The Centre for Internet and Society
http://editors.cis-india.org
International Cooperation in Cybercrime: The Budapest Convention
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention
<b>In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.</b>
<p><a class="external-link" href="http://cis-india.org/internet-governance/files/budapest-convention-paper.pdf"><b>Click to download the file here </b></a></p>
<hr />
<p style="text-align: justify; "><span>However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before. The challenges associated with accessing data across borders in order to fully investigate crimes which may otherwise have no international connection force states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“</span><strong>Budapest</strong><span> </span><strong>Convention</strong><span>”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America, it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn1"><sup><sup>[1]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Extradition</strong></p>
<p style="text-align: justify; ">Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for at least one year.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn2"><sup><sup>[2]</sup></sup></a> In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn3"><sup><sup>[3]</sup></sup></a> Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn4"><sup><sup>[4]</sup></sup></a> The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn5"><sup><sup>[5]</sup></sup></a></p>
<p style="text-align: justify; ">The Convention also recognises the principle of "<em>aut dedere aut judicare</em>" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn6"><sup><sup>[6]</sup></sup></a> then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn7"><sup><sup>[7]</sup></sup></a> The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn8"><sup><sup>[8]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Mutual Assistance Requests</strong></p>
<p style="text-align: justify; ">The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn9"><sup><sup>[9]</sup></sup></a> Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn10"><sup><sup>[10]</sup></sup></a> However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.</p>
<p style="text-align: justify; ">The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn11"><sup><sup>[11]</sup></sup></a> Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn12"><sup><sup>[12]</sup></sup></a></p>
<p style="text-align: justify; ">Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn13"><sup><sup>[13]</sup></sup></a> (ii) the request concerns an offence considered as a political offence by the requested Party;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn14"><sup><sup>[14]</sup></sup></a> or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, <em>ordre public </em>or other essential interests.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn15"><sup><sup>[15]</sup></sup></a> The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn16"><sup><sup>[16]</sup></sup></a> In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn17"><sup><sup>[17]</sup></sup></a></p>
<p style="text-align: justify; ">In practice it has been found that though States refuse requests on a number of grounds,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn18"><sup><sup>[18]</sup></sup></a> some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn19"><sup><sup>[19]</sup></sup></a> A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:</p>
<p style="text-align: justify; ">“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.</p>
<p style="text-align: justify; ">British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.</p>
<p style="text-align: justify; ">Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.</p>
<p style="text-align: justify; ">A.T. was extradited to Norway and prosecuted.”<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn20"><sup><sup>[20]</sup></sup></a></p>
<p style="text-align: justify; ">It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.</p>
<p style="text-align: justify; ">In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn21"><sup><sup>[21]</sup></sup></a> On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn22"><sup><sup>[22]</sup></sup></a> If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn23"><sup><sup>[23]</sup></sup></a></p>
<p style="text-align: justify; ">In the normal course the Convention envisages requests being made and executed through the respective designated central authorities; however, it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even Interpol.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn24"><sup><sup>[24]</sup></sup></a> Even in non-urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn25"><sup><sup>[25]</sup></sup></a></p>
<p style="text-align: justify; ">The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn26"><sup><sup>[26]</sup></sup></a> (ii) provide real time collection of traffic data with specified communications in its territory;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn27"><sup><sup>[27]</sup></sup></a> and (iii) provide real time collection or recording of content data of specified communications.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn28"><sup><sup>[28]</sup></sup></a> The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.</p>
<p style="text-align: justify; ">The procedure for sending mutual assistance requests under the Convention is usually the following:</p>
<ol style="text-align: justify; ">
<li>Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.</li>
<li>Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).</li>
<li>The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.</li>
</ol>
<p style="text-align: justify; "><span>The following procedure is then followed in the corresponding receiving Party:</span></p>
<ol style="text-align: justify; ">
<li>Receipt of the request by the Central Authority.</li>
<li>Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).</li>
<li>Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).</li>
<li>Issuance of a court order (if needed).</li>
<li>Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.</li>
<li>Data obtained is examined against the MLA request, which may entail translation or using a specialist in the language.</li>
<li>The information is then transmitted to requesting State via MLA channels.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn29"><sup><sup>[29]</sup></sup></a></li>
</ol>
<p style="text-align: justify; "><span>In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently investigations) are often abandoned.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn30"><sup><sup>[30]</sup></sup></a><span> Further, the lack of awareness regarding the procedure and applicable legislation of the requested State leads to formal requirements not being met. Requests are often incomplete or too broad, or do not meet legal thresholds or the dual criminality requirement.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn31"><sup><sup>[31]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Preservation Requests</strong></p>
<p style="text-align: justify; ">The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.</p>
<p style="text-align: justify; ">The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn32"><sup><sup>[32]</sup></sup></a> However, in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn33"><sup><sup>[33]</sup></sup></a> In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would be likely to prejudice the sovereignty, security, <em>ordre public </em>or other essential interests of the requested Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn34"><sup><sup>[34]</sup></sup></a></p>
<p style="text-align: justify; ">In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn35"><sup><sup>[35]</sup></sup></a> Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn36"><sup><sup>[36]</sup></sup></a> If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn37"><sup><sup>[37]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Jurisdiction and Access to Stored Data </strong></p>
<p style="text-align: justify; ">The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn38"><sup><sup>[38]</sup></sup></a> The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction: (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn39"><sup><sup>[39]</sup></sup></a> These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state. In fact, if a state were required to take the permission of the state in whose territory the data was physically located even in these situations, it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument.
At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn40"><sup><sup>[40]</sup></sup></a></p>
<p style="text-align: justify; ">Since the language of the Budapest Convention stopped shy of addressing other situations, law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis, risking the privacy rights of individuals and raising concerns regarding national sovereignty.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn41"><sup><sup>[41]</sup></sup></a> It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011, which came out with a Guidance Note clarifying the legal position under Article 32.</p>
<p style="text-align: justify; ">The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn42"><sup><sup>[42]</sup></sup></a> The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn43"><sup><sup>[43]</sup></sup></a> The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn44"><sup><sup>[44]</sup></sup></a></p>
<p style="text-align: justify; ">The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data; they would not own or control the data and therefore cannot give valid consent to share the data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn45"><sup><sup>[45]</sup></sup></a> The Guidance Note also specifies, with respect to the location of the person providing access or consent, that while the standard assumption is that the person would be physically located in the requesting Party, there may be other situations: “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn46"><sup><sup>[46]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Production Order</strong></p>
<p style="text-align: justify; ">A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn47"><sup><sup>[47]</sup></sup></a> It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn48"><sup><sup>[48]</sup></sup></a> Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. 
In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn49"><sup><sup>[49]</sup></sup></a> However subscriber information<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn50"><sup><sup>[50]</sup></sup></a> can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn51"><sup><sup>[51]</sup></sup></a></p>
<p style="text-align: justify; ">Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn52"><sup><sup>[52]</sup></sup></a> Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.</p>
<p style="text-align: justify; ">Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn53"><sup><sup>[53]</sup></sup></a></p>
<p style="text-align: justify; ">The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection to that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn54"><sup><sup>[54]</sup></sup></a> A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn55"><sup><sup>[55]</sup></sup></a> The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn56">[56]</a></sup></sup></p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td colspan="3">
<p align="center"><strong>PRODUCTION ORDER CAN BE SERVED</strong></p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">IF</p>
<p>The criminal justice authority has jurisdiction over the offence</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
<p>The service provider is in possession or control of the subscriber information</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
</td>
</tr>
<tr>
<td>
<p>The service provider is in the territory of the Party</p>
<p>(<em>Article 18(1)(a)</em>)</p>
</td>
<td>
<p>Or</p>
</td>
<td>
<p>A Party considers that a service provider is “offering its services in the territory of the Party” when, for example:</p>
<p>- the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services);</p>
<p>and</p>
<p>- the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party.</p>
<p>(<em>Article 18(1)(b)</em>)</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
</td>
</tr>
<tr>
<td colspan="2">
<p> </p>
</td>
<td>
<p>the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention, are clearly too slow to be a satisfactory long-term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn57"><sup><sup>[57]</sup></sup></a><span> or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn58"><sup><sup>[58]</sup></sup></a><span> Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, especially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn59"><sup><sup>[59]</sup></sup></a><span> and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn60"><sup><sup>[60]</sup></sup></a><span> </span></p>
<p style="text-align: justify; "><strong>Language of Requests</strong></p>
<p style="text-align: justify; ">It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English at least in urgent cases since most States accepted a request in English.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn61"><sup><sup>[61]</sup></sup></a> Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn62"><sup><sup>[62]</sup></sup></a></p>
<p style="text-align: justify; "><strong>24/7 Network</strong></p>
<p style="text-align: justify; ">Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn63"><sup><sup>[63]</sup></sup></a> The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer- or computer-related crimes.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn64"><sup><sup>[64]</sup></sup></a> In practice, however, it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities, leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn65"><sup><sup>[65]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Drawbacks and Improvements</strong></p>
<p style="text-align: justify; ">The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:</p>
<p style="text-align: justify; "><em><span>Weakness and Delays in Mutual Assistance:</span></em> In practice it has been found that though States refuse requests on a number of grounds,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn66"><sup><sup>[66]</sup></sup></a> some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason why police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn67"><sup><sup>[67]</sup></sup></a> The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.</p>
<p style="text-align: justify; "><em><span>Access to data stored outside the territory:</span></em> Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing, with processes of data duplication and delocalisation of data, has added a new dimension to this problem.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn68"><sup><sup>[68]</sup></sup></a> It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn69"><sup><sup>[69]</sup></sup></a> or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn70"><sup><sup>[70]</sup></sup></a> Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.</p>
<p style="text-align: justify; "><em><span>Language of requests:</span></em> The language of requests creates a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment a provisional draft Additional Protocol to address the issue.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn71"><sup><sup>[71]</sup></sup></a></p>
<p style="text-align: justify; "><em><span>Bypassing of 24/7 points of contact:</span></em> Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn72"><sup><sup>[72]</sup></sup></a></p>
<p style="text-align: justify; "><strong>India and the Budapest Convention </strong></p>
<p style="text-align: justify; ">Although countries outside the European Union have the option of signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:</p>
<ul>
<li>India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid, is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties where it had no hand in the initial drafting and negotiations.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn73">[73]</a></sup></sup></li>
<li>Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn74" style="text-align: justify; ">[74]</a></sup></sup></li>
<li>The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn75" style="text-align: justify; ">[75]</a></sup></sup></li>
<li>It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn76" style="text-align: justify; ">[76]</a></sup></sup></li>
<li>Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn77" style="text-align: justify; "><sup><sup>[77]</sup></sup></a></li>
</ul>
<p style="text-align: justify; ">Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn78"><sup><sup>[78]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Conclusion</strong></p>
