Centre for Internet and Society

The Global Nature of Cybersecurity in a Changing World

Admin — 2019-07-05T02:26:52Z

Arindrajit Basu represented CIS at the annual grantee convening of the Hewlett Foundation held at San Diego from 20 - 22 June 2019.

Cybersecurity knows no borders and is not limited to any one geography or culture. The challenges and opportunities facing cybersecurity experts, policymakers and the public areglobal in nature and require globally-minded solutions at all levels. At the same time, rapid changes in technology have a direct impact on societies around the world and the changingthreat environment. The Hewlett Foundation’s 2019 Cyber Initiative Grantee Convening will focus on two pillars: (1) the global nature of cyberspace and (2) emerging technologychallenges and solutions. We will come together to share our work in this space and identify opportunities for meaningful collaboration.

For more info, click here.

For more details visit https://cis-india.org/telecom/news/the-global-nature-of-cybersecurity-in-a-changing-world

DesiSec: Cybersecurity and Civil Society in India

Laird Brown — 2015-06-29T16:25:43Z

As part of its project on mapping cyber security actors in South Asia and South East Asia, the Centre for Internet & Society conducted a series of interviews with cyber security actors. The interviews were compiled and edited into one documentary. The film produced by Purba Sarkar, edited by Aaron Joseph, and directed by Oxblood Ruffin features Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad.

Originally the idea was to do 24 interviews with an array of international experts: Technical, political, policy, legal, and activist. The project was initiated at the University of Toronto and over time a possibility emerged. Why not shape these interviews into a documentary about cybersecurity and civil society? And why not focus on the world’s largest democracy, India? Whether in India or the rest of the world there are several issues that are fundamental to life online: Privacy, surveillance, anonymity and, free speech. DesiSec includes all of these, and it examines the legal frameworks that shape how India deals with these challenges.

From the time it was shot till the final edit there has only been one change in the juridical topography: the dreaded 66A of the IT Act has been struck down. Otherwise, all else is in tact. DesiSec was produced by Purba Sarkar, shot and edited by Aaron Joseph, and directed by Oxblood Ruffin. It took our team from Bangalore to Delhi and, Dharamsala. We had the honour of interviewing: Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad. Everyone brought something special to the discussion and we are grateful for their insights. Also, we are particularly pleased to include the music of Charanjit Singh for the intro/outro of DesiSec. Mr. Singh is the inventor of acid house music, predating the Wikipedia entry for that category by five years. Someone should correct that.

DesiSec is released under the Creative Commons License Attribution 3.0 Unported (CC by 3.0). You can watch it on Vimeo: https://vimeo.com/123722680 or download it legally and free of charge via torrent. Feel free to show, remix, and share with your friends. And let us know what you think!

Video

For more details visit https://cis-india.org/internet-governance/blog/desi-sec-cybersecurity-and-civil-society-in-india

Most emerging firms low on cyber security: Experts

praskrishna — 2015-06-29T16:02:51Z

When Pavitra Badrinath saw that the upgrade to a shopping application on her smartphone asked access to her contacts and messages, she decided against it. "Laws on privacy are not clear in India. So I am doing what I can to protect my information," the 26-year-old technology firm employee said.

The article by Malavika Murali and Payal Ganguly was published in the Economic Times on June 24, 2015. Sunil Abraham gave his inputs.

Are users taking a risk by allowing applications to gain access to personal data shadowed by an upgrade? "Most definitely ," said Bikash Barai, cofounder and chief executive of security firm iViz Security .

With at least 10 alleged breaches and hacks into the databases of startups such as Ola and Gaana this year, the alarm bells are going off.

Experts warn that emerging businesses are lax with security frameworks, which is especially worrying as millions more Indians are shopping online, including on their phones, exposing crucial personal and financial data to fraud.

More than 70 per cent of Indian companies are under-prepared when it comes to cyber security, according to a report by CISO Platform, a social platform for security experts where Barai is chief adviser.

