Access To Knowledge (A2K)

Campaign against curbs on websites gathers steam

praskrishna — 2012-04-25T11:19:29Z

For political cartoonist Aseem Trivedi and his blogger-cum-journalist friend Alok Dixit, who both ran a website against corruption, a tryst with the blind side of law triggered their mission against “gagging” of the new-age Indian Internet user.

The blog post by Arpan Daniel Varghese was published by IBN Live on April 23, 2012.

It all started when they were in Mumbai, taking part in the first public protest seeking a strong Lokpal led by social activist Anna Hazare. “During the course of the protest, we got word that our website had been taken off,” recalls Alok.

The Mumbai Police had banned the website without any prior notice, apparently after a complaint was filed by a Congress leader that some content on the site, CartoonsAgainstCorruption, was objectionable, he says.

“We then contacted Bigrocks, the domain provider, but they did not divulge the exact procedure to restore our website,” he adds.

Kerala High Court lawyer P Jacob, who has a masters in cyber law and is a researcher in the field, clarifies. “Let’s say that you are a website, blog or domain owner... As per the intermediary rules incorporated into the IT laws, introduced through an amendment in 2011, if a third person sends a complaint, be it a frivolous one, to you (the intermediary ) about some objectionable content, you will have to take off the said content within 36 hours.”

This could happen to any one and could be quite dangerous, points out Sunil Abraham, the executive director of The Centre for Internet and Society (CIS-India).� “If a company wants to target your organization’s social media network, they can keep sending fraudulent emails to you and you will have to keep deleting it unless you are ready to face litigation or government action. And then there is no penalty for abusing the provision. There is no transparency, the people who comment will not be told,” says Sunil.

It was this realization that drove Alok, who then quit his job as a reporter, and Aseem Trivedi to start a movement against such blind curbs. ‘Save Your Voice’ was thus born.

A research conducted by the CIS gave further credence to their fears that it was very “easy to ban any website in India.”

“We call it a policy sting operation,” details Sunil. “We sent out fraudulent take- down notices (or complaints) to seven of the largest intermediaries in India. They gladly over-complied and promptly took off the material in question. You can try this. You could look at a legitimate comment and complain that this is blasphemous, offensive or plain annoying. And without questioning your locus standi, the intermediary sites will have to take it off.”

For more details visit https://cis-india.org/news/campaign-against-curbs-on-websites

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

Cambridge Analytica row: Facebook data breach hit 560K Indian users

Admin — 2018-04-07T16:01:10Z

Facebook said that data and information of 87 million users globally were compromised.

The article by Vidhi Choudhury and Yashwant Raj was published in the Hindustan Times on April 5, 2018.

User data of more than 560,000 Indians may have been harvested from Facebook Inc. by British researcher Cambridge Analytica, at the centre of a recent storm over data breaches and potential privacy violations on the social media network.

Only 335 users in India installed the thisisyourdigitallife app developed by academic Aleksandr Kogan and his company Global Science Research Ltd that may have been possibly at the centre of the data breaches, according to Facebook.. The 335 people make up just 0.1% of the app’s total worldwide installs.

Users agreed to take a personality test and have their data collected by the app, which then went on to also access information about the test-takers’ Facebook friends, leading to the accumulation of a much larger data pool. “ We further understand that 562,120 additional people in India were potentially affected, as friends of people who installed the App. This yields a total of 562,455 potentially affected people in India, which is 0.6% of the global number of potentially affected people,” a Facebook spokesperson said.

This week, Facebook said data on as many as 87 million people, most of them in the US, may have been improperly shared with Cambridge Analytica, increasing the figure from a previously estimated 50 million.

“Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. Cambridge Analytica’s acquisition of Facebook data through the app developed by Dr. Aleksandr Kogan and his company Global Science Research Limited (“GSR”) happened without our authorization and was an explicit violation of our Platform policies. At no time did Facebook agree to Cambridge Analytica’s use of any Facebook user data that may have been collected by this app, including with respect to users located in India,” the company spokesperson said n an emailed response.

This app first became active on Facebook in November 2013. Facebook removed the app in 2015 when it learnt of violations of its platform policies.

India is a key market for Facebook with 217 million people using the platform every month.

Details of the number of users in India whose data was compromised was shared by Facebook as part of its response to the government of India. On 28 March, the Ministry of Electronics and Information Technology sent a letter to Facebook asking if data of Indian voters and users had been compromised by Cambridge Analytica or any other affiliate. The government also asked what proactive measures were being taken to ensure the safety, security and privacy of such large user data and to prevent its misuse by any third party. Facebook was asked to respond to the questions by April 7.

Facebook’s chief technology officer Mike Schroepfer said in a blog that ran under his byline on the company’s website that the number of subscribes whose data was shared with the controversial firm was much higher at 87 million than the 50 million it had conceded earlier, “mostly” in the United States.

Subscribers in the Philippines, Indonesia, UK, Mexico and Canada were ahead of Indians, and behind American, in the list of Facebook’s new revelations about compromised information.

These details came ahead of a conference call with reporters in which Facebook CEO Mark Zuckerberg said he had made a “huge mistake” personally by not focussing on data privacy. Zuckerberg also faced questions for the first time about his suitability to run the company he founded as a college student — dropped out of Harvard. He answered in the affirmative, but questions are beginning to be raised.

Sunil Abraham, founder of the think tank Centre for Internet and Society, said the thisisyourdigitallife app was one of the many apps that access Facebook’s application programming interface. “What Facebook isn’t telling us yet is what are the other apps , (whether they) had the same modus operandi and how much data did they manage to scrape,” he added. The company said on April 4 that it would display a link on the top of users’ News Feed so they can see what apps they use and the information they have shared with those apps. Facebook will also tell people if their information may have been improperly shared with Cambridge Analytica.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-vidhi-choudhary-and-yashwant-raj-facebook-data-breach-hit-over-5-6-lakh-users-in-india

Calls for law change after Indians left in dark over data leaks

Admin — 2017-07-20T14:38:51Z

Fears Indian telecom upstart Reliance Jio suffered a major data breach, compromising the personal data of over 100 million customers, have prompted calls for India to adopt more robust laws to protect consumers.

The blog post by Rahul Bhatia and Sankalp Phartiyal was published by Reuters on July 14, 2017.

Jio has repeatedly denied any breach took place and said that names, telephone numbers and email addresses of Jio users on a website called "Magicapk" appeared to be "unauthentic." The website was later shut down.

The company, part of conglomerate Reliance Industries Ltd, said on Monday that its subscriber data was safe and protected by the highest levels of security.

However, Jio filed a complaint the same day alleging unlawful access to its systems, police have told Reuters.

Jio did not respond to requests for comment.

In contrast to companies in the European Union, which has stringent data protection standards, companies in India do not have to disclose data breaches to clients, information security professionals said.

"It raises questions of security and accountability," said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), a research organization.

People complained on Twitter about personal information of Jio users being available on the Magicapk site. Several local news outlets said their checks had led them to believe a leak had occurred.

"A rule to report breaches exists, but it is unenforceable," says Prakash. "It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined."

Advocates of stronger laws in India say a data breach in countries with more stringent cyber laws, such as Britain or the United States, would prompt an inquiry by regulators.

After reports of a data leak at Verizon earlier this week, for example, the U.S. telecoms firm quickly responded with an explanation of what had occurred, how it had happened and the extent of the problem.

"India is at a nascent stage. For good norms in Asia, look to Singapore. It's been praised for not having cyber security issues by the UN," Srinivas Kodali, an independent security researcher, said.

Not a Priority

"We don't have full-menu data protection laws," said Apar Gupta, a Supreme Court lawyer working on data privacy issues. "We don't even have an institutional framework or expert body to implement the limited data protection regulations that do exist. It's so limited it's more accurate to say no law exists."

In May alone, there were two data security incidents in India.

The records of 17 million customers of Zomato, a popular food-delivery app, were put on sale online. Zomato initially advised customers that their passwords were secure, but later advised users to change them.

Separately, a CIS report said the Aadhaar numbers of as many as 135 million Indians had leaked from government databases and could be found online. (bit.ly/2tOseSV)

The number, similar to a U.S. social security number, is unique to each Indian citizen and the Aadhaar database also stores a user's biometric data. The government is pushing for Aadhaar numbers to be used in everything from opening bank accounts to filing tax returns.