<p style="text-align: justify; ">The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative, which is the MLAT system, is no better due to delays in providing access to requested data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn79"><sup><sup>[79]</sup></sup></a> This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (especially in the financial sector) which may involve examination of electronic evidence. However, that does not mean the end of the road for the Budapest Convention; one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address at least some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option, as this could be an incentive for non-signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.</p>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref1"><sup><sup>[1]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 304.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref2"><sup><sup>[2]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref3"><sup><sup>[3]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref4"><sup><sup>[4]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(3).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref5"><sup><sup>[5]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(2).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref6"><sup><sup>[6]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 251.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref7"><sup><sup>[7]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref8"><sup><sup>[8]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(7).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref9"><sup><sup>[9]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(1).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref10"><sup><sup>[10]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref11"><sup><sup>[11]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(2).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref12"><sup><sup>[12]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref13"><sup><sup>[13]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref14"><sup><sup>[14]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(4)(a).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref15"><sup><sup>[15]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(4)(b).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref16"><sup><sup>[16]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref17"><sup><sup>[17]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref18"><sup><sup>[18]</sup></sup></a> Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “<em>Ne bis in idem</em>”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref19"><sup><sup>[19]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref20"><sup><sup>[20]</sup></sup></a> Pedro Verdelho, <em>Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice</em>, 2008, pg. 5, <a href="https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF">https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF</a>, accessed on March 28, 2019.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref21"><sup><sup>[21]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(8).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref22"><sup><sup>[22]</sup></sup></a> However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. <em>See</em> para 278 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref23"><sup><sup>[23]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 28.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref24"><sup><sup>[24]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(9)(a) and (b).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref25"><sup><sup>[25]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref26"><sup><sup>[26]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 31.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref27"><sup><sup>[27]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 33.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref28"><sup><sup>[28]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref29"><sup><sup>[29]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 37.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref30"><sup><sup>[30]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 123.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref31"><sup><sup>[31]</sup></sup></a> <em>Ibid</em> at 124.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref32"><sup><sup>[32]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref33"><sup><sup>[33]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref34"><sup><sup>[34]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref35"><sup><sup>[35]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref36"><sup><sup>[36]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(7).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref37"><sup><sup>[37]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 30.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref38"><sup><sup>[38]</sup></sup></a> Anna-Maria Osula, <em>Accessing Extraterritorially Located Data: Options for States</em>, <a href="http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf">http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf</a>, accessed on March 28, 2019.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref39"><sup><sup>[39]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 32.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref40"><sup><sup>[40]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 293.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref41"><sup><sup>[41]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, <em>Transborder access and jurisdiction: What are the options?</em>, December 2012, para 310.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref42"><sup><sup>[42]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref43"><sup><sup>[43]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref44"><sup><sup>[44]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref45"><sup><sup>[45]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref46"><sup><sup>[46]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref47"><sup><sup>[47]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 18.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref48"><sup><sup>[48]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 170.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref49"><sup><sup>[49]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 173.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref50"><sup><sup>[50]</sup></sup></a> Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:</p>
<p>a. the type of communication service used, the technical provisions taken thereto and the period of service;</p>
<p>b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;</p>
<p>c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.”</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref51"><sup><sup>[51]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 173.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref52"><sup><sup>[52]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref53"><sup><sup>[53]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref54"><sup><sup>[54]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref55"><sup><sup>[55]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref56"><sup><sup>[56]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref57"><sup><sup>[57]</sup></sup></a> Situations such as prevention of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref58"><sup><sup>[58]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref59"><sup><sup>[59]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, <em>Criminal justice access to data in the cloud: challenges (Discussion paper)</em>, May 2015, pgs 10-14.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref60"><sup><sup>[60]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref61"><sup><sup>[61]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 35.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref62"><sup><sup>[62]</sup></sup></a> <a href="https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1">https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref63"><sup><sup>[63]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 35.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref64"><sup><sup>[64]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 298.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref65"><sup><sup>[65]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 86.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref66"><sup><sup>[66]</sup></sup></a> Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “<em>Ne bis in idem</em>”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref67"><sup><sup>[67]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 7.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref68"><sup><sup>[68]</sup></sup></a> Giovanni Buttarelli, <em>Fundamental Legal Principles for a Balanced Approach</em>, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at <a href="http://ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf">ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref69"><sup><sup>[69]</sup></sup></a> Situations such as prevention of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref70"><sup><sup>[70]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref71"><sup><sup>[71]</sup></sup></a> <a href="https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1">https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref72"><sup><sup>[72]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 86.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref73"><sup><sup>[73]</sup></sup></a> Dr. Anja Kovacs, <em>India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders</em>, available at <a href="https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/">https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref74"><sup><sup>[74]</sup></sup></a> Alexander Seger, <em>India and the Budapest Convention: Why not?</em>, Digital Debates: The CyFy Journal, Vol III, available at <a href="https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/">https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref75"><sup><sup>[75]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref76"><sup><sup>[76]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref77"><sup><sup>[77]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref78"><sup><sup>[78]</sup></sup></a> <a href="https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/">https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/</a></p>
</div>
<div>
<p style="text-align: justify; "><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref79"><sup><sup>[79]</sup></sup></a> Elonnai Hickok and Vipul Kharbanda, <em>Cross Border Cooperation on Criminal Matters - A perspective from India</em>, available at <a href="https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters">https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention</a>
</p>
No publisher | vipul | International Cooperation, Budapest Convention, Internet Governance, MLAT, Cyber Security, Cyber Crime | 2019-04-29T22:35:37Z | Blog Entry
Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India
http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india
<b>The aim of this policy brief is to recommend changes pertaining to current legislation, policy and practice to the Government of India regarding external vulnerability reporting and disclosure. The changes we recommend within this brief aim to strengthen the processes around voluntary vulnerability and bug disclosure by third parties. </b>
<div> </div>
<div>This is an update to our previously released paper titled "Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India". The full document can be accessed <a href="https://cis-india.org/internet-governance/resources/Improving%20the%20Processes%20for%20Disclosing%20Security%20Vulnerabilities%20to%20Government%20Entities%20in%20India.pdf">here</a>.</div>
<hr width="50%" />
<div> </div>
<div>
<p id="docs-internal-guid-5561d8e6-7fff-16c2-47f6-6fe5dc991e98" dir="ltr">The ubiquitous adoption and integration of information and communication technologies in almost all aspects of modern life raises the importance of ensuring the security and integrity of the systems and resources that we rely on. This is even more pressing for the Government, which is stepping up its efforts to digitise the operational infrastructure it relies on, at both the State and the Central level.</p>
<p dir="ltr">This policy brief draws from knowledge that has been gathered from various sources, including information sourced from newspaper and journal articles, current law and policy, as well as from interviews that we conducted with various members of the Indian security community. This policy brief touches upon the issue of vulnerability disclosures, specifically those that are made by individuals to the Government, while exploring prevalent challenges with the same and making recommendations as to how the Government’s vulnerability disclosure processes could potentially be improved.</p>
<br />
<h3 dir="ltr">Key learnings from the research include:</h3>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a noticeable shortcoming in the availability of information with regard to current vulnerability disclosure programmes and processes of Indian Government entities, which is only exacerbated further by a lack of transparency;</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is an observable gap in the amount and quality of interaction between security researchers and the Government, which is supported by the lack of proper channels for mediating such communication and cooperation;</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are several sections and provisions within the Information Technology Act, 2000, which have the potential to disincentivise legitimate security research, even if the same has been carried out in good faith.</p>
</li></ul>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india'>http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india</a>
</p>
No publisher | Karan Saini, Pranesh Prakash and Elonnai Hickok | Cyber Security, Vulnerability Disclosure | 2019-04-01T12:02:05Z | Blog Entry
Comments on the Draft Second Protocol to the Convention on Cybercrime (Budapest Convention)
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention
<b>Following consultations with data protection, civil society, industry and others, during the Cybercrime Convention Committee (T-CY) meeting from 29 November 2018 onwards, the Cybercrime Convention Committee has sought additional contributions regarding the provisional draft text for a Second Additional Protocol to the Budapest Convention on Cybercrime (“Budapest Convention”).</b>
<p style="text-align: justify; ">The Centre for Internet and Society, (“CIS”), is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, artificial intelligence, freedom of expression, and cyber-security. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the rights of stakeholders. CIS is thankful to the Cybercrime Convention Committee for this opportunity to provide feedback to the Draft.</p>
<p style="text-align: justify; ">The draft text addresses three issues viz. language of requests, emergency multilateral cooperation and taking statements through video conferencing. Click to download the <a href="http://editors.cis-india.org/internet-governance/comments-on-the-draft-second-protocol-to-the-convention-on-cybercrime-budapest-convention" class="internal-link">entire submission here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention</a>
</p>
No publisher | vipul | Cyber Security, Internet Governance | 2019-02-25T16:48:18Z | Blog Entry
Response to GCSC on Request for Consultation: Norm Package Singapore
http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation
<b>The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call, offering comments on all six norms and proposing two further norms.</b>
<p style="text-align: justify; ">The Global Commission on the Stability of Cyberspace is a multi-stakeholder initiative comprising eminent individuals from across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.</p>
<p style="text-align: justify; ">The GCSC <a href="https://cyberstability.org/research/singapore_norm_package/">announced the release of its new Norm Package</a> on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace. This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace.</p>
<p style="text-align: justify; ">The norms introduced by the GCSC focus on the following areas:</p>
<ul style="text-align: justify; ">
<li>Norm to Avoid Tampering</li>
<li>Norm Against Commandeering of ICT Devices into Botnets</li>
<li>Norm for States to Create a Vulnerability Equities Process</li>
<li>Norm to Reduce and Mitigate Significant Vulnerabilities</li>
<li>Norm on Basic Cyber Hygiene as Foundational Defense</li>
<li>Norm Against Offensive Cyber Operations by Non-State Actors</li>
</ul>
<p style="text-align: justify; ">The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call, offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.</p>
<hr />
<p style="text-align: justify; "><a href="https://cis-india.org/response-to-gcsc-on-request-for-consultation-norm-package-singapore/at_download/file">Read the full submission here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation'>http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation</a>
</p>
No publisher | Arindrajit Basu, Gurshabad Grover and Elonnai Hickok | Cyber Security, International Relations, Internet Governance | 2019-01-27T15:43:12Z | Blog Entry
Economics of Cybersecurity: Literature Review Compendium
http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity
<b>The twenty first century has witnessed an unprecedented conflation of everyday experiences and technosocial practices. The emergence of technologies like the Internet of Things, Cloud Computing, Digital Payment infrastructures are all emblematic of this conflation of technology with economic, social and political modes of existence.</b>
<hr />
<p style="text-align: justify;" class="moz-quote-pre">Authored by Natallia Khaniejo and edited by Amber Sinha</p>
<hr />
<p style="text-align: justify;" class="moz-quote-pre">Politics and economics are increasingly being amalgamated with cybernetic frameworks, and consequently critical infrastructure has become intrinsically dependent on Information and Communication Technologies (ICTs). The rapid evolution of technological platforms has been accompanied by a concomitant rise in the vulnerabilities that accompany them. Recurrent issues include concerns like network externalities, misaligned incentives and information asymmetries. Malignant actors use these vulnerabilities to breach secure systems, access and sell data, and essentially destabilize cyber and network infrastructures. Additionally, given the relative nascence of the realm, establishing regulatory policies without limiting innovation in the space is a further challenge. The lack of uniform understanding regarding the definition and scope of what can be defined as cybersecurity also serves as a barrier preventing the implementation of clear guidelines. Furthermore, there is a constant tussle between what is convenient and what is ‘sanitary’ in terms of best practices for cyber infrastructures, with recommendations often being neglected in favor of efficiency. In order to demystify the security space itself and ascertain methods of effective policy implementation, it is essential to take stock of current initiatives being proposed for the development and implementation of cybersecurity best practices, and examine their adequacy in a rapidly evolving technological environment. This literature review attempts to document the various approaches that are being adopted by different stakeholders towards incentivizing cybersecurity and the economic challenges of implementing the same.</p>
<p style="text-align: justify;" class="moz-quote-pre">Click on the below links to read the entire story:</p>
<ul>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-i">Economics of Cybersecurity Part I</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-ii">Economics of Cybersecurity Part II</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iii">Economics of Cybersecurity Part III</a></li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/economics-of-cyber-security-part-iv">Economics of Cybersecurity Part IV</a></li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity'>http://editors.cis-india.org/internet-governance/blog/natalia-khaniejo-december-31-2018-economics-of-cybersecurity</a>
</p>
No publisher | Natallia Khaniejo | Cyber Security, Internet Governance | 2021-05-01T06:09:09Z | Blog Entry
Is the new ‘interception’ order old wine in a new bottle?