India's largest cab-hailing company, Ola denied hackers' claims in an email response to ET, stating that its data were not compromised.

Music service Gaana.com, in response to being hacked by a person in Pakistan calling himself MakMan, said it had strengthened its security team and offerings in recent weeks. "In addition, we are working on a `bug bounty' program, which will allow individuals to point out any potential vulnerability in a safe way," said Pawan Agarwal, business head at Gaana.com.

According to Google India, the number of online shoppers is expected to cross 100 million by the end of next year, from 35 million ear, from 35 million n 2014. But lack of roust regulations and ata privacy laws as ell as the fragmentd nature of the starup ecosystem, do not llow much scope for esearch on cyber seurity , said experts."Under the Indian "Under the Indian regime, there are no self-regulatory mechanisms for putting out breach notifications," said Sunil Abraham, executive director of the Centre for Internet and Society. "The numbers available with a central body like Data Security Council of India will be a gross underestimation of the cases of breach."

"Most of the startups in India want to do everything in-house. This can lead to a potential compromise or lack of expertise on the security front, even if it is made priority," said Harshit Agarwal, founder and chief executive of Singapore-based Appknox, which provides security services to Paytm, Freecharge and Myntra among other clients.

Jabong founder and managing director Praveen Sinha said the online fashion retailer spends 15-20 per cent of its revenue on cyber security. But other startups contended that budgets and teams sizes are not accurate indicators of security preparedness.

"We do not work with any external security firms as we have realised that the average report is as good as our internal team can make," said Mukesh Singh, chief executive officer of online grocer ZopNow.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-24-2015-malavika-murali-and-payal-ganguly-most-emerging-firms-low-on-cyber-security-experts

CIS Cybersecurity Series (Part 22) - Anonymous

purba — 2015-07-13T13:40:42Z

CIS interviews a Tibetan security researcher and information activist, as part of the Cybersecurity Series. He prefers to remain anonymous.

"I don't know technology but I am aware of the information people share with me. So yes, they can track you down through your mobile phone. The last time I was in Nepal, I met a westerner. We went to this restaurant and she asked me to take the battery out of the phone. That was the first time I had heard of this and so when I asked why she said that it is possible that people had followed us and it has happened to other Tibetans in Nepal..."

Centre for Internet and Society presents its twenty second installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-22-anonymous

CIS Cybersecurity Series (Part 23) – Justin Searle

purba — 2015-07-15T14:44:38Z

CIS interviews Justin Searle, security expert, as part of the Cybersecurity Series.

"I think that people here in India, just like everywhere else, are broadening the areas where security can be applied. We see elsewhere, like in the United States and in Europe, that a lot of security researchers are starting to get into not just control systems, but also embedded devices and hardware and wireless... And we are seeing the same trends here in India as well. It is fun to see that growth and continual development, and not only that, but we are seeing security projects and research coming out of India, that's unqiue and fresh and contributing back to what originally came more from the United States and Europe."

Centre for Internet and Society presents its twenty third installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Justin Searle is the managing partner for Utilisec. Utisix provides security services to the energy sector. They also assist oil, water, gas, and manufacturing companies. Justin specializes in security assessments and finding vulnerabilities in systems.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-23-2013-justin-searle

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts

Zomato hack: You need to enhance online security with a password manager

praskrishna — 2017-05-23T15:54:50Z

Hacking incident at Zomato underlines need to employ different passwords for different accounts.

The article by Sanjay Kumar Singh was published in the Business Standard on May 23, 2017.

Recently, food-tech company Zomato suffered a security breach where 17 million user records were stolen, including email addresses and passwords. Such hacking incidents can have wider consequences, including, in the gravest of scenarios, financial losses. They emphasise the need for people to adopt newer protection mechanisms, such as password managers.

In Zomato's case, the passwords are said to be hashed, which means they were converted into unintelligible characters. However, experts say that depending on the hashing protocol used, hashes can be re-engineered to generate the password.

