Centre for Internet and Society

IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:47:46Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69B Rules and official 69B Rules under Section 69B in order to better understand how the two are similar and how they differ. Notes have been included on some changes we deemed to be important.

There has been a considerable amount of re-arrangement and re-structuring of the various clauses between the 69B Draft Rules and the official Rules, as can be seen in the comparison chart, but very little content has been changed. The majority of the changes made to the official Rules are changes in wording and language that serve to provide some much-needed clarification to the Draft Rules (see the differences between Clause (9) of the Draft Rules and sub-section (4) of Clause (3) of the official Rules as an example). Language redundancies, as well as full clauses (Clause [6] of the Draft Rules) have been thankfully removed in the official Rules.

Aside from the addition of four definitions, including a definition for a “security policy”, a phrase which appears in the Draft Rules without being defined, Clause (2) contains what is most likely one of the more noteable changes between the two definitions: under sub-section (g) in the 69 Rules, the words “or unauthorised use” have been added to the definition of “cyber security breaches”, which significantly increases the scope of what can be considered a cyber security breach under the Rules.

A significant change between the two sets of rules can be found in sub-section (2) of Clause (8) of the official rules, which states that, “save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information”. The section in italics has been added to the original Clause (22) of the Draft Rules, meaning that when the Rules were originally drawn up, no exceptions were to be made for the destructions of the records for the issuing of directions for monitoring and/or the collected information. They would simply have to be destroyed within six months of the discontinuance of the monitoring/collection.

One change that may or may not be significant is the replacement of the words “established violations” in the Draft Rules to simply “violation” in the official Rules in Clauses (19)/(6), which deal with the responsibility of the intermediary. This could be taken to mean that suspected and/or perceived violations may also be punishable under this clause, but this is a hard stance to argue. Most likely the adjustment was made when those superfluous and/or convoluted parts of the Draft rules were being removed.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-b-draft-and-final-version-comparison

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison

jdine — 2013-04-30T10:10:48Z

Jadine Lannon has performed a clause-by-clause comparison of the 69A draft rules and 69A rules for Section 69A of the IT Act in order to better understand how the two differ. While there has been reshuffling of the clauses in the official rules, the content itself has not changed significantly. Notes have been included on some changes we deemed to be important.

Below is a chart depicting the 69A Draft Rules and the 69A Rules:

There was a lot of structural change between the draft rules and the official rules—many of the draft clauses were shuffled around and combined—but not a lot of change in content. Many of the changes that appear in the official rules serve to clarify parts of the draft rules.

Three definitions were added under clause (2), two to clarify later references to a “designated officer” and a “nodal officer” and the third to indicate a form appended to the official Rules.

Clause (3) of the official rules then clarifies who shall be named the “designated officer”, which was not done in the draft rules as there was no inclusion of an official title of the officer who would have the responsibilities of the “designated officer”. Interestingly, clause (3) of the draft rules requires the Secretary of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India to name an officer, whereas clause (3) of the official rules states that the “Central Government” shall designate an officer, a change in language that allows for much more flexibility on the government's part.

Clause (5) in the draft rules and clause (4) in the official rules deal with the designation of a Nodal Officer, but omitted in the official rules are responsibilities of the designated officer, which includes acting on the “direction of the indian competent court”. This responsibility does not appear in any part of the official rules. Further, clause (4) of the official rules requires the organizations implicated in the rules to publish the name of the Nodal Officer on their website; this is an addition to the draft rules, and a highly useful one at that. This is an important move towards some form of transparency in this contentious process.

Clause (5) of the official rules significantly clarifies clause (4) of the draft rules by stating that the designated officer may direct any Agency of the Government or intermediary to block access once a request from the Nodal Officer has been received.

Clause (7) of the official rules uses the word “information” instead of “computer resource”, which is used in the corresponding clause (12) in the draft rules, when referring to the offending object. This change in language significantly widens the scope of what can be considered offending under the rules.

