The Centre for Internet and Society
http://editors.cis-india.org
IT companies in Bengaluru on high alert over WannaCry ransomware
http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware
<b>In the wake of the ransomware attack triggered by the WannaCry virus, IT firms in Bengaluru are racing against time to update their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared a holiday for a day or two for their employees.</b>
<p style="text-align: justify; ">The article by <span><a href="http://www.newindianexpress.com/author/Kiran-Parashar-K-M-&-Shruthi-H-M" target="_blank">Kiran Parashar K M & Shruthi H M</a> was published in the <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/17/it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware-1605705--1.html">New Indian Express</a> on May 17, 2017. Pranesh Prakash was quoted.<br /></span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been told to be wary of unsolicited emails, and at a few places where the security systems update was in progress they were asked to stay away from work.</p>
<p style="text-align: justify; ">A network engineer at a secondary-source software firm, which provides security solutions, said, “We were asked to work on the weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared a holiday as network engineers are flooded with work.”<br /> “Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.</p>
<p style="text-align: justify; ">Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”</p>
<p style="text-align: justify; ">Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.<br /> “Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.</p>
<p style="text-align: justify; ">Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”</p>
<p style="text-align: justify; "><b>WannaCry under-reported</b></p>
<p style="text-align: justify; ">Indian Cyber Army sources said that such incidents have been under-reported, as many individuals use pirated versions of Windows. Also, people have no idea whom to report to if they fall prey to WannaCry.</p>
No publisher | praskrishna | Cyber Security | Internet Governance | Digital Media | 2017-05-19T09:05:46Z | News Item
Is the new ‘interception’ order old wine in a new bottle?
http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle
<b>The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.</b>
<p style="text-align: justify; ">An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in <a class="external-link" href="https://www.newslaundry.com/2018/12/27/is-the-new-interception-order-old-wine-in-a-new-bottle">Newslaundry.com</a> on December 27, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">On December 20, 2018, through an <a href="http://egazette.nic.in/WriteReadData/2018/194066.pdf" target="_blank">order</a> issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.</p>
<p style="text-align: justify; ">On December 21, the Press Information Bureau published a <a href="http://www.pib.nic.in/PressReleseDetail.aspx?utm_campaign=fullarticle&utm_medium=referral&PRID=1556945" target="_blank">press release</a> providing clarifications to the previous day’s order. It said the notification served merely to reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release stated that the IT Act and the Telegraph Act contain “adequate safeguards” to regulate these agencies’ powers.</p>
<p style="text-align: justify; ">Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.</p>
<p style="text-align: justify; ">As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.</p>
<p style="text-align: justify; ">When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.</p>
<p style="text-align: justify; ">- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.</p>
<p style="text-align: justify; ">- Condition 42 of the <a href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf" target="_blank">Unified Licence for Access Services</a>, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.</p>
<p style="text-align: justify; ">- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.</p>
<p style="text-align: justify; ">- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.</p>
<p style="text-align: justify; ">- Section 92 of the CrPC allows a Magistrate or Court to order access to call detail records.</p>
<p style="text-align: justify; ">Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—<a href="https://mha.gov.in/MHA1/Par2017/pdfs/par2013-pdfs/ls-110214/294.pdf" target="_blank">nine Central Government agencies and one State Government agency</a> have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:</p>
<p style="text-align: justify; ">- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.</p>
<p style="text-align: justify; ">- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.</p>
<p style="text-align: justify; ">That said, the <a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009" target="_blank">IT (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009</a> under section 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, allowing the government to authorise agencies that can monitor and collect traffic data. In 2016, the Central Government <a href="http://meity.gov.in/writereaddata/files/69B%20Notification%20-April%202016.pdf" target="_blank">authorised</a> the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear whether a similar notification has been issued under Rule 4.</p>
<p style="text-align: justify; ">While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain, including the question of whether 69(1) and 69B and associated Rules are <a href="https://thewire.in/government/narendra-modi-snooping-it-act-home-ministry" target="_blank">constitutionally</a> valid, the lack of <a href="https://cis-india.org/internet-governance/blog/transparency-in-surveillance" target="_blank">transparency</a> by the government and the prohibition of transparency by service providers, <a href="https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations" target="_blank">heavy-handed</a> penalties on service providers for non-compliance, and a lack of legal backing and <a href="https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance" target="_blank">oversight</a> mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">The MHA’s order and the press release thereafter have served to publicise and provide needed clarity as to which intelligence agencies in India hold powers under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1).</p>
<p style="text-align: justify; ">The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On <a href="https://barandbench.com/ministry-of-home-affairs-surveillance-order-challenged-in-supreme-court/" target="_blank">December 24</a>, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.</p>
<p style="text-align: justify; ">But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?</p>
No publisher | Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare | IT Act | Privacy | Internet Governance | Cyber Security | Information Technology | 2018-12-29T16:02:00Z | Blog Entry
Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No
http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks
<b>From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.</b>
<p style="text-align: justify; ">The article by Sushil Kambampati was <a class="external-link" href="http://thewire.in/67398/india-is-unprepared-for-future-cyber-attacks/">published in the Wire</a> on September 21, 2016. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.</p>
<p style="text-align: justify; "><span>However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On </span><span>May 17, the cyber-security firm Symantec </span><a href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" rel="external nofollow" target="_blank" title="stated"><span>stated</span></a><span> in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.</span></p>
<p style="text-align: justify; "><span>A week later, another cyber-security firm, Kaspersky Lab, </span><a href="http://www.kaspersky.co.in/about/news/virus/2016/Danti-and-Co" rel="external nofollow" target="_blank" title="announced"><span>announced</span></a><span> that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities. </span></p>
<p style="text-align: justify; "><span>Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators </span><a href="http://arstechnica.com/security/2016/04/how-hacking-team-got-hacked-phineas-phisher/" rel="external nofollow" target="_blank" title="reveal"><span>reveal</span></a><span> the attack, the target of the attack </span><a href="http://www.forbes.com/sites/davelewis/2014/10/14/sears-owned-kmart-discloses-data-breach/#3755df43540d" rel="external nofollow" target="_blank" title="discloses"><span>discloses</span></a><span> the breach, or because the leaked data </span><a href="https://www.washingtonpost.com/news/the-intersect/wp/2015/08/19/how-to-see-if-you-or-your-spouse-appear-in-the-ashley-madison-leak/" rel="external nofollow" target="_blank" title="shows"><span>shows</span></a><span> up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations </span><a href="http://tech.firstpost.com/biztech/cyberespionage-group-suckfly-targeted-indian-govt-e-commerce-organisations-symantec-315538.html" rel="external nofollow" target="_blank" title="received"><span>received</span></a><span> tepid </span><a href="http://timesofindia.indiatimes.com/tech/tech-news/Cyber-spy-group-Suckfly-to-continue-targeting-Indian-government-Symantec/articleshow/52326126.cms" rel="external nofollow" target="_blank" title="coverage"><span>coverage</span></a><span> in India. 
A few news organisations </span><a href="http://www.hindustantimes.com/tech/cyber-spy-group-suckfly-to-keep-targeting-indian-government-symantec/story-F50rNLT2zYhkG90o7DGKaN.html" rel="external nofollow" target="_blank" title="published"><span>published</span></a><span> the same wire </span><a href="http://economictimes.indiatimes.com/tech/ites/government-units-top-it-firm-among-cyber-espionage-targetssymantec/articleshow/52312952.cms" rel="external nofollow" target="_blank" title="story"><span>story</span></a><span> that basically </span><a href="http://tech.firstpost.com/biztech/kaspersky-reports-cyber-espionage-attacks-on-indian-government-in-2016-317107.html" rel="external nofollow" target="_blank" title="rewrote"><span>rewrote</span></a><span> information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause. </span></p>
<p style="text-align: justify; "><span>Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.</span></p>
<p style="text-align: justify; "><span>This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government </span><a href="http://zeenews.india.com/news/gujarat-on-high-alert-after-intelligence-input-on-infiltration-of-terrorists_1862830.html" rel="external nofollow" target="_blank" title="goes"><span>goes</span></a><span> on high alert, resources are </span><a href="http://timesofindia.indiatimes.com/india/Additional-BSF-battalion-on-Pakistan-border-to-avert-infiltration/articleshow/42081166.cms" rel="external nofollow" target="_blank" title="mobilised"><span>mobilised</span></a><span> and the public is </span><a href="http://timesofindia.indiatimes.com/city/ahmedabad/IB-warns-Gujarat-about-possible-infiltration-bid-at-Kutch/articleshow/50495655.cms" rel="external nofollow" target="_blank" title="warned"><span>warned</span></a><span>. The government then tries to identify the threat and stop it from doing any harm. Citizens </span><a href="http://idsa.in/idsacomments/IndiasCounterTerrorismPoliciesareMiredinSystemicWeaknesses_gkanwal_140512" rel="external nofollow" target="_blank" title="demand"><span>demand</span></a><span> that in the future the government take proactive steps to catch infiltrators and prevent any future threats.</span></p>
<p style="text-align: justify; "><b>Weak government response</b></p>
<p style="text-align: justify; "><span>One method that Suckfly uses to gain access, according to Symantec, is signing its malware with stolen digital certificates. This is the same method that was </span><a href="http://bits.blogs.nytimes.com/2015/10/14/deadline-to-disclose-data-breaches-raises-concerns-in-europe/" rel="external nofollow" target="_blank" title="used"><span>used</span></a><span> to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm from these breaches cannot be overstated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange. </span></p>
<p style="text-align: justify; "><span>All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values. </span></p>
<p style="text-align: justify; "><span>Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, </span><a href="http://www.idsa.in/system/files/book/book_indiacybersecurity.pdf" rel="external nofollow" target="_blank" title="disrupt"><span>disrupt</span></a><span> control systems of electrical grids or nuclear facilities and gain access to everything the government </span><a href="https://incometaxindiaefiling.gov.in/e-Filing/Services/KnowYourPanLink.html" rel="external nofollow" target="_blank" title="knows"><span>knows</span></a><span> about its citizens, including personal details, financial information and </span><a href="https://uidai.gov.in/beta/enrolment-update/aadhaar-enrolment.html" rel="external nofollow" target="_blank" title="identity information"><span>identity information</span></a><span>. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent </span><a href="http://gizmodo.com/bangladesh-bank-hackers-created-malware-to-target-the-g-1772834299" rel="external nofollow" target="_blank" title="attempt"><span>attempt</span></a><span> to heist $800 million from the central bank of Bangladesh.</span></p>
<p style="text-align: justify; "><span>A report on risks facing India, </span><a href="https://home.kpmg.com/in/en/home/insights/2016/08/de-risking-india-in-the-new-age-of-technology.html" rel="external nofollow" target="_blank" title="published"><span>published</span></a><span> in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.” </span></p>
<p style="text-align: justify; "><span>In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/copy_of_Network.jpg" alt="Network" class="image-inline" title="Network" /></span></p>
<p style="text-align: justify; "><span>In the Suckfly case, it took a right-to-information </span><a href="https://yourti.in/document/gu9wgny7" rel="external nofollow" target="_blank" title="query"><span>query</span></a><span> from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.</span></p>
<p style="text-align: justify; "><span>The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s </span><a href="http://www.cert-in.org.in" rel="external nofollow" target="_blank" title="Computer Emergency Response Team"><span>Computer Emergency Response Team</span></a><span> (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.</span></p>
<p style="text-align: justify; "><span>CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is </span><a href="http://pgp.mit.edu/pks/lookup?search=cert-in.org.in&op=index" rel="external nofollow" target="_blank" title="registered"><span>registered</span></a><span> in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative. </span></p>
<p style="text-align: justify; "><span>The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore, that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification </span><a href="https://rbidocs.rbi.org.in/rdocs/notification/PDFs/LBS300411F.pdf" rel="external nofollow" target="_blank" title="issued"><span>issued</span></a><span> on </span><span>June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an </span><a href="https://yourti.in/document/ien8cd4r" rel="external nofollow" target="_blank" title="RTI query "><span>RTI query </span></a><span>to get a statement from the RBI, and there it responded that it had no information on the matter. </span></p>
<p style="text-align: justify; "><span>The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack. </span></p>
<p style="text-align: justify; "><span>SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that is too long an interval for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.</span></p>
<p style="text-align: justify; "><span>What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.</span></p>
<p style="text-align: justify; "><b>Right or wrong?</b></p>
<p style="text-align: justify; "><span>The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec. </span></p>
<p style="text-align: justify; "><span>On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach. </span></p>
<p style="text-align: justify; "><span>If Symantec is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India </span><a href="http://money.cnn.com/news/economy/world_economies_gdp/index.html" rel="external nofollow" target="_blank" title="is one"><span>is one</span></a><span> of the world’s ten largest economies, and instability here would have ripple effects globally. Then there is the potential for catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and let the public know which organisations may be compromised.</span></p>
<p style="text-align: justify; "><span>According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”</span></p>
<p style="text-align: justify; "><span>Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know. </span></p>
<p style="text-align: justify; "><span>What other governments and private companies are belatedly learning is that it is better to disclose breaches proactively before the information gets out through other parties. When US retailer Target came under attack, its data breach was first </span><a href="http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/" rel="external nofollow" target="_blank" title="revealed"><span>revealed</span></a><span> by security reporter Brian Krebs. Target was </span><a href="http://mashable.com/2014/01/17/retailers-security-breach-timing/#XN.TRtygnEqf" rel="external nofollow" target="_blank" title="criticised"><span>criticised</span></a><span> for not coming forward itself and </span><a href="https://topclassactions.com/lawsuit-settlements/lawsuit-news/32647-target-data-breach-class-action-lawsuit-trial-set-april-2016/" rel="external nofollow" target="_blank" title="faced"><span>faced</span></a><span> several lawsuits. In the US, most states and jurisdictions </span><a href="http://www.reuters.com/article/us-target-data-notification-idUSBREA0F1LO20140116" rel="external nofollow" target="_blank" title="have"><span>have</span></a><span> laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation in how long companies can wait to disclose and in what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must </span><a href="http://bits.blogs.nytimes.com/2015/10/14/deadline-to-disclose-data-breaches-raises-concerns-in-europe/" rel="external nofollow" target="_blank" title="report"><span>report</span></a><span> a breach within 24 hours, and other organisations have 72 hours.</span></p>
<p style="text-align: justify; "><span>India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added. </span></p>
<p style="text-align: justify; "><span>According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.</span></p>
<p style="text-align: justify; "><span>Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has </span><a href="http://www.assocham.org/newsdetail.php?id=5669" rel="external nofollow" target="_blank" title="grown"><span>grown</span></a><span> rapidly in India, a study in 2014 by <i>YourStory</i> and Kalaari Capital </span><a href="http://yourstory.com/2014/06/infographic-indian-e-commerce-consumers-want-2014/" rel="external nofollow" target="_blank" title="found"><span>found</span></a><span> that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase. </span></p>
<p style="text-align: justify; "><span>When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.</span></p>
<p style="text-align: justify; "><span>As the KPMG report states, cyber attacks are only going to become more common. Despite </span><a href="http://thediplomat.com/2014/06/india-scrambles-on-cyber-security/" rel="external nofollow" target="_blank" title="multiple"><span>multiple</span></a> <a href="http://www.firstpost.com/business/danger-india-faces-shortage-lakh-cyber-security-pros-2482958.html" rel="external nofollow" target="_blank" title="warnings"><span>warnings</span></a><span>, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks'>http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks</a>
</p>
Published 2016-09-22 (News Item; Cyber Security, Internet Governance)

International Cooperation in Cybercrime: The Budapest Convention
http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention
<b>In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.</b>
<p><a class="external-link" href="http://cis-india.org/internet-governance/files/budapest-convention-paper.pdf"><b>Click to download the file here </b></a></p>
<hr />
<p style="text-align: justify; "><span>However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other in a greater variety and number of cases than ever before. The challenge of accessing data across borders in order to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of cooperating internationally in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (the “</span><strong>Budapest</strong><span> </span><strong>Convention</strong><span>”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America, it is the first and one of the most important multilateral treaties addressing cybercrime and international cooperation.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn1"><sup><sup>[1]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Extradition</strong></p>
<p style="text-align: justify; ">Article 24 of the Budapest Convention deals with the extradition of individuals for the offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be sought unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for at least one year.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn2"><sup><sup>[2]</sup></sup></a> In order not to complicate matters for Parties which may already have extradition treaties in place, the Convention clearly states that where such treaties exist, extradition will be subject to the conditions provided for in them.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn3"><sup><sup>[3]</sup></sup></a> Although extradition is also subject to the laws of the requested Party, if those laws require the existence of an extradition treaty, that requirement is deemed satisfied by treating the Convention as the legal basis for the extradition.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn4"><sup><sup>[4]</sup></sup></a> The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties, and that Parties shall include them in future extradition treaties.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn5"><sup><sup>[5]</sup></sup></a></p>
<p style="text-align: justify; ">The Convention also recognises the principle of "<em>aut dedere aut judicare</em>" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the ground that it does not extradite its own nationals,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn6"><sup><sup>[6]</sup></sup></a> then, if so requested, that Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn7"><sup><sup>[7]</sup></sup></a> The Convention also requires the Secretary General of the Council of Europe to maintain an updated register of the authorities designated by each Party for making or receiving requests for extradition or provisional arrest in the absence of a treaty.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn8"><sup><sup>[8]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Mutual Assistance Requests</strong></p>
<p style="text-align: justify; ">The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn9"><sup><sup>[9]</sup></sup></a> Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn10"><sup><sup>[10]</sup></sup></a> However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.</p>
<p style="text-align: justify; ">The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn11"><sup><sup>[11]</sup></sup></a> Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn12"><sup><sup>[12]</sup></sup></a></p>
<p style="text-align: justify; ">Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn13"><sup><sup>[13]</sup></sup></a> (ii) the request concerns an offence considered as a political offence by the requested Party;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn14"><sup><sup>[14]</sup></sup></a> or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, <em>ordre public </em>or other essential interests.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn15"><sup><sup>[15]</sup></sup></a> The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn16"><sup><sup>[16]</sup></sup></a> In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn17"><sup><sup>[17]</sup></sup></a></p>
<p style="text-align: justify; ">In practice, States refuse requests on a number of grounds,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn18"><sup><sup>[18]</sup></sup></a> and some states even refuse cooperation when the case is minor but would impose an excessive burden on the requested state.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn19"><sup><sup>[19]</sup></sup></a> The real case recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:</p>
<p style="text-align: justify; ">“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities, which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP for information about the IP address where the communication came from, and it was found that it came from Spain.</p>
<p style="text-align: justify; ">British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.</p>
<p style="text-align: justify; ">Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid, and there it was possible to put all the cybercafés in a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police of the exact location of the cybercafé, which allowed the officers in the street to identify and arrest A.T. on the spot.</p>
<p style="text-align: justify; ">A.T. was extradited to Norway and prosecuted.”<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn20"><sup><sup>[20]</sup></sup></a></p>
<p style="text-align: justify; ">It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.</p>
<p style="text-align: justify; ">In sensitive cases where a request has to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute it (such as disclosure before the appropriate authorities to obtain the necessary permissions). If confidentiality cannot be maintained, the requested Party shall inform the requesting Party of this fact, and the latter shall then decide whether or not to withdraw the request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn21"><sup><sup>[21]</sup></sup></a> Conversely, the requested Party may make its supply of information conditional on its being kept confidential and not being used in proceedings or investigations other than those stated in the request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn22"><sup><sup>[22]</sup></sup></a> If the requesting Party cannot comply with these conditions, it shall inform the requested Party, which will then decide whether or not to supply the information.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn23"><sup><sup>[23]</sup></sup></a></p>
<p style="text-align: justify; ">In the normal course the Convention envisages requests being made and executed through the respective designated central authorities; however, it also provides, in urgent cases, for requests to be made directly between judicial authorities or even through Interpol.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn24"><sup><sup>[24]</sup></sup></a> Even in non-urgent cases, if the authority of the requested Party is able to comply with the request without resorting to coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn25"><sup><sup>[25]</sup></sup></a></p>
<p style="text-align: justify; ">The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) search, seize or disclose computer data within its territory;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn26"><sup><sup>[26]</sup></sup></a> (ii) provide real-time collection of traffic data associated with specified communications in its territory;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn27"><sup><sup>[27]</sup></sup></a> and (iii) provide real-time collection or recording of content data of specified communications.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn28"><sup><sup>[28]</sup></sup></a> The mutual assistance specified above has to be provided in accordance with the domestic law of the requested Party.</p>
<p style="text-align: justify; ">The procedure for sending mutual assistance requests under the Convention is usually the following:</p>
<ol style="text-align: justify; ">
<li>Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.</li>
<li>Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).</li>
<li>The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.</li>
</ol>
<p style="text-align: justify; "><span>The following procedure is then followed in the corresponding receiving Party:</span></p>
<ol style="text-align: justify; ">
<li>Receipt of the request by the Central Authority.</li>
<li>The Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).</li>
<li>The Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain a court order (if needed).</li>
<li>Issuance of a court order (if needed).</li>
<li>The prosecutor orders law enforcement (e.g. a cybercrime unit) to obtain the requested data.</li>
<li>The data obtained is examined against the MLA request, which may entail translation or using a specialist in the language.</li>
<li>The information is then transmitted to the requesting State via MLA channels.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn29"><sup><sup>[29]</sup></sup></a></li>
</ol>
<p style="text-align: justify; "><span>In practice, the MLA process has generally been found to be inefficient, and this inefficiency is even more pronounced with respect to electronic evidence. Response times generally range from six months to two years, and many requests (and consequently investigations) are abandoned.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn30"><sup><sup>[30]</sup></sup></a><span> Further, a lack of awareness of the procedure and applicable legislation of the requested State leads to formal requirements not being met: requests are often incomplete or too broad, or do not meet legal thresholds or the dual criminality requirement.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn31"><sup><sup>[31]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Preservation Requests</strong></p>
<p style="text-align: justify; ">The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.</p>
<p style="text-align: justify; ">The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn32"><sup><sup>[32]</sup></sup></a> However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn33"><sup><sup>[33]</sup></sup></a> In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, <em>ordre public </em>or other essential interests of the requested Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn34"><sup><sup>[34]</sup></sup></a></p>
<p style="text-align: justify; ">If the requested Party believes that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party, which shall then decide whether to ask for the preservation regardless.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn35"><sup><sup>[35]</sup></sup></a> Preservation of data pursuant to a request will be for a minimum period of 60 days, and upon receipt of a mutual assistance request the data will continue to be preserved until a decision is taken on that request.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn36"><sup><sup>[36]</sup></sup></a> If the requested Party discovers in the course of executing the preservation request that the data was transmitted through a third state or through the requesting Party itself, it has a duty to inform the requesting Party of that fact and to provide it with sufficient traffic data to identify the service provider in the other state.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn37"><sup><sup>[37]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Jurisdiction and Access to Stored Data </strong></p>
<p style="text-align: justify; ">The problem of accessing data across international borders stems from the principle of international law that enforcement action on the territory of another State is permitted only if that State consents to it. States that do not obtain such consent may therefore be acting contrary to the principle of non-intervention and may be violating the sovereignty of the other State.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn38"><sup><sup>[38]</sup></sup></a> The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction: (i) when the data is publicly available; and (ii) when the Party accesses data located in another state through a computer system located in its own territory, provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn39"><sup><sup>[39]</sup></sup></a> These are two fairly obvious situations in which a state should be allowed to use computer data without asking another state; in fact, if a state were required to seek the permission of the state in whose territory the data is physically located even in these situations, a large number of routine investigations would be delayed, because data that would otherwise be available could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention, it appears that the Parties could not agree on any other situations in which it would be universally acceptable for a state to unilaterally access data located in another state; it must be noted, however, that other situations of unilateral access are neither authorised nor precluded.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn40"><sup><sup>[40]</sup></sup></a></p>
<p style="text-align: justify; ">Since the language of the Budapest Convention stopped short of addressing other situations, law enforcement agencies had been engaging in unilateral access to data stored in other jurisdictions on an uncertain legal basis, putting the privacy rights of individuals at risk and raising concerns about national sovereignty.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn41"><sup><sup>[41]</sup></sup></a> It was to address this problem that the Cybercrime Convention Committee (T-CY) established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011, which produced a Guidance Note clarifying the legal position under Article 32.</p>
<p style="text-align: justify; ">Guidance Note #3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) does not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorises nor precludes other situations, where it is unknown or uncertain whether data is stored in another Party, Parties may need to evaluate for themselves the legitimacy of a search or other type of access in the light of domestic law, relevant principles of international law or considerations of international relations.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn42"><sup><sup>[42]</sup></sup></a> The Budapest Convention does not require notification of the other Party, but Parties are free to notify the other Party if they deem it appropriate.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn43"><sup><sup>[43]</sup></sup></a> The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn44"><sup><sup>[44]</sup></sup></a></p>
<p style="text-align: justify; ">The person lawfully authorised to give consent is unlikely to include a service provider with respect to its users’ data. Normally a service provider is only the holder of the data; it neither owns nor controls the data and therefore cannot give valid consent to share it.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn45"><sup><sup>[45]</sup></sup></a> As to the location of the person providing access or consent, the Guidance Note notes that while the standard assumption is that the person is physically located in the requesting Party, other situations are possible: “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority seeking his or her cooperation.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn46"><sup><sup>[46]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Production Order</strong></p>
<p style="text-align: justify; ">A similar problem arises in the case of Article 18 of the Convention, which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn47"><sup><sup>[47]</sup></sup></a> It must be noted that the data in question must already be stored or existing data, which means that this provision does not cover data that has not yet come into existence, such as traffic data or content data relating to future communications.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn48"><sup><sup>[48]</sup></sup></a> Since the provision requires that the data be within the “possession or control” of the person or the service provider, it is also capable of being used to access data stored in the territory of a third Party, as long as the data is within the possession or control of the person on whom the Production Order has been served. 
In this regard the Article makes a distinction between computer data and subscriber information: computer data can only be demanded from a person (including a service provider) located within the territory of the ordering Party, even if the data is stored in the territory of a third Party.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn49"><sup><sup>[49]</sup></sup></a> Subscriber information,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn50"><sup><sup>[50]</sup></sup></a> however, can be ordered from a service provider even if the service provider is not located within the territory of the ordering Party, as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn51"><sup><sup>[51]</sup></sup></a></p>
<p style="text-align: justify; ">Since the power under Article 18 is a domestic power which can potentially be used to access subscriber data located in another State, its use may raise complicated jurisdictional issues. This, combined with the growth of cloud computing and remote data storage, also raises concerns regarding privacy and data protection, the jurisdictional basis for services offered without the service provider being established in that territory, and access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn52"><sup><sup>[52]</sup></sup></a> Even though some of these issues require further discussion and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note on Article 18 in order to avoid some of the confusion regarding the implementation of this provision.</p>
<p style="text-align: justify; ">Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn53"><sup><sup>[53]</sup></sup></a></p>
<p style="text-align: justify; ">The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection to that Party. Relevant factors in determining whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn54"><sup><sup>[54]</sup></sup></a> A service provider will not be presumed to be offering services within the territory of a Party merely because it uses a domain name or email address connected to that country.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn55"><sup><sup>[55]</sup></sup></a> The Guidance Note provides a concise tabular illustration of the requirements for serving a valid Production Order on a service provider:<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn56">[56]</a></sup></sup></p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td colspan="3">
<p align="center"><strong>PRODUCTION ORDER CAN BE SERVED</strong></p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">IF</p>
<p>The criminal justice authority has jurisdiction over the offence</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
<p>The service provider is in possession or control of the subscriber information</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
</td>
</tr>
<tr>
<td>
<p>The service provider is in the territory of the Party</p>
<p>(<em>Article 18(1)(a)</em>)</p>
</td>
<td>
<p>Or</p>
</td>
<td>
<p>A Party considers that a service provider is “offering its services in the territory of the Party” when, for example:</p>
<p>- the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services);</p>
<p>and</p>
<p>- the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party.</p>
<p>(<em>Article 18(1)(b)</em>)</p>
</td>
</tr>
<tr>
<td colspan="3">
<p align="center">AND</p>
</td>
</tr>
<tr>
<td colspan="2">
<p> </p>
</td>
<td>
<p>the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention, are clearly too slow to be a satisfactory long-term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism, such as granting access to data without consent in certain specific emergency situations;</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn57"><sup><sup>[57]</sup></sup></a><span> or access to data stored in another country through a computer in its own territory, provided the credentials for such access were obtained through lawful investigative activities.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn58"><sup><sup>[58]</sup></sup></a><span> Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, especially in light of recent developments in cloud computing where the location of the data may be uncertain or the data may be held in multiple locations,</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn59"><sup><sup>[59]</sup></sup></a><span> and to use a connecting legal factor as an alternative, such as the “power of disposal”. Under this option, even if the location of the data cannot be determined, the data can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.</span><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn60"><sup><sup>[60]</sup></sup></a><span> </span></p>
<p style="text-align: justify; "><strong>Language of Requests</strong></p>
<p style="text-align: justify; ">It was found in practice that the language in which mutual assistance requests are made is a significant issue in most States, since it causes problems such as delays due to translation, the cost of translation, the quality of translation, and so on. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention stipulating that requests sent by Parties should be accepted in English, at least in urgent cases, since most States already accept requests in English.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn61"><sup><sup>[61]</sup></sup></a> Because of these problems, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol addressing the language of mutual assistance requests for public comment.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn62"><sup><sup>[62]</sup></sup></a></p>
<p style="text-align: justify; "><strong>24/7 Network</strong></p>
<p style="text-align: justify; ">Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. The point of contact of each Party is required to have the capacity to communicate with the points of contact of any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available to facilitate the operation of the network.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn63"><sup><sup>[63]</sup></sup></a> The Parties recognised that the establishment of this network is among the most important means provided by the Convention for ensuring that Parties can respond effectively to the law enforcement challenges posed by computer- or computer-related crime.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn64"><sup><sup>[64]</sup></sup></a> In practice, however, it has been found that in a number of Parties there is a disconnect between the 24/7 point of contact and the MLA request authorities, leading to situations where the contact points are not informed whether preservation requests have been followed up by the MLA authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn65"><sup><sup>[65]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Drawbacks and Improvements</strong></p>
<p style="text-align: justify; ">The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:</p>
<p style="text-align: justify; "><em><span>Weakness and Delays in Mutual Assistance:</span></em> In practice it has been found that States refuse requests on a number of grounds,<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn66"><sup><sup>[66]</sup></sup></a> and some States even refuse cooperation where the case is minor but would impose an excessive burden on the requested State. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason why police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn67"><sup><sup>[67]</sup></sup></a> A lack of regulatory and legal awareness often leads to procedural lapses, so that requests do not meet legal thresholds. More training, more information on the requirements to be met, and standardised, multilingual templates for requests may be useful tools to address this concern.</p>
<p style="text-align: justify; "><em><span>Access to data stored outside the territory:</span></em> Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn68"><sup><sup>[68]</sup></sup></a> It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn69"><sup><sup>[69]</sup></sup></a> or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn70"><sup><sup>[70]</sup></sup></a> Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.</p>
<p style="text-align: justify; "><em><span>Language of requests:</span></em> The language of requests creates a number of problems, such as delays due to translation, the cost of translation, the quality of translation, and so on. Because of these problems, the Cybercrime Convention Committee has already released for public comment a provisional draft Additional Protocol to address the issue.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn71"><sup><sup>[71]</sup></sup></a></p>
<p style="text-align: justify; "><em><span>Bypassing of 24/7 points of contact:</span></em> Although 24/7 points of contact have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities, leading to situations where the contact points are not informed whether preservation requests have been followed up by the MLA authorities.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn72"><sup><sup>[72]</sup></sup></a></p>
<p style="text-align: justify; "><strong>India and the Budapest Convention </strong></p>
<p style="text-align: justify; ">Although countries outside the European Union have the option of signing the Budapest Convention and joining the international cooperation mechanism envisaged therein, India has so far refrained from signing it. The reasons for this refusal appear to be as follows:</p>
<ul>
<li>India did not participate in the drafting of the treaty and therefore should not sign it. This concern, while valid, is not a foreign policy stand that India has taken consistently for all treaties: India has signed other treaties in whose initial drafting and negotiation it had no hand.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn73">[73]</a></sup></sup></li>
<li>Article 32(b) of the Budapest Convention raises tricky issues of national sovereignty, since it allows cross-border access to data without the consent of the other Party. Although, as discussed above, the Guidance Note on Article 32 has clarified this issue to an extent, arguments appear to have been raised in some quarters of the government that the options provided by Article 32 are too limited and that additional means may be needed to deal with cross-border data access.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn74" style="text-align: justify; ">[74]</a></sup></sup></li>
<li>The mutual legal assistance framework under the Convention is not effective enough, and the promise of cooperation is not firm enough, since States can refuse to cooperate on a number of grounds.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn75" style="text-align: justify; ">[75]</a></sup></sup></li>
<li>It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.<sup><sup><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn76" style="text-align: justify; ">[76]</a></sup></sup></li>
<li>Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn77" style="text-align: justify; "><sup><sup>[77]</sup></sup></a></li>
</ul>
<p style="text-align: justify; ">Although in January 2018 a number of news reports indicated that India was seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no further updates on the status of this proposal.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn78"><sup><sup>[78]</sup></sup></a></p>
<p style="text-align: justify; "><strong>Conclusion</strong></p>
<p style="text-align: justify; ">The Budapest Convention has faced a number of challenges over the years as far as its provisions on international cooperation are concerned. These include delays in obtaining responses from other States, requests going unanswered for various reasons (language, costs, etc.), requests being overridden by mutual agreements, and so on. The only alternative, the MLAT system, is no better because of the delays in providing access to requested data.<a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftn79"><sup><sup>[79]</sup></sup></a> This does not mean, however, that international cooperation through the Budapest Convention is always late and inefficient, as the example of the Norwegian bank robber-murderer given above shows. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cybercrime and even of ordinary crimes (especially in the financial sector) which may involve the examination of electronic evidence. That is not the end of the road for the Budapest Convention, however: it remains the pre-eminent instrument on international cooperation on electronic evidence, with 62 State Parties and another 10 Observer States. Any mechanism that offers a solution to the thorny issues of international cooperation in the field of cybercrime would require most of the nations of the world to sign up to it. Until that happens, expanding the scope of the Budapest Convention to address at least some of the issues discussed above, by leveraging the work already done by the Cybercrime Committee through its various reports and Guidance Notes (some of which have been referenced in this paper), may be a good option, as it could give non-signatories an incentive to become Parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.</p>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref1"><sup><sup>[1]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 304.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref2"><sup><sup>[2]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref3"><sup><sup>[3]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref4"><sup><sup>[4]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(3).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref5"><sup><sup>[5]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(2).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref6"><sup><sup>[6]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 251.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref7"><sup><sup>[7]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref8"><sup><sup>[8]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 24(7).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref9"><sup><sup>[9]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(1).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref10"><sup><sup>[10]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref11"><sup><sup>[11]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(2).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref12"><sup><sup>[12]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Report to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref13"><sup><sup>[13]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 25(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref14"><sup><sup>[14]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(4)(a).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref15"><sup><sup>[15]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(4)(b).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref16"><sup><sup>[16]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref17"><sup><sup>[17]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref18"><sup><sup>[18]</sup></sup></a> Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “<em>Ne bis in idem</em>”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref19"><sup><sup>[19]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref20"><sup><sup>[20]</sup></sup></a> Pedro Verdelho, <em>Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice</em>, 2008, pg. 5, <a href="https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF">https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF</a>, accessed on March 28, 2019.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref21"><sup><sup>[21]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(8).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref22"><sup><sup>[22]</sup></sup></a> However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further, the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. <em>See</em> para 278 of the Explanatory Report to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref23"><sup><sup>[23]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 28.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref24"><sup><sup>[24]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(9)(a) and (b).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref25"><sup><sup>[25]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Report to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref26"><sup><sup>[26]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 31.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref27"><sup><sup>[27]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 33.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref28"><sup><sup>[28]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref29"><sup><sup>[29]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 37.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref30"><sup><sup>[30]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 123.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref31"><sup><sup>[31]</sup></sup></a> <em>Ibid</em> at 124.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref32"><sup><sup>[32]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref33"><sup><sup>[33]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(4).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref34"><sup><sup>[34]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(5).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref35"><sup><sup>[35]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(6).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref36"><sup><sup>[36]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 29(7).</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref37"><sup><sup>[37]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 30.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref38"><sup><sup>[38]</sup></sup></a> Anna-Maria Osula, <em>Accessing Extraterritorially Located Data: Options for States</em>, <a href="http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf">http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf</a>, accessed on March 28, 2019.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref39"><sup><sup>[39]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 32.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref40"><sup><sup>[40]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 293.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref41"><sup><sup>[41]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, <em>Transborder access and jurisdiction: What are the options?</em>, December 2012, para 310.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref42"><sup><sup>[42]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref43"><sup><sup>[43]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref44"><sup><sup>[44]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref45"><sup><sup>[45]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref46"><sup><sup>[46]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref47"><sup><sup>[47]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 18.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref48"><sup><sup>[48]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 170.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref49"><sup><sup>[49]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 173.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref50"><sup><sup>[50]</sup></sup></a> Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:</p>
<p>a. the type of communication service used, the technical provisions taken thereto and the period of service;</p>
<p>b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;</p>
<p>c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref51"><sup><sup>[51]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 173.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref52"><sup><sup>[52]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref53"><sup><sup>[53]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref54"><sup><sup>[54]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref55"><sup><sup>[55]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref56"><sup><sup>[56]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref57"><sup><sup>[57]</sup></sup></a> Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref58"><sup><sup>[58]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref59"><sup><sup>[59]</sup></sup></a> Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, <em>Criminal justice access to data in the cloud: challenges (Discussion paper)</em>, May 2015, pgs 10-14.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref60"><sup><sup>[60]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref61"><sup><sup>[61]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 35.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref62"><sup><sup>[62]</sup></sup></a> <a href="https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1">https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref63"><sup><sup>[63]</sup></sup></a> Council of Europe, <em>Convention on Cybercrime</em>, 23 November 2001, Article 35.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref64"><sup><sup>[64]</sup></sup></a> Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>, para 298.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref65"><sup><sup>[65]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 86.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref66"><sup><sup>[66]</sup></sup></a> Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “<em>Ne bis in idem</em>”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 34.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref67"><sup><sup>[67]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 7.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref68"><sup><sup>[68]</sup></sup></a> Giovanni Buttarelli, <em>Fundamental Legal Principles for a Balanced Approach</em>, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at <a href="http://ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf">ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref69"><sup><sup>[69]</sup></sup></a> Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref70"><sup><sup>[70]</sup></sup></a> Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref71"><sup><sup>[71]</sup></sup></a> <a href="https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1">https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref72"><sup><sup>[72]</sup></sup></a> Council of Europe, <em>Cybercrime Convention</em> <em>Committee assessment</em> <em>report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime</em>, December 2014, pg. 86.</p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref73"><sup><sup>[73]</sup></sup></a> Dr. Anja Kovaks, <em>India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders</em>, available at <a href="https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/">https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref74"><sup><sup>[74]</sup></sup></a> Alexander Seger, <em>India and the Budapest Convention: Why not?</em>, Digital Debates: The CyFy Journal, Vol III, available at <a href="https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/">https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/</a></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref75"><sup><sup>[75]</sup></sup></a> <em>Id</em><em>.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref76"><sup><sup>[76]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref77"><sup><sup>[77]</sup></sup></a> <em>Id.</em></p>
</div>
<div>
<p><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref78"><sup><sup>[78]</sup></sup></a> <a href="https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/">https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/</a></p>
</div>
<div>
<p style="text-align: justify; "><a href="file:///E:/Editorial/2019/Website/Budapest%20Convention%20paper.docx#_ftnref79"><sup><sup>[79]</sup></sup></a> Elonnai Hickok and Vipul Kharbanda, <em>Cross Border Cooperation on Criminal Matters - A perspective from India</em>, available at <a href="https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters">https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention'>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention</a>
</p>
Publisher: none. Author: vipul. Tags: International Cooperation, Budapest Convention, Internet Governance, MLAT, Cyber Security, Cyber Crime. Date: 2019-04-29T22:35:37Z. Type: Blog Entry.
India’s Role in Global Cyber Policy Formulation
http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation
<b>The past year has seen vigorous activity on the domestic cyber policy front in India. On key issues—including intermediary liability, data localization and e-commerce—the government has rolled out a patchwork of regulatory policies, resulting in battle lines being drawn by governments, industry and civil society actors both in India and across the globe.</b>
<p>The article by Arindrajit Basu was <a class="external-link" href="https://www.lawfareblog.com/indias-role-global-cyber-policy-formulation">published in Lawfare</a> on November 7, 2019. The article was reviewed and edited by Elonnai Hickok and Justin Sherman.</p>
<hr />
<p style="text-align: justify; ">The onslaught of recent developments demonstrates how India can shape cyber policy debates. Among emerging economies, India is uniquely positioned to exercise leverage over multinational tech companies due to its sheer population size, combined with a rapid surge in users coming online and the country’s large gross domestic product. India occupies a key seat at the <a href="https://www.theatlantic.com/international/archive/2019/06/g20-data/592606/">data governance table</a> alongside other players like the EU, China, Russia and the United States — a position the country should use to promote its interests and those of other similarly placed emerging economies.</p>
<p style="text-align: justify; ">For many years, the Indian population has served as an economic resource for foreign, largely U.S.-based tech giants. Now, however, India is moving toward a regulatory strategy that reduces the autonomy of these companies in order to pivot away from a system that has recently been termed “<a href="https://swarajyamag.com/magazine/colonialism-20-truly">data colonialism</a>”—one in which Western technology companies use data-driven revenue, bolstered by information extracted from consumers in the Global South, to consolidate their global market power. The policy thinking underpinning India’s new grand vision still has some gaps, however.</p>
<h3 style="text-align: justify; ">Data Localization</h3>
<p style="text-align: justify; ">Starting with a circular from the Reserve Bank of India in April 2018, the Indian government has <a href="https://twitter.com/cis_india/status/1143096429298085889">introduced a range of policy instruments</a> mandating “<a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">data localization</a>”—that is, requiring that certain kinds of data must be stored in servers located physically within India. A snapshot of these policies is summarized in the table below.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/IndianLaws.jpg" alt="Indian Laws" class="image-inline" title="Indian Laws" /></p>
<p style="text-align: justify; ">(<em>Source </em><a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf"><em>here</em></a><em>. Design credit: Saumyaa Naidu</em>)</p>
<p style="text-align: justify; ">While there are <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">a number of</a> reasons for this maneuver, two in particular are in line with India’s broader vision of data sovereignty—broadly defined as the sovereign right of nations to govern data within their territory and/or jurisdiction in order to support their national interest for the welfare of their citizens. First, there is an incentive to keep data within India’s jurisdiction because of the cumbersome process through which Indian law enforcement agencies must go during criminal investigations in order to access data stored in the U.S. Second, data localization undercuts the <a href="https://theprint.in/tech/digital-colonialism-why-countries-like-india-want-to-take-control-of-data-from-big-tech/298217/">extractive economic models</a> used by U.S. companies operating in India, by which the data generated by Indian citizens is collected in India, stored in data centers located largely in the U.S., and processed and analyzed there to derive commercially valuable insights.</p>
<p style="text-align: justify; ">Both foreign players and smaller Indian private-sector actors were against this move. A <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">study</a> on the issue that I co-authored earlier this year with Elonnai Hickok and Aditya Chawla found that one of the reasons for this resistance involved the high costs of setting up the data centers that are needed to comply with the requirement. President Trump <a href="https://www.whitehouse.gov/briefings-statements/remarks-president-trump-g20-leaders-special-event-digital-economy-osaka-japan/">echoed</a> this sentiment when he explicitly opposed data localization during a meeting with Prime Minister Narendra Modi on the sidelines of the G-20 in June 2019.</p>
<p style="text-align: justify; ">At the same time, large Indian players such as Reliance and Paytm and Chinese companies like AliBaba and Xilink were in favor of localization—possibly because these companies could absorb the costs of setting up storage facilities while benefiting from the fixed costs imposed on foreign competition. In fact, some companies, such as AliBaba, <a href="https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/alibaba-cloud-opens-second-data-centre-in-india/articleshow/65995570.cms">have already set up storage facilities in India.</a></p>
<p style="text-align: justify; ">As my co-authors and I noted, data localization comes with various risks, both diplomatically and politically. So far, the issue has caused friction in U.S.-India trade relations. For example, before Secretary of State Mike Pompeo's trip to New Delhi in June, the Trump administration <a href="https://thewire.in/diplomacy/us-india-h1b-visa-data-localisation">reportedly</a> contemplated limiting H-1B visas for any country that implements a localization requirement. On his trips to New Delhi, Commerce Secretary Wilbur Ross has <a href="https://www.medianama.com/2019/05/223-us-trade-secretary-wilbur-ross-highlights-data-localisation-high-tariffs-on-electronics-telecom-products-in-india-as-trade-issues/">regularly argued</a> that data localization restrictions are a barrier to U.S. companies and stressed the need to eliminate such barriers. Data localization also poses several <a href="https://www.lawfareblog.com/where-your-data-really-technical-case-against-data-localization">technical challenges</a> as well as security risks. Mirroring data across multiple locations, as India’s <a href="https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Draft Personal Data Protection Bill</a> mandates, increases the number of physical data centers that must be protected, and with it the number of points a malicious actor can attack.</p>
<p style="text-align: justify; ">Recently, the Indian media have reported <a href="https://economictimes.indiatimes.com/news/economy/policy/policymakers-a-divided-lot-on-personal-data-bill-provisions/articleshow/70404637.cms?from=mdr&utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">disagreements</a> between policymakers over data localization, along with speculation that the data storage requirement in the Draft Personal Data Protection Bill could be limited only to critical data—a term not defined in the bill itself—or be left to sectoral regulators, officials from individual government departments.</p>
<p style="text-align: justify; ">Our paper <a href="https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf">recommended a dual approach</a>. In our view, data localization policy should include mandatory localization for critical sectors such as defense or payments data, while adopting “conditional” localization for all other data. Under conditional localization, data should only be transferred to countries that (a) agree to share the personal data of Indian citizens with law enforcement authorities on the basis of Indian criminal procedure laws (one example of such a mechanism would be an executive data-sharing agreement under the <a href="https://epic.org/privacy/cloud-act/">CLOUD Act</a>) and (b) have equivalent privacy and security safeguards. This approach would be in line with India’s overarching vision of data sovereignty and the goal of standing up to the hegemony of big tech and of U.S. internet regulations, while avoiding undue collateral damage to India’s global alliances.</p>
<h3 style="text-align: justify; ">Intermediary Liability</h3>
<p style="text-align: justify; ">In line with the goal of ensuring that big tech is answerable to the rule of law, the Indian government has also sought to regulate the adverse social impacts of some speech hosted by platforms. Rule 3(9) of the <a href="https://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf">Draft of the Information Technology Intermediaries Guidelines (Amendment) Rules, 2018,</a> released by the Ministry of Electronics and Information Technology in December 2018, takes up the interventionist mission of laws like the <a href="https://www.lawfareblog.com/germanys-bold-gambit-prevent-online-hate-crimes-and-fake-news-takes-effect">NetzDG</a> in Germany. The draft rule would mandate that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.” The proposal has prompted concerns from both the private sector and civil society groups, who argue that it fails to address <a href="https://cis-india.org/internet-governance/resources/Intermediary%20Liability%20Rules%202018.pdf">constitutional concerns</a> about algorithmic discrimination, excessive censorship and inappropriate delegation of legislative powers under Indian law. Further, some observers object that the guidelines adopt a “one-size-fits-all” approach to classifying intermediaries that does not differentiate between platforms built on end-to-end encryption like WhatsApp and public platforms like Facebook.</p>
<p style="text-align: justify; ">In many ways, these guidelines—likely to be <a href="https://www.medianama.com/2019/10/223-intermediary-guidelines-to-be-notified-by-jan-15-2020-meity-tells-supreme-court/">notified (as rules under the Information Technology Act) as early as January 2020</a>—put the cart before the horse. Before devising regulatory models appropriate for India’s geographic scale and population, it is first necessary to conduct empirical research about the vectors through which misinformation spreads in India and how misinformation affects different social, economic and linguistic communities, along with pilot programs for potential solutions to the misinformation problem. And it is imperative that these measures be brought in line with constitutional requirements.</p>
<h3 style="text-align: justify; ">Community Data and “Data as a Public Good”</h3>
<p>Another important question involves the precise meaning of “data” itself—an issue on which various policy documents have failed to deliver a consistent stance.</p>
<p style="text-align: justify; ">The first conceptualization of “community data” appears in both the <a href="https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf">Srikrishna Committee Report</a> that accompanied the <a href="https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Draft Personal Data Protection Bill</a> in 2018 and the draft e-commerce policy. However, neither policy provides clarity on the concept of data.</p>
<p style="text-align: justify; ">In defining community data, the Srikrishna Report treats the collective protection of privacy as protection for an identifiable community that has contributed to the data. According to the report, such protection requires three elements. First, the data belong to an identifiable community. Second, the individuals in the community consent to being a part of the community. And third, the community as a whole consents to its data being treated as community data.</p>
<p style="text-align: justify; ">The <a href="https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf">draft e-commerce policy</a> reconceptualizes the notion of community data as “societal commons” or a “national resource,” where the undefined “community” has rights to access data but the government has overriding control to utilize the data for welfare purposes. Unlike the Srikrishna Report, the draft e-commerce policy does not outline the key aspects of community data. This approach fails to demarcate a clear line between personal and nonpersonal data or to specify any practical guidelines or restrictions on how the government can use community data. For this reason, implementation of this policy could pose a threat to the right to privacy that the Indian Supreme Court recognized as a <a href="https://thewire.in/law/supreme-court-aadhaar-right-to-privacy">fundamental right</a> in 2017.</p>
<p style="text-align: justify; ">The second idea is that of “data as a public good.” This is described in Chapter 4 of the <a href="https://www.indiabudget.gov.in/economicsurvey/doc/vol1chapter/echap04_vol1.pdf">2019 Economic Survey Report</a>—a document published by the Ministry of Finance along with the Annual Financial Budget. The report explicitly states that any data governance framework needs to be deferential to privacy norms and the soon-to-be-enacted privacy law. The report further states that “personal data” of an individual in the custody of a government is a “public good” once the datasets are anonymized.</p>
<p style="text-align: justify; ">However, the report’s recommendation of setting up a government database that links several individual databases together leads to the <a href="https://thewire.in/government/india-vision-data-republic-dangers-privacy">“triangulation” problem</a>, in which individuals can be identified by matching different datasets together. The report further suggests that the same data can be sold to private firms (though it is unclear whether this includes foreign or domestic firms). This directly contradicts the characterization of a “public good”—which, by definition, must be <a href="https://www.britannica.com/topic/public-good-economics">n</a><a href="https://www.britannica.com/topic/public-good-economics">onexcludable and nonrivalrous</a>—and is also at odds with the government’s vision of reining in big tech. The government has set up an expert committee to look into the scope of nonpersonal data, and the results of the committee’s deliberations <a href="https://www.medianama.com/2019/09/223-meity-non-personal-data-committee/">are likely to</a> influence the shape that India’s data governance framework takes across multiple policy instruments.</p>
<p style="text-align: justify; ">There is obviously a need to reassess and reevaluate the range of governance efforts and gambits that have emerged in the past year. With domestic cyber policy formulation pivots reaching a crescendo, we must consider how domestic cyber policy efforts can influence India’s approach to global debates in this space.</p>
<h3 style="text-align: justify; ">India’s Contribution to Global Cyber Policy Debates</h3>
<p style="text-align: justify; ">As the largest democracy in the world, India is undoubtedly a key <a href="https://www.newamerica.org/cybersecurity-initiative/reports/digital-deciders/">“digital decider”</a> in shaping the future of the internet. Multilateral cyber policy formulation efforts remain <a href="https://cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india">polarized</a>. The U.S. and its European allies continue to advocate for a free, rules-based conception of cyberspace with limited governmental interference. China and Russia, along with their Shanghai Cooperation Organisation allies, are pushing for a tightly regulated internet in which each state has the right to manage and define its “network frontiers” through domestic regulation free from external interference. To some degree, India is already influencing debate over the internet through its various domestic cyber policy movements. However, its participation in international debates has been lacking the vigor or coherence needed to clearly articulate India’s national interests and take up a global leadership role.</p>
<p style="text-align: justify; ">In shaping its contributions to global cyber policy formulation, India should focus its efforts on three key places: (a) internet governance forums that deliberate the governance of the technical architecture of the internet such as domain names, (b) cyber norms formulation processes that seek to establish norms to foster responsible behavior in cyberspace by states and nonstate actors, and (c) global debates on trade and cross-border data flows that seek to conceptualize the future of global digital trade relationships. As I discuss below, there are key divisions in Indian policy in each of these forums. To realize its grand vision in the digital sphere, India needs to do much more to make its presence felt.</p>
<p><em>Internet Governance Forums</em></p>
<p style="text-align: justify; ">India’s stance on a variety of issues at internet governance forums has been inconsistent, switching repeatedly between <a href="https://www.cigionline.org/sites/default/files/documents/GCIG%20Volume%202%20WEB.pdf">multilateral and multistakeholder visions for internet governance.</a> A core reason for this uncertainty <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">is the participation of multiple Indian government</a> ministries, which often disagree with each other. At global internet governance forums, India has been represented either by the Department of Electronics and Information Technology (now renamed the Ministry of Electronics and Information Technology) or the Department of Telecommunications (under the Ministry of Communications and Information Technology) or by the Ministry of External Affairs (MEA).</p>
<p style="text-align: justify; ">As my colleagues have documented <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">in a detailed paper,</a> India has been vocal in global internet governance debates at forums including the International Telecommunication Union, the Internet Governance Forum and the U.N. General Assembly. However, the Indian stance on <a href="https://www.diplomacy.edu/IGFLanguage/multistakeholderism">multistakeholderism</a> has been complex, with the MEA advocating for a multilateral stance while the other departments switched between multistakeholderism and “nuanced multilateralism”—which calls for multistakeholder participation in policy formulation but multilateral implementation. The paper also argues that there has been a decline recently in the vigor of Indian participation at forums such as the 2018 meeting of the Working Group on Enhanced Co-operation (WGEC 2.0), due to key personnel changes. For <a href="https://cis-india.org/internet-governance/files/indias-contribution-to-internet-governance-debates">example</a>, B.N. Reddy, who was a skilled and experienced negotiator for the MEA in previous forums, was transferred to another position before WGEC 2.0, and the delegation that attended the meeting did not make its presence felt as strongly or skillfully.</p>
<p><em>Cyber Norms for Responsible State Behavior in Cyberspace</em></p>
<p style="text-align: justify; ">With the exception of two broad and unoriginal statements at the <a href="https://unoda-web.s3-accelerate.amazonaws.com/wp-content/uploads/2016/10/India.pdf">70th</a> and <a href="https://undocs.org/A/71/172">71st</a> sessions of the U.N. General Assembly, India has yet to make public its position on the multilateral debate on the proliferation of norms for responsible state behavior in cyberspace. During the <a href="https://dig.watch/events/open-ended-working-group-oewg-first-substantive-session">substantive session</a> of the Open-Ended Working Group held in September, India largely reaffirmed points made by other states, rather than carving out a new or original approach. The silence and ambiguity are surprising, as India has been represented on four of the five Groups of Governmental Experts (GGEs) set up thus far and has also been inducted into the 2019-2021 GGE that is set to revamp the global cyber norms process. (Due to the GGE’s rotational membership policy, India was not a member of the fourth GGE that submitted its report in 2015.)</p>
<p style="text-align: justify; ">However, before becoming an evangelist of any particular norms, India has some homework to do domestically. It has yet to advance a clear, coherent and detailed public stance outlining its views on the application of international law to cyberspace. This public stance is necessary for two reasons. First, a well-reasoned statement that explains India’s stance on core security issues—such as the applicability of self-defense, countermeasures and international humanitarian law—would show India’s appetite for offensive and defensive strategies for external adversaries and allies alike. This would serve as the edifice of a potentially credible cyber deterrence strategy. Second, developing a public stance would help India to take advantage of the economic, demographic and political leverage that it holds and to assume a leadership role in discussions. The <a href="https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century">U.K.</a>, <a href="https://www.lawfareblog.com/frances-cyberdefense-strategic-review-and-international-law">France,</a> <a href="https://www.lawfareblog.com/germanys-position-international-law-cyberspace">Germany</a>, <a href="https://www.justsecurity.org/64490/estonia-speaks-out-on-key-rules-for-cyberspace/">Estonia</a>, <a href="https://www.justsecurity.org/wp-content/uploads/2017/06/Cuban-Expert-Declaration.pdf">Cuba</a> (backed by China and Russia) and the <a href="https://www.justsecurity.org/wp-content/uploads/2016/11/Brian-J.-Egan-International-Law-and-Stability-in-Cyberspace-Berkeley-Nov-2016.pdf">U.S.</a> have all made their positions publicly known with varying degrees of detail.</p>
<p><em>Data Transfers</em></p>
<p style="text-align: justify; ">Unlike in other forums, Indian policy has been clearer in the cross-border data transfer debate. This is a foreign policy extension of India’s emphasis on localization and data sovereignty in domestic policy instruments. At the G-20 Summit in Osaka, India and the rest of the BRICS group (Brazil, Russia, China and South Africa) stressed the role that data play in economic development for emerging economies and reemphasized the need for <a href="https://www.youtube.com/watch?v=0a8YsZQ0F6k&feature=youtu.be">data sovereignty</a>. India did not sign the <a href="https://www.international.gc.ca/world-monde/international_relations-relations_internationales/g20/2019-06-29-g20_declaration-declaration_g20.aspx?lang=eng">Osaka Declaration on the Digital Economy</a> that kickstarted the “Osaka Track”—a process whereby the 78 signatories agreed to participate in global policy discussions on international rule-making for e-commerce at the World Trade Organization (WTO). This was a continuation of India’s sustained efforts opposing the e-commerce moratorium at the WTO.</p>
<p style="text-align: justify; ">The importance of cross-border data flows in spurring the global economy found its way into the <a href="https://g20.org/pdf/documents/en/FINAL_G20_Osaka_Leaders_Declaration.pdf">Final G-20 Leaders Declaration</a>—which India signed. Foreign Secretary Vijay Gokhale <a href="https://www.youtube.com/watch?v=0a8YsZQ0F6k&feature=youtu.be">argued</a> that international rule-making on data transfers should not take place in plurilateral forums outside the WTO. Gokhale claimed that limiting the debate to the WTO would ensure that emerging economies have a say in the framing of the rules. The clarity expressed by the Indian delegation at the G-20 should be a model for more confident Indian leadership in this global cyber policy development space.</p>
<h3 style="text-align: justify; ">Looking Forward</h3>
<p style="text-align: justify; ">India is no newcomer to the idea of normative leadership. To overcome material shortcomings in the nation’s early years, Jawaharlal Nehru, the first Indian prime minister, engineered a <a href="https://www.livemint.com/Opinion/h13WRfZP09BWA3Eg68TuVL/What-Narendra-Modi-has-Jawaharlal-Nehru-to-thank-for.html">normative pivot in world affairs</a> by championing the sovereignty of countries that had gained independence from colonial rule. In the years immediately after independence, the Indian foreign policy establishment sought to break the hegemony of the United States and the Soviet Union by advancing a foreign policy rooted in what came to be known as <a href="https://www.foreignaffairs.com/articles/india/2016-09-19/india-after-nonalignment">“nonalignment.”</a></p>
<p style="text-align: justify; ">Making sound contributions to foreign policy in cyberspace requires a variety of experts—international lawyers, computer scientists, geopolitical strategists and human rights advocates. Indian civil society and academia are brimming with tech policy enthusiasts from a variety of backgrounds who could add in-depth substance to the government’s cyber vision. Such engagement has begun to some extent at the domestic level: most government policies are now opened up to consultation with stakeholders. Yet there is still room for greater transparency in this process.</p>
<p style="text-align: justify; ">India's cyber vision is worth fighting for. The continued monetization of data dividends by foreign big tech at the expense of India’s socioeconomic development needs to be countered. This can be accomplished by predictable and coherent policymaking that balances economic growth and innovation with the fundamental rights and values enshrined in the Indian Constitution, including the right to equality, freedom of speech and expression, and the right to life. But inherent contradictions in the conceptualization of personal data, delays in tabling the Personal Data Protection Bill, and uncertain or rushed approaches in several other regulatory policies are all fettering the realization of this vision. On core geopolitical issues, there exists an opportunity to set the rule-shaping agenda to favor India’s sovereign interests. With global cyber policy formulation in a state of flux, India has the economic, demographic and intellectual leverage to have a substantial impact on the debate and recraft the narrative in favor of the rapidly emerging Global South.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation'>http://editors.cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation</a>
</p>
No publisher | basu | Cyber Security | Internet Governance | 2019-11-13T14:13:33Z | Blog Entry
India-China Tech Forum 2018
http://editors.cis-india.org/internet-governance/news/india-china-tech-forum
<b>Arindrajit Basu spoke at the India-China Tech Forum 2018 organised by ORF and Peking University at the Ji Xianlin Centre for India-China Studies, Mumbai on December 11 - 12, 2018. The event functioned as a bi-annual dialogue that fosters co-operation in this space between the two countries.</b>
<p class="moz-quote-pre" style="text-align: justify; ">Arindrajit spoke on the panel 'India, China and the future of cyber norms' along with Saravjit Singh, Liu Ke and Weng Wejia. This was a closed-door discussion under the Chatham House Rule. Click <a class="external-link" href="http://cis-india.org/internet-governance/files/india-china-tech-forum-2018">here</a> to read the agenda.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/india-china-tech-forum'>http://editors.cis-india.org/internet-governance/news/india-china-tech-forum</a>
</p>
No publisher | Admin | Cyber Security | Internet Governance | 2018-12-26T15:32:20Z | News Item
India's National Cyber Security Policy in Review
http://editors.cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review
<b>Earlier this month, the Department of Electronics and Information Technology released India’s first National Cyber Security Policy. Years in the making, the Policy sets high goals for cyber security in India and covers a wide range of topics, from institutional frameworks for emergency response to indigenous capacity building.</b>
<p style="text-align: justify; ">What the Policy achieves in breadth, however, it often lacks in depth. Vague, cursory language ultimately prevents the Policy from being anything more than an aspirational document. In order to translate the Policy’s goals into an effective strategy, a great deal more specificity and precision will be required.</p>
<h3 style="text-align: justify; ">The Scope of National Cyber Security</h3>
<p style="text-align: justify; ">Where such precision is most required is in <i>definitions</i>. Having no legal force itself, the Policy arguably does not require the sort of legal precision one would expect of an act of Parliament, for example. Yet the Policy deals in terms plagued with ambiguity, <i>cyber security</i> not the least among them. In forgoing basic definitions, the Policy fails to define its own scope, and as a result it proves remarkably broad and arguably unfocused.</p>
<p style="text-align: justify; ">The Policy’s preamble comes close to defining <i>cyber security</i> in paragraph 5 when it refers to "cyber related incident[s] of national significance" involving "extensive damage to the information infrastructure or key assets…[threatening] lives, economy and national security." Here at least is a picture of cyber security on a national scale, a picture which would be quite familiar to Western policymakers: computer security practices "fundamental to both protecting government secrets and enabling national defence, in addition to protecting the critical infrastructures that permeate and drive the 21st century global economy."<a href="#fn*" name="fr*">[*]</a> The paragraph 5 definition of sorts becomes much broader, however, when individuals and businesses are introduced, and threats like identity theft are brought into the mix.</p>
<p style="text-align: justify; ">Here the Policy runs afoul of a common pitfall: conflating threats to the state or society writ large (e.g. cyber warfare, cyber espionage, cyber terrorism) with threats to businesses and individuals (e.g. fraud, identity theft). Although both sets of threats may be fairly described as cyber security threats, only the former is worthy of the term <i>national</i> cyber security. The latter would be better characterized as cyber <i>crime</i>. The distinction is an important one, lest cyber crime be “securitized,” or elevated to an issue of national security. National cyber security has already provided the justification for the much decried Central Monitoring System (CMS). Expanding the range of threats subsumed under this rubric may provide a pretext for further surveillance efforts on a national scale.</p>
<p style="text-align: justify; ">Apart from mission creep, this vague and overly broad conception of national cyber security risks overwhelming an as yet underdeveloped system with more responsibilities than it may be able to handle. Where cyber crime might be left up to the police, its inclusion alongside true national-level cyber security threats in the Policy suggests it may be handled by the new "nodal agency" mentioned in section IV. Thus clearer definitions would not only provide the Policy with a more focused scope, but they would also make for a more efficient distribution of already scarce resources.</p>
<h3 style="text-align: justify; ">What It Gets Right</h3>
<p style="text-align: justify; ">Definitions aside, the Policy actually gets a lot of things right — at least as an aspirational document. It certainly covers plenty of ground, mentioning everything from information sharing to procedures for risk assessment / risk management to supply chain security to capacity building. It is a sketch of what could be a very comprehensive national cyber security strategy, but without more specifics, it is unlikely to reach its full potential. Overall, the Policy is much of what one might expect from a first draft, but certain elements stand out as worthy of special consideration.</p>
<p style="text-align: justify; ">First and foremost, the Policy should be commended for its commitment to “[safeguarding] privacy of citizen’s data” (sic). Privacy is an integral component of cyber security, and in fact other states’ cyber security strategies have entire segments devoted specifically to privacy. India’s Policy stands to be more specific as to the <i>scope</i> of these safeguards, however. Does the Policy aim primarily to safeguard data from criminals? Foreign agents? Could it go so far as to protect user data even from its <i>own</i> agents? Indeed this commitment to privacy would appear at odds with the recently unveiled CMS. Rather than merely paying lip service to the concept of online privacy, the government would be well advised to pass <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback">legislation</a> protecting citizens’ privacy and to use such legislation as the foundation for a more robust cyber security strategy.</p>
<p style="text-align: justify; ">The Policy also does well to advocate “fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure with respect to cyber security.” Though some have argued that such regulation would impose inordinate costs on private businesses, anyone with a cursory understanding of computer networks and microeconomics could tell you that “externalities in cybersecurity are so great that even the freest free market would fail”—to quote expert <a href="http://www.schneier.com/blog/archives/2012/10/stoking_cyber_f.html">Bruce Schneier</a>. In less academic terms, a network is only as strong as its weakest link. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.</p>
<p style="text-align: justify; ">The Policy also “[encourages] wider usage of Public Key Infrastructure (PKI) within Government for trusted communication and transactions.” It is surprising, however, that the Policy does not <i>mandate</i> the usage of PKI. In general, the document provides relatively few details on what specific security practices operators of Critical Information Infrastructure (CII) can or should implement.</p>
<h3 style="text-align: justify; ">Where It Goes Wrong</h3>
<p style="text-align: justify; ">One troubling aspect of the Policy is its ambiguous language with respect to acquisition policies and supply chain security in general. The Policy, for example, aims to “[mandate] security practices related to the design, <i>acquisition</i>, development, use and operation of information resources” (emphasis added). Indeed, section VI, subsection A, paragraph 8 makes reference to the “procurement of indigenously manufactured ICT products,” presumably to the exclusion of imported goods. Although supply chain security must inevitably factor into overall cyber security concerns, such restrictive acquisition policies could not only deprive critical systems of potentially higher-quality alternatives but—depending on the implementation of these policies—could also <a href="http://csis.org/blog/diffusion-and-discrimination-global-it-marketplace">sharpen the vulnerabilities</a> of these systems.</p>
<p style="text-align: justify; ">Not only do these preferential acquisition policies risk mandating lower quality products, but it is unlikely they will be able to keep up with the rapid pace of innovation in information technology. The United States provides a cautionary tale. The U.S. National Institute of Standards and Technology (NIST), tasked with producing cyber security standards for operators of critical infrastructure, <a href="http://www.computerweekly.com/news/2240183045/NIST-revises-US-federal-cyber-security-standards">made its first update</a> to a 2005 set of standards earlier this year. Other regulatory agencies, such as the Federal Energy Regulatory Commission (FERC), move at a marginally faster pace yet nevertheless are delayed by bureaucratic processes. FERC has already <a href="http://www.tripwire.com/state-of-security/compliance/nerc-cip/nerc-cip-version-5-one-giant-leap/">moved to implement</a> Version 5 of its Critical Infrastructure Protection (CIP) standards, nearly a year before the deadline for Version 4 compliance. The need for new standards thus outpaces the ability of industry to effectively implement them.</p>
<p style="text-align: justify; ">Fortunately, U.S. cyber security regulation has so far been technology-neutral. Operators of Critical Information Infrastructure are required only to ensure certain functionalities and not to procure their hardware and software from any particular supplier. This principle ensures competition and thus security, allowing CII operators to take advantage of the most cutting-edge technologies regardless of name, model, etc. Technology neutrality does of course raise risks, such as those <a href="http://www.businessweek.com/magazine/content/10_20/b4178036082613.htm">emphasized by the Government of India</a> regarding Huawei and ZTE in 2010. Risk assessment must, however, remain focused on the technology in question and avoid politicization. India’s cyber security policy can be technology neutral as long as it follows one additional principle: <i>trust but verify</i>.</p>
<p style="text-align: justify; ">Verification may be facilitated by the use of free and open-source software (FOSS). FOSS provides <i>security through transparency</i> as opposed to <i>security through obscurity</i> and thus enables more agile responses to security issues. Users can identify and patch bugs themselves, or otherwise take advantage of the broader user community for such fixes. Thus open-source software promotes security in much the same way that competitive markets do: by accepting a wide range of inputs.</p>
<p style="text-align: justify; ">Despite the virtues of FOSS, there are plenty of good reasons to run proprietary software, e.g. fitness for purpose, cost, and track record. Proprietary software makes verification somewhat more complicated but not impossible. Source code escrow agreements have recently gained some traction as a verification measure for proprietary software, even with companies like Huawei and ZTE. In 2010, the infamous Chinese telecommunications giants <a href="http://www.ft.com/intl/cms/s/0/bd360448-7733-11e1-baf3-00144feab49a.html#axzz2ZUalpnWq">persuaded the Indian government</a> to lift its earlier ban on their products by concluding just such an agreement. Clearly <i>trust but verify</i> is eminently practicable, and so, therefore, is technology neutrality.</p>
<h3 style="text-align: justify; ">What’s Missing</h3>
<p style="text-align: justify; ">Level of detail aside, what is most conspicuously absent from the new Policy is any framework for institutional cooperation beyond 1) the designation of CERT-In “as a Nodal Agency for coordination of all efforts for cyber security emergency response and crisis management” and 2) the designation of the “National Critical Information Infrastructure Protection Centre (NCIIPC) to function as the nodal agency for critical information infrastructure protection in the country.” The Policy mentions additionally “a National nodal agency to coordinate all matters related to cyber security in the country, with clearly defined roles & responsibilities.” Some clarity with regard to roles and responsibilities would certainly be in order. Even among these three agencies—assuming they are all distinct—it is unclear who is to be responsible for what.</p>
<p style="text-align: justify; ">More confusing still is the number of other pre-existing entities with cyber security responsibilities, in particular the National Technical Research Organization (NTRO), which in an earlier draft of the Policy was to have authority over the NCIIPC. The Ministry of Defense likewise has bolstered its cyber security and cyber warfare capabilities in recent years. Is it appropriate for these to play a role in securing civilian CII? Finally, the already infamous Central Monitoring System, justified predominantly on the very basis of cyber security, receives no mention at all. For a government that is only now releasing its first cyber security policy, India has developed a fairly robust set of institutions around this issue. It is disappointing that the Policy does not more fully address questions of roles and responsibilities among government entities.</p>
<p style="text-align: justify; ">Not only is there a lack of coordination among government cyber security entities, but there is no mention of how the public and private sectors are to cooperate on cyber security information—other than oblique references to “public-private partnerships.” Certainly there is a need for information sharing, which is currently facilitated in part by the sector-level CERTs. More interesting, however, is the question of liability for high-impact cyber attacks. To whom are private CII operators accountable in the event of disruptive cyber attacks on their systems? This legal ambiguity must necessarily be resolved in conjunction with the “fiscal schemes and incentives” also alluded to in the Policy in order to motivate strong cyber security practices among all CII operators and the public more broadly.</p>
<h3 style="text-align: justify; ">Next Steps</h3>
<p style="text-align: justify; ">India’s inaugural National Cyber Security Policy is by and large a step in the right direction. It covers many of the most pressing issues in national cyber security and lays out a number of ambitious goals, ranging from capacity building to robust public-private partnerships. To realize these goals, the government will need a much more detailed roadmap.</p>
<p style="text-align: justify; ">Firstly, the extent of the government’s proposed privacy safeguards must be clarified and ideally backed by a separate piece of <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="external-link">privacy legislation</a>. As Benjamin Franklin once said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” When it comes to cyberspace, the Indian people must demand both liberty and safety.</p>
<p style="text-align: justify; ">Secondly, the government should avoid overly preferential acquisition policies and allow risk assessments to be technologically rather than politically driven. Procurement should moreover be technology-neutral. Open source software and source code escrow agreements can facilitate the verification measures that make technology neutrality work.</p>
<p style="text-align: justify; ">Finally, to translate this policy into a sound <i>strategy</i> will necessarily require that India’s various means be directed toward specific ends. The Policy hints at organizational mapping with references to CERT-In and the NCIIPC, but the roles and responsibilities of other government agencies as well as the private sector remain underdetermined. Greater clarity on these points would improve inter-agency and public-private cooperation—and thus, one hopes, security—significantly.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr*" name="fn*">*</a>] Melissa E. Hathaway and Alexander Klimburg, “Preliminary Considerations: On National Cyber Security,” in <i>National Cyber Security Framework Manual</i>, ed. Alexander Klimburg (Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, 2012), 13.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review'>http://editors.cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review</a>
</p>
Cyber Security | Internet Governance | Privacy | 2013-07-31 | Blog Entry
India needs better cyber police
http://editors.cis-india.org/news/business-standard-may-23-2014-surabhi-agarwal-india-needs-better-cyber-police
<b>On Wednesday, one of the largest online shopping and auction portals, eBay, revealed that earlier this year, cybercriminals accessed details of 145 million of its customers.</b>
<p style="text-align: justify; ">The article by Surabhi Agarwal was <a class="external-link" href="http://www.business-standard.com/article/international/india-needs-better-cyber-police-114052201689_1.html">published in the Business Standard</a> on May 23, 2014. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Even though eBay's customers' financial details are said to be safe, the incident is being termed a "historic breach" given the enormity of the data compromised. Globally, eBay is being criticised not just for its laxity in securing the digital perimeter but also for reacting too late. The company has said that it first came to know of the breach "two weeks" ago. Records that have been accessed contain passwords as well as email addresses, birth dates, mailing addresses and other personal information.</p>
<p style="text-align: justify; ">The situation is worse when it comes to reporting such instances in <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=India" target="_blank">India</a>, say <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Cyber+Security" target="_blank">cyber security</a> experts. The Indian Information Technology Act requires companies to adopt "reasonable security measures" to protect consumers' sensitive personal information such as passwords and financial details. It also makes companies duty-bound to report breaches and defines liabilities in case a firm is found not to be adhering to best data security practices. However, implementation is patchy and most such instances go unreported.</p>
<p style="text-align: justify; ">Pavan Duggal, an advocate specialising in cyber security, says most users do not come to know if there has been a breach. "Awareness is also low among consumers about the legal recourse available in case their data has been compromised," he adds. Unlike the West, India lacks a proper data protection and privacy law, and this is to blame. "Companies, too, are inclined not to report such instances as they fear being negatively impacted in the market," he points out.</p>
<p style="text-align: justify; ">In case of a breach, a user can contact the adjudicating officer, which is the state infotech secretary, for legal recourse. However, the onus is on the user to prove the breach. In the US, a consumer can get a subpoena (court order) issued against a company that makes it duty bound to provide details of the breach. "In India, the regime is too lax. It is very difficult to notify the government," says Sunil Abraham, executive director of the Centre for Internet and Society.</p>
<p style="text-align: justify; ">"There are stringent compliance requirements in countries such as the US. The laws in India need to come tougher if we want companies to become more serious about this," adds Duggal.</p>
<p style="text-align: justify; ">eBay has advised consumers, many of whom could be Indians, to immediately change their passwords. While people tend to use the same password across many sites, emails and phone numbers act as verifying tools for several financial transactions and could be misused. Moreover, unlike India, the US does not require additional authentication apart from credit card and CVV number, which makes transactions slightly more vulnerable. "It may be a good idea to include a one-time password as a security layer," says Abraham.</p>
<p style="text-align: justify; ">Over 200 million Indians are online. The Indian <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=E-commerce" target="_blank">e-commerce</a> market is estimated at $2 billion (Rs 12,000 crore) and is expected to cross $20 billion over the next four years.</p>
<p style="text-align: justify; ">"There is no such thing as 100 per cent protection in the digital world. The choice is between transacting online or not," says Akhilesh Tuteja, executive director of consulting firm KPMG. "Technology is becoming so sophisticated that what was good yesterday is not good today." A bigger dialogue is needed on people treating theft of digital assets just as they would physical assets, he adds.</p>
<p style="text-align: justify; ">The last big breach was reported at software maker Adobe Systems in October 2013, when it was uncovered that hackers accessed about 152 million user accounts. Last December Target said some 40 million payment card numbers and another 70 million customer records were hacked into.</p>
Cyber Security | Internet Governance | 2014-06-04 | News Item
India is falling down the facial recognition rabbit hole
http://editors.cis-india.org/internet-governance/blog/india-is-falling-down-the-facial-recognition-rabbit-hole
<b>Its use as an effective law enforcement tool is overstated, while the underlying technology is deeply flawed.</b>
<p>The article by Prem Sylvester and Karan Saini was published in <a href="https://thewire.in/tech/india-is-falling-down-the-facial-recognition-rabbit-hole">the Wire</a> on July 23, 2019.</p>
<hr />
<div class="grey-text">
<p>In a
discomfiting reminder of how far technology can be used to intrude on
the lives of individuals in the name of security, the Ministry of Home
Affairs, through the National Crime Records Bureau, <a href="http://ncrb.gov.in/TENDERS/AFRS/RFP_NAFRS.pdf">recently put out a tender</a> for a new Automated Facial Recognition System (AFRS). </p>
<p>The stated objective of this system is to “act as a foundation for a national level searchable platform of facial images,” and to “[improve]
outcomes in the area of criminal identification and verification by
facilitating easy recording, analysis, retrieval and sharing of
Information between different organizations.” </p>
<p>The system will pull facial image
data from CCTV feeds and compare these images with existing records in a
number of databases, including (but not limited to) the Crime and
Criminal Tracking Networks and Systems (or CCTNS), Interoperable
Criminal Justice System (or ICJS), Immigration Visa Foreigner
Registration Tracking (or IVFRT), Passport, Prisons, Ministry of Women
and Child Development (KhoyaPaya), and state police records. </p>
<p>Furthermore, this system of facial
recognition will be integrated with the yet-to-be-deployed National
Automated Fingerprint Identification System (NAFIS) as well as other
biometric databases to create what is effectively a multi-faceted system
of biometric surveillance.</p>
<p>It is rather unfortunate, then, that
the government has called for bids on the AFRS tender without any form
of utilitarian calculus that might justify its existence. The tender
simply states that this system would be “a great investigation
enhancer.” </p>
<p>This confidence is misplaced at best.
There is significant evidence that not only is a facial recognition
system, as has been proposed, <a href="https://www.nytimes.com/2019/07/01/us/facial-recognition-san-francisco.html">ineffective in its application as a crime-fighting tool</a>, but it is a significant <a href="https://www.independent.co.uk/news/uk/home-news/facial-recognition-uk-police-london-trials-inaccurate-legal-results-ethics-a8938851.html">threat to the privacy rights and dignity of citizens</a>.
Notwithstanding the question of whether such a system would ultimately
pass the test of constitutionality – on the grounds that it affects
various freedoms and rights guaranteed within the constitution – there
are a number of faults in the issued tender. </p>
<p>Let us first consider the mechanics of a facial recognition system itself. Facial recognition systems <a href="https://medium.com/@ageitgey/machine-learning-is-fun-part-4-modern-face-recognition-with-deep-learning-c3cffc121d78">chain together a number of algorithms to identify</a>
and pick out specific, distinctive details about a person’s face – such
as the distance between the eyes, or shape of the chin, along with
distinguishable ‘facial landmarks’. These details are then converted
into <a href="https://www.eff.org/pages/face-recognition">a mathematical representation known as a face template</a> for
comparison with similar data on other faces collected in a face
recognition database. There are, however, several problems with facial
recognition technology that employs such methods. </p>
<p>Facial recognition technology depends
on machine learning – the tender itself mentions that the AFRS is
expected to work on neural networks “or similar technology” – which is
far from perfect. At a relatively trivial level, there are several ways
to fool facial recognition systems, including wearing <a href="https://www.theguardian.com/technology/2016/nov/03/how-funky-tortoiseshell-glasses-can-beat-facial-recognition">eyewear</a>, or <a href="https://theoutline.com/post/5172/juggalo-juggalette-facepaint-makeup-hack-beat-facial-recognition-technology?curator=MusicREDEF&zd=4&zi=s7q4e3fe">specific types of makeup</a>. The training sets for the algorithm itself can be deliberately poisoned to recognise objects incorrectly, <a href="https://www.theregister.co.uk/2017/11/06/mit_fooling_ai/">as observed by students at MIT</a>. </p>
<p>More consequentially, these systems
often throw up false positives, such as when the face recognition system
incorrectly matches a person’s face (say, from CCTV footage) to an
image in a database (say, a mugshot), which might result in innocent
citizens being identified as criminals. In a <a href="https://www.bka.de/SharedDocs/Downloads/EN/Publications/Other/photographBasedSearchesFinalReport.pdf?__blob=publicationFile&v=1">real-time experiment</a> set in a train station in Mainz, Germany,
facial recognition accuracy ranged from 17-29% – and that too only for
faces seen from the front – and was at 60% during the day but 10-20% at
night, indicating that environmental conditions play a significant role
in this technology.</p>
<p>Facial recognition software used by the UK’s Metropolitan Police <a href="https://www.independent.co.uk/news/uk/home-news/met-police-facial-recognition-success-south-wales-trial-home-office-false-positive-a8345036.html" rel="noopener" target="_blank">has returned false positives in more than 98% of match alerts generated</a>.</p>
<p>When the American Civil Liberties Union (ACLU) <a href="https://www.aclu.org/blog/privacy-technology/surveillance-technologies/amazons-face-recognition-falsely-matched-28">used</a>
Amazon’s face recognition system, Rekognition, to compare images of
legislative members of the American Congress with a database of
mugshots, the results included 28 incorrect matches.</p>
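<p>The Met Police figure and the ACLU result above follow from base-rate arithmetic rather than from any one vendor's model. The following added example (not code from the article or from any AFRS vendor) computes the expected true and false alerts when every passer-by is compared against every template on a watchlist; the population, watchlist size and error rates are constructed values, and it assumes independent comparisons with a uniform per-comparison false match rate.</p>

```python
"""Base-rate arithmetic for a live facial recognition watchlist search.

Added illustration with constructed numbers (not figures from the article or
from any deployed AFRS). Every passer-by is compared against every template on
the watchlist. A per-comparison false match rate (FMR) that looks small turns
into a large share of false alerts because almost nobody passing the camera is
really on the list, and each passer-by gets one chance per template to be
mismatched. Assumptions: comparisons are independent and the FMR is uniform.
"""


def false_alert_probability(fmr: float, watchlist_size: int) -> float:
    """Probability that a person who is NOT on the watchlist triggers at least
    one alert when compared against every template (independent comparisons)."""
    if not 0.0 <= fmr <= 1.0 or watchlist_size < 0:
        raise ValueError("fmr must be in [0, 1] and watchlist_size >= 0")
    return 1.0 - (1.0 - fmr) ** watchlist_size


def expected_alerts(passers_by: int, on_watchlist: int, watchlist_size: int,
                    fmr: float, tmr: float) -> dict:
    """Expected true and false alerts for one deployment.

    passers_by      people who walk past the camera
    on_watchlist    how many of those are genuinely on the watchlist
    watchlist_size  number of templates in the watchlist database
    fmr             per-comparison false match rate (a stranger scored as a match)
    tmr             true match rate (a listed person correctly matched)
    """
    if on_watchlist > passers_by:
        raise ValueError("on_watchlist cannot exceed passers_by")
    strangers = passers_by - on_watchlist
    false_alerts = strangers * false_alert_probability(fmr, watchlist_size)
    true_alerts = on_watchlist * tmr
    total = true_alerts + false_alerts
    precision = true_alerts / total if total else 0.0
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "alert_precision": precision,          # share of alerts that are correct
        "false_alert_share": 1.0 - precision,  # share of alerts that are wrong
    }


def max_fmr_for_precision(target_precision: float, passers_by: int,
                          on_watchlist: int, watchlist_size: int,
                          tmr: float) -> float:
    """Largest per-comparison FMR that still keeps alert precision >= target.

    Closed form: false alerts may be at most true_alerts * (1 - t) / t, which
    fixes the per-stranger alert probability p; then 1 - (1 - fmr)**N == p
    gives fmr = 1 - (1 - p)**(1/N).
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must be strictly between 0 and 1")
    strangers = passers_by - on_watchlist
    true_alerts = on_watchlist * tmr
    if strangers == 0 or watchlist_size == 0:
        return 1.0  # nobody can be falsely matched, so any FMR is tolerable
    if true_alerts == 0:
        return 0.0  # no true alerts at all, so no false alert is tolerable
    allowed_false = true_alerts * (1.0 - target_precision) / target_precision
    per_stranger = min(allowed_false / strangers, 1.0)
    return 1.0 - (1.0 - per_stranger) ** (1.0 / watchlist_size)


if __name__ == "__main__":
    # Constructed scenario: 100,000 passers-by in a day, 10 of them on a
    # 2,000-face watchlist, FMR of 1 in 10,000 per comparison, TMR of 80%.
    result = expected_alerts(100_000, 10, 2_000, fmr=1e-4, tmr=0.8)
    print(f"true alerts  : {result['true_alerts']:.1f}")
    print(f"false alerts : {result['false_alerts']:.1f}")
    print(f"false share  : {result['false_alert_share']:.2%}")
    needed = max_fmr_for_precision(0.5, 100_000, 10, 2_000, tmr=0.8)
    print(f"FMR needed for 50% alert precision: {needed:.2e}")
```

With the constructed scenario the system raises about eight true alerts against roughly eighteen thousand false ones, and reaching even 50% alert precision would require a per-comparison false match rate around four in a hundred million.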
<p>There is another uncomfortable reason
for these inaccuracies – facial recognition systems often reflect the
biases of the society they are deployed in, leading to problematic
face-matching results. Technological objectivity is largely a myth, and
facial recognition offers a stark example of this. </p>
<p><a href="http://proceedings.mlr.press/v81/buolamwini18a/buolamwini18a.pdf">An MIT study</a> shows that existing facial recognition technology routinely misidentifies
people of darker skin tone, women and young people at high rates,
performing better on male faces than female faces (8.1% to 20.6%
difference in error rate), lighter faces than darker faces (11.8% to
19.2% difference in error rate) and worst on darker female faces (20.8%
to 34.7% error rate). In the aforementioned ACLU study, the false
matches were disproportionately people of colour, particularly
African-Americans. The bias rears its head when the parameters of
machine-learning algorithms, derived from labelled data during a
“supervised learning” phase, adhere to socially-prejudiced ideas of who
might commit crimes. </p>
<p>The implications for facial
recognition are chilling. In an era of pervasive cameras and big data,
such prejudice can be applied at unprecedented scale through facial
recognition systems. By replacing biased human judgment with a machine
learning technique that embeds the same bias, and more reliably, we
defeat any claims of technological neutrality. Worse, because humans
will assume that the machine’s “judgment” is not only consistently fair
on average but independent of their personal biases, they will read
agreement of its conclusions with their intuition as independent
corroboration. </p>
<p>In the Indian context, consider that Muslims, Dalits, Adivasis and other SC/STs are <a href="https://www.newsclick.in/how-caste-plays-out-criminal-justice-system">disproportionately targeted</a> by law enforcement.
The NCRB in its 2015 report on prison statistics in India recorded that
over 55% of the undertrial prisoners in India are either Dalits,
Adivasis or Muslims, a number grossly disproportionate to the combined
population of Dalits, Adivasis and Muslims, which amounts to just 39% of
the total population according to the 2011 Census.</p>
<p>If the AFRS is thus trained on these
records, it would clearly reinforce socially-held prejudices against
these communities, as inaccurately representative as they may be of
those who actually carry out crimes. The tender gives no indication that
the developed system would need to eliminate or even minimise these
biases, nor if the results of the system would be human-verifiable.</p>
<p>This could lead to a runaway effect
if subsequent versions of the machine-learning algorithm are trained
with criminal convictions in which the algorithm itself played a causal
role. Taking such a feedback loop to its logical conclusion, law
enforcement may use machine learning to allocate police resources to
likely crime spots – which would often be in low income or otherwise
vulnerable communities.</p>
<p>Adam Greenfield writes in <em>Radical Machines</em>
on the idea of ‘over transparency,’ which combines the “bias” of the
system’s designers as well as of the training sets – based as these systems
are on machine learning – and “legibility” of the data from which
patterns may be extracted. The “meaningful question,” then, isn’t
limited to whether facial recognition technology works in identification
– “[i]t’s whether someone believes that they do, and acts on that
belief.”</p>
<p>The question thus arises as to why
the MHA/NCRB believes this is an effective tool for law enforcement.
We’re led, then, to another, larger concern with the AFRS – that it
deploys a system of surveillance that oversteps its mandate of law
enforcement. The AFRS ostensibly circumvents the fundamental right to
privacy, as ratified by the Supreme Court in 2018, through sourcing its
facial images from CCTV cameras installed in public locations, where the
citizen may expect to be observed. </p>
<p>The extent of this surveillance is
made even clearer when one observes the range of databases mentioned in
the tender for the purposes of matching with suspects’ faces extends to
“any other image database available with police/other entity” besides
the previously mentioned CCTNS, ICJS et al. The choice of these
databases makes overreach extremely viable.</p>
<p>This is compounded when we note that
the tender expects the system to “[m]atch suspected criminal face[sic]
from pre-recorded video feeds obtained from CCTVs deployed in various
critical identified locations, or with the video feeds received from
private or other public organization’s video feeds.” There further
arises a concern with regard to the process of identification of such
“critical […] locations,” and if there would be any mechanisms in place
to prevent this from being turned into an unrestrained system of
surveillance, particularly with the stated access to private
organisations’ feeds.</p>
<p><a href="https://www.perpetuallineup.org/sites/default/files/2016-12/The%20Perpetual%20Line-Up%20-%20Center%20on%20Privacy%20and%20Technology%20at%20Georgetown%20Law%20-%20121616.pdf">The Perpetual Lineup report</a>
by Georgetown Law’s Center on Privacy & Technology identifies
real-time (and historic) video surveillance as posing a very high risk
to privacy, civil liberties and civil rights, especially owing to the
high-risk factors of the system using real-time dragnet searches that
are more or less invisible to the subjects of surveillance.</p>
<p>It is also designated a “Novel Use”
system of criminal identification, i.e., with little to no precedent as
compared to fingerprint or DNA analysis, the latter of which was
responsible for countless wrongful convictions during its nascent
application in the science of forensic identification, which have since
then been overturned.</p>
<p>In the <em>Handbook of Face Recognition</em>,
Andrew W. Senior and Sharathchandra Pankanti identify a more serious
threat that may be born out of automated facial recognition, assessing
that “these systems also have the potential […] to make judgments about
[subjects’] actions and behaviours, as well as aggregating this data
across days, or even lifetimes,” making video surveillance “an
efficient, automated system that observes everything in front of any of
its cameras, and allows all that data to be reviewed instantly, and
mined in new ways” that allow constant tracking of subjects.</p>
<p>Such “blanket, omnivident surveillance networks” are a serious possibility through the proposed AFRS. <a href="https://jis-eurasipjournals.springeropen.com/track/pdf/10.1155/2009/865259">Ye et al, in their paper on “Anonymous biometric access control”</a>, show
how automatically captured location and facial image data obtained from
cameras designed to track the same can be used to learn graphs of
social networks in groups of people.</p>
<p>Consider those charged with sedition or similar <em>crimes</em>,
given that the CCTNS records the details as noted in FIRs across the
country. Through correlating the facial image data obtained from CCTVs
across the country – the tender itself indicates that the system must be
able to match faces obtained from two (or more) CCTVs – this system
could easily be used to target the movements of dissidents moving across
locations.</p>
<p><strong>Constantly watched</strong></p>
<p>Further, something which has not been
touched upon in the tender – and which may ultimately allow for a
broader set of images for carrying out facial recognition – is the
definition of what exactly constitutes a ‘criminal’. Is it when an FIR
is registered against an individual, or when s/he is arrested and a
chargesheet is filed? Or is it only when an individual is convicted by a
court that they are considered a criminal?</p>
<p>Additionally, does a person cease to be recognised by the tag of a <em>criminal</em> once
s/he has served their prison sentence and paid their dues to society?
Or are they instead marked as higher-risk individuals who may
potentially commit crimes again? It could be argued that such a
definition is not warranted in a tender document, however, these are
legitimate questions which should be answered prior to commissioning and
building a <em>criminal</em> facial recognition system.</p>
<p>Senior and Pankanti note the generalised metaphysical consequences of pervasive video surveillance in the <em>Handbook of Face Recognition:</em> </p>
<p>“the
feeling of disquiet remains [even if one hasn’t committed a major
crime], perhaps because everyone has done something “wrong”, whether in
the personal or legal sense (speeding, parking, jaywalking…) and few
people wish to live in a society where all its laws are enforced
absolutely rigidly, never mind arbitrarily, and there is always the
possibility that a government to which we give such powers may begin to
move towards authoritarianism and apply them towards ends that we do not
endorse.”</p>
<p>Such a seemingly apocalyptic scenario
isn’t far-fetched. In the section on ‘Mandatory Features of the AFRS’,
the system goes a step further and is expected to integrate “with other
biometric solution[sic] deployed at police department system like
Automatic Fingerprint identification system (AFIS)[sic]” and “Iris.”
This form of linking of biometric databases opens up possibilities of a
dangerous extent of profiling.</p>
<p>While the Aadhaar Act, 2016,
disallows Aadhaar data from being handed over to law enforcement
agencies, the AFRS and its linking with biometric systems (such as the
NAFIS) effectively bypasses the minimal protections from biometric
surveillance the prior unavailability of Aadhaar databases might have
afforded. The fact that India does not have a data protection law yet –
and the Bill makes no references to protection against surveillance
either – deepens the concern with the usage of these integrated
databases. </p>
<p>The Perpetual Lineup report warns
that the government could use biometric technology “to identify multiple
people in a continuous, ongoing manner [..] from afar, in public
spaces,” allowing identification “to be done in secret”. Senior and
Pankanti warn of “function creep,” where the public grows uneasy as
“silos of information, collected for an authorized process […] start
being used for purposes not originally intended, especially when several
such databases are linked together to enable searches across multiple
domains.”</p>
<p>This, as Adam Greenfield points out,
could very well erode “the effectiveness of something that has
historically furnished an effective brake on power: the permanent
possibility that an enraged populace might take to the streets in
pursuit of justice.”</p>
<p>What the NCRB’s AFRS amounts to,
then, is a system of public surveillance that offers little demonstrable
advantage to crime-fighting, especially as compared with its costs to
fundamental human rights of privacy and the freedom of assembly and
association. This, without even delving into its implications with
regard to procedural law. To press on with this system, then, would be
indicative of the government’s lackadaisical attitude towards protecting
citizens’ freedoms. </p>
<hr />
<p><em>The views expressed by the authors in this article are
personal.</em></p>
</div>
Prem Sylvester and Karan Saini | Cyber Security | Facial Recognition | 2019-07-25 | Blog Entry
Incident Response Requirements in Indian Law
http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law
<b>Cyber incidents have serious consequences for societies, nations, and those who are victimised by them. The theft, exploitation, exposure or otherwise damage of private, financial, or other sensitive personal or commercial data and cyber attacks that damage computer systems are capable of causing lasting harm. </b>
<p style="text-align: justify; ">A recent example of such an attack that we have seen from India is the recent data breach involving an alleged 3.2 million debit cards in India.<a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a> In the case of this hack, the payment processing networks, such as the National Payments Corporation of India, Visa and Mastercard, informed the banks regarding the leaks, based on which the banks started the process of blocking and then reissuing the compromised cards. It has also been reported that the banks failed to report this incident to the Computer Emergency Response Team of India (CERT-In) even though they are required by law to do so.<a href="#_ftn2" name="_ftnref2"><sup>[2]</sup></a> Such risks are increasingly faced by consumers, businesses, and governments. A person who is the victim of a cyber incident usually looks for assistance from the service provider and from government agencies that are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents. For an effective response to cyber incidents, it is essential that the authorities have as much knowledge regarding the incident as possible, and have it as soon as possible. It is also critical that this information is communicated to the public. This underlines the importance of reporting cyber incidents as a tool for making the internet and digital infrastructure secure. Like any other crime, an Internet-based crime should be reported to the law enforcement authorities assigned to tackle it at the local, state, national or international level, depending on the nature and scope of the criminal act. This is the first in a series of blog posts on the importance of incident reporting in the Indian regulatory context; the series aims to highlight the Indian regulations dealing with incident reporting, with the ultimate objective of a more robust incident reporting environment in India.</p>
<p style="text-align: justify; "><b>Incident Reporting under CERT Rules</b></p>
<p style="text-align: justify; ">In India, section 70-B of the Information Technology Act, 2000 (the “<b>IT Act</b>”) gives the Central Government the power to appoint an agency of the government to be called the Indian Computer Emergency Response Team. In pursuance of the said provision the Central Government issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “<b>CERT Rules</b>”) which provide the location and manner of functioning of the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the CERT Rules gives every person, company or organisation the option to report cyber security incidents to the CERT-In. It also places an obligation on them to mandatorily report the following kinds of incidents as early as possible:</p>
<ul style="text-align: justify; ">
<li>Targeted scanning/probing of critical networks/systems;</li>
<li>Compromise of critical systems/information;</li>
<li>Unauthorized access of IT systems/data;</li>
<li>Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;</li>
<li>Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;</li>
<li>Attacks on servers such as database, mail, and DNS and network devices such as routers;</li>
<li>Identity theft, spoofing and phishing attacks;</li>
<li>Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;</li>
<li>Attacks on critical infrastructure, SCADA systems and wireless networks;</li>
<li>Attacks on applications such as e-governance, e-commerce, etc.</li>
</ul>
<p style="text-align: justify; ">The CERT Rules also impose an obligation on service providers, intermediaries, data centres and body corporates to report cyber incidents within a reasonable time so that CERT-In may have scope for timely action. This mandatory obligation to report incidents casts a fairly wide net in terms of private sector entities; however, it is notable that prima facie the provision does not impose any obligation on government entities to report cyber incidents unless they come under any of the expressions “service providers”, “data centres”, “intermediaries” or “body corporate”. This would mean that if the data kept with the Registrar General & Census Commissioner of India were hacked in a cyber incident, there would be no statutory obligation under the CERT Rules on it to report the incident. It is pertinent to mention here that although there is no obligation under law on a government department to report such an incident, such an obligation may be contained in its internal rules, guidelines, etc., which are not readily available.</p>
<p style="text-align: justify; ">It is pertinent to note that although the CERT Rules provide for a mandatory obligation to report the cyber incidents listed therein, the Rules themselves do not provide for any penalty for non-compliance. However, this does not mean that there are no consequences for non-compliance; it means that we have to look to the parent legislation, i.e. the IT Act, for the appropriate penalties. Section 70B(6) gives CERT-In the power to call for information and give directions for the purpose of carrying out its functions. Section 70B(7) provides that any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for, or to comply with a direction under sub-section (6), shall be liable to imprisonment for a period of up to 1 (one) year or a fine of up to 1 (one) lakh, or both.</p>
<p style="text-align: justify; ">It is possible to argue here that sub-section (6) only talks about calls for information by CERT-In, and that the obligation under Rule 12 of the CERT Rules is an obligation placed by the central government and not by CERT-In. It can also be argued that sub-section (6) is only meant for specific requests for information made by CERT-In, and that sub-section (7) only penalises those who do not respond to these specific requests. However, even if these arguments were to be accepted and we were to conclude that a violation of the obligation imposed under Rule 12 would not attract the penalty stipulated under sub-section (7) of section 70B, that does not mean that Rule 12 would be left toothless. Section 44(b) of the IT Act provides that where any person is required under any of the Rules or Regulations under the IT Act to furnish any information within a particular time and fails to do so, s/he may be liable to pay a penalty of up to Rs. 5,000/- for every day such failure continues. Further, section 45 provides for a penalty of Rs. 25,000/- for any contravention of any of the rules or regulations under the Act for which no other penalty has been provided.</p>
<p style="text-align: justify; "><b>Incident Reporting under Intermediary Guidelines</b></p>
<p style="text-align: justify; ">Section 2(1)(w) of the IT Act defines the term “intermediary” in the following manner:</p>
<p style="text-align: justify; ">“intermediary” with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.</p>
<p style="text-align: justify; ">Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules, 2011 (the “<b>Intermediary Guidelines</b>”) also imposes an obligation on every intermediary to report cyber incidents and to share information related to cyber security incidents with CERT-In. Since neither the Intermediary Guidelines nor the IT Act specifically provides for any penalty for non-conformity with Rule 3(9), any enforcement action against an intermediary failing to report a cyber security incident would have to be taken under section 45 of the IT Act, which carries a penalty of Rs. 25,000/-.</p>
<p style="text-align: justify; "><b>Incident Reporting under the Unified License</b></p>
<p style="text-align: justify; ">Clause 39.10(i) of the Unified License Agreement obliges the telecom company to create facilities for the monitoring of all intrusions, attacks and frauds on its technical facilities and provide reports on the same to the Department of Telecom (DoT). Further clause 39.11(ii) provides that for any breach or inadequate compliance with the terms of the license, the telecom company shall be liable to pay a penalty amount of Rs. 50 crores (Rs. 50,00,00,000) per breach.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">It is clear from the above discussion that there is a legal obligation on service providers to report cyber incidents to CERT-In. Presently, except in the case of telecom companies under the Unified License Agreement, the penalty prescribed under Indian law may not be enough to incentivise companies to adopt comprehensive and consistent incident response programmes. A fine of Rs. 25,000/- appears inconsequential when compared to the possible dangers and damages that may be caused by a security breach of data containing, for example, credit card details. Further, it is imperative that, apart from the obligation to report the cyber incident to the appropriate authority (CERT-In), there should also be a legal obligation to report it to the data subjects whose data is stolen or is put at risk by the breach. A provision requiring notice to the data subjects could go a long way in ensuring that service providers, intermediaries, data centres and body corporates implement the best data security practices, since a breach would then be known to general consumers, leading to bad publicity that could negatively impact the business of the data controller; for a business entity, an economic stimulus may be an effective way to ensure compliance.</p>
<p style="text-align: justify; ">As we continue to research incident response, the questions and areas we are exploring include the ecosystem of incident response (including what is reported, how, and when), appropriate incentives for companies and governments to report incidents, various forms of penalties, the role of cross-border sharing of information and jurisdiction, and best practices for incident reporting and citizen awareness.</p>
<p style="text-align: justify; "><i>Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document</i></p>
<hr />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1"><sup>[1]</sup></a> <a href="http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/">http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2"><sup>[2]</sup></a> <a href="http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025">http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law'>http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law</a>
</p>
No publisher. Author: vipul. Tags: Cyber Security, Internet Governance, Privacy. Date: 2016-12-28T01:19:28Z. Type: Blog Entry.
Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India
http://editors.cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india
<b>The aim of this policy brief is to recommend changes pertaining to current legislation, policy and practice to the Government of India regarding external vulnerability reporting and disclosure. The changes we recommend within this brief aim to strengthen the processes around voluntary vulnerability and bug disclosure by third parties. </b>
<div>This is an update to our previously released paper titled "Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India". The full document can be accessed <a href="https://cis-india.org/internet-governance/resources/Improving%20the%20Processes%20for%20Disclosing%20Security%20Vulnerabilities%20to%20Government%20Entities%20in%20India.pdf">here</a>.</div>
<hr width="50%" />
<div>
<p id="docs-internal-guid-5561d8e6-7fff-16c2-47f6-6fe5dc991e98" dir="ltr">The ubiquitous adoption and integration of information and communication technologies in almost all aspects of modern life raises with it the importance of being able to ensure the security and integrity of the systems and resources that we rely on. This importance is even more pressing for the Government, which is increasingly pushing to digitise the operational infrastructure it relies on, at both the State and the Central level.</p>
<p dir="ltr">This policy brief draws from knowledge that has been gathered from various sources, including information sourced from newspaper and journal articles, current law and policy, as well as from interviews that we conducted with various members of the Indian security community. This policy brief touches upon the issue of vulnerability disclosures, specifically those that are made by individuals to the Government, while exploring prevalent challenges with the same and making recommendations as to how the Government’s vulnerability disclosure processes could potentially be improved.</p>
<br />
<h3 dir="ltr">Key learnings from the research include:</h3>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a noticeable shortcoming in the availability of information with regard to the current vulnerability disclosure programmes and processes of Indian Government entities, which is only exacerbated by a lack of transparency;</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is an observable gap in the amount and quality of interaction between security researchers and the Government, which is supported by the lack of proper channels for mediating such communication and cooperation;</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are several sections and provisions within the Information Technology Act, 2000, which have the potential to disincentivise legitimate security research, even if the same has been carried out in good faith.</p>
</li></ul>
</div>
No publisher. Authors: Karan Saini, Pranesh Prakash and Elonnai Hickok. Tags: Cyber Security, Vulnerability Disclosure. Date: 2019-04-01T12:02:05Z. Type: Blog Entry.
IEEE-SA InDITA Conference 2018
http://editors.cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018
<b>Gurshabad Grover participated in the IEEE-SA InDITA Conference 2018, organized by the IEEE Standards Association and held at IIIT-Bangalore on July 10 and 11, 2018.</b>
<p>Gurshabad gave a brief presentation on how we could apply or reject 'Trust Through Technology' principles in the design of public biometric authentication. The agenda for the event can be <a class="external-link" href="https://ieee-dita.org/indita18/agenda/">accessed here</a>. More details are on the event <a class="external-link" href="https://ieee-dita.org/indita18/">website</a>.</p>
No publisher. Author: Admin. Tags: Cyber Security, Internet Governance. Date: 2018-08-01T23:04:18Z. Type: News Item.
How Long Have Banks Known About The Debit Card Fraud?
http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud
<b>The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.</b>
<p>The article was <a class="external-link" href="http://www.bloombergquint.com/opinion/2016/10/21/how-long-have-banks-known-about-the-debit-card-fraud">published by Bloomberg</a> on October 22, 2016.</p>
<hr />
<p style="text-align: justify; ">The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has actively affected at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the pro-active measures (including card revocation) being taken by banks to prevent further financial losses.</p>
<p style="text-align: justify; ">Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.</p>
<h3 style="text-align: justify; ">The Modus Operandi</h3>
<p style="text-align: justify; ">According to reports, the compromise may have happened at the level of Hitachi Payment Services, a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by malware, which then infected the payment services provider's network, giving the malware a far larger potential target area than just the physical ATMs. The malware could have infected the payment switch provider by being physically loaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and, via the same compromised network, transmitted confidential details, including ATM PINs and CVV numbers, to the operators of the malware.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Malware.jpg/@@images/13c6e6b2-e9be-4056-bd2d-ad540cff88dc.jpeg" alt="Malware" class="image-inline" title="Malware" /></p>
<p style="text-align: justify; ">The attack could also have originated from some other vulnerable part of the payment network, such as a payment switch within the bank itself, which would make it far more dangerous: it may still be active on parts of the network within the bank and would have access to a far wider range and variety of information than a mere ATM. There is no real way to know whether the threat has even been contained, let alone neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due for at least another 15 days, as intimated by NPCIL.</p>
<h3 style="text-align: justify; ">Massive Financial Implications</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p><img src="http://editors.cis-india.org/home-images/Bank.png/@@images/5a9bda35-ccdc-4895-a841-609c4c7c0958.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News) <br /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name & CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.</p>
<p style="text-align: justify; ">This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.</p>
<h3 style="text-align: justify; ">Are Banks Concealing Information?</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_Bank.png/@@images/0f5235cb-4909-4885-b12e-d83bb4202230.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The absence of data/security breach laws in India is being sharply felt, as there has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation and disclosure of key information pertaining to the attack, along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being kept under wraps for so long (it occurred at the bank level in September, almost a month ago) and would also have ensured far more vigilant, active compliance by corporations and banks with international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards to be issued to affected customers.</p>
<p style="text-align: justify; ">Constant vigilance and comprehensive security audits by banks to detect affected cards, together with active protection for customers using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 PlayStation hack), will go a long way in mitigating the harm of the breach. The banking industry, government and security agencies should all learn from this breach; a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive and reactive action in the future.</p>
No publisher. Author: tiwari. Tags: Cyber Security, Internet Governance, Privacy. Date: 2016-10-22T08:06:51Z. Type: Blog Entry.
Hakon 2016
http://editors.cis-india.org/internet-governance/news/hakon-2016
<b>Udbhav Tiwari attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India, on behalf of CIS under the Hewlett Cyber Security Project.</b>
<p dir="ltr" style="text-align: justify; ">Hakon 2016 was the third edition of the conference, which is organised by Ninja Information Security Systems, an ISO 27001:2013 and 9001:2008 certified training organisation from Indore and the primary sponsor of the conference. The conference was efficiently organised, had about 150 to 200 people attending overall and provided a unique window into the ethical hacker ecosystem outside the tech hubs and big cities, and its place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market and Digital Terrorism, with a fair mix of participants from industry, academia and the government. The conference website is at <a href="http://www.hakonindia.org/">http://www.hakonindia.org/</a>, including a look at past editions of the conference.</p>
<p dir="ltr" style="text-align: justify; ">The technical workshops held during the first two days of the conference were well organised, and networking with the teachers during and, mostly, at the end of the conference was very helpful in understanding a practitioner's perspective on cutting-edge aspects of cyber security. This was particularly true of <a class="external-link" href="http://www.chuckeasttom.com/">Chuck Easttom Williams</a>, an accomplished cyber security expert from the USA who regularly trains government agencies and is a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.</p>
No publisher. Author: praskrishna. Tags: Cyber Security, Internet Governance. Date: 2016-10-15T10:04:41Z. Type: News Item.
Hacker steals 17 million Zomato users’ data, briefly puts it on dark web
http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web
<b>Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.</b>
<p style="text-align: justify; ">The article by Kim Arora and Digbijay Mishra, with inputs from Ranjani Ayyar in Chennai, was <a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms">published in the Times of India</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">According to information security blog and news website <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead">HackRead</a>, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato">Zomato</a> claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".</p>
<p style="text-align: justify; ">In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.</p>
<p style="text-align: justify; ">The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users were compromised. It wasn't immediately clear whether these 6.6 million were part of the 17 million records stolen.</p>
<p style="text-align: justify; ">Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.</p>
<p style="text-align: justify; ">However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.</p>
<p style="text-align: justify; ">Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.</p>
<p style="text-align: justify; ">"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.</p>
<p style="text-align: justify; ">Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed. "Salting" is the addition of a string of characters to each password when it is stored in such a database, which adds another layer of difficulty to cracking them.</p>
<p style="text-align: justify; ">In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."</p>
<p style="text-align: justify; ">HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.</p>
<p style="text-align: justify; ">According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.</p>
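<p style="text-align: justify; ">As an added illustration of the contrast Prakash draws above, and of the per-password "salting" described earlier in this article, the following Python is not part of the original article and is not Zomato's code. It compares an unsalted, single-pass MD5 store with a salted, iterated store built on the standard library's PBKDF2-HMAC-SHA256 (bcrypt and scrypt, which Prakash names, need a third-party package or OpenSSL support and are not shown here). The sample passwords, the record format and the iteration counts are constructed assumptions for the demonstration.</p>

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample passwords for the demonstration (not data from any real breach).
# Two users deliberately share a password to show what salting changes.
SAMPLE_PASSWORDS: List[str] = ["password", "password", "correct horse battery staple"]

# Assumption: a present-day work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def md5_hash(password: str) -> str:
    """Unsalted, single-pass MD5, the scheme the article says the sale page listed.
    Same password in, same hex digest out, for every user and every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (a constructed format)
    so the verifier can recover the parameters without a side table."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_count(hashes: List[str]) -> int:
    """Number of stored values that repeat. With an unsalted scheme, users who share a
    password share a hash, so one cracked (or precomputed) value exposes all of them."""
    return len(hashes) - len(set(hashes))


def demo() -> Dict[str, object]:
    md5_store = [md5_hash(p) for p in SAMPLE_PASSWORDS]
    # A smaller iteration count is used here only to keep the demo quick.
    salted_store = [hash_password(p, iterations=50_000) for p in SAMPLE_PASSWORDS]
    return {
        "md5_duplicates": duplicate_hash_count(md5_store),        # 1: the shared password
        "salted_duplicates": duplicate_hash_count(salted_store),  # 0: salts differ
        "verify_ok": verify_password("password", salted_store[0]),
        "verify_wrong": verify_password("Password", salted_store[0]),
    }


if __name__ == "__main__":
    print(demo())
```

<p style="text-align: justify; ">The two stores differ in exactly the way the article's experts describe: the MD5 column reveals which users share a password and can be attacked with precomputed tables, while the salted, iterated column makes every entry unique and each guess cost a configurable amount of work. The record format embeds the salt and iteration count so that the work factor can be raised later without a schema change.</p>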
<p style="text-align: justify; ">What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says 60% of its users use such third-party authorisation, and they are at "zero risk."</p>
<p style="text-align: justify; ">Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.</p>
No publisher. Author: praskrishna. Tags: Cyber Security, Hacking, Internet Governance, Privacy. Date: 2017-05-20T05:57:14Z. Type: News Item.