The hacking of one account can have wider ramifications. "By hacking one account, hackers get access to your email ID and password. To save themselves the bother of remembering many passwords, users often use the same password in all their accounts. So, the hackers get access to your email and other accounts. Sometimes, they use your email account to reset the passwords in your other accounts," explains Shomiron Das Gupta of NetMonastery, a threat management provider. He adds that people often store sensitive information, including their net banking and credit card numbers and passwords within their email accounts. Also, on a website like Amazon, you can only view the last four digits of your credit card number. Other websites may not blur this information, in which case hackers would get access to this and other sensitive information.

Experts recommend you create complex passwords and use different ones for different accounts. Since generating complex passwords and remembering them all is difficult, you should use a password manager. Some of the good ones are LastPass, 1Password, Dashlane and TrueKey.

Password managers can generate long and complex passwords that are difficult to replicate. They also remember on your behalf the passwords on all the sites and apps you use. Also, hackers sometimes steal passwords by inserting a malware that copies keystrokes. Since a password manager inputs the password, you don't have to type them in, thereby doing away with the risk of your keystrokes being captured and stolen.

A password manager is a secure vault that stores all your passwords. You get access to the vault with a master password. Instead of remembering many passwords, you have to remember just one.

Browsers like Google Chrome and Mozilla Firefox also offer password managers. However, if you wish to use your password manager across browsers and apps, use a third-party one like those mentioned above. And while a password manager that is stored locally is safer, one that is cloud-based is more convenient, since you can use it across devices having internet connection. Password managers also offer two-factor authentication. They either send a password to your phone or generate it on your device. Unless your device also gets stolen, the password manager is difficult to break into.

As for whether password managers are themselves safe, experts concede they are a prime target for hackers who know that the information stored within will be valuable. "The password manager is safe provided you set a strong master password. Your password should have at least 13 characters of which two should be small, two should be in capital, two should be random numbers, and two should be special characters. Using a word that is not there in the dictionary will enhance its strength. Keep changing your master password every three-six months," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru. Since their primary job is to provide security, most password managers do have strong security practices, he adds.

Most password managers offer a free account but you have to pay to use their advanced security features.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager

50p and Digital Payments Masterclass Learning - CIS

Udbhav Tiwari — 2017-06-15T12:29:52Z

Sunil Abraham, Saikat Dutta and Udbhav Tiwari from the CIS team attended 50p on the 24 and 25 of January 2017 in Bangalore, India. We had the following learnings from the event, which will shape our work in the digital finance and payments space in the future.

Historical Developments of Digital Payments Regulation in India - The historical development of the digital payments ecosystem in India, starting with mobile/SMS banking around 2004, focusing mostly on high-end consumers. The widely varying implementations across banks led to the RBI taking an active regulatory approach, beginning with the introduction of compulsory two factor authentication in the form of mandatory PIN usage for credit and debit cards. This move helped secure “card not present” (CNP) transactions, which in turn allowed the e commerce, online streaming services and other digital services to rapidly gain customers. This serves as an example of how simple, targeted and uniformly imposed regulations can help secure widely used digital payment modes, securing customers while expanding opportunities for businesses. The Watal Committee report has also stressed on how the the industry and consumers alike, in the medium term, will benefit from focused sectoral regulation for the FinTech industry.

Expansion in the Modern Digital Payments Industry - The digital payments industry has expanded from having three main stakeholders (banks, card issuing agencies and customers) in mid 2000s to over eight distinct entities who take part in the same payments chain. These include Digital Wallet Providers, Payment Gateways, Payment Processors, Ticketing or Payment Service Providers Billers, all of which are operate with millions of transactions per day. This not only increases the potential attack surface for possible attempts at compromising them but also governance under traditional banking regulations difficult for the regulatory authority. The introduction of BBPS (Bharat Bill Pay System) to integrate the thousands of local utility bill payment system in India, into one centrally administered programme, is just one example of the vast amounts of data being generated (and integrated) by the digital payments industry. Therefore, the need for unique FinTech regulations and standards (maybe even a regulator) to handle the rapidly expanding and critical industry is quite strong in the booming space in India.