For India, data privacy is not a priority, said Amry Junaideen, a risk advisor at audit firm Deloitte.

"From an organizational perspective there's really no incentive other than being a good corporate citizen, to report a breach," he said, noting that in the European Union and United States the regulatory framework is basically for the good of the consumer, but that this is not the case in India.

India, home to the back offices of many large multinationals and outsourcing companies, has also unsuccessfully sought "data-secure" status from the European Union since 2012.

The status is vital for information sharing between entities in the EU and India, because it means the EU is satisfied that data protection rules in a country meet its standards, so data of EU citizens can be sent to that jurisdiction.

Raman Chima, policy director at Access Now, which advocates stronger digital rights, says weak data privacy laws are likely the main stumbling block to "data-secure" status.

In 2010, a European Union study of data protection in India noted there were "no aspects of India's data protection which would unequivocally be regarded as 'adequate' by European Union standards as yet".

Reporting by Rahul Bhatia and Sankalp Phartiyal; Editing by Euan Rocha and Neil Fullick

For more details visit https://cis-india.org/internet-governance/news/reuters-july-14-2017-rahul-bhatia-and-sankalp-phartiyal-calls-for-law-change-after-indians-left-in-dark-over-data-leaks

Call, text, email complaint against rogue auto driver

praskrishna — 2011-04-02T10:45:39Z

Harassed by an auto driver? Helplines give you no relief? Here's the people's way to help you out. Just report your issue online, call or even SMS sitting in a noisy restaurant, and be heard.

Right from drivers with no proper identity cards, to those refusing to ply or those who attempt sexual assault enroute, you can report them all to a team of volunteers who manage a complaint book 24x7. There is also a map online, where you can pinpoint the exact place, time and even upload videos or photographs taken on the spot.

This complaint management system, recently launched by Kiirti (part of the Centre for Internet and Society) is an attempt to help tackle the cases of auto menace in the city. "It's quite like the Fix My Street initiative of the West. This is for the people and maintained by the people. What makes it different from the existing helpline mechanism in Bangalore is that there is better transparency and more options given to people on how they can file their complaint 24x7,'' explains Sudha Nair, project community manager for Kiirti in India.

All the complaints received will be scrutinised and verified by a backend support team of volunteers and then sent across to the department concerned for action. Besides, the complainant will be able to check the status of the complaint.

"Recently, in The Times of India, we read about the sad state of the official helplines provided by the transport department. There is no transparency in it nor is it available all the time, so we decided to launch this system. We are only working as a catalyst. The portal can also be effectively used by various RWAs to help check the problem in their area,'' Sudha added. Various NGOs like Janaagraha, Environment Support Group, Public Affairs Centre and Children's Movement for Civic Action have also come forward to support this initiative.

Read the original in the Times of India

For more details visit https://cis-india.org/news/complaint-against-rogue-auto-driver

Call for Comments: Model Security Standards for the Indian Fintech Industry

pranav — 2019-12-16T13:16:25Z

The Centre for Internet and Society is pleased to make available the Draft document of Model Security Standards for the Indian Fintech Industry, for feedback and comments from all stakeholders. The objective of this document which was first published in November 2019, is to ensure that the data of users is dealt with in a secure and safe manner by the Fintech Industry, and that smaller businesses in the Fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches.

We invite any parties interested in the field of technology policy, including but not limited to lawyers, policy researchers, and engineers, to send in your feedback/comments on the draft document by the 16th of January 2020. We intend to publish our final draft by the end of January 2020. We look forward to receiving your contributions to make this document more comprehensive and effective. Please find a copy of the draft document here.

For more details visit https://cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry

Calcutta High Court Strengthens Whistle Blower Protection

divij — 2014-02-24T06:38:44Z

Calcutta High Court has ordered for protection of whistle blower's privacy in its November 20, 2013 order. The court has directed the government to accept RTI applications without the applicant's personal details.

In the absence of any law for the protection of whistle-blowers in the country, exposing the rampant corruption in our public institutions has become a hazardous occupation, with reports of threat and intimidation and even incidents of murder of whistle-blowers commonplace.[1] With the Whistle blower’s Protection Bill in abeyance and without any strict laws protecting the identities of the whistle-blowers who challenge such a corrupt system, even the mechanisms like the Right to Information Act which are meant to safeguard against systemic abuse and ensure transparency are being severely undermined.

For this reason, the Calcutta High Court’s affirmation of whistle-blowers’ privacy and identity protection is an important development. Through its order on the 20th of November, 2013, the Calcutta High Court held that for the purposes of section 6(2), which requires an application to the Public Information Officer to provide contact details of the applicant, it is sufficient in such application to disclose only the post-box number of the applicant. The court directed the Government to accept RTI applications without personal details or detailed whereabouts, when a post-box number or sufficient detail has been provided to establish contact between the whistle-blower and the authority. However if a public authority has any difficulty contacting the applicant through the Post Box No. the applicant may be asked to provide other contact details. The court further directed that personal details of applicants are not to be posted on the authorities’ websites.

The order, which was notified by the Government last week, ensures to some extent the protection of a whistle-blowers identity, and reduces the chances of the RTI being undermined by threats or acts of violence by those who are a part of the corrupt system, against persons exercising their right to information. However, its implementation is liable to be contingent on the authorities’ interpretation of when it would be “difficult” to establish contact between the authority and the applicant. Certain practical difficulties could also undermine the actual impact of the order, such as the fact that many applications are sent through registered or speed post, which cannot be mailed to a post-box number, especially since ordinary post cannot be tracked online like speed or registered post.[2]

Developing a system in which ordinary citizens do not have to fear retaliation for exposing corruption requires a comprehensive legislation protecting whistle-blowers identities and ensuring data security. However, the important message this judgement sends out is that the judiciary is still committed to protecting whistle-blowers, in lieu of the government’s actions. This is a particularly important stance taken by the Court, considering the Supreme Court in the past has refused to frame guidelines for whistle-blower protection, citing the imperative in enacting a whistle-blower legislation to be the Parliament’s.[3]

A full text of the judgement is available here.

[1].Whistleblower shot dead in Bihar, THE HINDU, available at http://www.thehindu.com/news/national/whistleblower-shot-dead-in-bihar/article4542293.ece; Tamil Nadu Whistleblower alleges death threats; Silence from Government, NDTV, available at http://www.ndtv.com/article/india/tamil-nadu-whistleblower-alleges-death-threats-silence-from-govt-410450.

[2]. Indian Postal Tracking Portal, http://www.indiapost.gov.in/tracking.aspx.

[3]. Supreme Court refuses to frame guidelines for protection of whistleblowers, Daily News and Analysis, available at http://www.dnaindia.com/india/report-supreme-court-refuses-to-frame-guideline-for-protection-of-whistleblowers-1525622.

For more details visit https://cis-india.org/internet-governance/blog/calcutta-hc-strengthens-whistle-blower-protection

ಭಾರತೀಯ ಡಿಎನ್ಎ ಪ್ರೊಫೈಲಿಂಗ್ ಮಸೂದೆಯ ಸೀಳುನೋಟ

praskrishna — 2012-10-03T15:42:54Z

ಭಾರತೀಯ ದಂಡಸಂಹಿತೆಯನ್ನು ೨೦೦೫ರಲ್ಲಿ ತಿದ್ದುಪಡಿ ಮಾಡಲಾಯಿತು. ಇದರ ಉದ್ದೇಶ ಆಪಾದಿತರನ್ನು ಬಂಧಿಸಿದಾಗ ಅವರ ಬಗ್ಗೆ ವಿವಿಧ ವೈದ್ಯಕೀಯ ಮಾಹಿತಿ ಸಂಗ್ರಹಿಸಲು ಕಾನೂನುರೀತ್ಯಾ ಅವಕಾಶ ಕಲ್ಪಿಸುವುದು.