The sub-sections (2), (3) and (4) of clause (9) of the official rules are additions to the draft rules. Sub-section (2) is a significant addition, as it deals with the ability of the Secretary of the Department of Information Technology's ability to block for public access any information or part thereof without granting a hearing to the entity in control of the offending information in a case of emergency nature. The request for blocking will then be brought before the committee of examination of request within 48 hours of the issue of direction, meaning that the offending information could be blocked for two days without giving notice to the owner/controller of the information of the reason for the blockage.

An important clarification has been included in clause (15) of the official rules, which differs from clause (23) of the draft rules through the inclusion of the following phrase: “The Designated Officer shall maintain complete record of the request received and action taken thereof [...] of the cases of blocking for public access”. This is a significant change from clause (23), which simply states that the “Designated Officer shall maintain complete record [...] of the cases of blocking”. This could be seen as an important step towards transparency and accountability in the 69B process of blocking information for public access if clause (16) of the official rules did not state that all requests and complaints received and all actions taken thereof must be kept confidential, so the maintenance of records mentioned in clause (15) of the official rules appears to be only for internal record-keeping. However, just the fact that this information is being recording is a significant change from the draft rules, and may, if the sub-rules relating to confidentiality were to be changed, be useful data for the public.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-a-rules-draft-and-final-version-comparison

A Workshop on "Exploring the Internals of Mobile Technologies"

jdine — 2012-10-25T06:52:50Z

The Centre for Internet and Society invites all individuals interested in investigating and exploring the internal of the Mobile/Hardware Technologies and understanding of capabilities of mobile phones to join our workshop on Saturday, October 27, 2012, at the TERI Southern Regional Centre.

Objective:

Bringing together the technical/hacker community and individuals interested in mobile devices to explore mobile devices internals and capabilities

Scope of Conference and Workshop:

Our proposed topics/areas which we hope to have discussions on are:

Hardware Hacking (Board/Chips Capabilities)
Operating System Internals (Hardware/OS Interfacing)
Software Development Kit (MRE, etc.)
Forensic Analysis
Understanding of Mobile as Telecommunication Device (2G/3G, etc.)
Understanding Mobile/Devices Internals
Working with JTAG/UART Ports
Porting Open Softwares on Mobiles/Hardwares

Expected outcomes:

Understanding of mobile devices internals and capabilities
Documenting mobile devices capabilities and internals
Publishing of blogs on knowledge generated
Exploration/Speculation on research/development avenues

Agenda

I. Core Talks
Tea/Coffee: Time: 9:00 - 9:30 a.m.
1. Arduino Board Capabilities and Playing Around It! Objective: Understanding Arduino board capabilities and playing with it Speaker: Sudar Muthu Level: Introduction Duration: 1 Hour Time: 9:30 - 10:30 a.m.
2. Initiatives@CIS Objective: Discussing the research initiative that has led CIS to become interested in mobile device internals and capabilities Speaker: Jadine Lannon Level: Introduction Duration: 10-15 Minutes Time: 10:30 - 10:45 a.m.
3. Mobile Hacking Through Linux Drivers Objective: Understanding the Linux kernel & driver internals from the perspective of reverse engineering Speaker: Anil Kumar Pugalia Level: Intermediate to Advanced Duration: 1 Hour Time: 10:45 - 11:45 a.m.
4. Hardware Hacking (Board/Chips Capabilities) Objective: Discuss and explore key areas of mobile hardware (power, clock, pin multiplexing, peripherals, etc.) Speaker: Khasim Syed Mohammed Level: Introductory to Advanced Duration: 1 Hour Time: 11:45 - 12:45 p.m.
Lunch Time Time: 12:45 - 1:30 p.m.
5. Porting Open Software on Hardware Objective: Cover porting examples for each type of peripherals Cover Android and Linux bringup as an example Speaker: Khasim Syed Mohammed Level: Intermediate to Advance Duration: 2 Hours Time: 1:30 - 3:30 p.m.
II.Community Knowledge Sharing/Hacking!
Time: 3.30 to 5.30 p.m.
5. Free Slot
6. Free Slot
Tea/Coffee Time
7. Free Slot
8. Free Slot

We are inviting community members to take up Free Slots to share their knowledge in this section. In this section, any person can propose a talk, workshop, or speculation about any device for a duration 30 minutes to 1 hour, as long as the topic falls within broader scope of the focus areas described at the in the “Scope of the Conference and Workshop” section of the workshop objectives.

