text-align: justify; ">The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative, the MLAT system, is no better due to delays in providing access to requested data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn79"><sup><sup>[79]</sup></sup></a> This, however, does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (especially in the financial sector) which may involve examination of electronic evidence. However, that does not mean the end of the road for the Budapest Convention; one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address at least some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option, as this could be an incentive for non-signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.</p>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref1"><sup><sup>[1]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 304.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref2"><sup><sup>[2]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref3"><sup><sup>[3]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref4"><sup><sup>[4]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(3).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref5"><sup><sup>[5]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(2).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref6"><sup><sup>[6]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 251.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref7"><sup><sup>[7]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref8"><sup><sup>[8]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(7).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref9"><sup><sup>[9]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(1).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref10"><sup><sup>[10]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref11"><sup><sup>[11]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(2).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref12"><sup><sup>[12]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref13"><sup><sup>[13]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref14"><sup><sup>[14]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(4)(a).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref15"><sup><sup>[15]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(4)(b).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref16"><sup><sup>[16]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref17"><sup><sup>[17]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref18"><sup><sup>[18]</sup></sup></a> Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “<em>Ne bis in idem</em>”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref19"><sup><sup>[19]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref20"><sup><sup>[20]</sup></sup></a> Pedro Verdelho, <em>Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice</em>, 2008, pg. 5, <a href="https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF">https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF</a>, accessed on March 28, 2019.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref21"><sup><sup>[21]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(8).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref22"><sup><sup>[22]</sup></sup></a> However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further, the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. <em>See</em> para 278 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref23"><sup><sup>[23]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 28.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref24"><sup><sup>[24]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(9)(a) and (b).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref25"><sup><sup>[25]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref26"><sup><sup>[26]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 31.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref27"><sup><sup>[27]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 33.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref28"><sup><sup>[28]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref29"><sup><sup>[29]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 37.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref30"><sup><sup>[30]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 123.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref31"><sup><sup>[31]</sup></sup></a> <em>Ibid</em> at 124.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref32"><sup><sup>[32]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref33"><sup><sup>[33]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref34"><sup><sup>[34]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref35"><sup><sup>[35]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref36"><sup><sup>[36]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(7).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref37"><sup><sup>[37]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 30.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref38"><sup><sup>[38]</sup></sup></a> Anna-Maria Osula, <em>Accessing Extraterritorially Located Data: Options for States</em>, <a href="http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf">http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf</a>, accessed on March 28, 2019.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref39"><sup><sup>[39]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 32.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref40"><sup><sup>[40]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 293.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref41"><sup><sup>[41]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, <em>Transborder access and jurisdiction: What are the options?</em>, December 2012, para 310.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref42"><sup><sup>[42]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref43"><sup><sup>[43]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref44"><sup><sup>[44]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref45"><sup><sup>[45]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref46"><sup><sup>[46]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref47"><sup><sup>[47]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 18.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref48"><sup><sup>[48]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 170.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref49"><sup><sup>[49]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 173.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref50"><sup><sup>[50]</sup></sup></a> Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:</p>
<p>a. the type of communication service used, the technical provisions taken thereto and the period of service;</p>
<p>b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;</p>