ದಂಡಸಂಹಿತೆಯ ಸೆಕ್ಷನ್ ೫೩ರ ಪ್ರಕಾರ, ಅಪರಾಧವನ್ನು ಸಾಬೀತು ಪಡಿಸಲು ವೈದ್ಯಕೀಯ ಪರೀಕ್ಷೆ ಸಾಕ್ಷ್ಯ ಒದಗಿಸುತ್ತದೆ ಎಂದು “ನಂಬಲು ತಕ್ಕಮಟ್ಟಿನ ಕಾರಣಗಳಿದ್ದರೆ”, ಆಪಾದಿತನನ್ನು ಬಂಧಿಸಿದಾಗ ಆತನನ್ನು ವೈದ್ಯಕೀಯ ಪರೀಕ್ಷೆಗೆ ಒಳಪಡಿಸಬಹುದು. ೨೦೦೫ರ ತಿದ್ದುಪಡಿಯ ಮೂಲಕ, ಈ ಪರೀಕ್ಷೆಯ ವ್ಯಾಪ್ತಿಯನ್ನು ಇವೆಲ್ಲವನ್ನು ಸೇರಿಸಿಕೊಳ್ಳಲಿಕ್ಕಾಗಿ ವಿಸ್ತರಿಸಲಾಯಿತು: ರಕ್ತದ, ರಕ್ತಕಲೆಗಳ, ವೀರ್ಯದ ಪರೀಕ್ಷೆ, ಲೈಂಗಿಕ ಅಪರಾಧಗಳಲ್ಲಿ ಸ್ವಾಬ್ಗಳ ಪರೀಕ್ಷೆ, ಉಗುಳು, ಬೆವರು, ಕೂದಲಿನ ಸ್ಯಾಂಪಲ್ ಮತ್ತು ಉಗುರಿನ ತುಂಡುಗಳ ಪರೀಕ್ಷೆ. ನಿರ್ದಿಷ್ಟ ಪ್ರಕರಣದಲ್ಲಿ ಅವಶ್ಯವೆಂದು ನೋಂದಾಯಿತ ವೈದ್ಯರು ಭಾವಿಸುವ ಡಿಎನ್ಎ ಪ್ರೊಫೈಲಿಂಗ್ ಹಾಗೂ ಅಂತಹ ಇತರ ಪರೀಕ್ಷೆಗಳ ಸಹಿತವಾಇ ಆಧುನಿಕ ಮತ್ತು ವೈಜ್ನಾನಿಕ ವಿಧಾನಗಳನ್ನು ಬಳಸಿ ವೈದ್ಯಕೀಯ ಪರೀಕ್ಷೆ ನಡೆಸಬೇಕು.

ಕ್ರಿಮಿನಲ್ ಪ್ರಕರಣದಲ್ಲಿ ಆಪಾದಿತ ಷಾಮೀಲಾಗಿರುವುದನ್ನು ತಿಳಿಯಲಿಕ್ಕಾಗಿ ಡಿಎನ್ಎ ಪರೀಕ್ಷೆಗೆ ಆದೇಶ ನೀಡುವುದರ ಕಾನೂನುಬದ್ಧತೆಯನ್ನು ತೊಗೊರಾಣಿ ಅಲಿಯಾಸ್ ಕೆ. ದಮಯಂತಿ ವರ್ಸಸ್ ಒರಿಸ್ಸಾ ಸ್ಟೇಟ್ ಮತ್ತು ಇತರರು (೨೦೦೪ ಕ್ರಿಮಿನಲ್ ಎಲ್ಜೆ ೪೦೦೩ – ಒರಿಸ್ಸಾ) ಪ್ರಕರಣದಲ್ಲಿ ಒರಿಸ್ಸಾ ಹೈಕೋರ್ಟ್ ಎತ್ತಿ ಹಿಡಿದಿದೆ. ಡಿಎನ್ಎ ಪರೀಕ್ಷೆಗೆ ಆಪಾದಿತ ಸಹಕರಿಸದಿದ್ದರೆ, ಅವನ ಬಗ್ಗೆ ವ್ಯತಿರಿಕ್ತ ಅಭಿಪ್ರಾಯ ಮೂಡುತ್ತದೆ.

ಈ ವಿಷಯದಲ್ಲಿ ವೈಯುಕ್ತಿಕ ಗೌಪ್ಯತೆಯ ಅಂಶಗಳನ್ನು ಪರಿಗಣಿಸಿದ ಬಳಿಕ, ಡಿಎನ್ಎ ಪರೀಕ್ಷೆ ಆದೇಶಿಸುವ ಮುನ್ನ, ಈ ವಿಚಾರಗಳನ್ನು ಪರಿಗಣಿಸಬೇಕೆಂದು ಹೈಕೋರ್ಟ್ ನಿರ್ದೇಶನ ನೀಡಿದೆ: (೧) ಅಪರಾಧ ಎಸಗುವುದರಲ್ಲಿ ಆಪಾದಿತನು ಎಷ್ಟರ ಮಟ್ಟಿಗೆ ಭಾಗವಹಿಸಿರಬಹುದು? (೨) ಅಪರಾಧದ ಗಂಭೀರತೆ ಮತ್ತು ಅಪರಾಧ ಎಸಗಿದ ಸಂದರ್ಭ (೩) ಆಪಾದಿತನ ಪ್ರಾಯ, ದೈಹಿಕ ಮತ್ತು ಮಾನಸಿಕ ಆರೋಗ್ಯ (೪) ಅಪರಾಧದಲ್ಲಿ ಆಪಾದಿತ ಭಾಗವಹಿಸಿದ್ದನ್ನು ಖಚಿತಪಡಿಸುವ ಅಥವಾ ಖುಲಾಸೆ ಮಾಡುವ ಸಾಕ್ಷಾಧಾರಗಳನ್ನು ಸಂಗ್ರಹಿಸುವ ಕಡಿಮೆ ಆತಂಕಕಾರಿಯಾದ ಮತ್ತು ಕಾರ್ಯಸಾಧ್ಯವಾದ ಇತರ ವಿಧಾನಗಳು ಇವೆಯೇ? (೫) ಆಪಾದಿತನು ಡಿಎನ್ಎ ಪರೀಕ್ಷೆಗೆ ಒಪ್ಪಿಗೆ ನಿರಾಕರಿಸಲು ಕಾರಣಗಳೇನು?

ಸಂಸತ್ತಿನ ಅನುಮೋದನೆಗಾಗಿ ಕಾದಿರುವ ೨೦೦೭ರ ಡಿಎನ್ಎ ಪ್ರೊಫೈಲಿಂಗ್ ಮಸೂದೆಯ ಉದ್ದೇಶವನ್ನು ಚುಟುಕಾಗಿ ಹೀಗೆ ಹೇಳಬಹುದು: “ದೇಶದ ಕ್ರಿಮಿನಲ್ ನ್ಯಾಯವ್ಯವಸ್ಥೆಯ ಕಿಂಚಿತ್ ಸಂಪರ್ಕಕ್ಕೆ ಬಂದವರೆಲ್ಲರ ಡಿಎನ್ಎ ವಿವರಗಳನ್ನು ದಾಖಲಿಸುವ “ಕೇಂದ್ರ ಡಿಎನ್ಎ ಮಾಹಿತಿ ಬ್ಯಾಂಕನ್ನು” ರಚಿಸುವ ಮಹತ್ವಾಕಾಂಕ್ಷಿ ಪ್ರಯತ್ನ.” ಅಂದರೆ, ಸಂಶಯಕ್ಕೆ ಒಳಗಾದ ವ್ಯಕ್ತಿಗಳು, ಕಾನೂನು ಮುರಿಯುವವರು, ಕಾಣೆಯಾದ್ವರು ಮತ್ತು ಸ್ವ-ಇಚ್ಚೆಯವರು – ಇವರ ಡಿಎನ್ಎ ವಿವರಗಳ ಡಿಎನ್ಎ ಮಾಹಿತಿ

For more details visit https://cis-india.org/news/cadcbecb0ca4caf-ca1cbfc8eca8ccdc8e-caaccdcb0cabcb2cbfc82c97ccd-caecb8cc2ca6cc6caf-cb8cb3cc1ca8c9f

C-DoT's surveillance system making enemies on internet

praskrishna — 2014-04-04T09:45:37Z

Reporters Without Boundaries says it gives unbridled power to law- enforcement agencies to snoop on citizens.

The article by Krishna Bahirwani was published in DNA on March 21, 2014. Sunil Abraham is quoted.