UPI - The Unified Payments Interface (UPI) is a set of standards that allow for a single application to connect to and control multiple bank accounts (of participating banks), allowing users to use several banking services such as funds transfer (P2P), merchant payments, etc. Initially launched in August, 2016 with support from 16 banks and is gaining rapid acceptance among users, businesses and payment providers alike. While built on the same technological underpinnings as the IMPS system, the UPI standard allows for a wide variety of data, including credit scores, Aadhaar numbers and geographical location to be transmitted. While the standard itself seems reasonably secure, its diverse and closed source implementation allow for the usual closed source development risks of security and unresolved bugs. It is stipulated to become the most widely used digital transaction protocol in India and the backbone of the FinTech industry due to its interoperability and regulatory acceptance. A set of security guidelines and practices that allow for a uniform, secure and auditable implementation of the UPI standard as well as its operational usage will aid in faster and more secure development of the standard while simultaneously protecting consumer interest.

Need for Consumer Advocacy - The need for educating consumers about the technical operations of the digital payments industry, best practices to maximise user facing security and strategies for effective dispute redressal were tagged as key focus areas by various groups. The inadequacy of the Consumer Protection Act to deal with the labyrinth of digital payments and the relative lack of liability and breach notification laws (especially in the non-banking finance companies sector) have lead to bargaining power in consumer contracts to fall in the favour of the digital payments industry. While initiatives such as Cashless Consumer are attempting to rectify this, sustained and well planned initiatives implemented in a diverse and multi-lingual manner will be needed to keep up with the rapid pace of expansion in the industry and is burgeoning user base. Incidental benefits of such programmes (an increase in the demand for data protection and privacy aware practices) will also serve to further consumer interest in a manner that will have a positive impact outside the FinTech industry.

USSD - The recent push towards USSD based banking, which allows banking transactions to be carried using feature phones, has led to various concerns regarding its security, reliability and implementation. The varying levels of GSM encryption in the providers in India, the lack of open standards (such as HTTPS for Internet Banking) that allow consumers to verify security and the rapid but untested implementation by most banks have led to some players raising doubts about the possibility of exploitation of the particularly vulnerable section of users that will use USSD banking. The need for a detailed investigation into current practices, open and auditable standards unique to USSD banking in India and regulations that mandate a minimum level of compliance was expressed by multiple stakeholders.

For more details visit https://cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis

Roundtable on Enhancing Indian Cyber Security through Multi-Stakeholder Cooperation

Admin — 2018-02-01T14:04:36Z

A closed door round-table on enhancing Indian cyber security is being organized on 4 November 2017 at Indian Islamic Centre, Lodhi Road in New Delhi.

With the proliferation of digital technologies and the central role they play in national infrastructure and governance, security of systems and services is fundamental to the economic, political, and social development and success of a nation. Digital India, the National Payments Corporation of India, IndiaStack, and the Aadhaar ecosystem are just a few examples of such digital infrastructure. Yet the digital realm is increasingly becoming more complex and difficult to secure and monitor for vulnerabilities, threats, breaches, and attacks. The responsibility of identifying and monitoring such vulnerabilities can be spearheaded by designated governmental bodies like CERT-IN and NCIIPC, but for effective identification of threats and vulnerabilities, collaboration is needed across stakeholder groups including security researchers, industry, and government bodies. Transparency about breaches and attacks is also key in enabling consumer awareness and building trust with the public. Examples of such mechanisms include bug bounty programs and breach notification frameworks.

This closed door roundtable will seek to bring together government, industry, civil society, academia, and security researchers to identify different areas and tools of collaboration between stakeholders towards enhancing Indian cyber security. It will broadly focus on vulnerability identification and reporting and vulnerability/breach notification. This will include a reflection on:

Existing frameworks, forms of collaborations, policies and practices in India.
Practices, standards, certifications, and programmes adopted in other jurisdictions.
The way forward for India addressing issues like establishing trust, harmonization and communication across stakeholders and sectors, and ensuring quality and response.