http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle
<b>The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.</b>
<p style="text-align: justify; ">An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in <a class="external-link" href="https://www.newslaundry.com/2018/12/27/is-the-new-interception-order-old-wine-in-a-new-bottle">Newslaundry.com</a> on December 27, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">On December 20, 2018, through an <a href="http://egazette.nic.in/WriteReadData/2018/194066.pdf" target="_blank">order</a> issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.</p>
<p style="text-align: justify; ">On December 21, the Press Information Bureau published a <a href="http://www.pib.nic.in/PressReleseDetail.aspx?utm_campaign=fullarticle&utm_medium=referral&PRID=1556945" target="_blank">press release</a> providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” exist in the IT Act and in the Telegraph Act to regulate these agencies’ powers.</p>
<p style="text-align: justify; ">Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.</p>
<p style="text-align: justify; ">As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.</p>
<p style="text-align: justify; ">When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.</p>
<p style="text-align: justify; ">- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.</p>
<p style="text-align: justify; ">- Condition 42 of the <a href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf" target="_blank">Unified Licence for Access Services</a>, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.</p>
<p style="text-align: justify; ">- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.</p>
<p style="text-align: justify; ">- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.</p>
<p style="text-align: justify; ">- Section 92 of the CrPC allows for a Magistrate or Court to order access to call record details.</p>
<p style="text-align: justify; ">Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety, while the IT Act permits interception, monitoring, and decryption for preventing incitement to the commission of any cognizable offence relating to the above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4, <a href="https://mha.gov.in/MHA1/Par2017/pdfs/par2013-pdfs/ls-110214/294.pdf" target="_blank">nine Central Government agencies and one State Government agency</a> have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:</p>
<p style="text-align: justify; ">- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.</p>
<p style="text-align: justify; ">- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.</p>
<p style="text-align: justify; ">That said, the <a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009" target="_blank">IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009</a> under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government <a href="http://meity.gov.in/writereaddata/files/69B%20Notification%20-April%202016.pdf" target="_blank">authorised</a> the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.</p>
<p style="text-align: justify; ">While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are <a href="https://thewire.in/government/narendra-modi-snooping-it-act-home-ministry" target="_blank">constitutionally</a> valid, the lack of <a href="https://cis-india.org/internet-governance/blog/transparency-in-surveillance" target="_blank">transparency</a> by the government and the prohibition of transparency by service providers, <a href="https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations" target="_blank">heavy-handed</a> penalties on service providers for non-compliance, and a lack of legal backing and <a href="https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance" target="_blank">oversight</a> mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to which intelligence agencies in India are vested with powers under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1).</p>
<p style="text-align: justify; ">The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On <a href="https://barandbench.com/ministry-of-home-affairs-surveillance-order-challenged-in-supreme-court/" target="_blank">December 24</a>, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.</p>
<p style="text-align: justify; ">But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle'>http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle</a>
</p>
No publisher
Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare
IT Act, Privacy, Internet Governance, Cyber Security, Information Technology
2018-12-29T16:02:00Z
Blog Entry
India-China Tech Forum 2018
http://editors.cis-india.org/internet-governance/news/india-china-tech-forum
<b>Arindrajit Basu spoke at the India-China Tech Forum 2018 organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies, Mumbai on December 11 - 12, 2018. The event functioned as a bi-annual dialogue that fosters co-operation in this space between the two countries.</b>
<p class="moz-quote-pre" style="text-align: justify; ">Arindrajit spoke on the panel 'India, China and the future of cyber norms' along with Saravjit Singh, Liu Ke and Weng Wejia. This was a closed door discussion under Chatham House rules. Click <a class="external-link" href="http://cis-india.org/internet-governance/files/india-china-tech-forum-2018">here</a> to read the agenda.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/india-china-tech-forum'>http://editors.cis-india.org/internet-governance/news/india-china-tech-forum</a>
</p>
No publisher
Admin
Cyber Security, Internet Governance
2018-12-26T15:32:20Z
News Item
Private-public partnership for cyber security
http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-hindu-businessline-december-24-2018-private-public-partnership-for-cyber-security
<b>Given the decentralised nature of cyberspace, the private sector will have to play a vital role in enforcing rules for security. </b>
<p style="text-align: justify; ">The article by Arindrajit Basu was published in <a class="external-link" href="https://www.thehindubusinessline.com/opinion/private-public-partnership-for-cyber-security/article25821899.ece">Hindu Businessline</a> on December 24, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">On November 11, 2018, as 70 world leaders gathered in Paris to commemorate the countless lives lost in World War I, French President Emmanuel Macron inaugurated the Paris Peace Forum with a fiery speech denouncing nationalism and urging global leaders to pursue peace and stability through multilateral initiatives.</p>
<p style="text-align: justify; ">In many ways, it echoed US President Woodrow Wilson’s monumental speech delivered at the US Senate a century ago in which he outlined 14 points on the principles for peace post World War I. As history unkindly reminds us through the catastrophic realities of World War II, Wilson’s principles went on to be sacrificed at the altar of national self-interest and inadequate multilateral enforcement.</p>
<p style="text-align: justify; ">President Macron’s first initiative for global peace, the Paris Call for Trust and Security in Cyber Space, was unveiled on November 12 at the UNESCO Internet Governance Forum, which was also taking place in Paris. The call was endorsed by over 50 states, 200 private sector entities, including Indian business guilds such as FICCI and the Mobile Association of India, and over 100 organisations from civil society and academia from all over the globe. The text essentially comprises a set of high-level principles that seek to prevent the weaponisation of cyberspace and promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace.</p>
<h2 style="text-align: justify; ">Need for private participation</h2>
<p style="text-align: justify; ">Given the increasing exploitation of the internet for reaping offensive dividends by state and non-state actors alike and the prevailing roadblocks in the multilateral cyber norms formulation process, Macron’s efforts are perhaps of Wilsonian proportions.</p>
<p style="text-align: justify; ">A key difference, however, was that Macron’s efforts were devised hand-in-glove with Microsoft — one of the most powerful and influential private sector actors of our time. Microsoft’s involvement is unsurprising given that private entities have become a critical component of the global cybersecurity landscape and governments need to start thinking about how to optimise their participation in this process.</p>
<p style="text-align: justify; ">Indeed, one of the defining features of cyberspace is its incompatibility with state-centric ‘command and control’ formulae that lead to the ordering of other global security regimes — such as nuclear non-proliferation. The decentralised nature of cyberspace means that private sector actors play a vital role in implementing the rules designed to secure cyberspace.</p>
<p style="text-align: justify; ">Simultaneously, private actors such as Microsoft have recognised the utility of clearly defined ‘rules of the road’ which ensure certainty and stability in cyberspace and ensure its trustworthiness among global customers.</p>
<h2 style="text-align: justify; ">Normative deadlock</h2>
<p style="text-align: justify; ">There have been multiple gambits to develop universal norms of responsible state behaviour to foster cyber stability. The United Nations-Group of Governmental Experts (UN-GGE) has been constituted five times now and will meet again in January 2019.</p>
<p style="text-align: justify; ">While the third and fourth GGEs in 2013 and 2015 respectively made some progress towards agreeing on some baseline principles, the fifth GGE broke down due to opposition from states including Russia, China and Cuba on the application of specific principles of international law to cyberspace.</p>
<p style="text-align: justify; ">This was an extension of a long-running ‘Cold War’ like divide among states at the United Nations. The US along with its NATO allies believe in creating voluntary non-binding norms for cybersecurity through the application of international law in its entirety while Russia, China and its allies in the Shanghai Co-operation Organization (SCO) reject the premise that international law applies in its entirety and call for the negotiation of an independent treaty for cyberspace that lays down binding obligations on states.</p>
<h2 style="text-align: justify; ">Critical role</h2>
<p style="text-align: justify; ">The private sector has begun to play a critical role in breaking this deadlock. Recent history is testament to catalytic roles played by non-state actors in cementing global co-operative regimes.</p>
<p style="text-align: justify; ">For example, Dupont — the world’s leading ChloroFluoroCarbon (CFC) producer — played a leading role in the 1970s and 1980s towards the development of The Montreal Protocol on Substances that Deplete the Ozone Layer and gained positive recognition for its efforts.</p>
<p style="text-align: justify; ">Another example is the International Committee of the Red Cross (ICRC), a non-governmental organisation that played a crucial role in the development of the Geneva Conventions and their Additional Protocols, which regulate the conduct of atrocities in warfare, by preparing initial drafts of the treaties and circulating them to key government players.</p>
<p style="text-align: justify; ">Similarly, in cyberspace, Microsoft’s Digital Geneva Convention, which devised a set of rules to protect civilian use of the internet, was put forward by Chief Legal Officer Brad Smith two months before the fifth GGE met in 2017.</p>
<p style="text-align: justify; ">Despite the breakdown at the UN-GGE, Microsoft pushed on with the Tech Accords — a public commitment made by (as of today) 69 companies “agreeing to defend all customers everywhere from malicious attacks by cyber-criminal enterprises and nation-states.”</p>
<p style="text-align: justify; ">Much like the ICRC, Microsoft leads commendable diplomatic efforts with the Paris Call as they reached out to states, civil society actors and corporations for their endorsement.</p>
<h2 style="text-align: justify; ">Looking Forward</h2>
<p style="text-align: justify; ">Private sector-led normative efforts towards securing cyberspace are redundant unless three key recommendations are acted upon. The first is the adoption of best practices at the organisational level through the implementation of robust cyber defense mechanisms, the detection and mitigation of vulnerabilities, and breach notifications to both consumers and the government.</p>
<p style="text-align: justify; ">The second is the development of mechanisms that enable direct co-operation between governments and private actors at the domestic level. In India, a Joint Working Group between the Data Security Council of India (DSCI) and the National Security Council Secretariat (NSCS) was set up in 2012 to explore a Private Public Partnership on cyber-security in India, which has great potential but is yet to report any tangible outcomes.</p>
<p style="text-align: justify; ">The third and final point is the recognition that their efforts need to result in a plurality of states coming to the negotiating table. The absence of the US, China and Russia from the Paris Call is eerily reminiscent of the lack of US participation in Woodrow Wilson’s League of Nations, which was one of the reasons for its ultimate failure.</p>
<p style="text-align: justify; ">Microsoft needs to keep on calling with Paris but Beijing, Washington and Alibaba need to pick up.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-hindu-businessline-december-24-2018-private-public-partnership-for-cyber-security'>http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-hindu-businessline-december-24-2018-private-public-partnership-for-cyber-security</a>
</p>
No publisher
basu
Cyber Security, Internet Governance
2018-12-26T15:02:21Z
Blog Entry
Mapping cybersecurity in India: An infographic
http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-karan-saini-aayush-rathi-and-swaraj-paul-barooah-december-23-mapping-cyber-security-in-india-infographic
<b>This infographic maps the key stakeholders, areas of focus and threat vectors that impact cybersecurity policy in India. Broadly, policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem. The infographic therefore serves as a ready reference point for the research that we have done and hope to continue through our cybersecurity work at CIS.</b>
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/copy_of_Infographic.png/@@images/e6749a54-8ea1-43d6-906c-224db9773dbe.png" alt="Infographic" class="image-inline" title="Infographic" /></p>
<hr />
<p style="text-align: center; "><i>Infographic designed by Saumyaa Naidu</i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-karan-saini-aayush-rathi-and-swaraj-paul-barooah-december-23-mapping-cyber-security-in-india-infographic'>http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-karan-saini-aayush-rathi-and-swaraj-paul-barooah-december-23-mapping-cyber-security-in-india-infographic</a>
</p>
No publisher
Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah
Cyber Security, Internet Governance
2018-12-23T16:57:24Z
Blog Entry
European E-Evidence Proposal and Indian Law
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law
<b>In April of 2018, the European Union issued the proposal for a new regime dealing with cross border sharing of data and information by issuing two draft instruments, an E-evidence Regulation (“Regulation”) and an E-evidence Directive (“Directive”), (together the “E-evidence Proposal”). The Regulation is a direction to states to put in place the proper legislative and regulatory machinery for the implementation of this regime while the Directive requires the states to enact laws governing service providers so that they would comply with the proposed regime.</b>
<p style="text-align: justify; ">The main feature of the E-evidence Proposal is twofold: (i) establishment of a legal regime whereunder competent authorities can issue European Production Orders (<b>EPOs</b>) and European Preservation Orders (<b>EPROs</b>) to entities in any other EU member country (together the “<b>Data Orders</b>”); and (ii) an obligation on service providers offering services in any of the EU member countries to designate legal representatives who will be responsible for receiving the Data Orders, irrespective of whether such entity has an actual physical establishment in any EU member country.</p>
<p style="text-align: justify; ">In this article we will briefly discuss the framework that has been proposed under the two instruments and then discuss how service providers based in India whose services are also available in Europe would be affected by these proposals. The authors would like to make it clear that this article is not intended to be an analysis of the E-evidence Proposal and therefore shall not attempt to bring out the shortcomings of the proposed European regime, except insofar as such shortcomings may affect the service providers located in India being discussed in the second part of the article.</p>
<p><b>Part I - E-evidence Directive and Regulation </b></p>
<p style="text-align: justify; ">The E-evidence Proposal introduces the concept of binding EPOs and EPROs. Both Data Orders need to be issued or validated by a judicial authority in the issuing EU member country. A Data Order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that is necessary as evidence in criminal investigations or a criminal proceeding. Such Data Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing country. Both Data Orders can be served on entities offering services such as electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries. Thus companies such as Big Rock (domain name registry), Ferns n Petals (online marketplace providing services in Europe), Hike (social networking and chatting), etc. or any website which has a subscription based model and allows access to subscribers in Europe would potentially be covered by the E-evidence Proposal. The EPRO, similarly to the EPO, is addressed to the legal representative outside of the issuing country’s jurisdiction to preserve the data in view of a subsequent request to produce such data, which request may be issued through MLA channels in case of third countries or via a European Investigation Order (EIO) between EU member countries. 
Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this proposal, the EPRO is an order issued or validated by a judicial authority in a concrete criminal proceeding after an individual evaluation of the proportionality and necessity in every single case.<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a> Like the EPO, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The EPRO only allows preserving data that is already stored at the time of receipt of the order, not the access to data at a future point in time after the receipt of the EPRO.</p>
<p style="text-align: justify; ">While EPOs to produce subscriber data<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> and access data<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a> can be issued for any criminal offence, an EPO for content data<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a> and transactional data<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a> may only be issued by a judge, a court or an investigating judge competent in the case. In case the EPO is issued by any other authority (which is competent to issue such an order in the issuing country), such an EPO has to be validated by a judge, a court or an investigating judge. In case of an EPO for subscriber data and access data, the EPO may also be validated by a prosecutor in the issuing country.</p>
<p style="text-align: justify; ">To reduce obstacles to the enforcement of the EPOs, the Directive makes it mandatory for service providers to designate a legal representative in the European Union to receive, comply with and enforce Data Orders. The obligation of designating a legal representative for all service providers that are operating in the European Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.</p>
<p><i><span>Grounds on which EPOs can be issued</span></i></p>
<p style="text-align: justify; ">The grounds on which Data Orders may be issued are contained in Articles 5 and 6 of the Regulation, which make it very clear that a Data Order may only be issued if it is necessary and proportionate for the purposes of a criminal proceeding. The Regulation further specifies that an EPO may only be issued by a member country if a similar domestic order could be issued by the issuing state in a comparable situation. By using this device of linking the grounds to domestic law, the Regulation tries to skirt around the thorny issue of when and on what basis an EPO may be issued. The Regulation also assigns greater weight (in terms of privacy) to transactional and content data as opposed to subscriber and access data and subjects the production and preservation of the former to stricter requirements. Therefore, while Data Orders for access and subscriber data may be issued for any criminal offence, orders for transactional and content data can only be issued in case of criminal offences providing for a maximum punishment of at least 3 years. In addition to that, EPOs for producing transactional or content data can also be issued for offences specifically listed in Article 5(4) of the Regulation. These offences have been specifically provided for since evidence for such cases would typically be available mostly only in electronic form. This is the justification for the application of the Regulation also in cases where the maximum custodial sentence is less than three years; otherwise it would become extremely difficult to secure convictions in those offences.<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></p>
<p style="text-align: justify; ">The Regulation also requires the issuing authority to take into account potential immunities and privileges under the law of the member country in which the service provider is being served the EPO, as well as any impact the EPO may have on fundamental interests of that member country such as national security and defence. The aim of this provision is to ensure that such immunities and privileges which protect the data sought are respected, in particular where they provide for a higher protection than the law of the issuing member country. In such situations the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State concerned, either directly or via Eurojust or the European Judicial Network.”</p>
<p><i><span>Grounds to Challenge EPOs</span></i></p>
<p style="text-align: justify; ">Service Providers have been given the option to object to Data Orders on certain limited grounds specified in the Regulation such as, if it was not issued by a proper issuing authority, if the provider cannot comply because of a <i>de facto</i> impossibility or <i>force majeure</i>, if the data requested is not stored with the service provider or pertains to a person who is not the customer of the service provider.<a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a> In all such cases the service provider has to inform the issuing authority of the reasons for the inability to provide the information in the specified form. Further, in the event that the service provider refuses to provide the information on the grounds that it is apparent that the EPO “manifestly violates” the Charter of Fundamental Rights of the European Union or is “manifestly abusive”, the service provider shall send the information in specified Form to the competent authority in the member state in which the Order has been received. The competent authority shall then seek clarification from the issuing authority through Eurojust or via the European Judicial Network.<a href="#_ftn8" name="_ftnref8"><sup><sup>[8]</sup></sup></a></p>
<p style="text-align: justify; ">If the issuing authority is not satisfied by the reasons given and the service provider still refuses to provide the information requested, the issuing authority may transfer the EPO Certificate, along with the reasons given by the service provider for non-compliance, to the enforcing authority in the addressee country. The enforcing authority shall then proceed to enforce the Order, unless it considers that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence; or the data cannot be provided due to one of the following reasons:</p>
<p>(a) the European Production Order has not been issued or validated by an issuing authority as provided for in Article 4;</p>
<p>(b) the European Production Order has not been issued for an offence provided for by Article 5(4);</p>
<p>(c) the addressee could not comply with the EPOC because of de facto impossibility or force majeure, or because the EPOC contains manifest errors;</p>
<p>(d) the European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of EPOC;</p>
<p>(e) the service is not covered by this Regulation;</p>
<p>(f) based on the sole information contained in the EPOC, it is apparent that it manifestly violates the Charter or that it is manifestly abusive.</p>
<p style="text-align: justify; ">In addition to the above mechanism the service provider may refuse to comply with an EPO on the ground that disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request a review of the order by a court in the member country. If the court concludes that a conflict as claimed by the service provider exists, the court shall notify authorities in the third-party country and if that third-party country objects to execution of the EPO, the court must set it aside.<a href="#_ftn9" name="_ftnref9"><sup><sup>[9]</sup></sup></a></p>
<p style="text-align: justify; ">A service provider may also refuse to comply with an order because it would force the service provider to violate a third-country law that protects interests <i>other than</i> fundamental rights or national security and defense. In such cases, the Regulation provides that the same procedure be followed as in case of law protecting fundamental rights or national security and defense, except that in this case the court, rather than notifying the foreign authorities, shall itself conduct a detailed analysis of the facts and circumstances to decide whether to enforce the order.<a href="#_ftn10" name="_ftnref10"><sup><sup>[10]</sup></sup></a></p>
<p><i><span>Service Provider “Offering Services in the Union”</span></i></p>
<p style="text-align: justify; ">As is clear from the discussion above, the proposed regime puts an obligation on service providers offering services in the Union to designate a legal representative in the European Union, whether the service provider is physically located in the European Union or not. This appears to be a fairly onerous obligation for small technology companies which may involve a significant cost to appoint and maintain a legal representative in the European Union, especially if the service provider is not located in the EU. Therefore the question arises as to which service providers would be covered by this obligation and the answer to that question lies in the definitions of the terms “service provider” and “offering services in the Union”.</p>
<p>The term service provider has been defined in Article 2(2) of the Directive as follows:</p>
<p>“‘service provider’ means any natural or legal person that provides one or more of the following categories of services:</p>
<p>(a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];<a href="#_ftn11" name="_ftnref11"><sup><sup>[11]</sup></sup></a></p>
<p style="text-align: justify; ">(b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council<a href="#_ftn12" name="_ftnref12"><sup><sup>[12]</sup></sup></a> for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;</p>
<p>(c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;”</p>
<p style="text-align: justify; ">Thus broadly speaking the service providers covered by the Regulation would include providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. An important qualification that has been added in the definition is that it covers only those services where “storage of data is a defining component of the service”. Therefore, services for which the storage of data is not a defining component are not covered by the proposal. The Regulation also recognizes that most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance; and therefore it specifically provides that services for which the storage of data is not a <i>main characteristic</i> and is thus only of an ancillary nature would not be covered, including legal, architectural, engineering and accounting services provided online at a distance.<a href="#_ftn13" name="_ftnref13"><sup><sup>[13]</sup></sup></a></p>
<p style="text-align: justify; ">This does not mean that all such service providers offering the type of services in which data storage is the main characteristic, in the EU, would be covered by the Directive. The term “offering services in the Union” has been defined in Article 2(3) of the Directive as follows:</p>
<p>“‘offering services in the Union’ means:</p>
<p>(a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and</p>
<p>(b) having a substantial connection to the Member State(s) referred to in point (a);”</p>
<p style="text-align: justify; ">Clause (b) of the definition is the main qualifying factor which would ensure that only those entities whose offering of services has a “substantial connection” with the member countries of the EU would be covered by the Directive. The Regulation recognizes that mere accessibility of the service (which could also be achieved through mere accessibility of the service provider’s or an intermediary’s website in the EU) should not be a sufficient condition for the application of such an onerous condition and therefore the concept of a “substantial connection” was inserted to ascertain a sufficient relationship between the provider and the territory where it is offering its services. In the absence of a permanent establishment in an EU member country, such a “substantial connection” may be said to exist if there are a significant number of users in one or more EU member countries, or the “targeting of activities” towards one or more EU member countries. The “targeting of activities” may be determined based on various circumstances, such as the use of a language or a currency generally used in an EU member country, the availability of an app in the relevant national app store, providing local advertising or advertising in the language used in an EU member country, making use of any information originating from persons in EU member countries in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in EU member countries. A substantial connection can also be assumed where a service provider directs its activities towards one or more EU member countries as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.<a href="#_ftn14" name="_ftnref14"><sup><sup>[14]</sup></sup></a></p>
<p><b>Part II - EU Directive and Service Providers located in India</b></p>
<p style="text-align: justify; ">In this part of the article we will discuss how companies based in India and running websites providing any “service” such as social networking or subscription based video streaming (for example Hike, AltBalaji or Hotstar) would be affected by the E-evidence Proposal. At first glance a website providing a video streaming service may not appear to be covered by the E-evidence Proposal since one would assume that there may not be any storage of data. But if it is a service which allows users to open personal accounts (with personal and possibly financial details such as in the case of TVF, AltBalaji or Hotstar) and uses their online behaviour to push relevant material and advertisements to their accounts, whether that would make the storage of data a defining component of the website’s services as contemplated under the proposal is a question that may not be easy to answer.</p>
<p style="text-align: justify; ">Even if it is assumed that the services of an Indian company can be classified as information society services for which the storage of data is a defining component, that by itself would not be sufficient to make the E-evidence Proposal applicable to it. The services of an Indian company would still need to have a “substantial connection” with an EU member country. As discussed above, this substantial connection may be said to exist based on the existence of (i) a significant number of users in one or more EU member countries, or (ii) the “targeting of activities” towards one or more EU member countries. The determination of whether a service provider is targeting its services towards an EU member country is to be made based on a number of factors listed above and is a subjective determination with certain guiding factors.</p>
<p style="text-align: justify; ">There does not seem to be clarity, however, on what would constitute a significant number of users and whether this determination is to be based upon the total number of users in an EU member country as a proportion of the population of the country or as a proportion of the total number of customers the service provider has worldwide. To explain this further let us assume that an Indian company such as Hotstar has a total user base of 100 million customers.<a href="#_ftn15" name="_ftnref15"><sup><sup>[15]</sup></sup></a> If there is a situation where 10 million of these 100 million subscribers are located in countries other than India, out of which there are about 40 thousand customers in France and another 40 thousand in Malta, then it would lead to some interesting analysis. Now 40 thousand customers in a customer base of 100 million is 0.04% of the total customer base of the service provider, which generally speaking would not constitute a “significant number”. However, if we reckon the 40 thousand customers from the point of view of the total population of the country of Malta, which is approximately 4.75 Lakh,<a href="#_ftn16" name="_ftnref16"><sup><sup>[16]</sup></sup></a> it would mean approx. 8.4% of the total population of Malta. It is unlikely that any service affecting almost a tenth of the population of the entire country can be labeled as not having a significant number of users in Malta. If the same math is done on the population of a country such as France, which has a population of approx. 67.3 million,<a href="#_ftn17" name="_ftnref17"><sup><sup>[17]</sup></sup></a> then the figure would be 0.05% of the total population; would that constitute a significant number as per the E-evidence Proposal?</p>
<p style="text-align: justify; ">The issues discussed above are very important for any service provider, especially a small or medium sized company, since the determination of whether the E-evidence Proposal applies to them or not, apart from any potential legal implications, imposes a direct economic cost for designating a legal representative in an EU member country. Keeping in mind this economic burden and how it might affect the budget of smaller companies, the Explanatory Memorandum to the Regulation clarifies that this legal representative could be a third party, which could be shared between several service providers, and further the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or e-Privacy representatives in addition to the legal representative provided for by the E-evidence Directive).<a href="#_ftn18" name="_ftnref18"><sup><sup>[18]</sup></sup></a></p>
<p style="text-align: justify; ">In case all the above issues are determined to be in favour of the E-evidence Directive being applicable to an Indian company and the company designates a legal representative in an EU member country, then it remains to be seen how Indian laws relating to data protection would interact with the obligations of the Indian company under the E-evidence Directive. As per Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“<b>SPDI Rules</b>”) service providers are not allowed to disclose sensitive personal data or information except with the prior permission of the provider of the information, except for disclosure to mandated government agencies. The Rule provides that “the information shall be shared, without obtaining prior consent from provider of information, with <i>Government agencies mandated under the law</i> to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences….”. Although the term “government agency mandated under law” has not been defined in the SPDI Rules, the term “law” has been defined in the Information Technology Act, 2000 (“<b>IT Act</b>”) as under:</p>
<p>“’law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, byelaws and orders issued or made thereunder;”<a href="#_ftn19" name="_ftnref19"><sup><sup>[19]</sup></sup></a></p>
<p style="text-align: justify; ">Since the SPDI Rules are issued under the IT Act, the term “law” as used in the SPDI Rules would have to be read as defined in the IT Act (unless a court holds to the contrary). This would mean that Rule 6 of the SPDI Rules only recognises government agencies mandated under Indian law and therefore information cannot be disclosed to agencies not recognised by Indian law. In such a scenario an Indian company may not have any option except to raise an objection and challenge an EPO issued to it on the grounds provided in Article 16 of the Regulation, which process itself could mean a significant expenditure on the part of such a company.</p>
<p><b>Conclusion</b></p>