The Central Monitoring System (CMS) developed by the Centre for Development of Telematics (C-DoT) has come under fire from a France based non-profit organisation, which claims the system has the capacity to directly snoop on all forms of communications over phone and internet, without involving telecom operators.

The NGO's Reporters Without Boundaries report 2014, 'Enemies Of The Internet' has equated C-DoT with Government Communications Headquarters (GCHQ) in the UK, and the US's National Security Agency (NSA), which recently came under criticism for spying on citizens.

CMS, India's mass electronic surveillance system, was rolled out in 2013.

Before the CMS, tapping was done by the telecom operators, but not before taking prior permission. The CMS gives direct access to C-DoT employees and law-enforcement agencies.

CMS has created an automated front containing central and regional databases, which central and state government agencies can use to intercept and monitor any landline, mobile or internet connection in India.

Minister of state for information technology Milind Deora said, "The new data collection system will actually improve citizens' privacy because telecommunications companies would no longer be directly involved in the surveillance."

Asked what would prevent C-DoT employees, who would have access to data, from misusing it, Deora said, "There is a switching mechanism (that) diverts the call to law-enforcement agencies and eliminates layers. The existing surveillance and interception system is actually insecure as the operator, people from the home ministry and other government officials have access to the data. The CMS will erase such people from play."

"I want the people to know the design aspects and how the system is being used for lawful interceptions, so that they can shed their inhibitions We do not want to put power in the hands of the bureaucrats" he said.

Harold Dcosta, a cyber security expert who trains Maharashtra and Goa police, said, "It's possible that employees of CDoT/law enforcement agencies could use the information gathered by CMS for personal or political use although 43 and 43 A of the IT Act would protect people when something like that happens and will give the person compensation.

He said, "There should be more transparency with regard to CMS".

Sunil Abraham, executive director of Bangalore-based non-profit Centre for Internet and Society said the mistaken assumption in their thinking is technology will serve as a check and balance.

"Technology can always be compromised," he said. There is no way to find out about what is actually going on. If the CMS is abused it is very difficult to prove."

Deora said a privacy law is being drafted to address these issues. Last month, a parliamentary standing committee rejected the government claim that IT Act protects citizens' privacy. The committee, chaired by former Congress MP Rao Inderjit Singh, said, "The committee is extremely unhappy to note that the government is yet to institute a legal framework on privacy."

For more details visit https://cis-india.org/news/dna-march-21-2014-krishna-bahirwani-c-dots-surveillance-system-making-enemies-on-internet

Bye Bye email?

nishant — 2011-08-23T07:31:51Z

Email might be the default method of communication for most of us, but could it be going the telegram way.

I grew up with the internet in India. I remember the first time I heard the strange and harsh sounds of a dial-up modem back in 1996 and my friend helping me create an email account. It was my first digital identity online — a name and an address to call my own. Cost of internet access was prohibitive and email time was limited to 15 minutes a day. One logged in, downloaded all the emails and immediately disconnected. After reading through the emails off-line, I would write down the replies to all the mails, go online again, send all the mails and then wait for the next day, so that I could see what was in store for me in my inbox.

The World Wide Web has changed a lot since those first interactions with email, on black-and-white monitors. Speed, portability, access and costs have changed the nature of the Net, which is slowly becoming ubiquitous. Trends and fashions of social interaction and information exchange have changed drastically. From social media to professional networking, from discussion boards to micro-blogs, from geo-tagged services to mobile phone-based apps, the topography of the internet has undergone drastic revisions. However, the one thing that has remained constant is the email.

Sure, the email in itself has changed in texture and volume. The emailing services from the early days of AOL to the current trends of Gmail and Facebook messages, have been the backbone of Web 2.0. You needed an email as the primary identity to remain connected with social media, blogs, news services and indeed, with other friends and peers using emails. Notification on the email, for me, is still the primary gateway to the many digital worlds that I occupy, including gaming, digital networks, reading lists et al. For most people who grew up with me, email was here forever.

This faith in the email as the spine of the internet received a rude jolt when I was recently in Mumbai, working with undergraduate students, exploring relationships between digital technologies and social justice. The workshops spanned six days, and looked at how young people from socially and economically disadvantaged classes and communities could use the powers of digital and participatory technologies to effect a change in their environments. Our role as facilitators was to introduce them to new usages of their existing practices and show them the potential for social transformation and civic action in their everyday use of technology. We began, like Maria, in The Sound of Music, at the very beginning — with the email. Which is when the world started unravelling, because, as the participants in the workshop pointed out, email is a thing of the past.

I was suddenly faced with a group of urban youngsters who are all a part of the digital revolution, using Facebook, writing blogs, searching for information online, and keeping in touch through Voice over IP services and Instant Messenger. Their access is through shared public access in college libraries and cybercafés, and for many, also on their smartphones. They log in regularly into their various social media networks and use them for playing games, sending messages, chatting and updating their statuses. And yet, when it came to using the email, they were noobs, some of them didn’t remember their passwords, some had never sent an email, attachments were things they don’t understand and they logged in to their email only when necessary.

This behaviour perplexed me because I had always imagined that the otherwise ethereal world of the cyberspace was held together by the strong and dependable emails. But evidently, for the new kids on the block, email is something that belonged to the world before it went mobile. They do not understand the communication patterns that emails are structured around. The narrative expectations, waiting for replies, accessing it via services, archiving information through attachments are things that don’t make sense to this generation that is growing up with cloud computing. They use emails only as the first source of authentication for different services that demand it. And even there, as one of the students said, "You just need email to open your Facebook account. After that, you just F-connect".

As the interface between mobile phones and the internet strengthens, more and more users seem to be depending on phone-based communication methods. They accept the newer ways of messaging, like IMing, texting. But for digital dinosaurs like me, who were there at the beginning of (digital) time, the world is beginning to look slightly blurred. I shudder to think that in two decades, email might be obsolete because though I complain of information overload, I still cannot imagine what a world without email would look like.

This article by Nishant Shah was published in the Indian Express on August 21, 2011. The original story can be read here

For more details visit https://cis-india.org/internet-governance/bye-bye-email

Business Woes from Saharanpur's Internet Ban

Mahesh Kumar Shiva — 2017-12-29T13:24:35Z

Strap: Three businessmen reveal the price they paid

Saharanpur: The violence between groups of Thakurs and Dalits that engulfed Saharanpur district in Uttar Pradesh between April and June 2017 continues to haunt its residents. The UP administration had ordered an internet shutdown for 10 days, reportedly to prevent the spread of rumours that had erupted after another caste clash on May 23 in Shabbirpur.

Those running businesses in Saharanpur say they were affected in unexpected ways. They struggled to make regular transactions and incurred losses they haven't yet recovered from.

Forty-eight-year-old Rajkumar Jatav has been manufacturing ladies' shoes for 25 years in Saharanpur town. Helped by his sons Sushant and Rajkkumar, he runs a small-scale factory which employs 15 workers who make flat slippers, sandals, heeled shoes and joothis for the local market. Jatav says he suffered a loss of about Rs 1.25 lakh ($2000) during the 10-day internet shutdown.

"I did not get raw materials like paste solutions, synthetic leather, heels and sequins from my suppliers based in Kanpur and Agra when I failed to pay them the 50% advance through online transfer," says Jatav. "The situation outside the town was also tense. So there was no chance I could go or send someone to the banks either."

Jatav had started using the digital payment system only after demonetisation. "I started doing online payments after November 8, 2016, after I faced a lot of problems with cash availability during that time. Internet payments came as a boon for me and also for my suppliers," he says. But within six months of getting used to online transactions, Jatav faced this new hurdle: an internet shutdown. "To complete the shoe order, we have to invest from our pocket first, but when I couldn't, my suppliers refused to send me the material, which meant I could not complete a big order," he says. He calculates that the cancelled order cost him Rs 2 lakhs. In addition, a few of Jatav's reliable and talented shoe workers quit because he was unable to pay their wages on time.

Jatav's annual business turnover is around Rs 24 lakh (Rs 200,000 a month), and he gets his raw material from the markets of New Delhi, Bareilly and Agra. "I even tried to give my suppliers an account payee cheque but they declined it saying that it will take a lot of time to clear. I requested them again and again but to no use. For a supplier there are thousands of Rajkumar Jatavs. I am no special client to get the raw materials on credit," he says. Jatav admits that he is not prepared for another shutdown, and he would not be able to run his business if it happened again.