RSVP: pranav@cis-india.org

Download the Invite

See the Report

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation

Govt working to set up financial CERT to tackle cyber threats

Admin — 2017-11-25T02:28:18Z

IT secretary Ajay Prakash Sawhney says the government is getting the framework in place for financial CERT, which will be followed by other sectoral CERTs later.

The article by Komal Gupta was published in Livemint on November 16, 2017

The government is working to set up a financial Computer Emergency Response Team (CERT) to tackle a rise in cyber threats to India’s financial institutions.

This will be the first sectoral CERT to be introduced in India, said IT secretary Ajay Prakash Sawhney on Wednesday.

“Right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors, said Sawhney, responding to a question on the progress of setting up of sectoral CERTs in the country. “It will oversee the entire financial sector including banks and financial institutions,” he added.

He was addressing the Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in the capital on Wednesday.

In March, the power ministry had announced setting up of four sectoral CERTs for cyber security in power systems—CERT (Transmission), CERT (Thermal), CERT (Hydro) and CERT (Distribution).

According to Sawhney, as of now, there is a national CERT and no other sectoral CERTs. While addressing the conference, he said one of the themes to be discussed will be “How sectoral CERTs can function in conjunction with the national CERT.”

CERT-In is the national nodal agency under the ministry of electronics and IT (MeitY), which deals with cyber security threats such as hacking and phishing. The agency is tasked with the collection, analysis and dissemination of information on cyber incidents and even taking emergency measures for handling cyber security incidents.

“The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack; normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank

“From April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries,” said cyber security chief Gulshan Rai, who was also present at the event.

A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June 2017, PTI reported in August.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats

Multinational Cyber Security Forum at University of Haifa

Admin — 2017-11-27T14:34:59Z

Sunil Abraham participated in a meeting in Israel on Multinational Cyber Security Forum hosted by Center for Cyber, Law and Policy and University of Haifa in collaboration with the Hewlett Foundation Cyber Initiative.

The workshop was held from November 5 to 7, 2017. The objective of the workshop was to facilitate a free and open exchange among participants under the Chatham House Rules. The workshop sought to identify areas of agreement and dissent pertaining to cyber security regulation and to explore issues that require further research, clarification and development.

For more details visit https://cis-india.org/internet-governance/news/multinational-cyber-security-forum-at-university-of-haifa

Don't dive headlong into money-making schemes on the internet

praskrishna — 2017-02-07T15:02:24Z

If you do fall victim to fraud, file your complaint at RBI's Sachet web site.

The article by Sanjay Kumar Singh was published in the Business Standard on February 7, 2017. Udbhav Tiwari was quoted.

By now you have surely read the news about a Noida-based company called Ablaze Info Solutions, which is said to have defrauded about 700,000 people of Rs 3,700 crore. In this scheme, participants first had to pay a substantial subscription fee to join it, after which they were compensated for clicking on links. There were also incentives for bringing in other members, which made it akin to a multi-level marketing (MLM) scheme. Experts advise that investors should do the due diligence before putting their money in such schemes. According to cyber experts, this scheme took off because the activity it was pursuing was a legitimate one per se. There is an entire industry on the Internet, wherein you can earn money by clicking on links: This improves the traffic on websites and allows them to demand higher advertising rates. Many websites outsource the task of improving traffic to third parties, which in turn recruit people in countries like India for the task. You can also earn money through activities like filling up forms, answering surveys, etc.

The mistake participants made in this case was to join the scheme without exploring other options. "Many players would have offered a similar level of compensation without demanding a subscription fee. Moreover, the very fact that the company was demanding a substantial subscription fee should have made people suspicious," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru. Before participating in such money-making schemes, spend time doing a detailed background check of the company's credentials, especially if the promised returns are realistic or not. "If the return offered by the company is high compared to the market rates of return, or the company is new, you should be extra cautious. Check various blogs and forums on the internet for possible complaints against the company and its key stakeholders," says Mukul Shrivastava, partner, fraud investigation and dispute services, EY India.