<p style="text-align: justify; ">The framework sought to be established by the European Union through the E-evidence Proposal seeks to establish a regime different from those favoured by countries such as the United States which favours Mutual Agreements with (presumably) key nations or the push for data localisation being favoured by countries such as India, to streamline the process of access to digital data. Since the regime put forth by the EU is still only at the proposal stage, there may yet be changes which could clarify the regime significantly. However, as things stand Indian companies may be affected by the E-evidence Proposal in the following ways:</p>
<ul>
<li style="text-align: justify; ">Companies offering services outside India may inadvertently trigger obligations under the E-evidence Proposal if their services have a substantial connection with any of the member states of the European Union;</li>
<li>Indian companies offering services overseas will have to make an internal determination as to whether the E-evidence Proposal applies to them or not;</li>
<li style="text-align: justify; ">In case of Indian companies which come under the E-evidence Proposal, they would be obligated to designate a legal representative in an EU member state for receiving and executing Data Orders as per the E-evidence Proposal.</li>
<li style="text-align: justify; ">If a legal representative is designated by the Indian company, it may have to incur significant costs on maintaining a legal representative, especially in a situation where it has to object to the implementation of an EPO. The company would also have to coordinate with the legal representative to adequately put forth its (Indian law related) concerns before the competent authority so that it is not forced to fall foul of its legal obligations in either jurisdiction. The extent to which legal representatives appointed by Indian companies could challenge or push back against requests received is also unclear.</li>
</ul>
<p style="text-align: justify; "><span>Disclaimer</span>: The author of this Article is an Indian trained lawyer and not an expert on European law. The author would like to apologise for any incorrect analysis of European law that may have crept into this article despite best efforts.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1"><sup><sup>[1]</sup></sup></a> Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 4, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN</a>.</p>
<p><a href="#_ftnref2" name="_ftn2"><sup><sup>[2]</sup></sup></a> Subscriber data means data which is used to identify the user and has been defined in Article 2 (7) as follows:</p>
<p>“‘subscriber data’ means any data pertaining to:</p>
<p>(a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email;</p>
<p>(b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user;”</p>
<p><a href="#_ftnref3" name="_ftn3"><sup><sup>[3]</sup></sup></a> The term access data has been defined in Article 2(8) as follows:</p>
<p>“‘access data’ means data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID. This includes electronic communications metadata as defined in point (g) of Article 4(3) of Regulation concerning the respect for private life and the protection of personal data in electronic communications;”</p>
<p><a href="#_ftnref4" name="_ftn4"><sup><sup>[4]</sup></sup></a> The term content data has been defined in Article 2 (10) as follows:</p>
<p>“‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data;”</p>
<p><a href="#_ftnref5" name="_ftn5"><sup><sup>[5]</sup></sup></a> The term transactional data has been defined in Article 2(9) as follows:</p>
<p>“‘transactional data’ means data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitutes access data. This includes electronic communications metadata as defined in point (g) of Article 4(3) of [Regulation concerning the respect for private life and the protection of personal data in electronic communications];”</p>
<p><a href="#_ftnref6" name="_ftn6"><sup><sup>[6]</sup></sup></a> Explanatory Memorandum to the Proposal for Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, Pg. 17, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN</a>.</p>
<p><a href="#_ftnref7" name="_ftn7"><sup><sup>[7]</sup></sup></a> Articles 9(4) and 10(5) of the Regulation.</p>
<p><a href="#_ftnref8" name="_ftn8"><sup><sup>[8]</sup></sup></a> Article 10(5) of the Regulation.</p>
<p><a href="#_ftnref9" name="_ftn9"><sup><sup>[9]</sup></sup></a> Article 15 of the Regulation.</p>
<p><a href="#_ftnref10" name="_ftn10"><sup><sup>[10]</sup></sup></a> Article 16 of the Regulation. Also see <a href="https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/">https://www.insideprivacy.com/uncategorized/eu-releases-e-evidence-proposal-for-cross-border-data-access/</a>.</p>
<p><a href="#_ftnref11" name="_ftn11"><sup><sup>[11]</sup></sup></a> Article 2(4) of the Directive establishing European Electronic Communications Code provides as under:</p>
<p>‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses 'internet access service' as defined in Article 2(2) of Regulation (EU) 2015/2120; and/or 'interpersonal communications service'; and/or services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;”</p>
<p><a href="#_ftnref12" name="_ftn12"><sup><sup>[12]</sup></sup></a> Information Society Services have been defined in the Directive specified as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”</p>
<p><a href="#_ftnref13" name="_ftn13"><sup><sup>[13]</sup></sup></a> Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 8, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN</a>.</p>
<p><a href="#_ftnref14" name="_ftn14"><sup><sup>[14]</sup></sup></a> Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 9, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN</a>.</p>
<p><a href="#_ftnref15" name="_ftn15"><sup><sup>[15]</sup></sup></a> Hotstar already has an active customer base of 75 million, as of December, 2017; <a href="https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500">https://telecom.economictimes.indiatimes.com/news/netflix-restricted-to-premium-subscribers-hotstar-leads-indian-ott-content-market/62351500</a></p>
<p><a href="#_ftnref16" name="_ftn16"><sup><sup>[16]</sup></sup></a> <a href="https://en.wikipedia.org/wiki/Malta">https://en.wikipedia.org/wiki/Malta</a></p>
<p><a href="#_ftnref17" name="_ftn17"><sup><sup>[17]</sup></sup></a> <a href="https://en.wikipedia.org/wiki/France">https://en.wikipedia.org/wiki/France</a></p>
<p><a href="#_ftnref18" name="_ftn18"><sup><sup>[18]</sup></sup></a> Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, Pg 5, available at <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0226&from=EN</a>.</p>
<p><a href="#_ftnref19" name="_ftn19"><sup><sup>[19]</sup></sup></a> Section 2(y) of the Information Technology Act, 2000.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-december-23-2018-european-e-evidence-proposal-and-indian-law</a>
</p>
No publisher | vipul | Cyber Security | Internet Governance | 2018-12-23T16:45:02Z | Blog Entry
A Critical Look at the Visual Representation of Cybersecurity
http://editors.cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu
<b>The Centre for Internet and Society and design collective Design Beku came together on the 15th of November for a workshop on Illustrations and Visual Representations of Cybersecurity. Images in the public sphere, such as visuals in the media, Wikipedia commons, and stock images, play a vital role in the public’s perception of cybercrime and cybersecurity. </b>
<ul>
<li>Edited by Karan Saini / Illustrations by Paul Anthony George and Roshan Shakeel</li></ul>
<ul>
<li>Download the <a class="external-link" href="https://cis-india.org/internet-governance/files/critical-look-at-visual-representation-of-cybersecurity/">file here</a></li></ul>
<hr />
<p style="text-align: justify;">The existing imagery largely comprises stereotypical images: silhouettes of men in hoodies, binary codes, locks and shields, all in dark tones of blue and green. The workshop aimed at identifying the concerns with these existing images and ideating on creating visuals that capture the nuanced concepts within cybersecurity as well as to contextualise them for the Global South. It began with a discussion on the various concepts within cybersecurity including disinformation, surveillance in the name of security, security researchers, regulation of big technology companies, gender and cybersecurity, etc. This was followed by a mapping of different visual elements in the existing cybersecurity imagery to infer the biases in them. Further, an ideation session was conducted to create alternate visualisations that counter these biases. A detailed report of the workshop can be read <a href="https://cis-india.org/internet-governance/workshop-on-cyber-security-illustrations">here</a>.</p>
<p style="text-align: justify;">The participants began by discussing the concerning impacts of present visualisations – there is a lack of representation and context of the global south. Misrepresentation of cybersecurity leads people to be susceptible to disinformation, treats cybercrime as an abstract concept that does not have a direct impact, and oversimplifies the problem and its solutions. The ecosystem in which this imagery exists also presented a larger issue. A majority of the images are created as clickbait alongside media articles. Media houses thus benefit from the oversimplification and mystification of cybersecurity in such images.</p>
<p style="text-align: justify;">Through the mapping of existing images present online, several concerns were identified. The vague elements and unclear representation add to the mystification of cybersecurity as a concept. In present depictions, the use of technological devices and objects leads to the lack of a human element, distancing the threat from any real impact on people using these devices. The metaphor of a physical threat is often used to depict cybersecurity using elements such as a lock and key. Recurring use of these elements gives a false idea of what is being secured or breached and how. Representations rely on tropes regarding the identity of hackers, and fail to capture the vulnerability of the system. The imagery gives the impression that systems which are breached are immensely secure to begin with and are compromised only as a result of sophisticated attacks carried out by malicious actors. The identity of hackers is commonly associated with cyber attacks and breaches, and the existing imagery reinforces this. Visuals showing a masked man or a silhouette of a man against a dark background are the usual markers of a malicious hacker in conventional cybersecurity imagery. While there is a lack of representation of women in stock cybersecurity images, another trope found was that of a cheerful woman coder. There were also images of faceless women with laptops<a name="_ftnref1" href="#_ftn1"><sup><sup>[1]</sup></sup></a>. The reductive nature of these images points to deeper concerns around gender representation in cybersecurity.</p>
<p style="text-align: justify;">The participants examined what the implications of such visual representation would be, and why there is a need to change the imagery. How can visual depictions be more representative? Can they avoid subscribing to a homogenised idea of an Indian context – specific without being reductive? Can better depiction broaden understanding of cybercrime and emphasize the proximity of those threats? With technology, concepts are often understood through metaphors – how data is explained impacts how people perceive it. Visual imagery can play a critical role in demystifying concepts when done well; illustrations can change the discourse. They must begin to incorporate intersecting aspects of gender, privacy, susceptibility of vulnerable populations, generational and cultural gaps, as well as manifestations of the described crimes to make technological laypersons more aware of the threat.</p>
<p style="text-align: justify;">Potential new imagery would need to address aspects such as disinformation, the importance of privacy and who has a right to it, change the representation of hackers, depict the cybersecurity community, explain specific concepts both to the general user and to the people who are part of cybersecurity efforts in the country, show the implications of cybercrime for vulnerable populations, and more, in an attempt to deconstruct and disseminate what cybersecurity looks like today.</p>
<p style="text-align: justify;">The ideation session involved rethinking specific concepts such as disinformation, and ethical hacking to create alternate imagery. For instance, disinformation was visually imagined as a distortion of an already distorted message being perceived by the viewer. In order to bring attention to the impact of devices, a phone was thought of as a central object to which different concepts of cybersecurity can be connected.</p>
<p style="text-align: justify;"><img src="http://editors.cis-india.org/home-images/FakeNewsCascade.jpg" alt="null" class="image-inline" title="Fake News Cascade" /></p>
<p><em>‘Fake News Cascade’ by Paul Anthony George</em></p>
<p><img src="http://editors.cis-india.org/home-images/FakeNews.jpg" alt="null" class="image-inline" title="Fake News" /></p>
<p><em>‘Fake News’ by Paul Anthony George</em></p>
<p><img src="http://editors.cis-india.org/home-images/Disinformation1.jpg" alt="null" class="image-inline" title="Disinformation 1" /></p>
<p><img src="http://editors.cis-india.org/home-images/Disinformation2.jpg" alt="null" class="image-inline" title="Disinformation 2" /></p>
<p><em>‘Disinformation/ Fake News’ by Roshan Shakeel; The sketch is about questioning the validity of what we see online, and that every message we see is constructed in some form or the other by someone else.</em></p>
<p><em><img src="http://editors.cis-india.org/home-images/Disinformation3.jpg" alt="null" class="image-inline" title="Disinformation 3" /></em></p>
<p><em>‘Disinformation/ Fake News’ by Roshan Shakeel; </em>The sketch visualizes how the source of information ('the original') gets distorted after a certain point.</p>
<p>For ethical hacking, a visualisation depicting a day in the life of an ethical hacker was thought of to normalize hacking and to focus on their contribution in security research.</p>
<p><img src="http://editors.cis-india.org/home-images/ADayinLife.jpg" alt="null" class="image-inline" title="A Day in Life" /></p>
<p><em>‘A Day in the Life of an Indian Hacker’ by Paul Anthony George</em></p>
<p><em><img src="http://editors.cis-india.org/home-images/SurveillanceinthenameofSecurity.jpg" alt="null" class="image-inline" title="Surveillance in the name of Security" /></em></p>
<p><em>'Surveillance in the Name of Security' by</em> <em>Roshan Shakeel</em></p>
<p style="text-align: justify;">Resources on ethical hacking (HackerOne)<a name="_ftnref2" href="#_ftn2"><sup>[2]</sup></a> and hacker culture (2600.com)<a name="_ftnref3" href="#_ftn3"><sup>[3]</sup></a> were also consulted as part of the exercise to gather references on the work done by hackers. This allowed a deeper understanding of how the hacker community depicts itself. Check Point Research<a name="_ftnref4" href="#_ftn4"><sup>[4]</sup></a> and Kerala Police Cyberdome<a name="_ftnref5" href="#_ftn5"><sup>[5]</sup></a> were also examined for further insight into cybersecurity. With regard to gender representation, sources that use visual techniques to communicate concerns and advocacy campaigns were also referred to. The Gendering Surveillance<a name="_ftnref6" href="#_ftn6"><sup>[6]</sup></a> initiative by the Internet Democracy project<a name="_ftnref7" href="#_ftn7"><sup>[7]</sup></a>, which looks at how surveillance harms and restricts women, also offered insights on the use of illustrations supporting the case studies. Another reference was the "Visualising Women's Rights in the Arab World"<a name="_ftnref8" href="#_ftn8"><sup>[8]</sup></a> project by the Tactical Technology Collective<a name="_ftnref9" href="#_ftn10"><sup>[9]</sup></a>. The project aims to “strengthen the use of visual techniques by women's rights advocates in the Arab world, and to build a network of women with these skills”.<a name="_ftnref10" href="#_ftn10"><sup>[10]</sup></a></p>
<p style="text-align: justify;">More visual explainers and animations<a name="_ftnref11" href="#_ftn11"><sup><sup>[11]</sup></sup></a> from the Tactical Technology Collective were noted for their broader engagement with digital security and privacy. A video by the Internet Democracy Project that explains the Internet through <em>rangoli</em><a name="_ftnref12" href="#_ftn12"><sup><sup>[12]</sup></sup></a>, was observed specifically for setting the concept in Indian context through the use of aesthetics.</p>
<p style="text-align: justify;">The workshop concluded with a discussion of potential visual iterations – imagery of cybersecurity that is not technology-oriented but focussed on the behavioural implications of access to such technology, illustrated public service announcements enhancing the profile of cybersecurity researchers or the everyday hacker. The impact of the discussion itself can indicate the relevance of such an effort. Artists and designers can be encouraged to create a body of imagery that shifts discourse and perception, to begin visualising for advocacy, demystify and stop the abstraction of cybercrime that can lead to a false sense of security, incorporate unique aspects of the debate within the Indian context, and generate new dialogue and understanding of cybersecurity. A potential step forward from this workshop would be to engage with the design community at large along with the domain experts to create more effective imagery for cybersecurity.</p>
<hr />
<p><a name="_ftn1" href="#_ftnref1"><sup><sup>[1]</sup></sup></a> https://www.hackerone.com/</p>
<p><a name="_ftn2" href="#_ftnref2"><sup><sup>[2]</sup></sup></a> https://2600.com/</p>
<p><a name="_ftn3" href="#_ftnref3"><sup><sup>[3]</sup></sup></a> https://research.checkpoint.com/about-us/</p>
<p><a name="_ftn4" href="#_ftnref4"><sup><sup>[4]</sup></sup></a> http://www.cyberdome.kerala.gov.in/</p>
<p><a name="_ftn5" href="#_ftnref5"><sup><sup>[5]</sup></sup></a> https://genderingsurveillance.internetdemocracy.in/</p>
<p><a name="_ftn6" href="#_ftnref6"><sup><sup>[6]</sup></sup></a> https://internetdemocracy.in/</p>
<p><a name="_ftn7" href="#_ftnref7"><sup><sup>[7]</sup></sup></a> https://visualrights.tacticaltech.org/index.html</p>
<p><a name="_ftn8" href="#_ftnref8"><sup><sup>[8]</sup></sup></a> https://tacticaltech.org/</p>
<p><a name="_ftn9" href="#_ftnref9"><sup><sup>[9]</sup></sup></a> https://visualrights.tacticaltech.org/content/about-website.html</p>
<p><a name="_ftn10" href="#_ftnref10"><sup><sup>[10]</sup></sup></a> https://tacticaltech.org/projects/survival-in-the-digital-age-ono-robot-2012/</p>
<p><a name="_ftn11" href="#_ftnref11"><sup><sup>[11]</sup></sup></a> https://internetdemocracy.in/2018/08/dots-and-connections/</p>