Venue, Dates and Logistics

The event will take place on Saturday, October 27, 2012, at the following address:

TERI Southern Regional Centre
4th Main, Domlur II Stage
Bangalore - 560 071
Karnataka

The event will be begin at 9 a.m. on Saturday and end in the evening around 5 p.m. Lunch and snacks will be provided by CIS.

Available Resources:
CIS has purchased 12 gray-market mobile phones with the intent to document as much information about the life-cycles, hardware, software and content of each phone as possible. We request that the producers, make and model of each device be kept anonymous in discussions/publications that take place outside of the workshop.

The Speakers

1. Anil Kumar Pugalia
The author is a freelance trainer in Linux internals, Linux device drivers, embedded Linux & related topics. Prior to this, he was at Intel and Nvidia. He has been working with Linux since 1994. A gold medallist from IISc, Linux & knowledge sharing are two of his many passions. Creating and playing with open source hardware is one of his hobbies, which he materializes through his company eSrijan, which can be accessed at:
Website: http://profession.sarika-pugs.com/

2. Jadine Lannon
Jadine is a research intern at the Centre for Internet and Society. She is currently working on the “Pervasive Technologies: Access to Knowledge in the Marketplace” research project. More information on the research project can be found here: http://cis-india.org/a2k/pervasive-technologies-access-to-knowledge-in-the-market-place

3. Khasim Syed Mohammed
Khasim leads Open Hardware and Software Initiatives at Texas Instruments. Blog: http://www.khasim.in/; http://khasim.blogspot.in/

4. Sudar Muthu
Sudar does open hardware as hobby; Arudino is his playground. He is passionate about programming (particularly web-based) and loves to design and build web sites/services from scratch. AJAX, Web2.0, Semantic Web, Comet, RDF or any of those latest buzz-field jargons.

Blog: http://SudarMuthu.com; http://hardwarefun.com;

Supporting Communities:

NULL: http://null.co.in/
SecurityXploaded: http://securityxploded.com/
Computer Club India: http://computerclub.in/Main_Page

Register at: https://docs.google.com/spreadsheet/viewform?fromEmail=true&formkey=dG1UcHBYR2xRLWhPZ0QwVWlaaEg0SXc6MQ

For more details visit https://cis-india.org/a2k/events/workshop-exploring-the-internals-of-mobile-technologies-1

IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:56:07Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69 Rules and official 69 Rules under Section 69B in order to better understand how the two are similar and how they differ. Very brief notes have been included on some changes we deemed to be important.

Similar to the other comparisons that I have done on the 69A and 69B Draft and official Rules, the majority of the changes between these two sets of rules serves to restructure and clarify various clauses in the Draft 69 Rules.

Three new definitions appear in the Clause (2) of the 69 Rules, including a definition for “communication”, which appears in the Draft Rules but has no associated definition under Clause (2) of the Draft Rules.

Clause (31) of the Draft Rules, which deals with the requirement of security agencies of the State and Union territories to share any information gathered through interception, monitoring and/or decryption with federal agencies, does not make an appearance in the official rules. Further, this necessity does not seem to be implied anywhere in the official 69 Rules.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-rules-draft-and-final-version-comparison

Indian Telegraph Act, 1885, 419A Rules and IT (Amendment) Act, 2008, 69 Rules

jdine — 2013-04-30T10:04:38Z

Jadine Lannon has performed a clause-by-clause comparison of the 419A Rules of the Indian Telegraph Act, 1885 and the 69 Rules under Section 69 of the Information Technology (Amendment) Act, 2008 in order to better understand how the two are similar and how they differ. Though they are from different Acts entirely, the Rules are very similar. Notes have been included on some changes we deemed to be important.