Many traders in Saharanpur city say narrate similar experiences. In May, a family business of trading edible oil wholesale saw its most unfamiliar financial challenge yet. It had been only three years since Shailendra Bhushan Gupta had taken over his elder brother's 26-year-old store. Gupta started to expand and diversify too, by launching an agency to trade the Fortune brand of oils. He employs five people, and his monthly turnover ranges between Rs 30-40 lakhs ($46,600-62,200). The 40-year-old also modernised some of the business practices, shifting much of the payments to suppliers online, for speed and ease of use.

During the internet shutdown in Saharanpur, Gupta did not expect to be affected, given the stability of his store and the large sale volume of his agency. But unexpectedly, his supplying company cancelled his order of 1000 litres of oil when he could not make the payment. "As per the agreement, I have to deposit at least 50% of the order amount in advance, and the rest of the payment is made when the oil is delivered to us. But during those 10 days, I could not make payment through any means, and my order was declined by the supplying company," he says. Gupta also tried to make the payment through RTGS but couldn't do that. The oil trader says that he ended up suffering a jolt of Rs 18 lakhs ($28,000).

Gupta is slowly trying to make up for the monetary loss and credit worthiness with his suppliers. "How can an internet shutdown be a solution for anything?" he asks. "I seriously don't know what to do if it happens again."

A property dealer in same central market faced a direct hit during the internet ban. Ashok Pundeer, who has been selling and renting commercial and residential properties for the past five years, estimates that he suffered a loss of Rs 22 lakhs ($34,200) during the internet shutdown as he could not get many properties registered in that period. "I had to return the token money to many buyers because there was no internet," he says. "All of us know that registry (property) and documentation is now done online in Uttar Pradesh. The clients were new and they refused to take the deal forward."

A property dealer is not easily trusted, admits Pundeer. This means he is paid only after the deal is done, and a lot of word-of-mouth business depends on his image and credibility. Every lost client is a potential loss of more. "It's not just me, but many dealers have incurred huge losses due to shutdown," says Pundeer. "Koi ration ki dukaan to hai nahi property dealing. Jo kuch hona hai online hi hona hai. Ab kya batayein, dekha jayega jo hona hoga," he throws his hand up in frustration, saying the real estate business is no grocery shop, and if there's no access to online transactions, then very little can be done.

Trying to keep an optimistic outlook, Pundeer says, "Jitna kuan khodo, utna paani milega". For his business to recover, he will have to double down with more focus and effort.

(With inputs from Saurabh Sharma)

Mahesh Kumar Shiva is a Saharanpur-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters. has been reporting for 23 years on crime, healthcare, society, politics, culture, sports, agriculture and tourism in his city. He has previously worked with publications like Dainik Janwani, Dainik Jagran, Amar Ujala, Ajit Samachar and more.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

Video

Rajkumar Jatav talks about the challenges his shoe manufacturing business faced during the shutdown. Video Courtesy: Mahesh Kumar Shiva

For more details visit https://cis-india.org/internet-governance/blog/business-woes-from-saharanpurs-internet-ban

Burma to host first Internet freedom forum

praskrishna — 2013-06-05T07:10:38Z

Myanmar ICT Development Organisation (MIDO) will host “Myanmar Internet Freedom Forum” in Yangon from June 1-2. In the first forum of its kind in Burma, MIDO aims to raise awareness of Internet freedom in a country that has endured decades of media censorship.

Chan Myae Khine's post was published in Asian Correspondent on May 22, 2013. The Centre for Internet and Society will be joining local netizens and organisations for discussion.

In a country with a notoriously low Internet penetration rate, MIDO has been conducting Internet and communications technology (ICT) training in cities and remote areas “to empower citizens using ICT to address core development and poverty-reduction goals.” It is involved in BarCamps and government organized forums as well.

“As our organisation focuses on ICT4D and Internet Policy, Internet freedom is also a vital issue that we look on,” said Htaike Htaike Aung, Program Manager of MIDO.

The major goal of the Myanmar Internet Freedom Forum is to advocate for Internet freedom in Burma (Myanmar). “As the media and policy makers do not have awareness on Internet Governance Forum and its agenda, the issues have not been addressed and lack media attention,” said MIDO in its proposal submission. “Not having local resources on Internet Governance is also a cause for the lack of advocacy groups and campaigns.”

MIDO also aims to promote “access” and “digital rights” with a multi-stakeholderism approach involving government, journalists, bloggers, social media activists, netizens and international experts so that all voices are allowed and heard. Various topics such as Cyber Law, Digital Security, E-education and Netizen Empowerment will be discussed during panel discussions and breakout sessions at the event.

MIDO expects 300 attendees for Day 1 of the forum, when the Center for Internet and Society, the Thai Netizen Network and other regional groups will be joining local netizens and organisations for discussion. “For the government representatives, we’re still trying to get confirmation,” explained Htaike Htaike.

MIDO will invite about 20 netizens from around the country to join interested participants from Yangon to discuss how to effectively monitor Internet freedom on the second day of the forum. The aim is to establish a network to monitor and report on Internet censorship in Burma. MIDO hopes to publish Internet Censorship Index each year with help of the reports generated from the network.

With a 7% of Internet penetration rate, this is a problematic area in Burma, though there has been some progress and Internet business opportunities have begun to emerge. The Internet Freedom Forum, as an all-inclusive platform, has potential to bring necessary knowledge to the public, such as awareness of rights when accessing Internet and other privacy issues which are vital for new netizens.

For more details visit https://cis-india.org/news/asian-correspondent-chan-myae-khine-may-22-2013-burma-to-host-internet-freedom-forum

Bumpy road ahead for RFID Tags in vehicles

praskrishna — 2016-12-10T04:31:11Z

The government plans to make digital tags in vehicles mandatory to ensure seamless passage at the toll booths, but the implementation of the proposed move may not be so smooth.

The article by Smriti Sharma Vasudeva was published in the Statesman on December 7, 2016. Pranesh Prakash was quoted.

On one hand, the digital tags stand to compromise the safety of the vehicle and the owners, while on the other, majority of automobiles manufacturing companies claim that the vehicles are being equipped with the digital tags since 2013 and it is the implementation of the order that has been grossly ineffective.

Post the recent demonetisation, as a part of the government’s efforts towards a cashless society, Economic Affairs Secretary Shaktikanta Das stated that the union government has advised the automobile manufacturers to provide a digital identity tag in all new vehicles, including cars, to enable electronic payment at all toll plazas and ensure seamless movement at check posts.

He said the provision of Electronics Product Code Global Incorporated (EPCG)-compliant Radio Frequency Identification (RFID) facility in all new vehicles will ensure payment of toll digitally and also avoid the waiting time, and the vehicles will move seamlessly without having to wait at check posts. “This will improve the functioning of toll plaza, digital payments,” Das said.

In fact, the move to mandate all the vehicles with RFID tags was first made in 2013 when the then government made it compulsory to install Radio Frequency Identification (RFID) tags on the medium and heavy motor vehicles through the proposed rule 138A of the Central Motor Vehicle Rules, 1989. However, the same could not be fully implemented for several reasons and was also opposed by public and advocacy groups alike.

In 2013, the Centre for Internet and Society (CIS), a non-profit organisation sent an open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India as the legality; necessity and utility of RFID tags had not been adequately proven.

The letter stated that such technologies raise major ethical concerns, since India lacks privacy legislation, which could safeguard individual’s data. The letter added that the proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India.

However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.

Speaking to The Statesman, Pranesh Prakash, Policy Director, Centre for Internet and Society said, “Our stand remains the same as it was three years ago when we spoke out against this move: mandating RFID tags in all vehicles is a terrible idea, and a privacy and security nightmare. “It is important to ensure that RFID tagging (and other similar technologies, like automated licence plate readers) do not end up as a means of engaging in mass surveillance and tracking, which would be contrary to the judgments of the Supreme Court in cases like Kharak Singh vs the Union Government.

“The government has not provided any safeguards — such as mandating non-storage of any vehicle-identifying data. The government has asked manufacturers of all vehicles to include trackers, not just for goods vehicles or mass transport vehicles.