<p><a name="_ftn12" href="#_ftnref12"><sup><sup>[12]</sup></sup></a> https://www.independent.co.uk/life-style/gadgets-and-tech/features/women-in-tech-its-time-to-drop-the-old-stereotypes-7608794.html</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu'>http://editors.cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu</a>
</p>
No publisher | Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu | Cyber Security | Internet Governance | 2019-08-21T08:00:11Z | Blog Entry
Cyberspace and External Affairs: A Memorandum for India Summary
http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs
<b>This memorandum seeks to summarise the state of the global debate in cyberspace, outline how India can craft its global strategic vision and, finally, provide a set of recommendations for the MEA as they craft their cyber diplomacy strategy.</b>
<p class="moz-quote-pre" style="text-align: justify; ">It limits itself to advocating certain procedural steps that the Ministry of External Affairs should take towards propelling India forward as a leading voice in the global cyber norms space and explains why occupying this leadership position should be a vital foreign policy priority. It does not delve into content-based recommendations at this stage. Further, this memorandum is not meant to serve as exhaustive academic research on the subject but builds on previous research by the Centre for Internet & Society in this area to highlight key policy windows that can be driven by India.</p>
<p class="moz-quote-pre" style="text-align: justify; ">This memorandum provides a background to global norms formation, focussing on key global developments over the past month; traces the opportunities for India to play a lead role in the global norms formulation debate; and then charts out process-related recommendations on next steps towards India taking this forward.</p>
<hr />
<p class="moz-quote-pre" style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/cyberspace-and-external-affairs">Click here</a> to read more</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs'>http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs</a>
</p>
No publisher | Arindrajit Basu and Elonnai Hickok | Cyber Security | Internet Governance | Privacy | 2018-12-01T04:10:51Z | Blog Entry
Budapest Convention and the Information Technology Act
http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act
<b>The Convention on Cybercrime adopted in Budapest (“Convention”) is the first and one of the most important multilateral treaties addressing the issue of internet and computer crimes.</b>
<p style="text-align: justify; "><b>Introduction</b><br />It was drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America.<a href="#_ftn1" name="_ftnref1">[1]</a> The importance of the Convention is also indicated by the fact that adherence to it (whether by outright adoption or by otherwise making domestic laws in compliance with it) is one of the conditions mentioned in the Clarifying Lawful Overseas Use of Data Act passed in the USA (CLOUD Act) whereby a process has been established to enable security agencies of India and the United States to directly access data stored in each other’s territories. Our analysis of the CLOUD Act vis-à-vis India can be found <a href="https://cis-india.org/internet-governance/blog/an-analysis-of-the-cloud-act-and-implications-for-india">here</a>. It is in continuation of that analysis that we have undertaken here a detailed comparison of the Information Technology Act, 2000 (“<b>IT Act</b>”) and how it stacks up against the provisions of Chapter I and Chapter II of the Convention.<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a></p>
<p style="text-align: justify; ">Before we get into a comparison of the Convention with the IT Act, we must point out the distinction between the two legal instruments, for the benefit of readers from a non-legal background. An international instrument such as the Convention on Cybercrime (generally speaking) is essentially a promise made by the States which are a party to that instrument, that they will change or modify their local laws to get them in line with the requirements or principles laid out in said instrument. In case the signatory State does not make such amendments to its local laws, (usually) the citizens of that State cannot enforce any rights that they may have been granted under such an international instrument. The situation is the same with the Convention on Cybercrime: unless the signatory State amends its local laws to bring them in line with the provisions of the Convention, there cannot be any enforcement of the provisions of the Convention within that State.<a href="#_ftn3" name="_ftnref3">[3]</a> This however is not the case for India and the IT Act, since India is not a signatory to the Convention on Cybercrime and therefore is not obligated to amend its local laws to bring them in line with the Convention.</p>
<p style="text-align: justify; ">Although India and the Council of Europe cooperated to amend the IT Act through major amendments brought about vide the Information Technology (Amendment) Act, 2008, India still has not become a signatory to the Convention on Cybercrime. The reasons for this appear to be unclear and it has been suggested that these reasons may range from the fact that India was not involved in the original drafting, to issues of sovereignty regarding the provisions for international cooperation and extradition.<a href="#_ftn4" name="_ftnref4">[4]</a></p>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
</td>
</tr>
<tr>
<td>
<p><b>Article 2 – Illegal access</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.</p>
</td>
<td>
<p><b>Section 43</b></p>
<p style="text-align: justify; ">If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -</p>
<p style="text-align: justify; ">(a) accesses or secures access to such computer, computer system or computer network or computer resource</p>
<p> </p>
<p><b>Section 66</b></p>
<p style="text-align: justify; ">If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two <b>three </b>years or with fine which may extend to five lakh rupees or with both.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">The Convention gives States the right to further qualify the offence of “illegal access” or “hacking” by adding elements such as infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system.<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a> However, Indian law deals with the distinction by making the act of unauthorised access without dishonest or fraudulent intent a civil offence, where the offender is liable to pay compensation. If the same act is done with dishonest and fraudulent intent, it is treated as a criminal offence punishable with fine and imprisonment which may extend to 3 years.</p>
<p>It must be noted that this provision was included in the Act only through the Amendment of 2008 and was not present in the Information Technology Act, 2000 in its original iteration.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
</td>
</tr>
<tr>
<td>
<p><b>Article 3 – Illegal Interception</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.</p>
<p> </p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Although the Information Technology Act, 2000 does not specifically criminalise the interception of communications by a private person, it is possible that under the provisions of Rule 43(a) the act of accessing a “computer network” could be interpreted as including unauthorised interception within its ambit.</p>
<p style="text-align: justify; ">The other way in which illegal interception may be considered to be illegal is through a combined reading of Sections 69 (Interception) and 45 (Residuary Penalty) with Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which prohibits interception, monitoring and decryption of information under section 69(2) of the IT Act except in a manner as provided by the Rules. However, it must be noted that section 69(2) only talks about interception by the government and Rule 3 only provides for procedural safeguards for such an interception. It could therefore be argued that the prohibition under Rule 3 is only applicable to the government and not to private individuals since section 62, the provision under which Rule 3 has been issued, itself is not applicable to private individuals.</p>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 4 – Data interference</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.</p>
<p>2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.</p>
</td>
<td>
<p>Section 43</p>
<p>If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -</p>
<p>(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;</p>
<p>(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;</p>
<p>(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,</p>
<p>he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (change vide ITAA 2008)</p>
<p><b>Section 66</b></p>
<p>If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two <b>three </b>years or with fine which may extend to five lakh rupees or with both.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">Damage, deletion, diminishing in value and alteration of data is considered a crime as per Section 66 read with section 43 of the IT Act if done with fraudulent or dishonest intention. <b>While the Convention only requires such acts to be crimes if committed intentionally, the Information Technology Act requires that such intention be either dishonest or fraudulent; only then will such an act be a criminal offence. Otherwise it will only incur civil consequences, requiring the perpetrator to pay damages by way of compensation.</b></p>
<p style="text-align: justify; ">It must be noted that the optional requirement of such an act causing serious harm has not been adopted by Indian law, i.e. the act of such damage, deletion, etc. by itself is enough to constitute the offence, and there is no requirement of such an act causing serious harm.</p>
<p style="text-align: justify; ">As per the Explanatory Report to the Convention on Cybercrime, “<b>Suppressing</b> of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.” Strictly speaking the act of suppression of data in another system is not covered by the language of section 43, but looking at the tenor of the section it is likely that if a court is faced with a situation of intentional/malicious denial of access to data, the court could expand the scope of the term “damage” as contained in sub-section (d) to include such malicious acts.</p>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 5 – System interference</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, <b>when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data</b>.</p>
</td>
<td>
<p style="text-align: justify; ">Section 43</p>
<p style="text-align: justify; ">If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -</p>
<p style="text-align: justify; ">(e) disrupts or causes disruption of any computer, computer system or computer network;</p>
<p style="text-align: justify; "><b>Explanation </b>- for the purposes of this section -</p>
<p style="text-align: justify; ">(i) "Computer Contaminant" means any set of computer instructions that are designed -</p>
<p style="text-align: justify; ">(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or</p>
<p style="text-align: justify; ">(b) by any means to usurp the normal operation of the computer, computer system, or computer network;</p>
<p style="text-align: justify; ">(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;</p>
<p style="text-align: justify; "> </p>
<p><b>Section 66</b></p>
<p style="text-align: justify; ">If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two <b>three </b>years or with fine which may extend to five lakh rupees or with both.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">The offence of causing hindrance to the functioning of a computer system with fraudulent or dishonest intention is an offence under the IT Act. <b>While the Convention only requires such acts to be crimes if committed intentionally, the IT Act requires that such intention be either dishonest or fraudulent; only then will such an act be a criminal offence. Otherwise it will only incur civil consequences, requiring the perpetrator to pay damages by way of compensation.</b></p>
<p style="text-align: justify; ">The IT Act does not require such disruption to be caused in any particular manner as is required under the Convention, although the acts of introducing computer viruses as well as damaging or deleting data themselves have been classified as offences under the IT Act.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 6 – Misuse of devices</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:</p>
<p style="text-align: justify; ">a the production, sale, procurement for use, import, distribution or otherwise making available of:</p>
<p>i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;</p>
<p style="text-align: justify; ">ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and</p>
<p>b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.</p>
<p style="text-align: justify; ">2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.</p>
<p style="text-align: justify; ">3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing offences against the confidentiality, the integrity and availability of computer systems or data. While the IT Act does not by itself make the production, sale, procurement for use, import, distribution of devices designed to be adopted for such purposes an offence, sub-section (g) of section 43 along with section 120A of the Indian Penal Code, 1860 which deals with “conspiracy” could perhaps be used to bring such acts within the scope of the penal statutes.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 7 – Computer related forgery</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">While the acts of deletion, alteration and suppression of data are by themselves crimes, as discussed above, there is no specific offence for doing such acts for the purpose of forgery. However, this does not mean that the crime of online forgery is not punishable in India at all; such crimes would be dealt with under the relevant provisions of the Indian Penal Code, 1860 (Chapter 18) read with section 4 of the IT Act.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 8 – Computer-related fraud</b></p>
<p>Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:</p>
<p>a any input, alteration, deletion or suppression of computer data,</p>
<p>b any interference with the functioning of a computer system,</p>
<p>with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Just as in the case of forgery, there is no specific provision in the IT Act whereby online fraud would be considered as a crime; however, specific acts such as charging services availed of by one person to another (section 43(h)), identity theft (section 66C) and cheating by impersonation (section 66D) have been listed as criminal offences. Further, as with forgery, fraudulent acts to procure economic benefits would also get covered by the provisions of the Indian Penal Code that deal with cheating.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 9 – Offences related to child pornography</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:</p>
<p>a producing child pornography <b>for the purpose of its distribution </b>through a computer system;</p>
<p>b offering or making available child pornography through a computer system;</p>
<p>c distributing or transmitting child pornography through a computer system;</p>
<p>d procuring child pornography through a computer system for oneself or for another person;</p>
<p>e possessing child pornography in a computer system or on a computer-data storage medium.</p>
<p style="text-align: justify; ">2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:</p>
<p>a a minor engaged in sexually explicit conduct;</p>
<p>b a person appearing to be a minor engaged in sexually explicit conduct;</p>
<p>c realistic images representing a minor engaged in sexually explicit conduct.</p>
<p style="text-align: justify; ">3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.</p>
<p style="text-align: justify; ">4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, subparagraphs d and e, and 2, sub-paragraphs b and c.</p>
</td>
<td>
<p style="text-align: justify; "><b>67 B Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form. </b></p>
<p>Whoever,-</p>
<p>(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or</p>
<p style="text-align: justify; ">(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or</p>
<p>(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or</p>
<p>(d) facilitates abusing children online or</p>
<p>(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,</p>
<p style="text-align: justify; ">shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:</p>
<p style="text-align: justify; ">Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-</p>
<p style="text-align: justify; ">(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or</p>
<p>(ii) which is kept or used for bonafide heritage or religious purposes</p>
<p>Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The publishing, transmission, creation, collection, seeking, browsing, etc. of child pornography is an offence under Indian law punishable with imprisonment for up to 5 years for a first offence and up to 7 years for a subsequent offence, along with fine.</p>
<p style="text-align: justify; ">It is important to note that bona fide depictions for the public good, such as for publication in pamphlets, reading or educational material, are specifically excluded from the rigours of the section. Similarly, material kept for heritage or religious purposes is also exempted under this section. Such exceptions are in line with the intent of the Convention, since the Explanatory statement itself states that “The term "pornographic material" in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic.”</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 10 – Offences related to infringements of copyright and related rights</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.</p>
<p style="text-align: justify; ">2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as defined under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.</p>
<p style="text-align: justify; ">3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.</p>
</td>
<td>
<p><b>81 Act to have Overriding effect </b></p>
<p style="text-align: justify; ">The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.</p>
<p style="text-align: justify; ">Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The use of the term "pursuant to the obligations it has undertaken" in both paragraphs makes it clear that a Contracting Party to the Convention is not bound to apply agreements cited (TRIPS, WIPO, etc.) to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation under the present Convention.</p>
<p style="text-align: justify; ">The IT Act does not try to intervene in the existing copyright regime of India and creates a special exemption for the Copyright Act and the Patents Act in the clause which provides this Act overriding effect. India’s obligations under the various treaties and conventions on intellectual property rights are enshrined in these legislations.<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 11 – Attempt and aiding or abetting</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.</p>