<p>c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.”</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref51"><sup><sup>[51]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 173.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref52"><sup><sup>[52]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref53"><sup><sup>[53]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref54"><sup><sup>[54]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref55"><sup><sup>[55]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref56"><sup><sup>[56]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref57"><sup><sup>[57]</sup></sup></a> Situations such as prevention of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref58"><sup><sup>[58]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref59"><sup><sup>[59]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, <em>Criminal justice access to data in the cloud: challenges (Discussion paper)</em>, May 2015, pgs 10-14.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref60"><sup><sup>[60]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref61"><sup><sup>[61]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 35.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref62"><sup><sup>[62]</sup></sup></a> <a href="https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1">https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref63"><sup><sup>[63]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 35.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref64"><sup><sup>[64]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 298.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref65"><sup><sup>[65]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 86.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref66"><sup><sup>[66]</sup></sup></a> Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “<em>Ne bis in idem</em>”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref67"><sup><sup>[67]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 7.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref68"><sup><sup>[68]</sup></sup></a> Giovanni Buttarelli, <em>Fundamental Legal Principles for a Balanced Approach</em>, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at <a href="http://ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf">ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref69"><sup><sup>[69]</sup></sup></a> Situations such as prevention of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref70"><sup><sup>[70]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref71"><sup><sup>[71]</sup></sup></a> <a href="https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1">https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref72"><sup><sup>[72]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 86.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref73"><sup><sup>[73]</sup></sup></a> Dr. Anja Kovacs, <em>India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders</em>, available at <a href="https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/">https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref74"><sup><sup>[74]</sup></sup></a> Alexander Seger, <em>India and the Budapest Convention: Why not?</em>, Digital Debates: The CyFy Journal, Vol III, available at <a href="https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/">https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref75"><sup><sup>[75]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref76"><sup><sup>[76]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref77"><sup><sup>[77]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref78"><sup><sup>[78]</sup></sup></a> <a href="https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/">https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/</a></p>
</div>
<div>
<p style="text-align: justify; "><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref79"><sup><sup>[79]</sup></sup></a> Elonnai Hickok and Vipul Kharbanda, <em>Cross Border Cooperation on Criminal Matters - A perspective from India</em>, available at <a href="https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters">https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention</a>
</p>
No publisher; vipul; International Cooperation, Budapest Convention, Internet Governance, MLAT, Cyber Security, Cyber Crime; 2019-04-29T22:35:37Z; Blog Entry
Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India
http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india
<b>The aim of this policy brief is to recommend changes pertaining to current legislation, policy and practice to the Government of India regarding external vulnerability reporting and disclosure. The changes we recommend within this brief aim to strengthen the processes around voluntary vulnerability and bug disclosure by third parties. </b>
<div> </div>
<div>This is an update to our previously released paper titled "Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India". The full document can be accessed <a href="https://cis-india.org/internet-governance/resources/Improving%20the%20Processes%20for%20Disclosing%20Security%20Vulnerabilities%20to%20Government%20Entities%20in%20India.pdf">here</a>.</div>
<hr width="50%" />
<div> </div>
<div>
<p id="docs-internal-guid-5561d8e6-7fff-16c2-47f6-6fe5dc991e98" dir="ltr">The ubiquitous adoption and integration of information and communication technologies in almost all aspects of modern life makes it increasingly important to ensure the security and integrity of the systems and resources that we rely on. This is even more pressing for the Government, which is stepping up its efforts to digitise the operational infrastructure it relies on, at both the State and the Central level.</p>
<p dir="ltr">This policy brief draws from knowledge that has been gathered from various sources, including information sourced from newspaper and journal articles, current law and policy, as well as from interviews that we conducted with various members of the Indian security community. This policy brief touches upon the issue of vulnerability disclosures, specifically those that are made by individuals to the Government, while exploring prevalent challenges with the same and making recommendations as to how the Government’s vulnerability disclosure processes could potentially be improved.</p>
<br />
<h3 dir="ltr">Key learnings from the research include:</h3>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a noticeable shortcoming in the availability of information with regard to the current vulnerability disclosure programmes and processes of Indian Government entities, which is only exacerbated further by a lack of transparency;</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is an observable gap in the amount and quality of interaction between security researchers and the Government, which is supported by the lack of proper channels for mediating such communication and cooperation;</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are several sections and provisions within the Information Technology Act, 2000, which have the potential to disincentivise legitimate security research, even if the same has been carried out in good faith.</p>