“Nor has the government come up with any standards to ensure security of the RFID tags — to prevent unauthorized third parties from tracking you or deducting money from your account. In short, the government should immediately retract its advice to vehicle manufacturers, and should work with experts to fix these problems,” Prakash said.

For more details visit https://cis-india.org/internet-governance/news/statesman-december-7-2016-smriti-sharma-vasudeva-bumpy-road-ahead-for-rfid-tags-in-vehicles

Building a Community of Practice: Reflections from 2nd All Partners

Admin — 2018-12-01T04:18:52Z

On Wednesday, November 14th, the Partnership on AI held its 2nd annual All Partners Meeting in San Francisco, California. Representatives from our 80+ member organizations – for-profit companies, civil society organizations, academic institutions, and advocacy groups – traveled from across the globe to reflect on 2018 progress, and to plan for the future.

Elonnai Hickok participated in the event held in San Francisco on November 14 and 15, 2018. The event was organized by Partnership on AI. On November 14, Elonnai spoke on the panel on the PAI working groups and on November 15 she co-lead the AI Labor and Economy working group meeting as co-chair of the group. More details can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/building-a-community-of-practice-reflections-from-2nd-all-partners

Budapest Convention and the Information Technology Act

vipul — 2018-11-20T16:18:51Z

The Convention on Cybercrime adopted in Budapest (“Convention”) is the fist and one of the most important multilateral treaties addressing the issue of internet and computer crimes.

Introduction
It was drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America.[1] The importance of the Convention is also indicated by the fact that adherence to it (whether by outright adoption or by otherwise making domestic laws in compliance with it) is one of the conditions mentioned in the Clarifying Lawful Overseas Use of Data Act passed in the USA (CLOUD Act) whereby a process has been established to enable security agencies of in India and the United States to directly access data stored in each other’s territories. Our analysis of the CLOUD Act vis-à-vis India can be found here. It is in continuation of that analysis that we have undertaken here a detailed comparison of the Information Technology Act, 2000 (“IT Act”) and how it stacks up against the provisions of Chapter I and Chapter II of the Convention.^{^[2]}

Before we get into a comparison of the Convention with the IT Act, we must point out the distinction between the two legal instruments, for the benefit of readers from a non legal background. An international instrument such as the Convention on Cybercrime (generally speaking) is essentially a promise made by the States which are a party to that instrument, that they will change or modify their local laws to get them in line with the requirements or principles laid out in said instrument. In case the signatory State does not make such amendments to its local laws, (usually) the citizens of that State cannot enforce any rights that they may have been granted under such an international instrument. The situation is the same with the Convention on Cybercrime, unless the signatory State amends its local laws to bring them in line with the provisions of the Convention, there cannot be any enforcement of the provisions of the Convention within that State.[3] This however is not the case for India and the IT Act since India is not a signatory to the Convention on Cybercrime and therefore is not obligated to amend its local laws to bring them in line with the Convention.

Although India and the Council of Europe cooperated to amend the IT Act through major amendments brought about vide the Information Technology (Amendment) Act, 2008, India still has not become a signatory to the Convention on Cybercrime. The reasons for this appear to be unclear and it has been suggested that these reasons may range from the fact that India was not involved in the original drafting, to issues of sovereignty regarding the provisions for international cooperation and extradition.[4]

Convention on Cybercrime

Information Technology Act, 2000

Article 2 – Illegal access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(a) accesses or secures access to such computer, computer system or computer network or computer resource

Section 66

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

The Convention gives States the right to further qualify the offence of “illegal access” or “hacking” by adding elements such as infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system.^{^[5]} However, Indian law deals with the distinction by making the act of unathorised access without dishonest or fraudulent intent a civil offence, where the offender is liable to pay compensation. If the same act is done with dishonest and fraudulent intent, it is treated as a criminal offence punishable with fine and imprisonment which may extend to 3 years.

It must be noted that this provision was included in the Act only through the Amendment of 2008 and was not present in the Information Technology Act, 2000 in its original iteration.

Convention on Cybercrime

Information Technology Act, 2000

Article 3 – Illegal Interception

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Although the Information Technology Act, 2000 does not specifically criminalise the interception of communications by a private person. It is possible that under the provisions of Rule 43(a) the act of accessing a “computer network” could be interpreted as including unauthorised interception within its ambit.

The other way in which illegal interception may be considered to be illegal is through a combined reading of Sections 69 (Interception) and 45 (Residuary Penalty) with Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which prohibits interception, monitoring and decryption of information under section 69(2) of the IT Act except in a manner as provided by the Rules. However, it must be noted that section 69(2) only talks about interception by the government and Rule 3 only provides for procedural safeguards for such an interception. It could therefore be argued that the prohibition under Rule 3 is only applicable to the government and not to private individuals since section 62, the provision under which Rule 3 has been issued, itself is not applicable to private individuals.

Convention on Cybercrime

Information Technology Act, 2000

Article 4 – Data interference

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.

2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (change vide ITAA 2008)

Section 66

Damage, deletion, diminishing in value and alteration of data is considered a crime as per Section 66 read with section 43 of the IT Act if done with fraudulent or dishonest intention. While the Convention only requires such acts to be crimes if committed intentionally, however the Information Technology Act requires that such intention be either dishonest or fraudulent only then such an act will be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.

It must be noted that the optional requirement of such an act causing serious harm has not been adopted by Indian law, i.e. the act of such damage, deletion, etc. by itself is enough to constitute the offence, and there is no requirement of such an act causing serious harm.

As per the Explanatory Report to the Convention on Cybercrime, “Suppressing of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.” Strictly speaking the act of suppression of data in another system is not covered by the language of section 43, but looking at the tenor of the section it is likely that if a court is faced with a situation of intentional/malicious denial of access to data, the court could expand the scope of the term “damage” as contained in sub-section (d) to include such malicious acts.

Convention on Cybercrime

Information Technology Act, 2000

Article 5 – System interference

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Section 43

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(e) disrupts or causes disruption of any computer, computer system or computer network;

Explanation - for the purposes of this section -

(i) "Computer Contaminant" means any set of computer instructions that are designed -

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

Section 66

The offence of causing hindrance to the functioning of a computer system with fraudulent or dishonest intention is an offence under the IT Act. While the Convention only requires such acts to be crimes if committed intentionally, however the IT Act requires that such intention be either dishonest or fraudulent only then such an act will be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.

The IT Act does not require such disruption to be caused in any particular manner as is required under the Convention, although the acts of introducing computer viruses as well as damaging or deleting data themselves have been classified as offences under the IT Act.

Convention on Cybercrime

Information Technology Act, 2000

Article 6 – Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.

This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing offences against the confidentiality, the integrity and availability of computer systems or data. While the IT Act does not by itself makes the production, sale, procurement for use, import, distribution of devices designed to be adopted for such purposes, sub-section (g) of section 43 along with section 120A of the Indian Penal Code, 1860 which deals with “conspiracy” could perhaps be used to bring such acts within the scope of the penal statutes.

Convention on Cybercrime

Information Technology Act, 2000

Article 7 – Computer related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

The acts of deletion, alteration and suppression of data by itself is a crime as discussed above, there is no specific offence for doing such acts for the purpose of forgery. However this does not mean that the crime of online forgery is not punishable in India at all, such crimes would be dealt with under the relevant provisions of the Indian Penal Code, 1860 (Chapter 18) read with section 4 of the IT Act.

Convention on Cybercrime

Information Technology Act, 2000

Article 8 – Computer-related fraud

a any input, alteration, deletion or suppression of computer data,

b any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

Just as in the case of forgery, there is no specific provision in the IT Act whereby online fraud would be considered as a crime, however specific acts such as charging services availed of by one person to another (section 43(h), identity theft (section 66C), cheating by impersonation (section 66D) have been listed as criminal offences. Further, as with forgery, fraudulent acts to procure economic benefits would also get covered by the provisions of the Indian Penal Code that deal with cheating.

Convention on Cybercrime

Information Technology Act, 2000

Article 9 – Offences related to child pornography

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:

a producing child pornography for the purpose of its distribution through a computer system;

b offering or making available child pornography through a computer system;

c distributing or transmitting child pornography through a computer system;

d procuring child pornography through a computer system for oneself or for another person;

e possessing child pornography in a computer system or on a computer-data storage medium.