<p style="text-align: justify; ">2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c of this Convention.</p>
<p>3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.</p>
</td>
<td>
<p><b>84 B Punishment for abetment of offences </b></p>
<p style="text-align: justify; ">Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.</p>
<p style="text-align: justify; ">Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.</p>
<p> </p>
<p><b>84 C Punishment for attempt to commit offences </b></p>
<p style="text-align: justify; ">Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.</p>
</td>
</tr>
</tbody>
</table>
<p>As can be seen, both attempts as well as abetment of criminal offences under the IT Act have also been criminalised.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 12 – Corporate liability</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:</p>
<p>a a power of representation of the legal person;</p>
<p>b an authority to take decisions on behalf of the legal person;</p>
<p>c an authority to exercise control within the legal person.</p>
<p style="text-align: justify; ">2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.</p>
<p>3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.</p>
<p>4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.</p>
</td>
<td>
<p><b>85 Offences by Companies. </b></p>
<p style="text-align: justify; ">(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:</p>
<p style="text-align: justify; "><b>Provided </b>that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.</p>
<p style="text-align: justify; ">(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.</p>
<p><b>Explanation</b>-</p>
<p>For the purposes of this section</p>
<p>(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and</p>
<p>(ii) "Director", in relation to a firm, means a partner in the firm.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The liability of a company or other body corporate has been laid out in the IT Act in a manner similar to the Budapest Convention. While the test to determine the relationship between the legal entity and the natural person who has committed the act on behalf of the legal entity is a little more detailed<a href="#_ftn7" name="_ftnref7">[7]</a> in the Convention, the substance of the test is laid out in the IT Act as “a person who is in charge of, and was responsible to, the company”.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 14</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.</p>
<p style="text-align: justify; ">2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:</p>
<p style="text-align: justify; ">a the criminal offences established in accordance with Articles 2 through 11 of this Convention;</p>
<p style="text-align: justify; ">b other criminal offences committed by means of a computer system; and</p>
<p style="text-align: justify; ">c the collection of evidence in electronic form of a criminal offence.</p>
<p style="text-align: justify; ">3 a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.</p>
<p style="text-align: justify; ">b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:</p>
<p style="text-align: justify; ">i is being operated for the benefit of a closed group of users, and</p>
<p style="text-align: justify; ">ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications.</p>
<p style="text-align: justify; ">Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">This is a provision of a general nature that need not have any equivalence in domestic law. The provision clarifies that all the powers and procedures provided for in this section (Articles 14 to 21) are for the purpose of “specific criminal investigations or proceedings”.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 15 – Conditions and safeguards</b></p>
<p style="text-align: justify; ">1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.</p>
<p style="text-align: justify; ">2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, <i>inter alia</i>, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.</p>
<p style="text-align: justify; ">3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">This again is a provision of a general nature which need not have a corresponding clause in the domestic law. India is a signatory to a number of international human rights conventions and treaties: it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further, the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India, 1950.<a href="#_ftn8" name="_ftnref8"><sup><sup>[8]</sup></sup></a></p>
<p style="text-align: justify; ">In addition, India has enacted the Protection of Human Rights Act, 1993 for the constitution of a National Human Rights Commission, State Human Rights Commission in States and Human Rights Courts for better protection of “human rights” and for matters connected therewith or incidental thereto. Thus, there does exist a statutory mechanism for the enforcement of human rights<a href="#_ftn9" name="_ftnref9"><sup><sup>[9]</sup></sup></a> under Indian law. It must be noted that the definition of human rights also incorporates rights embodied in International Covenants and enforceable by Courts in India.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 16 – Expedited preservation of stored computer data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.</p>
<p>2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.</p>
<p>4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
<p><b>Article 17 – Expedited preservation and partial disclosure of traffic data</b></p>
<p>1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:</p>
<p>a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and</p>
<p>b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.</p>
<p>2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>29 Access to computers and data. </b></p>
<p>(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (Amended vide ITAA 2008)</p>
<p> </p>
<p>(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.</p>
<p> </p>
<p><b>67 C</b> <b>Preservation and Retention of information by intermediaries </b></p>
<p>(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.</p>
<p> </p>
<p><b>Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011</b></p>
<p>3(7) - When required by lawful order, the intermediary shall provide information <b>or any such assistance</b> to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.</p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">It must be noted that Article 16 and Article 17 refer only to data preservation and not data retention. “Data preservation” means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to change or deteriorate. Data retention means to keep data, which is currently being generated, in one’s possession into the future.<a href="#_ftn10" name="_ftnref10"><sup><sup>[10]</sup></sup></a> In short, the article provides only for preservation of existing stored data, pending subsequent disclosure of the data, in relation to specific criminal investigations or proceedings.</p>
<p style="text-align: justify; ">The Convention uses the term "order or similarly obtain", which is intended to allow the use of other legal methods of achieving preservation than merely by means of a judicial or administrative order or directive (e.g. from police or prosecutor). In some States, preservation orders do not exist in the procedural law, and data can only be preserved and obtained through search and seizure or production order. Flexibility was therefore intended by the use of the phrase "or otherwise obtain" to permit the implementation of this article by the use of these means.</p>
<p style="text-align: justify; ">While Indian law does not have a specific provision for issuing an order for preservation of data, the provisions of section 29 as well as sections 99 to 101 of the Code of Criminal Procedure, 1973 may be utilized to achieve the result intended by Articles 16 and 17. Although section 67C of the IT Act uses the term “preserve and retain such information”, this provision is intended primarily for the purpose of data retention and not data preservation.</p>
<p style="text-align: justify; ">Another provision which may conceivably be used for issuing preservation orders is Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011, which requires intermediaries to provide “any such assistance” to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. However, in the absence of a power of preservation in the main statute (IT Act), it remains to be seen whether such an order would be enforced if challenged in a court of law.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 18 – Production order</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:</p>
<p>a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and</p>
<p>b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.</p>
<p>2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
<p>3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:</p>
<p>a the type of communication service used, the technical provisions taken thereto and the period of service;</p>
<p>b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;</p>
<p>c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.</p>
<p> </p>
</td>
<td>
<p><b>Section 28(2)</b></p>
<p>(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-Tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.</p>
<p><b>Section 58(2)</b></p>
<p>(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely -</p>
<p>(b) requiring the discovery and production of documents or other electronic records;</p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">While the Cyber Appellate Tribunal and the Controller of Certifying Authorities both have the power to call for information under the IT Act, these powers can be exercised only for limited purposes since the jurisdiction of both authorities is limited to the procedural provisions of the IT Act and they do not have the jurisdiction to investigate penal provisions. In practice, the penal provisions of the IT Act are investigated by the regular law enforcement apparatus of India, which uses statutory provisions for production orders applicable in the offline world to computer systems as well. It is a very common practice amongst law enforcement authorities to issue orders under the Code of Criminal Procedure, 1973 (section 91) or the relevant provisions of the Income Tax Act, 1961 to compel production of information contained in a computer system. The power to order production of a “document or other thing” under section 91 of the Criminal Procedure Code is wide enough to cover all types of information which may be residing in a computer system and can even include the entire computer system itself.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 19 – Search and seizure of stored computer data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:</p>
<p>a a computer system or part of it and computer data stored therein; and</p>
<p>b a computer-data storage medium in which computer data may be stored in its territory.</p>
<p style="text-align: justify; ">2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:</p>
<p>a seize or similarly secure a computer system or part of it or a computer-data storage medium;</p>
<p>b make and retain a copy of those computer data;</p>
<p>c maintain the integrity of the relevant stored computer data;</p>
<p>d render inaccessible or remove those computer data in the accessed computer system.</p>
<p style="text-align: justify; ">4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.</p>
<p>5 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>76 Confiscation </b></p>
<p style="text-align: justify; ">Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation:</p>
<p style="text-align: justify; "><b>Provided </b>that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.</p>
<p> </p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">While Article 19 provides for the power to search and seize computer systems for the investigation into criminal offences of any type or kind, section 76 of the IT Act is limited only to contraventions of the provisions of the Act, rules, orders or regulations made thereunder. However, this does not mean that Indian law enforcement authorities do not have the power to search and seize a computer system for crimes other than those contained in the IT Act; just as in the case of Article 18, the authorities in India are free to use the provisions contained in the Criminal Procedure Code and other sectoral legislations which allow for seizure of property to seize computer systems when investigating criminal offences.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 20 – Real-time collection of traffic data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:</p>
<p>a collect or record through the application of technical means on the territory of that Party, and</p>
<p>b compel a service provider, within its existing technical capability:</p>
<p>i to collect or record through the application of technical means on the territory of that Party; or</p>
<p>ii to co-operate and assist the competent authorities in the collection or recording of,</p>
<p> </p>
<p>traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.</p>
<p>2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.</p>
<p>4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security </b></p>
<p>(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.</p>
<p>(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.</p>
<p>(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.</p>
<p>(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.</p>
<p>Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43.</p>
<p>(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.</p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Section 69B in the IT Act enables the government to authorise the monitoring and collection of traffic data through any computer system. Under the Convention, orders for collection and recording of traffic data can be given for the purposes mentioned in Articles 14 and 15. On the other hand, as per the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, an order for monitoring may be issued for any of the following purposes relating to cyber security:</p>
<p>(a) forecasting of imminent cyber incidents;</p>
<p>(b) monitoring network application with traffic data or information on computer resource;</p>
<p>(c) identification and determination of viruses or computer contaminant;</p>
<p>(d) tracking cyber security breaches or cyber security incidents;</p>
<p>(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;</p>
<p>(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;</p>
<p>(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;</p>
<p>(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;</p>
<p>(i) any other matter relating to cyber security.</p>
<p style="text-align: justify; ">As can be seen from the above, the reasons for which an order for monitoring traffic data can be issued are extremely wide; this is in stark contrast to the reasons for which an order for interception of content data may be issued under section 69. The Rules also provide that the intermediary shall not disclose the existence of a monitoring order to any third party and shall take all steps necessary to ensure extreme secrecy in the matter of monitoring of traffic data.</p>
<table>
<tbody>
<tr style="text-align: justify; ">
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 21 – Interception of content data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:</p>
<p>a collect or record through the application of technical means on the territory of that Party, and</p>
<p>b compel a service provider, within its existing technical capability:</p>
<p style="text-align: justify; ">i to collect or record through the application of technical means on the territory of that Party, or</p>
<p style="text-align: justify; ">ii to co-operate and assist the competent authorities in the collection or recording of,</p>
<p style="text-align: justify; ">content data, in real-time, of specified communications in its territory transmitted by means of a computer system.</p>
<p style="text-align: justify; ">2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.</p>
<p style="text-align: justify; ">4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource </b></p>
<p style="text-align: justify; ">(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.</p>
<p style="text-align: justify; ">(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.</p>
<p>(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -</p>
<p style="text-align: justify; ">(a) provide access to <b>or secure access to </b>the computer resource containing such information; generating, transmitting, receiving or storing such information; or</p>
<p>(b) intercept or monitor or decrypt the information, as the case may be<b>; </b>or</p>
<p>(c) provide information stored in computer resource.</p>
<p>(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.</p>
</td>
</tr>
</tbody>
</table>
<p>There has been a lot of academic research and debate around the exercise of powers under section 69 of the IT Act, but the current piece is not the place for a standalone critique of section 69.<a href="#_ftn11" name="_ftnref11">[11]</a> The analysis here is limited to a comparison of the provisions of Article 20 vis-à-vis section 69 of the IT Act.</p>
<p style="text-align: justify; ">In that background, it needs to be pointed out that two important issues mentioned in Article 20 of the Convention are not specifically mentioned in section 69B, viz. (i) that the order should be only for specific computer data, and (ii) that the intermediary should keep such an order confidential; these requirements are covered by Rules 9 and 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, respectively.</p>
<table>
<tbody>
<tr style="text-align: justify; ">
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 22 – Jurisdiction</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:</p>
<p>a in its territory; or</p>
<p>b on board a ship flying the flag of that Party; or</p>
<p>c on board an aircraft registered under the laws of that Party; or</p>
<p>d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.</p>
<p>2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.</p>
<p>3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.</p>
<p style="text-align: justify; ">4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.</p>
<p style="text-align: justify; ">5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.</p>
</td>
<td>
<p><b>1. Short Title, Extent, Commencement and Application </b></p>
<p style="text-align: justify; ">(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.</p>
<p><b>75 Act to apply for offence or contraventions committed outside India </b></p>
<p style="text-align: justify; ">(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.</p>