Though they are from different Acts entirely, the 419A Rules from the Indian Telegraph Act of 1885 and the 69 Rules from the Information Technology (Amended) Act, 2008 are very similar. In fact, much of the language that appears in the official 69 rules is very close, if not the same in many places, as the language found in the 419A rules. The majority of the change in language between the 419A Rules and the equivalent 69 Rules acts to clarify statements or wordings that may appear vague in the former. Aside from this, it appears that many of the 69 Rules have been cut-and-pasted from the 419A Rules.

Arguably the most important change between the two sets of rules takes place between Clause (3) of the 419A Rules and Clause (8) of the 69 Rules, where the phrase “while issuing directions [...] the officer shall consider possibility of acquiring the necessary information by other means” has been changed to “the competent authority shall, before issuing any direction under Rule (3), consider possibility of acquiring the necessary information by other means”. This is an important distinction, as the latter requires other options to be looked at before issuing the order for any interception or monitoring or decryption of any information, whereas the former could possibly allow the interception of messages while other options to gather the “necessary” information are being considered. It seems unreasonable that the state and various state-approved agencies could possibly be intercepting the personal messages of Indian citizens in order to gather “necessary” information without having first established that interception was a last resort.

Another potentially significant change between the rules can be found between Clause (15) of the 419A Rules, which states, in the context of punishment of a service provider, the action taken shall include “not only fine but also suspension or revocation of their licenses”, whereas Clause (21) of the 69 Rules states that the punishment of an intermediary or person in-charge of computer resources “shall be liable for any action under the relevant provisions of the time being in force”. This is an interesting distinction, possibly made to avoid issues with legal arbitrariness associated with assigning punishments that differ for those punishments for the same activities laid out under the Indian Penal Code. Either way, the punishments for a violation of the maintenance of secrecy and confidentiality as well as unauthorized interception (or monitoring or decryption) could potentially be much harsher under the 69 Rules.

In the same vein, the most significant clarification through a change in language takes place between Clause (10) of the 419A and Clause (14) of the 69 Rules: “the service providers shall designate two senior executives of the company” from the 419A Rules appears as “every intermediary or person in-charge of computer resource shall designate an officer to receive requisition, and another officer to handle such requisition” in the 69 Rules. This may be an actual difference between the two sets of Rules, but either way, it appears to be the most significant change between the equivalent Clauses.

The addition of certain clauses in the 69 Rules can also give us some interesting insights about what was of concern when the 419A rules were being written. To begin, the 419A rules provide no definitions for any of the specific terms used in the Rules, whereas the 69 Rules include a list of definitions in Clause (2). Clause (4) of 69 Rules, which deals which the authorisation of an agency of the Government to perform interception, monitoring and decryption, is sorely lacking in the 419A rules, which alludes to “authorised security [agencies]” without ever providing any framework as to how these agencies become authorised or who should be doing the authorising.

The 69 Rules also include Clause (5), which deals with how a state should go about obtaining authorisation to issue directions for interception, monitoring and/or decryption in territories outside of its jurisdiction, which is never mentioned in 419A rules, lamely sentencing states to carry out the interception of messages only within their own jurisdiction.

Lastly, Clause (24), which deals with the prohibition of interception, monitoring and/or decryption of information without authorisation, and Clause (25), which deals with the prohibition of the disclosure of intercepted, monitored and/or decrypted information, have fortunately been added to the 69 Rules.

For more details visit https://cis-india.org/internet-governance/blog/indian-telegraph-act-419-a-rules-and-it-amendment-act-69-rules