2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:

a a minor engaged in sexually explicit conduct;

b a person appearing to be a minor engaged in sexually explicit conduct;

c realistic images representing a minor engaged in sexually explicit conduct.

3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.

4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, subparagraphs d and e, and 2, sub-paragraphs b and c.

67 B Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form.

Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or

(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,

shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bonafide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

The publishing, transmission, creation, collection, seeking, browsing, etc. of child pornography is an offence under Indian law punishable with imprisonment for upto 5 years for a first offence and upto 7 years for a subsequent offence, along with fine.

It is important to note that bona fide depictions for the public good, such as for publication in pamphlets, reading or educational material are specifically excluded from the rigours of the section, Similarly material kept for heritage or religious purposes is also exempted under this section. Such exceptions are in line with the intent of the Convention, since the Explanatory statement itself states that “The term "pornographic material" in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic.

Convention on Cybercrime

Information Technology Act, 2000

Article 10 – Offences related to infringements of copyright and related rights

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as define under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.

81 Act to have Overriding effect

The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970

The use of the term "pursuant to the obligations it has undertaken" in both paragraphs makes it clear that a Contracting Party to the Convention is not bound to apply agreements cited (TRIPS, WIPO, etc.) to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation under the present Convention.

The IT Act does not try to intervene in the existing copyright regime of India and creates a special exemption for the Copyright Act and the Patents Act in the clause which provides this Act overriding effect. India’s obligations under the various treaties and conventions on intellectual property rights are enshrined in these legislations.^{^[6]}

Convention on Cybercrime

Information Technology Act, 2000

Article 11 – Attempt and aiding or abetting

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c of this Convention.

3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.

84 B Punishment for abetment of offences

Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.

Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.

84 C Punishment for attempt to commit offences

Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.

As can be seen, both attempts as well as abetment of criminal offences under the IT Act have also been criminalised.

Convention on Cybercrime

Information Technology Act, 2000

Article 12 – Corporate liability

1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:

a a power of representation of the legal person;

b an authority to take decisions on behalf of the legal person;

c an authority to exercise control within the legal person.

2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.

3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.

4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.

85 Offences by Companies.

(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.

Explanation-

For the purposes of this section

(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and

(ii) "Director", in relation to a firm, means a partner in the firm.

The liability of a company or other body corporate has been laid out in the IT Act in a manner similar to the Budapest Convention. While, the test to determine the relationship between the legal entity and the natural person who has committed the act on behalf of the legal entity is a little more detailed[7] in the Convention, the substance of the test is laid out in the IT Act as “a person who is in charge of, and was responsible to, the company”.

Convention on Cybercrime

Information Technology Act, 2000

Article 14

1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.

2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:

a the criminal offences established in accordance with Articles 2 through 11 of this Convention;

b other criminal offences committed by means of a computer system; and

c the collection of evidence in electronic form of a criminal offence.

3 a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.

b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:

i is being operated for the benefit of a closed group of users, and

ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications.

Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.

This is a provision of a general nature that need not have any equivalence in domestic law. The provision clarifies that all the powers and procedures provided for in this section (Articles 14 to 21) are for the purpose of “specific criminal investigations or proceedings”.

Convention on Cybercrime

Information Technology Act, 2000

Article 15 – Conditions and safeguards

1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.

This again is a provision of a general nature which need not have a corresponding clause in the domestic law. India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India, 1950.^{^[8]}

In addition, India has enacted the Protection of Human Rights Act, 1993 for the constitution of a National Human Rights Commission, State Human Rights Commission in States and Human Rights Courts for better protection of “human rights” and for matters connected therewith or incidental thereto. Thus, there does exist a statutory mechanism for the enforcement of human rights^{^[9]} under Indian law. It must be noted that the definition of human rights also incorporates rights embodied in International Covenants and are enforceable by Courts in India.

Convention on Cybercrime

Information Technology Act, 2000

Article 16 – Expedited preservation of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.

2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.

3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 17 – Expedited preservation and partial disclosure of traffic data

1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:

a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and

b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

29 Access to computers and data.

(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (Amended vide ITAA 2008)

(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistant as he may consider necessary.

67 C Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011

3(7) - When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.

It must be noted that Article 16 and Article 17 refer only to data preservation and not data retention. “Data preservation” means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to change or deteriorate. Data retention means to keep data, which is currently being generated, in one’s possession into the future.^{^[10]} In short, the article provides only for preservation of existing stored data, pending subsequent disclosure of the data, in relation to specific criminal investigations or proceedings.

The Convention uses the term "order or similarly obtain", which is intended to allow the use of other legal methods of achieving preservation than merely by means of a judicial or administrative order or directive (e.g. from police or prosecutor). In some States, preservation orders do not exist in the procedural law, and data can only be preserved and obtained through search and seizure or production order. Flexibility was therefore intended by the use of the phrase "or otherwise obtain" to permit the implementation of this article by the use of these means.

While Indian law does not have a specific provision for issuing an order for preservation of data, the provisions of section 29 as well as sections 99 to 101 of the Code of Criminal Procedure, 1973 may be utilized to achieve the result intended by Articles 16 and 17. Although section 67C of the IT Act uses the term “preserve and retain such information”, this provision is intended primarily for the purpose of data retention and not data preservation.

Another provision which may conceivably be used for issuing preservation orders is Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011 which requires intermediaries to provide “any such assistance” to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. However, in the absence of a power of preservation in the main statute (IT Act) it remains to be seen whether such an order would be enforced if challenged in a court of law.

Convention on Cybercrime

Information Technology Act, 2000

Article 18 – Production order

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and

b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.

2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a the type of communication service used, the technical provisions taken thereto and the period of service;

b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

Section 28(2)

(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-Tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.

Section 58(2)

(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely -

(b) requiring the discovery and production of documents or other electronic records;

While the Cyber Appellate Tribunal and the Controller of Certifying Authorities both have the power to call for information under the IT Act, these powers can be exercised only for limited purposes since the jurisdiction of both authorities is limited to the procedural provisions of the IT Act and they do not have the jurisdiction to investigate penal provisions. In practice, the penal provisions of the IT Act are investigated by the regular law enforcement apparatus of India, which use statutory provisions for production orders applicable in the offline world to computer systems as well. It is a very common practice amongst law enforcement authorities to issue orders under the Code of Criminal Procedure, 1973 (section 91) or the relevant provisions of the Income Tax Act, 1961 to compel production of information contained in a computer system. The power to order production of a “document or other thing” under section 91 of the Criminal Procedure Code is wide enough to cover all types of information which may be residing in a computer system and can even include the entire computer system itself.

Convention on Cybercrime

Information Technology Act, 2000

Article 19 – Search and seizure of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

a a computer system or part of it and computer data stored therein; and

b a computer-data storage medium in which computer data may be stored in its territory.

2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.

3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:

a seize or similarly secure a computer system or part of it or a computer-data storage

medium;

b make and retain a copy of those computer data;

c maintain the integrity of the relevant stored computer data;

d render inaccessible or remove those computer data in the accessed computer system.

4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.

5 The powers and procedures referred to in this article shall be subject to Articles 14 and15.

76 Confiscation

Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation:

Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.

While Article 19 provides for the power to search and seize computer systems for the investigation into criminal offences of any type of kind, section 76 of the IT Act is limited only to contraventions of the provisions of the Act, rules, orders or regulations made thereunder. However, this does not mean that Indian law enforcement authorities do not have the power to search and seize a computer system for crimes other than those contained in the IT Act; just as in the case of Article 18, the authorities in India are free to use the provisions contained in the Criminal Procedure Code and other sectoral legislations which allow for seizure of property to seize computer systems when investigating criminal offences.

Convention on Cybercrime

Information Technology Act, 2000

Article 20 – Real-time collection of traffic data

1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:

a collect or record through the application of technical means on the territory of that Party, and

b compel a service provider, within its existing technical capability:

i to collect or record through the application of technical means on the territory of that Party; or

ii to co-operate and assist the competent authorities in the collection or recording of,

traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.

2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.

3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43.

