The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 1 to 8.
Online outcry forces government to withdraw draft encryption policy
https://cis-india.org/internet-governance/news/first-post-naina-khedekar-september-23-2015-online-outcry-forces-government-to-withdraw-draft-encryption-policy
<b>The article by Naina Khedekar discussing encryption policy was published in First Post on September 23, 2015. Pranesh Prakash has been quoted.</b>
<p style="text-align: justify; ">Read the original published by First Post <a class="external-link" href="http://tech.firstpost.com/news-analysis/online-backlash-forces-government-to-withdraw-draft-encryption-policy-282106.html">here</a>.</p>
<hr />
<p style="text-align: justify; ">Yesterday, the government <a href="http://tech.firstpost.com/news-analysis/after-backlash-govt-exempts-whatsapp-facebook-payment-gateways-from-encryption-policy-282095.html" target="_blank"><b>released a draft encryption policy</b></a> aimed at keeping a tab on the use of technology by specifying algorithms and length of encryption keys used by ‘all’. It wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text which should be presented before the law enforcement agencies whenever asked to. Moreover, failing to do so would mean legal action as per the laws of the country.</p>
<p style="text-align: justify; ">After a huge outcry, most of us woke up to the new proposed addendum this morning wherein the government has clarified to exempt products such as social media sites including WhatsApp, Facebook and Twitter; payment gateways; e-commerce and password based transactions and more from the draft policy.</p>
<p style="text-align: justify; ">Finally, the government has decided to <a href="http://tech.firstpost.com/news-analysis/government-withdraws-controversial-draft-encryption-policy-reports-282170.html"><b>withdraw the draft encryption policy</b></a>.</p>
<blockquote class="twitter-tweet" style="text-align: justify; ">
<p dir="ltr">I have written for that draft to be withdrawn, made changes to and then re-released: RS Prasad : ANI <a href="http://t.co/W2IP4meEGb" rel="nofollow">pic.twitter.com/W2IP4meEGb</a></p>
<p>— Firstpost (@firstpost) <a href="https://twitter.com/firstpost/status/646221371932962816" rel="nofollow">September 22, 2015</a></p>
</blockquote>
<blockquote class="twitter-tweet" style="text-align: justify; ">
<p dir="ltr">Some sort of encryption policy is there all over the world: Ravishankar Prasad <a href="http://t.co/cDvsOWtjcM" rel="nofollow">pic.twitter.com/cDvsOWtjcM</a></p>
<p>— Firstpost (@firstpost) <a href="https://twitter.com/firstpost/status/646222621495812096" rel="nofollow">September 22, 2015</a></p>
</blockquote>
<p style="text-align: justify; ">What’s fascinating is how the whole process felt like déjà vu. Haven’t we seen the drama unfold before? While the dust on the net neutrality saga has barely settled, we’re already facing newer issues related to encryption and privacy. We never learn from our mistakes, do we? A new draft policy, public outcry, and then come the much-needed changes.</p>
<p style="text-align: justify; "><img alt="social_media" class="size-full wp-image-235071" height="360" src="http://tech.firstpost.com/wp-content/uploads/2014/09/social_media.jpg" width="640" /></p>
<p style="text-align: justify; ">The Indian government hasn’t just caused anxiety and chaos among the netizens, but the initial draft completely misguided people. According to <a href="http://thenextweb.com/in/2015/09/21/india-still-doesnt-understand-how-online-security-works/" rel="nofollow" target="_blank"><b>TheNextWeb</b></a>, “The Indian government has made a fool of itself and caused anxiety among citizens with a woefully misguided proposal for a national encryption policy that it’s just released to the public for feedback.”</p>
<p style="text-align: justify; ">While we sit back and talk about Digital India, smarter cities and so on, the makers of the law seem to be clueless about some major by-products concerning these initiatives such as security, privacy and likewise. Each time the government talks about a new initiative meant to bring in some law and order pertaining to digital rights, it somehow manages to come up with implications that could affect us far worse.</p>
<p style="text-align: justify; ">In this case, the Indian government is trying to ensure that its law enforcement agencies have easy access to encrypted information whenever required, but this could easily compromise security and privacy in the process.</p>
<p style="text-align: justify; ">Moreover, each time the government releases a proposal for our digital lives, it’s people who remind the government about the adverse implications it could have. Does the expert panel writing these reports know nothing about privacy and how it possibly works? Or is the government simply floating a trial balloon policy to gauge people’s reactions? So, next time we don’t react, a draconian rule might just be governing our digital lives.</p>
<p style="text-align: justify; ">The whole net neutrality saga continued for months with assurance from the government on how it supports free and equal Internet, and eventually made ‘certain changes’. This seems headed on a similar path. Though the new addendum comes with changes, it still leaves us as muddled as before.</p>
<p style="text-align: justify; ">Pranesh Prakash of the CIS has tweeted out how the new clarification clarifies nothing.</p>
<blockquote class="twitter-tweet" style="text-align: justify; ">
<p dir="ltr">This clarification by the govt does not clarify anything, but further muddles the encryption policy. <a href="http://t.co/1KK8AFRp6Q" rel="nofollow">pic.twitter.com/1KK8AFRp6Q</a></p>
<p>— Pranesh Prakash (@pranesh_prakash) <a href="https://twitter.com/pranesh_prakash/status/646164649436549120" rel="nofollow">September 22, 2015</a></p>
</blockquote>
<blockquote class="twitter-tweet" style="text-align: justify; ">
<p dir="ltr">All OSes will be illegal in India (IV.6 + V.3 of draft encryption policy) unless Microsoft, Apple, Red Hat, etc, sign agreement w/ govt.</p>
<p>— Pranesh Prakash (@pranesh_prakash) <a href="https://twitter.com/pranesh_prakash/status/645871490408255489" rel="nofollow">September 21, 2015</a></p>
</blockquote>
<blockquote class="twitter-tweet" style="text-align: justify; ">
<p dir="ltr">If India enacts that National Encryption Policy, their global back-end and support business will be drastically reduced. If it survives.</p>
<p>— Lin S (@Just_this_time) <a href="https://twitter.com/Just_this_time/status/645781278244012033" rel="nofollow">September 21, 2015</a></p>
</blockquote>
<p style="text-align: justify; ">A new <a href="http://www.medianama.com/2015/09/223-india-draft-encryption-policy/" rel="nofollow" target="_blank"><b>Medianama</b></a> report also points out loopholes in the changes announced. The report adds that any encrypted service would have to sign an agreement with the government. With the heavy mobile penetration and increasing number of encrypted mobile services that people use, is it really feasible for the government to ink an agreement with all the services that are based outside the country?</p>
<blockquote class="twitter-tweet" style="text-align: justify; ">
<p dir="ltr">Problems with the update to India's draft anti-privacy policy <a href="http://t.co/gKus1o3uaC" rel="nofollow">http://t.co/gKus1o3uaC</a> <a href="http://t.co/adqVJTedFI" rel="nofollow">pic.twitter.com/adqVJTedFI</a></p>
<p>— Nikhil Pahwa (@nixxin) <a href="https://twitter.com/nixxin/status/646153774231228416" rel="nofollow">September 22, 2015</a></p>
</blockquote>
<p style="text-align: justify; ">In the past, we’ve seen the blame game around the laws; usually it is the ‘hurriedly’ changed laws, passed (after the inability to monitor encrypted messages during the Mumbai terrorist attacks) in the winter session of 2008 without any debate or discussion, that bear the brunt. Earlier this year, we saw the government strike down Section 66A of the 2008 Information Technology Act, describing it as “unconstitutional” and saying it “hit at the root of liberty and freedom of expression, the two cardinal pillars of democracy.”</p>
<p style="text-align: justify; ">Why can’t all the thinking be done before drafts are penned down for public review? A well thought out report would help avoid retractions later.</p>
No publisher | praskrishna | Encryption, Encryption Policy, Internet Governance | 2015-10-01T02:05:01Z | News Item
Bowing to public pressure, govt withdraws draft encryption policy
https://cis-india.org/internet-governance/news/hindustan-times-september-22-2015-bowing-to-public-pressure-govt-withdraws-draft-encryption-policy
<b>Bowing to pressure from the public, the government on Tuesday withdrew a draft policy that sought to control secured online communication, including through mass-use social media and web applications such as WhatsApp and Twitter.</b>
<p style="text-align: justify; ">The article was published by the <a class="external-link" href="http://www.hindustantimes.com/tech/bowing-to-public-pressure-govt-withdraws-draft-encryption-policy/story-kOVNjpFZIuzyuQZGqv4JSN.html;jsessionid=C7FD668754FD1868D4BFE90D6D3C98B5">Hindustan Times</a> on September 22, 2015. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">Communications and information technology minister Ravi Shankar Prasad announced the government’s decision at a news conference, saying the draft National Encryption Policy will be reviewed before it is again presented to the public for their suggestions.</p>
<p style="text-align: justify; ">“I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,” Prasad said. He said the draft would be re-released, but did not say when it would be made public.</p>
<p style="text-align: justify; ">“Experts had framed a draft policy...This draft policy is not the government’s final view,” he added. “There were concerns in some quarters. There were some words (in the draft policy) that caused concern.”</p>
<p style="text-align: justify; ">The draft will be reviewed and experts will be asked to specify to whom the policy will be applicable, Prasad said. He did not say when the new draft will be made public.</p>
<p style="text-align: justify; ">Those using social media platforms and web applications fell outside the scope of an encryption policy, Prasad said.</p>
<p style="text-align: justify; ">Several countries have felt the need for an encryption policy because of the boom in e-commerce and e-governance, he remarked. “Cyber space interactions are on the rise. There are concerns about security. We need a sound encryption policy,” he said.</p>
<p style="text-align: justify; ">Before Prasad announced the withdrawal of the draft policy, the government had issued an addendum early on Tuesday to keep social media and web applications like WhatsApp, Twitter and Facebook out of its purview.</p>
<p style="text-align: justify; ">Secure banking transactions and password protected e-commerce businesses too will be kept out of the ambit of the proposed policy, the addendum said.</p>
<p style="text-align: justify; ">The climb down by the government came following a storm of protests from users who objected to any stringent state controls on the use of email, social media accounts and apps.</p>
<p style="text-align: justify; ">According to the original draft, users of apps such as WhatsApp and Snapchat would be required to save all messages for up to 90 days and be able to produce them if asked by authorities.</p>
<p style="text-align: justify; ">Experts told Hindustan Times the draft policy, if implemented in its current form, could compromise the privacy of users and hamper the functioning of several multi-national service providers in India.</p>
<p style="text-align: justify; ">Nikhil Pahwa, editor of the MediaNama website that tracks cyber issues and tech news, said there were several problems even with the addendum to the draft policy.</p>
<p style="text-align: justify; ">“The usage of the phrase ‘currently in use’ renders the policy vague: Firstly, when is ‘currently’?” he questioned in a post on his website.</p>
<p style="text-align: justify; ">“Will a new service that uses a different kind of encryption to protect its users, still be covered? Why should users be ‘restricted to encryption currently in use’? Why should services like Whatsapp, Facebook and Twitter define our security standards?” said Pahwa, who also volunteers for savetheinternet.in.</p>
<p style="text-align: justify; ">Pranesh Prakash, policy director for The Centre for Internet and Society, tweeted that even the addendum “does not clarify anything, but further muddles the encryption policy”.</p>
<p style="text-align: justify; ">Social media users called the draft “draconian” and “delusional”, and Congress leader Manish Tewari too attacked the Union government.</p>
<p style="text-align: justify; ">“The encryption policy (draft) is a snooping and spying orgy. After net chats, the government may want you to keep a video record of what you do in your bedroom for 90 days,” the Congress spokesperson told reporters.</p>
<p style="text-align: justify; ">The draft policy had been posted online last week to seek suggestions from the public.</p>
No publisher | praskrishna | Encryption, Internet Governance, Encryption Policy | 2015-10-01T02:15:17Z | News Item
The State of Secure Messaging
https://cis-india.org/internet-governance/blog/the-state-of-secure-messaging
<b>A look at the protections provided by and threats posed to secure communication online.</b>
<p><em>This blogpost was edited by Gurshabad Grover and Amber Sinha.</em></p>
<p dir="ltr">The current benchmark for secure communication online is
end-to-end encrypted messaging. It refers to a method of encryption
wherein the contents of a message are only readable by the devices of
the individuals, or endpoints, participating in the communication. All
other Internet intermediaries such as internet service providers,
internet exchange points, undersea cable operators, data centre
operators, and even the messaging service providers themselves cannot
read them. This is achieved through cryptographic <a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange">mechanisms</a>
that allow independent devices to establish a shared secret key over an
insecure communication channel, which they then use to encrypt and
decrypt messages. Common examples of end-to-end encrypted messaging are
applications like Signal and WhatsApp.</p>
<p dir="ltr">This post attempts to give at-risk individuals, concerned
citizens, and civil society at large a more nuanced understanding of the
protections provided and threats posed to the security and privacy of
their communications online.</p>
<h4 dir="ltr">Threat Model</h4>
<p dir="ltr">The first step to assessing security and privacy is to
identify and understand actors and risks. End-to-end encrypted messaging
applications consider the following threat model:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Device compromise: Can happen physically through loss or
theft, or remotely. Access to an individual’s device could be gained
through technical flaws or coercion (<a href="https://www.eff.org/wp/digital-privacy-us-border-2017">legal</a>, or <a href="https://xkcd.com/538/">otherwise</a>). It can be temporary or be made persistent by installing <a href="https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/">malware</a> on the device.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Network monitoring and interference: Implies access to data
in transit over a network. All Internet intermediaries have such
access. They may either actively interfere with the communication or
passively <a href="https://www.theatlantic.com/international/archive/2013/07/the-creepy-long-standing-practice-of-undersea-cable-tapping/277855/">observe</a> traffic.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Server compromise: Implies access to the web server hosting
the application. This could be achieved through technical flaws,
insider access such as an employee, or through coercion (<a href="https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016">legal</a>, or otherwise). </p>
</li></ul>
<p dir="ltr">End-to-end encrypted messaging aims to offer complete
message confidentiality and integrity in the face of server and network
compromise, and some protections against device compromise. These are
detailed below.</p>
<h4 dir="ltr">Protections Provided</h4>
<p dir="ltr">Secure messaging services guarantee certain properties. For
mature services that have received adequate study from researchers, we
can assume them to be sound, barring implementation flaws which are
described later.</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Confidentiality: The contents of a message are kept private and the ciphers used are <a href="https://pthree.org/2016/06/19/the-physics-of-brute-force/">practically</a> unbreakable by adversaries.</p>
</li></ul>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Integrity: The contents of a message cannot be modified in transit.</p>
</li></ul>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Deniability: Aims to mimic unrecorded real-world
conversations where an individual can deny having said something.
Someone in possession of the chat transcript cannot <em>cryptographically</em>
prove that an individual authored a particular message. While some
applications feature such off-the-record messaging capabilities, the
legal applicability of such mechanisms is <a href="https://debian-administration.org/users/dkg/weblog/104">debatable</a>.</p>
</li></ul>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Forward and Future Secrecy: These properties aim to limit
the effects of a temporary compromise of credentials on a device.
Forward secrecy ensures messages collected over the network, which were
sent before the compromise, cannot be decrypted. Future secrecy ensures
messages sent post-compromise are protected. These mechanisms are easily
circumvented in practice as past messages are usually stored on the
device being compromised, and future messages can be obtained by gaining
persistent access during compromise. These properties are meant to
protect individuals <a href="https://hal.inria.fr/hal-01966560/document">aware</a> of these limitations in exceptional situations such as a journalist crossing a border.</p>
</li></ul>
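<p dir="ltr">The key agreement described in the opening paragraph and the forward and future secrecy properties described above can be seen in a small simulation. This is an added example, not code from the CIS post or from any messenger: it uses a toy finite-field Diffie-Hellman exchange over the prime 2^255 - 19 with generator 2 (constructed for illustration, not a vetted DH group; real messengers use X25519) and an HMAC-SHA256 hash ratchet as a stand-in for the HKDF-based Double Ratchet used by the Signal protocol. The names <code>Ratchet</code>, <code>establish_session</code>, <code>exchange</code> and <code>simulate_compromise</code> are the example’s own.</p>

```python
# Added example: toy key agreement plus symmetric ratchet, to show what forward
# and future secrecy do (and do not) protect. Not code from the CIS post.
import hashlib
import hmac
import secrets

# Constructed toy group: the prime 2^255 - 19 with generator 2. This is NOT a
# vetted Diffie-Hellman group; real messengers use X25519. It only has to give
# both endpoints the same shared secret for the demonstration.
P = 2**255 - 19
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # Both sides compute g^(ab) mod p from the other's public value.
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def kdf(key, label):
    # HMAC-SHA256 as a one-way key derivation step (stand-in for HKDF).
    return hmac.new(key, label, hashlib.sha256).digest()


class Ratchet:
    """Symmetric ratchet: each message key is derived from the chain key, which
    is then replaced by a one-way step so earlier keys cannot be recovered."""

    def __init__(self, chain_key):
        self.chain_key = chain_key

    def next_message_key(self):
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")
        return msg_key

    def dh_step(self, fresh_secret):
        # Mixing in a fresh DH output is what heals the chain after a compromise.
        self.chain_key = kdf(self.chain_key, b"root" + fresh_secret)


def establish_session():
    """Two endpoints derive the same root key over an insecure channel."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_root = kdf(dh_shared(a_priv, b_pub), b"root")
    b_root = kdf(dh_shared(b_priv, a_pub), b"root")
    assert a_root == b_root
    return Ratchet(a_root), Ratchet(b_root)


def exchange(alice, bob):
    """One message: both ratchets advance and must agree on the message key."""
    key = alice.next_message_key()
    assert key == bob.next_message_key()
    return key


def simulate_compromise(n_before=3, n_after=3):
    """An adversary copies Alice's chain key after n_before messages; returns
    which secrecy properties hold for earlier and later messages."""
    alice, bob = establish_session()
    past_keys = [exchange(alice, bob) for _ in range(n_before)]
    stolen = Ratchet(alice.chain_key)  # snapshot of the compromised state

    # Forward secrecy: the chain only runs forward, so the stolen state never
    # reproduces any key that was used before the compromise.
    probe = Ratchet(stolen.chain_key)
    forward_secrecy = all(probe.next_message_key() not in past_keys
                          for _ in range(n_before + n_after))

    # Without a fresh DH step, the stolen state predicts every later key exactly.
    predicted = [stolen.next_message_key() for _ in range(n_after)]
    actual = [exchange(alice, bob) for _ in range(n_after)]
    future_secrecy_without_dh = predicted != actual

    # After both endpoints mix in a new DH secret the adversary never saw,
    # the stolen copy diverges from the real chain.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice.dh_step(dh_shared(a_priv, b_pub))
    bob.dh_step(dh_shared(b_priv, a_pub))
    predicted = [stolen.next_message_key() for _ in range(n_after)]
    actual = [exchange(alice, bob) for _ in range(n_after)]
    future_secrecy_with_dh = predicted != actual

    return {
        "forward_secrecy": forward_secrecy,
        "future_secrecy_without_dh": future_secrecy_without_dh,
        "future_secrecy_with_dh": future_secrecy_with_dh,
    }


if __name__ == "__main__":
    print(simulate_compromise())
```

<p dir="ltr">The simulation matches the caveat in the text: the one-way chain step protects earlier message keys, but a stolen chain key predicts every later key until the endpoints perform a fresh DH step, and neither property helps if the stolen state also included the stored plaintext history or the adversary keeps persistent access.</p>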
<h4 dir="ltr">Shortcomings</h4>
<p dir="ltr">While secure messaging services offer useful protections
they also have some shortcomings. It is useful to understand these and
their mitigations to minimise risk.</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Metadata: Information about a communication such as <strong>who</strong> the participants are, <strong>when</strong> the messages are sent, <strong>where</strong> the participants are located, and <strong>what</strong>
the size of a message is can offer important contextual information
about a conversation. While some popular messaging services <a href="https://signal.org/blog/sealed-sender/">attempt</a>
to minimize metadata generation, metadata leakage, in general, is still
considered an open problem because such information can be gleaned by
network monitoring as well as from server compromise. Application
policies around whether such data is stored and for how long it is
retained can improve privacy. There are also <a href="https://ricochet.im/">experimental</a> approaches that use techniques like onion routing to hide metadata.</p>
</li></ul>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Authentication: This is the process of asserting whether an
individual sending or receiving a message is who they are thought to
be. Current messaging services trust application servers and cell
service providers for authentication, which means that they have the
ability to replace and impersonate individuals in conversations.
Messaging services offer advanced features to mitigate this risk, such
as notifications when a participant’s identity changes, and manual
verification of participants’ security keys through other communication
channels (in-person, mail, etc.).</p>
</li></ul>
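<p dir="ltr">To make the authentication gap concrete, the added example below (not from the CIS post or from any real messenger) models a key directory server that clients trust to hand out identity keys, and the two client-side mitigations the text mentions: a key-change notification based on pinning the first key seen, and a safety-number style fingerprint that the two participants compare over another channel. Identity public keys are stood in for by random 32-byte values; <code>KeyServer</code>, <code>Client</code>, <code>safety_number</code>, <code>out_of_band_check</code> and <code>key_change_alert</code> are the example’s own names.</p>

```python
# Added example: a trusted key directory and the two client-side checks that
# catch a substituted identity key. Not code from the CIS post.
import hashlib
import secrets


class KeyServer:
    """Directory that hands out users' identity public keys (constructed model)."""

    def __init__(self, substitute_for=()):
        self.keys = {}
        self.substitute_for = set(substitute_for)  # users whose keys get swapped
        self.swapped = {}

    def publish(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        if user in self.substitute_for:
            # A compromised or coerced server returns a key it controls instead.
            self.swapped.setdefault(user, secrets.token_bytes(32))
            return self.swapped[user]
        return self.keys[user]


class Client:
    def __init__(self, name, server):
        self.name = name
        self.server = server
        self.identity_pub = secrets.token_bytes(32)  # stands in for a public key
        self.pinned = {}  # peer -> key seen on first contact (trust on first use)
        server.publish(name, self.identity_pub)

    def fetch_peer_key(self, peer):
        """Returns (key, changed); changed is the 'identity changed' notification."""
        key = self.server.lookup(peer)
        changed = peer in self.pinned and self.pinned[peer] != key
        self.pinned[peer] = key
        return key, changed

    def safety_number(self, peer_key):
        """Fingerprint over both identity keys, order independent so both parties
        compute the same digits; meant to be compared out of band."""
        material = b"".join(sorted([self.identity_pub, peer_key]))
        digest = hashlib.sha256(material).digest()
        return " ".join(f"{int.from_bytes(digest[i:i + 2], 'big') % 100000:05d}"
                        for i in range(0, 12, 2))


def out_of_band_check(server):
    """True when Alice's and Bob's safety numbers agree, i.e. nobody sits in between."""
    alice = Client("alice", server)
    bob = Client("bob", server)
    bob_key_seen_by_alice, _ = alice.fetch_peer_key("bob")
    alice_key_seen_by_bob, _ = bob.fetch_peer_key("alice")
    return (alice.safety_number(bob_key_seen_by_alice)
            == bob.safety_number(alice_key_seen_by_bob))


def key_change_alert():
    """Server starts substituting after first contact: pinning raises the alert."""
    server = KeyServer()
    alice = Client("alice", server)
    Client("bob", server)
    alice.fetch_peer_key("bob")          # first contact pins Bob's real key
    server.substitute_for.add("bob")     # server is later compromised
    _, changed = alice.fetch_peer_key("bob")
    return changed


if __name__ == "__main__":
    print("honest server, numbers match:", out_of_band_check(KeyServer()))
    print("substituting server, numbers match:",
          out_of_band_check(KeyServer(substitute_for={"alice", "bob"})))
    print("key change detected:", key_change_alert())
```

<p dir="ltr">Pinning only detects a change after a first contact that was itself honest, which is why the manual comparison over a separate channel remains the stronger check: it catches substitution even when the server lied from the very first lookup.</p>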
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Availability: An individual’s access to a messaging service
can be impeded. Intermediaries may delay or drop messages resulting in
what is called a denial of service attack. While messaging services are
quite resilient to such attacks, governments may censor or completely
shut down Internet access.</p>
</li></ul>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Application-level gaps: Capabilities offered by services in
addition to messaging, such as contact discovery, online status, and
location sharing are often <a href="https://www.forbes.com/sites/thomasbrewster/2017/01/22/whatsapp-facebook-backdoor-government-data-request/">not covered</a>
by end-to-end encryption and may be stored by the application server.
Application policies around how such information is gathered and
retained affect privacy.</p>
</li></ul>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Implementation flaws and backdoors: Software or hardware
flaws (accidental or intentional) on an individual’s device could be
exploited to circumvent the protections provided by end-to-end
encryption. For mature applications and platforms, accidental flaws are
difficult and <a href="https://arstechnica.com/information-technology/2019/09/for-the-first-time-ever-android-0days-cost-more-than-ios-exploits/">expensive</a> to exploit, and as such are only accessible to Government or other
powerful actors who typically use them to surveil individuals of
interest (and not for mass surveillance). Intentional flaws or backdoors
introduced by manufacturers may also be present. The only defence
against these is security researchers who rely on manual inspection to
examine software and network interactions to detect them.</p>
</li></ul>
<h4 dir="ltr">Messaging Protocols and Standards</h4>
<p dir="ltr">In the face of demands for exceptional access to encrypted
communication from governments, and risks of mass surveillance from both
governments and corporations, end-to-end encryption is important to
enable secure and private communication online. The Signal protocol,
which is open and adopted by popular applications like WhatsApp and
Signal, is considered a success story as it brought end-to-end
encryption to over a billion users and has become a de-facto standard.</p>
<p dir="ltr">However, it is unilaterally developed and controlled by a single organisation. Messaging Layer Security (or <a href="https://datatracker.ietf.org/wg/mls/about/">MLS</a>)
is a working group within the Internet Engineering Task Force (IETF)
that is attempting to standardise end-to-end encryption through
participation of individuals from corporations, academia, and civil
society. The draft protocol offers the standard security properties
mentioned above, except for deniability which is still being considered.
It incorporates novel research that allows it to scale efficiently for
large groups up to thousands of participants, which is an improvement
over the Signal protocol. MLS aims to increase adoption further by
creating open standards and implementations, similar to the Transport
Layer Security (TLS) protocol used to encrypt much of the web today.
There is also a need to look beyond end-to-end encryption to address its
shortcomings, particularly around authentication and metadata leakage.</p>
No publisher | divyank | Freedom of Speech and Expression, Encryption, IETF | 2020-07-17T08:12:15Z | Blog Entry
How India Regulates Encryption
https://cis-india.org/internet-governance/blog/how-india-regulates-encryption
<p style="text-align: justify; "><span>Governments across the globe have been arguing for the need to regulate the use of encryption for law enforcement and national security purposes. Various means of regulation such as backdoors, weak encryption standards and key escrows have been widely employed, which has left the information of online users vulnerable not only to uncontrolled access by governments but also to cyber-criminals. The Indian regulatory space has not been untouched by this practice and contains laws and policies to control encryption. The regulatory requirements in relation to the use of encryption are fragmented across legislations such as the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) and several sector-specific regulations. The regulatory framework is designed to either </span><i>limit encryption or gain access to the means of decryption or decrypted information</i><span>.</span></p>
<p style="text-align: justify; "><span style="text-decoration: underline;"><strong>Limiting encryption</strong></span></p>
<p style="text-align: justify; "><span>The IT Act does not prescribe the level or type of encryption to be used by online users. Under Section 84A, it grants the Government the authority to prescribe modes and methods of encryption. The Government has not issued any rules in exercise of these powers so far but had released a draft encryption policy on September 21, 2015. Under the draft policy, only those encryption algorithms and key sizes were permitted to be used as were to be notified by the Government. The draft policy was withdrawn due to widespread criticism of various requirements under the policy of which retention of unencrypted user information for 90 days and mandatory registration of all encryption products offered in the country were noteworthy.</span></p>
<p style="text-align: justify; "><span>The Internet Service Providers License Agreement (ISP License), entered between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), permits the use of encryption up to 40 bit key length in the symmetric algorithms or its equivalent in others.</span><a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn1">[1]</a><span> The restriction applies not only to the ISPs but also to individuals, groups and organisations that use encryption. In the event an individual, group or organisation decides to deploy encryption that is higher than 40 bits, prior permission from the DoT must be obtained and the decryption key must be deposited with the DoT. There are, however no parameters laid down for use of the decryption key by the Government. </span><span>Several issues arise in relation enforcement of these license conditions.</span></p>
<p><span> </span></p>
<ol>
<li><span>While this requirement is applicable to all individuals, groups and organisations using encryption it is difficult to enforce it as the ISP License only binds DoT and the ISP and cannot be enforced against third parties.</span></li>
<li><span>Further, a 40 bit symmetric key length is considered to be an extremely weak standard</span><a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn2">[2]</a><span> and is inadequate for protection of data stored or communicated online. </span><span style="text-align: justify; ">Various sector-specific regulations that are already in place in India prescribe encryption of more than 40 bits. </span></li>
<ul>
<li style="text-align: justify; "><span>The Reserve Bank of India has issued guidelines for Internet banking</span><a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn3"><sup><sup>[3]</sup></sup></a><span> where it prescribes 128-bit as the minimum level of encryption and acknowledges that constant advances in computer hardware and cryptanalysis may induce use of larger key lengths. The Securities and Exchange Board of India also prescribes</span><a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn4">[4]</a><span> a 64-bit/128-bit encryption for standard network security and use of secured socket layer security preferably with 128-bit encryption, for securities trading over a mobile phone or a wireless application platform. Further, under Rule 19 (2) of the Information Technology (Certifying Authorities) Rules, 2000 (CA Rules), the Government has prescribed security guidelines for management and implementation of information technology security of the certifying authorities. Under these guidelines, the Government has suggested </span><i>the use of suitable security software or even encryption software</i><span> to protect sensitive information and devices that are used to transmit or store sensitive information such as routers, switches, network devices and computers (also called information assets). The guidelines acknowledge the need to use</span><i> internationally proven encryption techniques</i><span> to encrypt stored passwords </span><i>such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard</i><span> as mentioned under Rule 6 of the CA Rules. These encryption algorithms are very strong and secure as compared to a 40 bit encryption key standard.</span></li>
<li style="text-align: justify; "><span style="text-align: justify; ">T</span><span style="text-align: justify; ">he ISP License also contains a clause which provides that use of any hardware or software that may render the network security vulnerable would be considered a violation of the license conditions.</span><a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn5" style="text-align: justify; ">[5]</a><span style="text-align: justify; "> Network security may be compromised by using a weak security measure such as the 40 bit encryption or its equivalent prescribed by the DoT but the liability will be imputed to the ISP. As a result, an ISP which is merely complying with the license conditions by employing not more than a 40 bit encryption may be liable for what appears to be contradictory license conditions.</span></li>
<li style="text-align: justify; "><span style="text-align: justify; ">It is noteworthy that the restriction on the key size under the ISP License has not been imported to the Unified Service License Agreement (UL Agreement) that has been formulated by the DoT. The UL Agreement does not prescribe a specific level of encryption to be used for provision of services. Clause 37.5 of the UL Agreement however makes it clear that use of encryption will be governed by the provisions of the IT Act. As noted earlier, the Government has not specified any limit to level and type of encryption under the IT Act however it had released a draft encryption policy that has been suspended due to widespread criticism of its mandate.</span></li>
</ul>
</ol>
<p style="text-align: justify; "><span>The Telecom Licenses (ISP License, UL Agreement, and Unified Access Service License) prohibit the use of bulk encryption by the service providers, yet the providers remain responsible for maintaining the privacy of communications and preventing unauthorized interception.</span></p>
<p style="text-align: justify; "><span style="text-decoration: underline;"><strong>Gaining access to means of decryption or decrypted information</strong></span></p>
<p style="text-align: justify; "><span>Besides restrictions on the level of encryption, the ISP License and the UL Agreement make it mandatory for service providers, including ISPs, to provide the DoT with all details of the technology employed for operations and to furnish all documentary details, such as the relevant literature, drawings, installation materials and tools, and testing instruments relating to the system intended to be used for operations, as and when required by the DoT.<sup>[6]</sup> While these license conditions do not expressly state that access to the means of decryption must be given to the government, the language is broad enough to cover such access as well. Further, ISPs are required to obtain the prior approval of the DoT before installing any equipment or executing any project in areas that are sensitive from a security point of view, and they are subject to, and required to facilitate, continuous monitoring by the DoT. Taken together, these obligations give the Government complete access to and control over the infrastructure used to provide internet services, which includes any installation or equipment used for encryption and decryption.</span></p>
<p><span style="text-align: justify; ">The Government has also been granted the power to gain access to the means of decryption or, more simply, to decrypted information under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (the Decryption Rules).</span></p>
<ol>
<li style="text-align: justify; "><span>A decryption order usually entails a direction to a decryption key holder to disclose a decryption key, to allow access to encrypted information or to facilitate its conversion into intelligible form, and it must state the reasons for the direction. Rule 8 of the Decryption Rules in fact makes it mandatory for the authority to consider other means of acquiring the necessary information before issuing a decryption order.</span></li>
<li style="text-align: justify; "><span style="text-align: justify; ">The Secretary in the Ministry of Home Affairs, or the Secretary in charge of the Home Department in a state or union territory, is authorised to issue an order of decryption in the </span><i style="text-align: justify; ">interest of sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence</i><span style="text-align: justify; ">. It is useful to note that this provision was amended in 2009 to expand the grounds on which a direction for decryption can be passed: since 2009, the Government can issue a decryption order for the investigation of any offence. In the absence of any specific process for the collection of digital evidence, do we simply follow the procedure under the general criminal law, or is it necessary to draw a distinction between investigation in the digital and the physical environment and ask whether adequate safeguards exist to check the abuse of the investigatory powers of the police?</span></li>
<li style="text-align: justify; "><span style="text-align: justify; ">Orders for decryption must be examined by a review committee constituted under Rule 419A of the Indian Telegraph Rules, 1951 to ensure compliance with the provisions of the IT Act. The review committee is required to convene at least once in two months for this purpose. However, the Department of Electronics and Information Technology informed us, in its response to an RTI application dated April 21, 2015 filed by our organisation, that since its constitution the review committee has met only once, in January 2013.</span></li>
</ol>
<p style="text-align: justify; "><strong><span style="text-decoration: underline;">Conclusion</span></strong></p>
<p style="text-align: justify; ">While studying a regulatory framework for encryption, it is necessary to identify the lens through which encryption is viewed, i.e. whether it is treated as a means of information security or as a threat to national security. As noted earlier, the encryption mandates for banking systems and certifying authorities in India contradict those under the telecom licenses and the Decryption Rules. It would help to test whether the Government's scepticism about strong encryption is well founded. That means surveying statistics on cyber incidents in which strong encryption was employed, as well as instances that show whether strong encryption has in fact made it difficult for law enforcement agencies to prevent or resolve crimes. It would equally help to record cyber incidents that have resulted from weaknesses such as backdoors or key escrow deliberately introduced by law. Such data would clear the air about the role of encryption in securing cyberspace and facilitate appropriate regulation.</p>
<hr size="1" style="text-align: justify; " width="33%" />
<p style="text-align: justify; ">[1] Clause 2.2 (vii) of the ISP License</p>
<p style="text-align: justify; ">[2] Schneier, Bruce (1996). Applied Cryptography (Second ed.). John Wiley & Sons</p>
<p style="text-align: justify; ">[3] Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds: Implementation of Recommendations, 2011</p>
<p style="text-align: justify; ">[4] Report on Internet Based Trading by the SEBI Committee on Internet Based Trading and Services, 2000. SEBI subsequently acknowledged, in circular no. CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology, that the level of encryption would be governed by DoT policy.</p>
<p style="text-align: justify; ">[5] Clause 34.25 of the ISP License</p>
<p style="text-align: justify; ">[6] Clauses 22 and 23 of Part IV of the ISP License</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/how-india-regulates-encryption'>https://cis-india.org/internet-governance/blog/how-india-regulates-encryption</a>
</p>
Pranesh Prakash & Japreet Grewal | Encryption | Internet Governance | 2016-07-23T13:24:58Z | Blog Entry
Summary Report Internet Governance Forum 2015
https://cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015
<b>Centre for Internet and Society (CIS), India participated in the Internet Governance Forum (IGF) held at Poeta Ronaldo Cunha Lima Conference Center, Joao Pessoa in Brazil from 10 November 2015 to 13 November 2015. The theme of IGF 2015 was ‘Evolution of Internet Governance: Empowering Sustainable Development’. Sunil Abraham, Pranesh Prakash & Jyoti Panday from CIS actively engaged and made substantive contributions to several key issues affecting internet governance at the IGF 2015. The issue-wise detail of their engagement is set out below. </b>
<p align="center" style="text-align: left;"><strong>INTERNET GOVERNANCE</strong></p>
<p align="justify">I. The Multi-stakeholder Advisory Group to the IGF organised a discussion on <em><strong>Sustainable Development Goals (SDGs) and Internet Economy</strong></em> at the Main Meeting Hall from 9:00 am to 12:30 pm on 11 November, 2015. The discussions at this session focused on the importance of Internet Economy enabling policies and an eco-system for the fulfilment of different SDGs. Several concerns were addressed, relating to internet entrepreneurship, effective ICT capacity building, protection of intellectual property within and across borders, and the availability of local applications and content. The panel also discussed the need to identify the SDGs to which internet based technologies could make the most effective contribution. Sunil Abraham contributed to the panel discussions by addressing the development and promotion of local content and applications. The list of speakers included:</p>
<ol>
<li><p align="justify">Lenni Montiel, Assistant-Secretary-General for Development, United Nations</p></li>
<li><p align="justify">Helani Galpaya, CEO LIRNEasia</p></li>
<li><p align="justify">Sergio Quiroga da Cunha, Head of Latin America, Ericsson</p></li>
<li><p align="justify">Raúl L. Katz, Adjunct Professor, Division of Finance and Economics, Columbia Institute of Tele-information</p></li>
<li><p align="justify">Jimson Olufuye, Chairman, Africa ICT Alliance (AfICTA)</p></li>
<li><p align="justify">Lydia Brito, Director of the Office in Montevideo, UNESCO</p></li>
<li><p align="justify">H.E. Rudiantara, Minister of Communication & Information Technology, Indonesia</p></li>
<li><p align="justify">Daniel Sepulveda, Deputy Assistant Secretary, U.S. Coordinator for International and Communications Policy at the U.S. Department of State</p></li>
<li><p align="justify">Deputy Minister, Department of Telecommunications and Postal Services for the Republic of South Africa</p></li>
<li><p align="justify">Sunil Abraham, Executive Director, Centre for Internet and Society, India</p></li>
<li><p align="justify">H.E. Junaid Ahmed Palak, Information and Communication Technology Minister of Bangladesh</p></li>
<li><p align="justify">Jari Arkko, Chairman, IETF</p></li>
<li><p align="justify">Silvia Rabello, President, Rio Film Trade Association</p></li>
<li><p align="justify">Gary Fowlie, Head of Member State Relations & Intergovernmental Organizations, ITU</p></li>
</ol>
<p align="justify">Detailed description of the workshop is available here: <a href="http://www.intgovforum.org/cms/igf2015-main-sessions" target="_top">http://www.intgovforum.org/cms/igf2015-main-sessions</a></p>
<p align="justify">Transcript of the workshop is available here: <a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2327-2015-11-11-internet-economy-and-sustainable-development-main-meeting-room">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2327-2015-11-11-internet-economy-and-sustainable-development-main-meeting-room</a></p>
<p align="justify">Video link, Internet Economy and Sustainable Development: <a href="https://www.youtube.com/watch?v=D6obkLehVE8">https://www.youtube.com/watch?v=D6obkLehVE8</a></p>
<p align="justify">II. Public Knowledge organised a workshop on <em><strong>The Benefits and Challenges of the Free Flow of Data</strong></em> at Workshop Room 5 from 11:00 am to 12:00 pm on 12 November, 2015. The discussions in the workshop focused on the benefits and challenges of the free flow of data and on the concerns relating to data flow restrictions, including ways to address them. Sunil Abraham contributed to the panel discussions by addressing the issue of jurisdiction over data on the internet. The panel for the workshop included the following.</p>
<ol>
<li><p align="justify">Vint Cerf, Google</p></li>
<li><p align="justify">Lawrence Strickling, U.S. Department of Commerce, NTIA</p></li>
<li><p align="justify">Richard Leaning, European Cyber Crime Centre (EC3), Europol</p></li>
<li><p align="justify">Marietje Schaake, European Parliament</p></li>
<li><p align="justify">Nasser Kettani, Microsoft</p></li>
<li><p align="justify">Sunil Abraham, CIS India</p></li>
</ol>
<p align="justify">Detailed description of the workshop is available here: <a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">Transcript of the workshop is available here: <a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2467-2015-11-12-ws65-the-benefits-and-challenges-of-the-free-flow-of-data-workshop-room-5">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2467-2015-11-12-ws65-the-benefits-and-challenges-of-the-free-flow-of-data-workshop-room-5</a></p>
<p align="justify">Video link: <a href="https://www.youtube.com/watch?v=KtjnHkOn7EQ">https://www.youtube.com/watch?v=KtjnHkOn7EQ</a></p>
<p align="justify">III. Article 19 and Privacy International organised a workshop on <em><strong>Encryption and Anonymity: Rights and Risks</strong></em> at Workshop Room 1 from 11:00 am to 12:30 pm on 12 November, 2015. The workshop fostered a discussion about the latest challenges to the protection of anonymity and encryption, and about ways in which law enforcement demands could be met while ensuring that individuals still enjoyed strong encryption and unfettered access to anonymity tools. Pranesh Prakash contributed to the panel discussions by addressing concerns about the existing South Asian regulatory framework on encryption and anonymity and by emphasizing the need for pervasive encryption. The panel for this workshop included the following.</p>
<ol>
<li><p align="justify">David Kaye, UN Special Rapporteur on Freedom of Expression</p></li>
<li><p align="justify">Juan Diego Castañeda, Fundación Karisma, Colombia</p></li>
<li><p align="justify">Edison Lanza, Organisation of American States Special Rapporteur</p></li>
<li><p align="justify">Pranesh Prakash, CIS India</p></li>
<li><p align="justify">Ted Hardie, Google</p></li>
<li><p align="justify">Elvana Thaci, Council of Europe</p></li>
<li><p align="justify">Professor Chris Marsden, Oxford Internet Institute</p></li>
<li><p align="justify">Alexandrine Pirlot de Corbion, Privacy International</p></li>
</ol>
<p align="justify">Detailed description of the workshop is available here: <a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">Transcript of the workshop is available here: <a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2407-2015-11-12-ws-155-encryption-and-anonymity-rights-and-risks-workshop-room-1">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2407-2015-11-12-ws-155-encryption-and-anonymity-rights-and-risks-workshop-room-1</a></p>
<p align="justify">Video link available here: <a href="https://www.youtube.com/watch?v=hUrBP4PsfJo">https://www.youtube.com/watch?v=hUrBP4PsfJo</a></p>
<p align="justify">IV. Chalmers & Associates organised a session on <em><strong>A Dialogue on Zero Rating and Network Neutrality</strong></em> at the Main Meeting Hall from 2:00 pm to 4:00 pm on 12 November, 2015. The Dialogue provided access to expert insight on zero-rating and to a full spectrum of views on the issue. It also explored alternative approaches to zero rating, such as the use of community networks. Pranesh Prakash provided a detailed explanation of the harms and benefits of the different approaches to zero-rating. The panellists for this session were the following.</p>
<ol>
<li><p align="justify">Jochai Ben-Avie, Senior Global Policy Manager, Mozilla, USA</p></li>
<li><p align="justify">Igor Vilas Boas de Freitas, Commissioner, ANATEL, Brazil</p></li>
<li><p align="justify">Dušan Caf, Chairman, Electronic Communications Council, Republic of Slovenia</p></li>
<li><p align="justify">Silvia Elaluf-Calderwood, Research Fellow, London School of Economics, UK/Peru</p></li>
<li><p align="justify">Belinda Exelby, Director, Institutional Relations, GSMA, UK</p></li>
<li><p align="justify">Helani Galpaya, CEO, LIRNEasia, Sri Lanka</p></li>
<li><p align="justify">Anja Kovacs, Director, Internet Democracy Project, India</p></li>
<li><p align="justify">Kevin Martin, VP, Mobile and Global Access Policy, Facebook, USA</p></li>
<li><p align="justify">Pranesh Prakash, Policy Director, CIS India</p></li>
<li><p align="justify">Steve Song, Founder, Village Telco, South Africa/Canada</p></li>
<li><p align="justify">Dhanaraj Thakur, Research Manager, Alliance for Affordable Internet, USA/West Indies</p></li>
<li><p align="justify">Christopher Yoo, Professor of Law, Communication, and Computer & Information Science, University of Pennsylvania, USA</p></li>
</ol>
<p align="justify">Detailed description of the workshop is available here: <a href="http://www.intgovforum.org/cms/igf2015-main-sessions" target="_top">http://www.intgovforum.org/cms/igf2015-main-sessions</a></p>
<p align="justify">Transcript of the workshop is available here: <a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2457-2015-11-12-a-dialogue-on-zero-rating-and-network-neutrality-main-meeting-hall-2">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2457-2015-11-12-a-dialogue-on-zero-rating-and-network-neutrality-main-meeting-hall-2</a></p>
<p align="justify">V. The Internet & Jurisdiction Project organised a workshop on <em><strong>Transnational Due Process: A Case Study in MS Cooperation</strong></em> at Workshop Room 4 from 11:00 am to 12:00 pm on 13 November, 2015. The workshop discussion focused on the challenges in developing an enforcement framework for the internet that guarantees transnational due process and legal interoperability. The discussion also covered innovative approaches to multi-stakeholder cooperation such as issue-based networks, inter-sessional work methods and transnational policy standards. The panellists for this discussion were the following.</p>
<ol>
<li><p align="justify">Anne Carblanc, Head of Division, Directorate for Science, Technology and Industry, OECD</p></li>
<li><p align="justify">Eileen Donahoe, Director Global Affairs, Human Rights Watch</p></li>
<li><p align="justify">Byron Holland, President and CEO, CIRA (Canadian ccTLD)</p></li>
<li><p align="justify">Christopher Painter, Coordinator for Cyber Issues, US Department of State</p></li>
<li><p align="justify">Sunil Abraham, Executive Director, CIS India</p></li>
<li><p align="justify">Alice Munyua, Lead dotAfrica Initiative and GAC representative, African Union Commission</p></li>
<li><p align="justify">Will Hudson, Senior Advisor for International Policy, Google</p></li>
<li><p align="justify">Dunja Mijatovic, Representative on Freedom of the Media, OSCE</p></li>
<li><p align="justify">Thomas Fitschen, Director for the United Nations, for International Cooperation against Terrorism and for Cyber Foreign Policy, German Federal Foreign Office</p></li>
<li><p align="justify">Hartmut Glaser, Executive Secretary, Brazilian Internet Steering Committee</p></li>
<li><p align="justify">Matt Perault, Head of Policy Development, Facebook</p></li>
</ol>
<p align="justify">Detailed description of the workshop is available here: <a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">Transcript of the workshop is available here: <a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2475-2015-11-13-ws-132-transnational-due-process-a-case-study-in-ms-cooperation-workshop-room-4">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2475-2015-11-13-ws-132-transnational-due-process-a-case-study-in-ms-cooperation-workshop-room-4</a></p>
<p align="justify">Video link, Transnational Due Process: A Case Study in MS Cooperation, available here: <a href="https://www.youtube.com/watch?v=M9jVovhQhd0">https://www.youtube.com/watch?v=M9jVovhQhd0</a></p>
<p align="justify">VI. The Internet Governance Project organised a meeting of the <em><strong>Dynamic Coalition on Accountability of Internet Governance Venues</strong></em> at Workshop Room 2 from 14:00 to 15:30 on 12 November, 2015. The coalition brought together panelists to highlight the challenges in developing an accountability framework for internet governance venues, including setting standards and developing a set of concrete criteria. Jyoti Panday provided the civil society perspective on why accountability is necessary in internet governance processes and organizations. The panelists for this workshop included the following.</p>
<ol>
<li><p>Robin Gross, IP Justice</p></li>
<li><p>Jeanette Hofmann, Director, <a href="http://www.internetundgesellschaft.de/">Alexander von Humboldt Institute for Internet and Society</a></p></li>
<li><p>Farzaneh Badiei, Internet Governance Project</p></li>
<li><p>Erika Mann, Managing Director Public Policy, Facebook, and Board of Directors, ICANN</p></li>
<li><p>Paul Wilson, APNIC</p></li>
<li><p>Izumi Okutani, Japan Network Information Center (JPNIC)</p></li>
<li><p>Keith Drazek, Verisign</p></li>
<li><p>Jyoti Panday, CIS</p></li>
<li><p>Jorge Cancio, GAC representative</p></li>
</ol>
<p>Detailed description of the workshop is available here: <a href="http://igf2015.sched.org/event/4c23/dynamic-coalition-on-accountability-of-internet-governance-venues?iframe=no&w=&sidebar=yes&bg=no">http://igf2015.sched.org/event/4c23/dynamic-coalition-on-accountability-of-internet-governance-venues?iframe=no&w=&sidebar=yes&bg=no</a></p>
<p>Video link: <a href="https://www.youtube.com/watch?v=UIxyGhnch7w">https://www.youtube.com/watch?v=UIxyGhnch7w</a></p>
<p>VII. The Digital Infrastructure Netherlands Foundation organized an open forum at Workshop Room 3 from 11:00 to 12:00 on 10 November, 2015. The open forum discussed the increase in government engagement with "the internet" to protect citizens against crime and abuse and to protect economic interests and critical infrastructures. It brought together panelists to present ideas for an agenda for the international protection of 'the public core of the internet', and to collect and discuss ideas for the formulation of norms and principles and for the identification of practical steps towards that goal. Pranesh Prakash participated in the open forum. The speakers included:</p>
<ol>
<li><p>Bastiaan Goslings, AMS-IX, NL</p></li>
<li><p>Pranesh Prakash, CIS, India</p></li>
<li><p>Marilia Maciel, FGV, Brasil</p></li>
<li><p>Dennis Broeders, NL Scientific Council for Government Policy</p></li>
</ol>
<p>Detailed description of the open forum is available here: <a href="http://schd.ws/hosted_files/igf2015/3d/DINL_IGF_Open%20Forum_The_public_core_of_the_internet.pdf">http://schd.ws/hosted_files/igf2015/3d/DINL_IGF_Open%20Forum_The_public_core_of_the_internet.pdf</a></p>
<p>Video link available here: <a href="https://www.youtube.com/watch?v=joPQaMQasDQ">https://www.youtube.com/watch?v=joPQaMQasDQ</a></p>
<p>VIII. UNESCO, the Council of Europe, Oxford University, the Office of the High Commissioner on Human Rights, Google and the Internet Society organised a workshop on hate speech and youth radicalisation at Room 9 on Thursday, November 12. UNESCO shared the initial outcome of its commissioned research on online hate speech, including practical recommendations for combating online hate speech by understanding the challenges, mobilizing civil society, lobbying the private sector and intermediaries, and educating individuals in media and information literacy. The workshop also discussed how to empower youth to address online radicalization and extremism and to realize their aspirations to contribute to a more peaceful and sustainable world. Sunil Abraham provided his inputs. The speakers included:</p>
<ol>
<li><p>Chaired by Ms Lidia Brito, Director for UNESCO Office in Montevideo</p></li>
<li><p>Frank La Rue, Former Special Rapporteur on Freedom of Expression</p></li>
<li><p>Lillian Nalwoga, President ISOC Uganda and representative of CIPESA, Technical community</p></li>
<li><p>Bridget O'Loughlin, CoE, IGO</p></li>
<li><p>Gabrielle Guillemin, Article 19</p></li>
<li><p>Iyad Kallas, Radio Souriali</p></li>
<li><p>Sunil Abraham, Executive Director of the Centre for Internet and Society, Bangalore, India</p></li>
<li><p>Eve Salomon, Global Chairman of the Regulatory Board of RICS</p></li>
<li><p>Javier Lesaca Esquiroz, University of Navarra</p></li>
<li><p>Representative, GNI</p></li>
<li><p>Remote Moderator: Xianhong Hu, UNESCO</p></li>
<li><p>Rapporteur: Guilherme Canela De Souza Godoi, UNESCO</p></li>
</ol>
<p>Detailed description of the workshop is available here: <a href="http://igf2015.sched.org/event/4c1X/ws-128-mitigate-online-hate-speech-and-youth-radicalisation?iframe=no&w=&sidebar=yes&bg=no">http://igf2015.sched.org/event/4c1X/ws-128-mitigate-online-hate-speech-and-youth-radicalisation?iframe=no&w=&sidebar=yes&bg=no</a></p>
<p>Video link to the panel is available here: <a href="https://www.youtube.com/watch?v=eIO1z4EjRG0">https://www.youtube.com/watch?v=eIO1z4EjRG0</a></p>
<p> <strong>INTERMEDIARY
LIABILITY</strong></p>
<p align="justify">
IX.
Electronic Frontier Foundation, Centre for Internet and Society India, Open Net
Korea and Article 19 collaborated to organize
a workshop on the <em><strong>Manila
Principles on Intermediary Liability</strong></em>
at Workshop Room 9 from 11:00 am to 12:00 pm on 13 November 2015. The
workshop elaborated on the Manila Principles, a high-level framework of
best practices and safeguards for content restriction practices and for
addressing intermediaries' liability for third-party content. The
workshop saw participants engaged in overlapping projects on content
restriction practices come together to give feedback and highlight
recent developments across liability regimes. Jyoti
Panday laid down the key details of the Manila Principles framework
in this session. The panelists for this workshop included the
following.</p>
<ol>
<li>
<p align="justify">
Kelly Kim, Open Net Korea</p>
</li><li>
<p align="justify">
Jyoti Panday, CIS India</p>
</li><li>
<p align="justify">
Gabrielle Guillemin, Article 19</p>
</li><li>
<p align="justify">
Rebecca MacKinnon, on behalf of UNESCO</p>
</li><li>
<p align="justify">
Giancarlo Frosio, Center for Internet and Society, Stanford Law School</p>
</li><li>
<p align="justify">
Nicolo Zingales, Tilburg University</p>
</li><li>
<p align="justify">
Will Hudson, Google</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">
Transcript
of the workshop is available here
<a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2423-2015-11-13-ws-242-the-manila-principles-on-intermediary-liability-workshop-room-9">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2423-2015-11-13-ws-242-the-manila-principles-on-intermediary-liability-workshop-room-9</a></p>
<p align="justify">
Video link available here <a href="https://www.youtube.com/watch?v=kFLmzxXodjs">https://www.youtube.com/watch?v=kFLmzxXodjs</a></p>
<p align="justify"> <strong>ACCESSIBILITY</strong></p>
<p align="justify">
X.
Dynamic Coalition on Accessibility and Disability and Global Initiative for Inclusive
ICTs organised a workshop on <em><strong>Empowering
the Next Billion by Improving Accessibility</strong></em> at
Workshop Room 6 from 9:00 am to 10:30 am on 13 November, 2015. The
discussion focused on the need for, and ways of, removing the accessibility
barriers that prevent over one billion potential users from benefiting
from the Internet, including for essential services. Sunil
Abraham specifically spoke about the lack of compliance of existing
ICT infrastructure with well-established accessibility standards,
specifically in relation to accessibility barriers in the disaster
management process. He discussed the barriers faced by persons with
physical or psychosocial disabilities. The
panelists for this discussion were the following.</p>
<ol>
<li>
<p align="justify">
Francesca
Cesa Bianchi, G3ICT</p>
</li><li>
<p align="justify">
Cid
Torquato, Government of Brazil</p>
</li><li>
<p align="justify">
Carlos
Lauria, Microsoft Brazil</p>
</li><li>
<p align="justify">
Sunil
Abraham, CIS India</p>
</li><li>
<p align="justify">
Derrick
L. Cogburn, Institute on Disability and Public Policy (IDPP) for the
ASEAN (Association of Southeast Asian Nations) Region</p>
</li><li>
<p align="justify">
Fernando
H. F. Botelho, F123 Consulting</p>
</li><li>
<p align="justify">
Gunela
Astbrink, GSA InfoComm</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></u></p>
<p align="justify">
Transcript
of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2438-2015-11-13-ws-253-empowering-the-next-billion-by-improving-accessibility-workshop-room-3">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2438-2015-11-13-ws-253-empowering-the-next-billion-by-improving-accessibility-workshop-room-3</a></u></p>
<p align="justify">
Video
link to the panel is available here <a href="https://www.youtube.com/watch?v=7RZlWvJAXxs">https://www.youtube.com/watch?v=7RZlWvJAXxs</a></p>
<p align="justify"> <strong>OPENNESS</strong></p>
<p align="justify">
XI.
A workshop on <em><strong>FOSS
& a Free, Open Internet: Synergies for Development</strong></em>
was organized at Workshop Room 7 from 2:00 pm to 3:30 pm on 13
November, 2015. The discussion focused on the increasing risk to the
openness of the Internet and to the ability of present and future
generations to use technology to improve their lives. The panel shared
different perspectives about the future co-development
of FOSS and a free, open Internet; the threats that are emerging; and
ways for communities to surmount these. Sunil
Abraham emphasised the importance of free software, open standards,
open access and access to knowledge, noted the lack of this mandate in
the draft outcome document for the upcoming WSIS+10 review, and called for
its inclusion. Pranesh Prakash further contributed to the
discussion by emphasizing the need for free and open source software with
end-to-end encryption and traffic-level encryption based
on open standards, which are decentralized and work through federated
networks. The
panellists for this discussion were the following.</p>
<ol>
<li>
<p align="justify">
Satish
Babu, Technical Community, Chair, ISOC-TRV, Kerala, India</p>
</li><li>
<p align="justify">
Judy
Okite, Civil Society, FOSS Foundation for Africa</p>
</li><li>
<p align="justify">
Mishi
Choudhary, Private Sector, Software Freedom Law Centre, New York</p>
</li><li>
<p align="justify">
Fernando
Botelho, Private Sector, heads F123 Systems, Brazil</p>
</li><li>
<p align="justify">
Sunil
Abraham, CIS
India</p>
</li><li>
<p align="justify">
Pranesh
Prakash, CIS
India</p>
</li><li>
<p align="justify">
Nnenna Nwakanma, World Wide Web Foundation</p>
</li><li>
<p align="justify">
Yves Miezan Ezo, Open Source strategy consultant</p>
</li><li>
<p align="justify">
Corinto
Meffe, Advisor to the President and Directors, SERPRO, Brazil</p>
</li><li>
<p align="justify">
Frank
Coelho de Alcantara, Professor, Universidade Positivo, Brazil</p>
</li><li>
<p align="justify">
Caroline
Burle, Institutional and International Relations, W3C Brazil Office
and Center of Studies on Web Technologies</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></u></p>
<p align="justify">
Transcript
of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2468-2015-11-13-ws10-foss-and-a-free-open-internet-synergies-for-development-workshop-room-7" target="_top">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2468-2015-11-13-ws10-foss-and-a-free-open-internet-synergies-for-development-workshop-room-7</a></u></p>
<p align="justify">
Video
link available here <a href="https://www.youtube.com/watch?v=lwUq0LTLnDs">https://www.youtube.com/watch?v=lwUq0LTLnDs</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015'>https://cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015</a>
</p>
Publisher: none. Author: jyoti. Tags: Access to Knowledge, Big Data, Freedom of Speech and Expression, Encryption, Internet Governance Forum, Intermediary Liability, Accountability, Internet Governance, Censorship, Cyber Security, Digital Governance, Anonymity, Civil Society, Blocking. Published: 2015-11-30T10:47:13Z. Type: Blog Entry.
Indian companies need to boost encryption adoption rate: experts
https://cis-india.org/internet-governance/news/deccan-chronicle-koustav-das-august-9-2016-indian-companies-need-to-boost-encryption-adoption-rate
<b>Most banks do not follow the Reserve Bank of India’s standard 64/128-bit encryption policy due to laxity and unavailability of funds.</b>
<p style="text-align: justify; ">The article by Koustav Das was published in the <a class="external-link" href="http://www.deccanchronicle.com/technology/in-other-news/090816/weak-encryption-adoption-biggest-threat-to-indian-companies-experts.html">Deccan Chronicle</a> on August 9, 2016. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">A recent report by security software firm Sophos highlighted the increasing number of online attacks on Indian businesses, suggesting that strong encryption policies can change the existing scenario.</p>
<p style="text-align: justify; ">According to SophosLabs research, India’s threat exposure rate has been pegged at 16.7 per cent, ranking <a href="https://www.sophos.com/en-us/press-office/press-releases/2016/05/designer-cyber-threats-on-rise.aspx">fifth</a> in terms of the highest percentage of endpoints exposed to malware attack.</p>
<p style="text-align: justify; ">The research said cyber-criminals have developed a keen sense for luring organisations on the basis of location, language and disguise, leading to an acute increase in the number of targeted attacks.</p>
<p style="text-align: justify; ">Global experts have explained that digital attackers have taken the aid of advanced malware, including ransomware, which involves locking or capturing an organisation’s valued data and demanding money to unlock it.</p>
<p style="text-align: justify; ">Ransomware is predicted to become deadlier in future, allowing attackers to take control of an organisation’s entire network.</p>
<p style="text-align: justify; ">Not only financial and IT companies but also government websites face similar threats owing to a lack of up-to-date security tools.</p>
<p style="text-align: justify; ">Mohit Puri, Head of Pre-sales, Sophos India and SAARC, said, "India faces increased risk from cyber-criminals due to its high economic growth, which has left several companies to re-think their security strategy."</p>
<p style="text-align: justify; "><b>Reactive to attacks, not proactive</b></p>
<p style="text-align: justify; ">Though Puri mentioned that Indian enterprises have been trying to prevent such attacks, large fissures in network security have made the task easier for online criminals.</p>
<p style="text-align: justify; ">One of the major reasons companies fail to prevent advanced cyber-attacks is the lack of pragmatic solutions, despite their awareness of the situation.</p>
<p style="text-align: justify; ">Puri said, “While companies are aware about security threats to our systems, we are still not there in terms of how we are trying to mitigate these threats.”</p>
<p style="text-align: justify; ">According to Sunil Abraham, Director of the Centre for Internet and Society (CIS), manifold issues have led to India’s poor online security.</p>
<p style="text-align: justify; ">He said that Indian businesses and financial organisations recognize the situation but do not want to allocate budget for updating their security infrastructure.</p>
<p style="text-align: justify; ">“The problem with cyber-security is just like smoking; people are aware of it but they do not care about the warnings. Companies know about the looming threats but need an episode to make a move towards updating their network infrastructure,” Abraham added.</p>
<p style="text-align: justify; ">Enterprises also struggle due to the absence of sufficient cyber-security professionals in the country. Abraham said, “There are uncountable software professionals in India but the story is totally opposite when it boils down to cyber-security professionals.”</p>
<p style="text-align: justify; "><b>Weak encryption adoption</b></p>
<p style="text-align: justify; ">According to technology enthusiast Blaise Crowly, Co-Founder and Head of Security Design, Gladius & Schild, "Cryptography—a broader form of encryption—can be defined as a branch of mathematical algorithms that can be used to securely protect data."</p>
<p style="text-align: justify; ">Crowly added, “It is one of the strongest of all defence mechanisms against cyber attacks.”</p>
<p style="text-align: justify; ">However, a Sophos assessment, State of Encryption Today, in which 1,700 Indian IT managers were surveyed, showed how little attention companies pay to integrating strong encryption tools.</p>
<p style="text-align: justify; ">Out of the total number of participants, 61 per cent felt encryption holds significant importance in protecting a company’s proprietary data.</p>
<p style="text-align: justify; ">Others had peculiar reasons—18 per cent felt that encryption would help avoid incurring additional costs after a breach and 23 per cent just wanted to avoid negative publicity of the company.</p>
<p style="text-align: justify; ">Even in the case of banks, reports suggested that most banks do not follow the Reserve Bank of India’s (RBI) standard 64/128-bit encryption policy due to laxity and unavailability of funds.</p>
<p style="text-align: justify; ">“Indian organisations need to take a second look at their security posture and deploy up-to-date synchronized security solutions that are able to combat today’s threats as well as tomorrow’s,” said Puri.</p>
<p style="text-align: justify; "><b>Government’s role</b></p>
<p style="text-align: justify; ">A 2015 CIS study, titled “How India Regulates Encryption” mentioned that under section 84A of the IT Act, the government has the sole authority to prescribe modes and methods of encryption.</p>
<p style="text-align: justify; ">Though the government has not yet issued any rules in exercise of these powers, it had earlier released a <a href="https://www.dsci.in/taxonomypage/602">draft encryption policy</a> on September 21, 2015. However, it did not go ahead with it, owing to widespread criticism of certain mandates in the draft.</p>
<p style="text-align: justify; ">In addition, the Internet Service Providers (ISP) License Agreement between the Department of Telecommunication (DoT) and Internet Service Providers limits the use of encryption to a key length of 40 bits in symmetric algorithms, an extremely weak standard.</p>
<p style="text-align: justify; ">Although the limit cannot be enforced where organisations employ third-party encryption systems, doing so becomes extremely expensive for them. In such a scenario, companies hesitate to use better encryption standards.</p>
<p style="text-align: justify; ">CIS Director Sunil Abraham said, “To solve the issue, the government should work towards incentivising and enforcing strong security infrastructure which will help companies get these features at a lower price.”</p>
<p style="text-align: justify; ">Adding to the aforementioned statement, Crowly highlighted that the current security standards set by the government cannot adequately counter advanced threats.</p>
<p style="text-align: justify; ">“OpenSSL, LibNaCl and similar protocols provide free implementation of encryption schemes that companies can use. The only issue is that companies and government agencies should show proper diligence in hiring experts in this field,” Crowly concluded.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/deccan-chronicle-koustav-das-august-9-2016-indian-companies-need-to-boost-encryption-adoption-rate'>https://cis-india.org/internet-governance/news/deccan-chronicle-koustav-das-august-9-2016-indian-companies-need-to-boost-encryption-adoption-rate</a>
</p>
Publisher: none. Author: praskrishna. Tags: Encryption, Internet Governance. Published: 2016-08-10T14:36:05Z. Type: News Item.
India's Broken Internet Laws Need a Shot of Multi-stakeholderism
https://cis-india.org/internet-governance/blog/india-broken-internet-law-multistakeholderism
<b>Cyber-laws in India are severely flawed, with neither lawyers nor technologists being able to understand them, and the Cyber-Law Group in DEIT being incapable of framing fair, just, and informed laws and policies. Pranesh Prakash suggests they learn from the DEIT's Internet Governance Division, and Brazil, and adopt multi-stakeholderism as a core principle of Internet policy-making.</b>
<p>(An edited version of this article was published in the Indian Express as <a href="http://www.indianexpress.com/story-print/941491/">"Practise what you preach"</a> on Thursday, April 26, 2012.)</p>
<p>The laws in India relating to the Internet are greatly flawed, and the only way to fix them would be to fix the way they are made. The <a href="https://cis-india.org/internet-governance/blog/www.mit.gov.in/content/cyber-laws-security">Cyber-Laws & E-Security Group</a> in the <a href="http://www.mit.gov.in">Department of Electronics and Information Technology</a> (DEIT, who refer to themselves as 'DeitY' on their website!) has proven itself incapable of making fair, balanced, just, and informed laws and policies. The Information Technology (IT) Act is filled with provisions that neither lawyers nor technologists understand (not to mention judges). (The definition of <a href="http://www.vakilno1.com/bareacts/informationtechnologyact/s65.htm">"computer source code" in s.65 of the IT Act</a> is a great example of that.)</p>
<p>The Rules drafted under s.43A of the IT Act (on 'reasonable security practices' to be followed by corporations) were so badly formulated that the government was forced to issue a <a href="http://pib.nic.in/newsite/PrintRelease.aspx??relid=74990">clarification through a press release</a>, even though the clarification was in reality an amendment and amendments cannot be carried out through press releases. Despite the clarification, it is unclear to IT lawyers whether the Rules are mandatory or not, since s.43A (i.e., the parent provision) seems to suggest that it is sufficient if the parties enter into an agreement specifying reasonable security practices and procedures. Similarly, the "Intermediary Guidelines" Rules (better referred to as the Internet Censorship Rules) drafted under s.79 of the Act have been called <a href="http://www.indianexpress.com/story-print/940682/">"arbitrary and unconstitutional" by many, including MP P. Rajeev</a>, who has <a href="http://cis-india.org/internet-governance/blog/statutory-motion-against-intermediary-guidelines-rules">introduced a motion in the Rajya Sabha to repeal the Rules</a> ("Caught in a net", Indian Express, April 24, 2012). These Rules give the power of censorship to every citizen and allow them to remove any kind of material off the Internet within 36 hours without anybody finding out. Last year, we at the Centre for Internet and Society used this law to get thousands of innocuous links removed from four major search engines without any public notice. In none of the cases (including one where an online news website removed more material than the perfectly legal material we had complained about) were the content-owners notified about our complaint, much less given a chance to defend themselves.</p>
<p>Laws framed by the Cyber-Law Group are so poorly drafted that they are misused more often than used. There are too many criminal provisions in the IT Act, and their penalties greatly exceed those of comparable crimes in the IPC. Section 66A of the IT Act, which criminalizes "causing annoyance or inconvenience" electronically, has a penalty of 3 years (greater than that for causing death by negligence), and does not require a warrant for arrest. This section has been used in the Mamata Banerjee cartoon case, for arresting M. Karthik, a Hyderabad-based student who made atheistic statements on Facebook, and against former Karnataka Lokayukta Santosh Hegde. Section 66A, I believe, imperils freedom of speech more than is allowable under Art. 19(2) of the Constitution, and is hence unconstitutional.</p>
<p>While <a href="http://indiankanoon.org/doc/1740460/">s.5 of the Telegraph Act</a> only allows interception of telephone conversations on the occurrence of a public emergency, or in the interest of public safety, the IT Act does not have any such threshold conditions, and greatly broadens the State's interception abilities. Section 69 allows the government to force a person to decrypt information, and might clash with Art.20(3) of the Constitution, which provides a right against self-incrimination. One can't find any publicly-available government document which suggests that the constitutionality of provisions such as s.66A or s.69 was examined.</p>
<p>Omissions by the Cyber-Law Group are also numerous. The <a href="http://www.cert-in.org.in">Indian Computer Emergency Response Team (CERT-In)</a> has been granted <a href="http://www.cert-in.org.in/">very broad functions</a> under the IT Act, but without any clarity on the extent of its powers. Some have been concerned, for instance, that the broad power granted to CERT-In to "give directions" relating to "emergency measures for handling cyber security incidents" includes the powers of an "Internet kill switch" of the kind that Egypt exercised in January 2011. Yet, they have failed to frame Rules for the functioning of CERT-In. The licences that the Department of Telecom enters into with Internet Service Providers require them to restrict usage of encryption by individuals, groups or organisations to a key length of only 40 bits in symmetric key algorithms (i.e., weak encryption). The RBI mandates a minimum of 128-bit SSL encryption for all bank transactions. Rules framed by the DEIT under s.84A of the IT Act were to resolve this conflict, but those Rules haven't yet been framed.</p>
<p>All of this paints a very sorry picture. Section 88 of the IT Act requires the government, "soon after the commencement of the Act", to form a "Cyber Regulations Advisory Committee" consisting of "the interests principally affected or having special knowledge of the subject-matter" to advise the government on the framing of Rules, or for any other purpose connected with the IT Act. This body still has not been formed, despite the lag of more than two and a half years since the IT Act came into force. Justice Markandey Katju’s recent letter to Ambika Soni about social media and defamation should ideally have been addressed to this body. </p>
<p>The only way out of this quagmire is to practise at home that which we preach abroad on matters of Internet governance: multi-stakeholderism. Multi-stakeholderism refers to the need to recognize that when it comes to Internet governance there are multiple stakeholders: government, industry, academia, and civil society, and not just the governments of the world. This idea has gained prominence since it was placed at the core of the "Declaration of Principles" from the first World Summit on Information Society in Geneva in 2003, and has also been at the heart of India's pronouncements at forums like the Internet Governance Forum. Brazil has an <a href="http://www.cgi.br/english/">"Internet Steering Committee"</a> which is an excellent model that practices multi-stakeholderism as a means of framing and implementing national Internet-related policies. DEIT's <a href="http://www.mit.gov.in/content/internet-governance">Internet Governance Division</a>, which formulates India's international stance on Internet governance, has long recognized that governance of the Internet must be done in an open and collaborative manner. It is time the DEIT's Cyber-Law and E-Security Group, which formulates our national stance on Internet governance, realizes the same.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-broken-internet-law-multistakeholderism'>https://cis-india.org/internet-governance/blog/india-broken-internet-law-multistakeholderism</a>
</p>
Publisher: none. Author: pranesh. Tags: IT Act, Freedom of Speech and Expression, Encryption, Intermediary Liability, Facebook, Internet Governance, Censorship. Published: 2012-04-26T13:45:25Z. Type: Blog Entry.
Comments on the Draft Rules under the Information Technology Act
https://cis-india.org/internet-governance/blog/comments-draft-rules
<b>The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act. In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved. These comments were sent to the Department of Information and Technology.</b>
<h2><em>Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008</em></h2>
<p><em><strong>Submitted by the Centre for Internet and Society, Bangalore</strong></em></p>
<p><em><strong>Prepared by Ananth Padmanabhan, Advocate in the Madras High Court</strong></em></p>
<h2>Interception, Monitoring and Decryption</h2>
<h3>Section 69</h3>
<p>The section says:</p>
<ol><li>Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.</li><li>The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.</li><li>The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-
<p>(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or</p>
<p>(b) intercept, monitor, or decrypt the information, as the case may be; or</p>
<p>(c) provide information stored in computer resource.</p></li><li>The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.</li></ol>
<p><strong>Recommendation #1</strong><br />Section 69(3) should be amended and the following proviso be inserted:</p>
<p class="callout">Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.</p>
<p><br /><strong>Reasons for the Recommendation </strong><br />In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,</p>
<p class="callout">“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”. </p>
<p><br />The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.</p>
<p>To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary. </p>
<p><br /><strong>Recommendation #2</strong><br />Section 69(4) should be repealed.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.</p>
<p>Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14. Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.</p>
<p>Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.</p>
<p>This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a). Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.</p>
<h3>Draft Rules under Section 69</h3>
<p><strong>Rule 3</strong><br />Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:</p>
<p>Provided that in emergency cases – <br />(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or <br />(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;</p>
<p>the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be. </p>
<p><br /><strong>Recommendation #3</strong><br />In Rule 3, the following proviso may be inserted:</p>
<p class="callout">“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”</p>
<p><strong>Reasons for the Recommendation</strong><br />Section 69 and the draft rules suffer from the absence of essential procedural safeguards. This arises from the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when monitoring is carried on or access to a computer resource is granted. These measures are akin to a raid, in the sense that they can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting its revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval should be obtained. The Central or State Government cannot be the sole authority in such cases.</p>
<p>Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.</p>
<p><br /><strong>Recommendation #4</strong><br />The following should be inserted after the last line in Rule 22:</p>
<p class="callout">The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.</p>
<p><strong>Reasons for the Recommendation</strong><br />The Review Committee should be given the power to award compensation to the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or even worse, borne out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69. </p>
<h2>Blocking of Access to Information</h2>
<h3>Section 69A</h3>
<p>The section provides for the blocking of websites if the government is satisfied that this is in the interests of the purposes listed in the section. It also provides for a penalty of up to seven years for intermediaries who fail to comply with directions under this section. <br />The rules under this section prescribe the procedure that must be followed; where it is not, the review committee may, after due examination of the procedural defects, order the website to be unblocked.</p>
<p><strong>Section 69A(3)</strong><br />The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.</p>
<p><strong>Recommendation #5</strong><br />The penalty for intermediaries must be lessened.</p>
<p><strong>Reasons for Recommendations </strong><br />The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.</p>
<p>The criticism of Section 69 and the draft rules, in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as to Section 69A.</p>
<h3>Draft Rules under Section 69A</h3>
<p><strong>Rule 22: Review Committee</strong><br />The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.</p>
<p><br /><strong>Recommendation #6</strong><br />A permanent Review Committee should be set up specially for the purpose of examining procedural lapses.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order the unblocking of a site if due procedures have not been followed. This would mean that if a site is blocked, it could take up to two months for a procedural lapse to be corrected and the site to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overburdened with cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met.</p>
<h2>Monitoring and Collection of Traffic Data</h2>
<h3>Draft Rules under Section 69B</h3>
<p>The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.</p>
<p>The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.</p>
<p><br /><strong>Grounds for Monitoring </strong><br /><strong>Rule 4</strong><br />The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:<br />(a) forecasting of imminent cyber incidents;<br />(b) monitoring network application with traffic data or information on computer resource;<br />(c) identification and determination of viruses/computer contaminant;<br />(d) tracking cyber security breaches or cyber security incidents;<br />(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;<br />(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;<br />(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;<br />(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;<br />(i) any other matter relating to cyber security.</p>
<p><br /><strong>Rule 6</strong><br />No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).</p>
<p><br /><strong>Recommendation #7</strong><br />Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />The term “cyber incident” has not been defined, and “cyber security” has been given a circular definition. Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of citizens' privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that the matter is “any other matter relating to cyber security”. This may well operate as a ‘catch-all’ clause to legalise any kind of monitoring and collection, and therefore defeats the purported intention of Rule 6 of safeguarding citizens’ interests against arbitrary and groundless intrusion of privacy. Also, the question of the degree of liability of the intermediaries or persons in charge of the computer resources for leaks of secret and confidential information remains unanswered.</p>
<p><br /><strong>Rule 24: Disclosure of monitored data</strong><br />Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :<br />(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.</p>
<p><br /><strong>Recommendation #8</strong><br />Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi). </p>
<p><br /><strong>Reasons for the Recommendation</strong><br />Rule 24(vi) provides for the access, collection and monitoring of information from a computer resource for the purpose of tracing another computer resource which has contravened or is likely to contravene provisions of the Act, where this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion into the privacy of the computer resource, which is first used to track another computer resource that is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub-rules under this clause clearly specifying the same is recommended.</p>
<p><br />The disclosure of sensitive information by a monitoring agency for the purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for, as it dissipates information among lesser bodies that are not governed by sufficient safeguards, and this could result in an outright violation of citizens’ privacy.</p>
<h2>Manner of Functioning of CERT-In</h2>
<h3>Draft Rules under Section 70B(5)</h3>
<p>Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing the duties prescribed by clause 4 of this section, in accordance with the rules as prescribed.<br />The rules provide for CERT-In’s authority, the composition of its advisory committee, its constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non-compliance with orders so issued. However, there are a few issues which need to be addressed, as under:</p>
<p><br /><strong>Definitions</strong><br />In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.</p>
<p><br /><strong>Recommendation #9</strong><br />The words ‘or implied’ must be excluded from rule 2(g), which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.</p>
<p><br /><strong>Reasons for Recommendation</strong><br />“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization. </p>
<p><br />Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.</p>
<p><br /><strong>Rule 13(4): Disclosure of Information </strong><br />Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.</p>
<p><br /><strong>Recommendation #10</strong><br />Burden of necessity for disclosure of information should be made heavier. </p>
<p><br /><strong>Reasons for the Recommendation</strong><br />Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement, however, needs to be weighed against the detriment caused to the individual, and the burden of proof must be on CERT-In to show that disclosure was the only way of achieving the required objective.</p>
<p><br /><strong>Rule 19: Protection for actions taken in Good Faith </strong><br />All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.</p>
<p><br /><strong>Recommendation #11</strong><br />CERT-In should be made liable for its negligent actions, and no presumption of good faith should be provided for.</p>
<p><br /><strong>Reasons for the Recommendation </strong><br />Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently. Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.</p>
<h3>Draft Rules under Section 52</h3>
<p>These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.</p>
<p><br /><strong>Recommendation #12</strong><br />Amend the qualifications under the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.</p>
<p>Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter in the new draft rules. The above rules, when read with Section 50 of the IT Act as amended in 2008, do not say anything about the qualifications of the technical members apart from the fact that such a person shall not be appointed as a Member unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post, even though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs has been prescribed in the Act as a requirement for any technical member.</p>
<h3>Draft Rules under Section 54</h3>
<p>These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.</p>
<h2>Penal Provisions</h2>
<h3>Section 66A</h3>
<p>Any person who sends, by means of a computer resource or a communication device,<br /> (a) any information that is grossly offensive or has menacing character; or<br /> (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,<br /> (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,<br />shall be punishable with imprisonment for a term which may extend to three years and with fine.<br />Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.</p>
<p>While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) is highly problematic. Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2). Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.</p>
<p><br /><strong>Recommendation #13</strong><br />The section should be amended and words which lead to ambiguity must be excluded.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />What exactly could convey ‘ill will’ or cause annoyance in electronic forms needs to be phrased more clearly. It is possible in some electronic forms for the receiver to know the content of the information in advance. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of the use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has only vaguely covered. Therefore, a stricter and more clinical approach is necessary.</p>
<p><br /><strong>Recommendation #14</strong><br />A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc. </p>
<p><strong>Reasons for the Recommendation </strong><br />The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.</p>
<p>Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.</p>
<h3>Section 66F</h3>
<p>The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character. <br />Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision, <br />“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”</p>
<p>This provision suffers from several defects and hence ought to be repealed. </p>
<p><br /><strong>Recommendation #15</strong><br />Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:</p>
<p class="callout">“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”</p>
<p><strong>Reasons for the Recommendation </strong><br />The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data which is defamatory, amounting to contempt of court, or against decency / morality, are all covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.</p>
<p>To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous in which this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless has a bearing on probity in public life. It is therefore imperative that this provision be toned down as recommended above.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-draft-rules'>https://cis-india.org/internet-governance/blog/comments-draft-rules</a>
</p>
<p>Author: pranesh. Tags: IT Act, Encryption, Intellectual Property Rights, Intermediary Liability, Publications, Censorship. Published 2011-09-21T06:13:42Z (Blog Entry).</p>