</li></ul>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india'>http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india</a>
</p>
No publisher; Karan Saini, Pranesh Prakash and Elonnai Hickok; Cyber Security, Vulnerability Disclosure; 2019-04-01T12:02:05Z; Blog Entry
Comments on the Draft Second Protocol to the Convention on Cybercrime (Budapest Convention)
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention
<b>Following consultations with data protection, civil society, industry and others, during the Cybercrime Convention Committee (T-CY) meeting from 29 November 2018 onwards, the Cybercrime Convention Committee has sought additional contributions regarding the provisional draft text for a Second Additional Protocol to the Budapest Convention on Cybercrime (“Budapest Convention”).</b>
<p style="text-align: justify; ">The Centre for Internet and Society (“CIS”) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, artificial intelligence, freedom of expression, and cyber-security. This submission is consistent with CIS’ commitment to safeguarding the general public interest and the rights of stakeholders. CIS is thankful to the Cybercrime Convention Committee for this opportunity to provide feedback to the Draft.</p>
<p style="text-align: justify; ">The draft text addresses three issues viz. language of requests, emergency multilateral cooperation and taking statements through video conferencing. Click to download the <a href="http://editors.cis-india.org/internet-governance/comments-on-the-draft-second-protocol-to-the-convention-on-cybercrime-budapest-convention" class="internal-link">entire submission here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention</a>
</p>
No publisher; vipul; Cyber Security, Internet Governance; 2019-02-25T16:48:18Z; Blog Entry
Response to GCSC on Request for Consultation: Norm Package Singapore
http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation
<b>The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call, offering comments on all six norms and proposing two further norms.</b>
<p style="text-align: justify; ">The Global Commission on the Stability of Cyberspace is a multi-stakeholder initiative comprised of eminent individuals from across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.</p>
<p style="text-align: justify; ">The GCSC <a href="https://cyberstability.org/research/singapore_norm_package/">announced the release of its new Norm Package</a> on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace. This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace.</p>
<p style="text-align: justify; ">The norms introduced by the GCSC focus on the following areas:</p>
<ul style="text-align: justify; ">
<li>Norm to Avoid Tampering</li>
<li>Norm Against Commandeering of ICT Devices into Botnets</li>
<li>Norm for States to Create a Vulnerability Equities Process</li>
<li>Norm to Reduce and Mitigate Significant Vulnerabilities</li>
<li>Norm on Basic Cyber Hygiene as Foundational Defense</li>
<li>Norm Against Offensive Cyber Operations by Non-State Actors</li>
</ul>
<p style="text-align: justify; ">The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call, offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.</p>
<hr />
<p style="text-align: justify; "><a href="https://cis-india.org/response-to-gcsc-on-request-for-consultation-norm-package-singapore/at_download/file">Read the full submission here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation'>http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation</a>
</p>
No publisher; Arindrajit Basu, Gurshabad Grover and Elonnai Hickok; Cyber Security, International Relations, Internet Governance; 2019-01-27T15:43:12Z; Blog Entry
Economics of Cybersecurity: Literature Review Compendium
http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity
<b>The twenty-first century has witnessed an unprecedented conflation of everyday experiences and technosocial practices. The emergence of technologies like the Internet of Things, Cloud Computing and Digital Payment infrastructures is emblematic of this conflation of technology with economic, social and political modes of existence.</b>
<hr />
<p style="text-align: justify;" class="moz-quote-pre">Authored by Natallia Khaniejo and edited by Amber Sinha</p>
<hr />
<p style="text-align: justify;" class="moz-quote-pre">Politics and economics are increasingly being amalgamated with cybernetic frameworks, and consequently critical infrastructure has become intrinsically dependent on Information and Communication Technologies (ICTs). The rapid evolution of technological platforms has been accompanied by a concomitant rise in the vulnerabilities that accompany them. Recurrent issues include concerns like network externalities, misaligned incentives and information asymmetries. Malignant actors use these vulnerabilities to breach secure systems, access and sell data, and essentially destabilize cyber and network infrastructures. Given the relative nascence of the realm, establishing regulatory policies without limiting innovation in the space is an additional challenge. The lack of uniform understanding regarding the definition and scope of what can be defined as Cybersecurity also serves as a barrier preventing the implementation of clear guidelines. Furthermore, the contrast between what is convenient and what is ‘sanitary’ in terms of best practices for cyber infrastructures is a constant tussle, with recommendations often being neglected in favor of efficiency. In order to demystify the security space itself and ascertain methods of effective policy implementation, it is essential to take stock of current initiatives being proposed for the development and implementation of cybersecurity best practices, and examine their adequacy in a rapidly evolving technological environment. This literature review attempts to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same.</p>
<p style="text-align: justify;" class="moz-quote-pre">Click on the links below to read the entire story:</p>
<ul>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-i">Economics of Cybersecurity Part I</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-ii">Economics of Cybersecurity Part II</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iii">Economics of Cybersecurity Part III</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iv">Economics of Cybersecurity Part IV</a></li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity'>http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity</a>
</p>
No publisher; Natallia Khaniejo; Cyber Security, Internet Governance; 2021-05-01T06:09:09Z; Blog Entry