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Section 69B in the IT Act enables the government to authorise the monitoring and collection of traffic data through any computer system. Under the Convention, orders for collection and recording of traffic data can be given for the purposes mentioned in Articles 14 and 15. On the other hand, as per the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, an order for monitoring may be issued for any of the following purposes relating to cyber security:

(a) forecasting of imminent cyber incidents;

(b) monitoring network application with traffic data or information on computer resource;

(d) tracking cyber security breaches or cyber security incidents;

(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;

(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;

(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;

(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;

(i) any other matter relating to cyber security.

As can be seen from the above, the reasons for which an order for monitoring traffic data can be issued are extremely wide, this is in stark contrast to the reasons for which an order for interception of content data may be issued under section 69. The Rules also provide that the intermediary shall not disclose the existence of a monitoring order to any third party and shall take all steps necessary to ensure extreme secrecy in the matter of monitoring of traffic data.

Convention on Cybercrime

Information Technology Act, 2000

Article 21 – Interception of content data

1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:

a collect or record through the application of technical means on the territory of that Party, and

b compel a service provider, within its existing technical capability:

i to collect or record through the application of technical means on the territory of that Party, or

ii to co-operate and assist the competent authorities in the collection or recording of,

content data, in real-time, of specified communications in its territory transmitted by means of a computer system.

2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.

4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -

(a) provide access to or secure access to the computer resource containing such information; generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

There has been a lot of academic research and debate around the exercise of powers under section 69 of the IT Act, but the current piece is not the place for a standalone critique of section 69.[11] The analysis here is limited to a comparison of the provisions of Article 20 vis-à-vis section 69 of the IT Act.

In that background, it needs to be pointed out that two important issues mentioned in Article 20 of the Convention are not specifically mentioned in section 69B, viz. (i) that the order should be only for specific computer data, and (ii) that the intermediary should keep such an order confidential; these requirements are covered by Rules 9 and 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, respectively.

Convention on Cybercrime

Information Technology Act, 2000

Article 22 – Jurisdiction

1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:

a in its territory; or

b on board a ship flying the flag of that Party; or

c on board an aircraft registered under the laws of that Party; or

d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.

3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.

4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.

5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

1. Short Title, Extent, Commencement and Application

(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.

75 Act to apply for offence or contraventions committed outside India

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.

(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

The Convention provides for extra territorial jurisdiction only for crimes committed outside the State by nationals of that State. However, the IT Act applies even to offences under the Act committed by foreign nationals outside India, as long as the act involves a computer system or computer network located in India.

Unlike para 3 of Article 22 of the Convention, the IT Act does not touch upon the issue of extradition. Cases involving extradition would therefore be dealt with by the general law of the land in respect of extradition requests contained in the Extradition Act, 1962. The Convention requires that in cases where the state refuses to extradite an alleged offender, it should establish jurisdiction over the offences referred to in Article 21(1) so that it can proceed against that offender itself. In this regard, it must be pointed out that Section 34A of the Extradition Act, 1962 provides that “Where the Central Government is of the opinion that a fugitive criminal cannot be surrendered or returned pursuant to a request for extradition from a foreign State, it may, as it thinks fit, take steps to prosecute such fugitive criminal in India.” Thus the Extradition Act gives the Indian government the power to prosecute an individual in the event that such individual cannot be extradited.

International Cooperation

Chapter III of the Convention deals specifically with international cooperation between the signatory parties. Such co-operation is to be carried out both "in accordance with the provisions of this Chapter" and "through application of relevant international agreements on international cooperation in criminal matters, arrangements agreed to on the basis of uniform or reciprocal legislation, and domestic laws." The latter clause establishes the general principle that the provisions of Chapter III do not supersede the provisions of international agreements on mutual legal assistance and extradition or the relevant provisions of domestic law pertaining to international co-operation.^{^[12]} Although the Convention grants primacy to mutual treaties and agreements between member States, in certain specific circumstances it also provides for an alternative if such treaties do not exist between the member states (Article 27 and 28). The Convention also provides for international cooperation on certain issues which may not have been specifically provided for in mutual assistance treaties entered into between the parties and need to be spelt out due to the unique challenges posed by cyber crimes, such as expedited preservation of stored computer data (Article 29) and expedited disclosure of preserved traffic data (Article 30). Contentious issues such as access to stored computer data, real time collection of traffic data and interception of content data have been specifically left by the Convention to be dealt with as per existing international instruments or arrangements between the parties.

Conclusion

The broad language and wide terminology used IT Act seems to cover a number of the cyber crimes mentioned in the Budapest Convention, even though India has not signed and ratified the same. Penal provisions such as illegal access (Article 2), data interference (Article 4), system interference (Article 5), offence related to child pornography (Article 9), attempt and aiding or abetting (Article 11), corporate liability (Article 12) are substantially covered and reflected in the IT Act in a manner very similar to the requirements of the Convention. Similarly procedural provisions such as search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), interception of content data (Article 21) and Jurisdiction (Article 22) are also substantially reflected in the IT Act.

However certain penal provisions mentioned in the Convention such as computer related forgery (Article 7), computer related fraud (Article 8) are not provided for specifically in the IT Act but such offences are covered when provisions of the Indian Penal Code, 1860 are read in conjugation with provisions of the IT Act. Similarly procedural provisions such as expedited preservation of stored computer data (Article 16) and production order (Article 18) are not specifically provided for in the IT Act but are covered under Indian law through the provisions of the Code of Criminal Procedure, 1973.

Apart from the above two categories there are certain provisions such as misuse of devices (Article 6) and Illegal interception (Article 3) which may not be specifically covered at all under Indian law, but may conceivably be said to be covered through an expansive reading of provisions of the Indian Penal Code and the IT Act. It may therefore be said that even though India has not signed or ratified the Budapest Convention, the legal regime in India is substantially in compliance with the provisions and requirements contained therein.

Thus, the Convention on Cybercrime is perhaps the most important international multi state instruments that may be used to combat cybercrime, not merely because the provisions thereunder may be used as a model to bolster national/local laws by any State, be it a signatory or not (as in the case of India) but also because of the mechanism it lays down for international cooperation in the field of cyber terrorism. In an increasingly interconnected world where more and more information of individuals is finding its way to the cloud or other networked infrastructure the international community is making great efforts to generate norms for increased international cooperation to combat cybercrime and cyber terrorism. While the Convention is one such multilateral effort, States are also proposing to use bilateral treaties to enable them to better fight cybercrime, the United States CLOUD Act, being one such effort. In the backdrop of these novel efforts the role to be played by older instruments such as the Convention on Cybercrime as well as by important States such as India is extremely crucial.

[1] Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b.

[2] The analysis here has been limited to only Chapter I and Chapter II of the Convention, as it is only adherence to these two chapters that is required under the CLOUD Act.

[3] The only possible enforcement that may be done with regard to the Convention on Cybercrime is that the Council of Europe may put pressure on the signatory State to amend its local laws (if it is refusing to do so) otherwise it would be in violation of its obligations as a member of the European Union.

[4] Alexander Seger, “India and the Budapest Convention: Why Not?”, https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

[5] Explanatory Report to the Convention on Cybercrime, Para 50, https://rm.coe.int/16800cce5b.

[6] India is a party to the Berne Convention on Literary and Artistic Works, the Agreement on Trade Related Intellectual Property Rights and the Rome Convention. India has also recently (July 4, 2018) announced that it will accede to the WIPO Copyright Treaty as well as the WIPO Performances and Phonographs Treaty.

[7] The test under the Convention is that the relevant person would be the one who has a leading position within the company, based on:

a power of representation of the legal person;
an authority to take decisions on behalf of the legal person;
an authority to exercise control within the legal person.

[8]Vipul Kharbanda and Elonnai Hickock, “MLATs and the proposed Amendments to the US Electronic Communications Privacy Act”, https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act

[9] The term “human rights” has been defined in the Act as “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”.

[10] Explanatory Report to the Convention on Cybercrime, Para 151, https://rm.coe.int/16800cce5b. .

[11] A similar power of interception is available under section 5 of the Telegraph Act, 1885, but that extends only to interception of telegraphic communication and does not extend to communications exchanged through computer networks.

[12] Explanatory Report to the Convention on Cybercrime, Para 244, https://rm.coe.int/16800cce5b.

For more details visit https://cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act