<p style="text-align: justify; ">(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The Convention provides for extraterritorial jurisdiction only for crimes committed outside the State by nationals of that State. However, the IT Act applies even to offences under the Act committed by foreign nationals outside India, as long as the act involves a computer system or computer network located in India.</p>
<p style="text-align: justify; ">Unlike para 3 of Article 22 of the Convention, the IT Act does not touch upon the issue of extradition. Cases involving extradition would therefore be dealt with by the general law of the land in respect of extradition requests contained in the Extradition Act, 1962. The Convention requires that in cases where the state refuses to extradite an alleged offender, it should establish jurisdiction over the offences referred to in Article 21(1) so that it can proceed against that offender itself. In this regard, it must be pointed out that Section 34A of the Extradition Act, 1962 provides that “Where the Central Government is of the opinion that a fugitive criminal cannot be surrendered or returned pursuant to a request for extradition from a foreign State, it may, as it thinks fit, take steps to prosecute such fugitive criminal in India.” Thus the Extradition Act gives the Indian government the power to prosecute an individual in the event that such individual cannot be extradited.</p>
<p><b>International Cooperation</b></p>
<p style="text-align: justify; ">Chapter III of the Convention deals specifically with international cooperation between the signatory parties. Such co-operation is to be carried out both "in accordance with the provisions of this Chapter" and "through application of relevant international agreements on international cooperation in criminal matters, arrangements agreed to on the basis of uniform or reciprocal legislation, and domestic laws." The latter clause establishes the general principle that the provisions of Chapter III do not supersede the provisions of international agreements on mutual legal assistance and extradition or the relevant provisions of domestic law pertaining to international co-operation.<a href="#_ftn12" name="_ftnref12"><sup><sup>[12]</sup></sup></a> Although the Convention grants primacy to mutual treaties and agreements between member States, in certain specific circumstances it also provides for an alternative if such treaties do not exist between the member states (Articles 27 and 28). The Convention also provides for international cooperation on certain issues which may not have been specifically provided for in mutual assistance treaties entered into between the parties and need to be spelt out due to the unique challenges posed by cyber crimes, such as expedited preservation of stored computer data (Article 29) and expedited disclosure of preserved traffic data (Article 30). Contentious issues such as access to stored computer data, real time collection of traffic data and interception of content data have been specifically left by the Convention to be dealt with as per existing international instruments or arrangements between the parties.</p>
<p><b>Conclusion</b></p>
<p style="text-align: justify; ">The broad language and wide terminology used in the IT Act seem to cover a number of the cyber crimes mentioned in the Budapest Convention, even though India has not signed and ratified the same. Penal provisions such as illegal access (Article 2), data interference (Article 4), system interference (Article 5), offence related to child pornography (Article 9), attempt and aiding or abetting (Article 11), corporate liability (Article 12) are substantially covered and reflected in the IT Act in a manner very similar to the requirements of the Convention. Similarly, procedural provisions such as search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), interception of content data (Article 21) and jurisdiction (Article 22) are also substantially reflected in the IT Act.</p>
<p style="text-align: justify; ">However, certain penal provisions mentioned in the Convention, such as computer related forgery (Article 7) and computer related fraud (Article 8), are not provided for specifically in the IT Act, but such offences are covered when provisions of the Indian Penal Code, 1860 are read in conjunction with provisions of the IT Act. Similarly, procedural provisions such as expedited preservation of stored computer data (Article 16) and production order (Article 18) are not specifically provided for in the IT Act but are covered under Indian law through the provisions of the Code of Criminal Procedure, 1973.</p>
<p style="text-align: justify; ">Apart from the above two categories, there are certain provisions such as misuse of devices (Article 6) and illegal interception (Article 3) which may not be specifically covered at all under Indian law, but may conceivably be said to be covered through an expansive reading of provisions of the Indian Penal Code and the IT Act. It may therefore be said that even though India has not signed or ratified the Budapest Convention, the legal regime in India is substantially in compliance with the provisions and requirements contained therein.</p>
<p style="text-align: justify; ">Thus, the Convention on Cybercrime is perhaps the most important international multi-state instrument that may be used to combat cybercrime, not merely because the provisions thereunder may be used as a model to bolster national/local laws by any State, be it a signatory or not (as in the case of India), but also because of the mechanism it lays down for international cooperation in the field of cyber terrorism. In an increasingly interconnected world where more and more information of individuals is finding its way to the cloud or other networked infrastructure, the international community is making great efforts to generate norms for increased international cooperation to combat cybercrime and cyber terrorism. While the Convention is one such multilateral effort, States are also proposing to use bilateral treaties to enable them to better fight cybercrime, the United States CLOUD Act being one such effort. In the backdrop of these novel efforts, the role to be played by older instruments such as the Convention on Cybercrime as well as by important States such as India is extremely crucial.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b.</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> The analysis here has been limited to only Chapter I and Chapter II of the Convention, as it is only adherence to these two chapters that is required under the CLOUD Act.</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a> The only possible enforcement that may be done with regard to the Convention on Cybercrime is that the Council of Europe may put pressure on the signatory State to amend its local laws (if it is refusing to do so) otherwise it would be in violation of its obligations as a member of the European Union.</p>
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Alexander Seger, “India and the Budapest Convention: Why Not?”, <a href="https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/">https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/</a></p>
<p><a href="#_ftnref5" name="_ftn5">[5]</a> Explanatory Report to the Convention on Cybercrime, Para 50, https://rm.coe.int/16800cce5b.</p>
<p><a href="#_ftnref6" name="_ftn6">[6]</a> India is a party to the Berne Convention on Literary and Artistic Works, the Agreement on Trade Related Intellectual Property Rights and the Rome Convention. India has also recently (July 4, 2018) announced that it will accede to the WIPO Copyright Treaty as well as the WIPO Performances and Phonograms Treaty.</p>
<p><a href="#_ftnref7" name="_ftn7">[7]</a> The test under the Convention is that the relevant person would be the one who has a leading position within the company, based on:</p>
<ul>
<li>a power of representation of the legal person;</li>
<li>an authority to take decisions on behalf of the legal person;</li>
<li>an authority to exercise control within the legal person.</li>
</ul>
<p><a href="#_ftnref8" name="_ftn8">[8]</a> Vipul Kharbanda and Elonnai Hickok, “MLATs and the proposed Amendments to the US Electronic Communications Privacy Act”, <a href="https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act">https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act</a></p>
<p><a href="#_ftnref9" name="_ftn9">[9]</a> The term “human rights” has been defined in the Act as “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”.</p>
<p><a href="#_ftnref10" name="_ftn10">[10]</a> Explanatory Report to the Convention on Cybercrime, Para 151, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>.</p>
<p><a href="#_ftnref11" name="_ftn11">[11]</a> A similar power of interception is available under section 5 of the Telegraph Act, 1885, but that extends only to interception of telegraphic communication and does not extend to communications exchanged through computer networks.</p>
<p><a href="#_ftnref12" name="_ftn12">[12]</a> Explanatory Report to the Convention on Cybercrime, Para 244, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act'>http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act</a>
</p>
No publisher | vipul | Cyber Security | Internet Governance | 2018-11-20T16:18:51Z | Blog Entry
Lessons from US response to cyber attacks
http://editors.cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks
<b>Publicly attributing the attacks to a state or non-state actor is vital for building a credible cyber deterrence strategy.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.thehindubusinessline.com/opinion/lessons-from-us-response-to-cyber-attacks-ep/article25372326.ece">Hindu Businessline</a> on October 30, 2018. The article was edited by Elonnai Hickok.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In September, amidst the brewing of a newfound cross-continental romance between Kim Jong-Un and Donald Trump, the US Department of Justice filed a criminal complaint indicting North Korean hacker Park Jin Hyok for playing a role in at least three massive cyber operations against the US. These included the Sony data breach of 2014, the Bangladesh bank heist of 2016 and the WannaCry ransomware attack in 2017. This indictment was followed by one on October 4, of seven officers in the GRU, Russia’s military agency, for “persistent and sophisticated computer intrusions.” Evidence adduced in support included forensic cyber evidence like similarities in lines of code or analysis of malware and other factual details regarding the relationship between the employers of the indicted individuals and the state in question.</p>
<p style="text-align: justify; ">While it is unlikely that prosecutions will ensue, indicting individuals responsible for cyber attacks offers an attractive option for states looking to develop a credible cyber deterrence strategy.</p>
<h2 style="text-align: justify; ">Attributing cyber attacks</h2>
<p style="text-align: justify; ">Technical uncertainty in attributing attacks to a specific actor has long fettered states from adopting defensive or offensive measures in response to an attack and garnering support from multilateral fora. Cyber attacks are multi-stage, multi-step and multi-jurisdictional, which complicates the attribution process and removes the attacker from the infected networks.</p>
<p style="text-align: justify; ">Experts at the RAND Corporation have argued that technical challenges to attribution should not detract from international efforts to adopt a robust, integrated and multi-disciplinary approach to attribution, which should be seen as a political process operating in symbiosis with technical efforts. A victim state must communicate its findings and supporting evidence to the attacking state in a bid to apply political pressure.</p>
<p style="text-align: justify; ">Clear publication of the attribution process becomes crucial as it furthers public credibility in investigating authorities, enables information exchange among security researchers and fosters deterrence of the adversary and potential adversaries.</p>
<p style="text-align: justify; ">Although public attributions need not take the form of a formal indictment and are often conducted through statements by foreign ministries, a criminal indictment is more legitimate as it needs to comply with the rigorous legal and evidentiary standards required by the country’s legal system. Further, an indictment allows for the attack to be conceptualised as a violation of the rule of law in addition to being a geopolitical threat vector.</p>
<h2 style="text-align: justify; ">Lessons for India</h2>
<p style="text-align: justify; ">India is yet to publicly attribute a cyber attack to any state or non-state actor. This is surprising given that an overwhelming percentage of attacks on Indian websites are perpetrated by foreign states or non-state actors, with 35 per cent of attacks emanating from China, as per a report by the Indian Computer Emergency Response Team (CERT-IN), the national nodal agency under the Ministry of Electronics and Information Technology (MEITY) which deals with cyber threats.</p>
<p style="text-align: justify; ">Along with other bodies, such as the National Critical Information Infrastructure Protection Centre (NCIIPC), which is the nodal central agency for the protection of critical information infrastructure, CERT-IN forms part of an ecosystem of nodal agencies designed to guarantee national cyber security.</p>
<p style="text-align: justify; ">There are three key lessons that policy makers involved in this ecosystem can take away from the WannaCry attribution process and the Park indictment. First, there is a need for multi-stakeholder collaboration through sharing of research, joint investigations and combined vulnerability identification among the various actors employed by the government, law enforcement authorities and private cyber security firms.</p>
<p style="text-align: justify; ">The affidavit suggested that the FBI had used information from various law enforcement personnel, computer scientists at the FBI, Mandiant (a cyber security firm retained by the US Attorney’s Office) and publicly available materials produced by cyber security companies. Second, the standards of attribution need to demonstrate compliance both with the evidentiary requirements of Indian criminal law and the requirements in the International Law on State Responsibility. The latter requires an attribution to demonstrate that a state had ‘effective control’ over the non-state actor.</p>
<p style="text-align: justify; ">Finally, the attribution must be communicated to the adversary in a manner that does not risk military escalation. Despite the delicate timing of the indictment, Park’s prosecution by the FBI did not dampen the temporary thaw in relations between the US and North Korea.</p>
<p style="text-align: justify; ">While building capacity to improve resilience, detect attacks and improve attribution capabilities should be a priority, we need to remember that regardless of the breakthrough in both human and infrastructural capacities, attributing cyber attacks will never be an exercise in certainty.</p>
<p style="text-align: justify; ">India will need to marry its improved capacity with strategic geopolitical posturing. Lengthy indictments may not deter all potential adversaries but may be a tool in fostering a culture of accountability in cyberspace.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks'>http://editors.cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks</a>
</p>
No publisher | Arindrajit Basu | Cyber Security | Internet Governance | 2018-11-01T05:53:42Z | Blog Entry
Conceptualizing an International Security Regime for Cyberspace
http://editors.cis-india.org/internet-governance/blog/conceptualizing-an-international-security-regime-for-cyberspace
<b>This paper was published as part of the Briefings from the Research and Advisory Group (RAG) of the Global Commission on the Stability of Cyberspace (GCSC) for the Full Commission Meeting held at Bratislava in 2018.</b>
<p style="text-align: justify; ">Policy-makers often use past analogous situations to reshape questions and resolve dilemmas in current issues. However, without sufficient analysis of the present situation and the historical precedent being considered, the effectiveness of the analogy is limited. This applies across contexts, including cyber space. For example, there exists a body of literature, including The Tallinn Manual, which applies key aspects (structure, process, and techniques) of various international legal regimes regulating the global commons (air, sea, space and the environment) towards developing global norms for the governance of cyberspace.</p>
<p style="text-align: justify; ">Given the recent deadlock at the Group of Governmental Experts (GGE), owing to a clear ideological split among participating states, it is clear that consensus on the applicability of traditional international law norms drawn from other regimes will not emerge if talks continue without a major overhaul of the present format of negotiations. The Achilles Heel of the GGE thus far has been a deracinated approach to the norms formulation process. There has been excessive focus on the content and the language of the applicable norm rather than the procedure underscoring its evolution, limited state and non-state participation, and a lack of consideration for social, cultural, economic and strategic contexts through which norms emerge at the global level. Even if the GGE process became more inclusive and included all United Nations members, strategies preceding the negotiation process must be designed in a manner to facilitate consensus.</p>
<p style="text-align: justify; ">There exists, to date, no scholarship that traces the negotiation processes that led to the forging of successful analogous universal regimes or an investigation into the nature of normative contestation that enabled the evolution of the core norms that shaped these regimes. To develop an effective global regime governing cyberspace, we must consider if and how existing international law or norms for other global commons might also apply to ‘cyberspace’, but also transcend this frame into more nuanced thinking around techniques and frameworks that have been successful in consensus building. This paper focuses on the latter and embarks on an assessment of how regimes universally maximized functional utility through global interactions and shaped legal and normative frameworks that resulted, for some time at least, in broad consensus.</p>
<hr />
<p style="text-align: justify; "><b><a class="external-link" href="http://cis-india.org/internet-governance/files/gcsc-research-advisory-group.pdf">Click to read more</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/conceptualizing-an-international-security-regime-for-cyberspace'>http://editors.cis-india.org/internet-governance/blog/conceptualizing-an-international-security-regime-for-cyberspace</a>
</p>
No publisher | Elonnai Hickok and Arindrajit Basu | Cyber Security | Internet Governance | 2018-10-26T15:09:23Z | Blog Entry