If you join such a programme, be warned the moment the company defaults on payments, delays them, or avoids your queries. Stop all interactions with it and lodge a complaint with the police. If the company had used forged documents, especially the ones claiming that the scheme had the approval of a regulator like Sebi, submit them.

You can also file a complaint at Sachet, a website set up by the Reserve Bank of India (see box). Another option is to contact the Serious Fraud Investigation Office (SFIO) under the Ministry of Corporate Affairs. As the police take up a case usually when many complaints pour in against an entity, motivate other victims to complain, too. The state fights the case on your behalf. Your task after complaining is to cooperate with the investigation and depose in court. Nowadays victims can be compensated under the Criminal Procedure Code as well. They also have the option to file a civil suit for recovering their money.

Finally, there is a need for new laws to tackle online frauds. "There is a gap both in terms of legislation and effective enforcement. We only have a central 1978 Act for Prize Chits and allied rules in states, which need to be updated," says Nishant Joshi, partner, Shardul Amarchand Mangaldas.

Word box
Turn to Sachet

RBI has launched a website, sachet.rbi.org.in, where you can complain if you have been cheated by an entity that has illegally collected money from you
The website also provides information on legitimate entities that are authorised to collect money
Many regulators and enforcement agencies take up the complaints filed on this site
Investors don’t have to know the regulator under whose jurisdiction the company they want to complain against falls
You will get an email informing you about the regulator/entity that will take up your case

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet

WWW: The Hackers’ Haven

praskrishna — 2015-02-05T02:20:04Z

In an increasingly connected world, it pays to be careful when sharing personal information

This story by Abraham C. Mathews was published in BW | Businessworld Issue Dated 09-02-2015. Sunil Abraham gave his inputs.

Last year, Whatsapp changed its encryption algorithm several times and, every time, it was breached,” says Saket Modi, hacker, entrepreneur and CEO of Lucideus Technologies, which just created an app that monitors wayward activity on your smartphone. That’s geekspeak for: “Your WhatsApp chats, including deleted ones, would have been accessible to any hacker worth his salt”. And we are talking about a company that was valued at $19 billion at some point during the year. Only in November 2014 did WhatsApp finally embrace end-to-end encryption, which will ostensibly address the issue.

Or take the sales claim that every smartphone purchaser has heard — “Android is safe from virus.” That’s not, however, what a joint study by security solutions company Kaspersky and Interpol found. In the first half of 2014, 1,75,442 unique malicious programmes targeted at Android were discovered. Clearly a tribute to the platform on which 85 per cent of smartphones run.

In a TEDx talk last year titled ‘What’s physically possible in the virtual world’, Modi demonstrated how, with access to your smartphone for barely 20 seconds, he can see everything that has ever happened on your phone — text messages, call log, browsing history, and so on. He also showed how fraudulent emails could be disguised so as to appear to have come from a yahoo.com email address, and how you could be hacked even without being connected to the Internet. “There are only two kinds of people in the world,” he says. “Those who know they have been hacked and those who don’t.”

Epidemic Proportions
For cyber security, 2014 was annus horribilis. From celebrities whose intimate pictures were dumped on the Internet, to corporates such as Sony, JP Morgan and Target whose records were hacked into and personal information of millions of their customers compromised, it was the year when the proverbial shit hit the fan. Details (names, numbers, even favourite pizza toppings) of six lakh customers of Domino’s Pizza in France and Belgium were stolen for a $40,000 ransom. One hundred and ten million records (credit card details, social security numbers, along with addresses) from Target were stolen. The company later admitted that its sales were “meaningfully weaker” after the data theft was disclosed. One hundred and forty-five million records were stolen from eBay, 109 million from Home Depot and 83 million from JP Morgan during the year.

In 2013, a group that calls itself the Syrian Electronic Army hacked into Swedish company TrueCaller’s database. TrueCaller, an app, allows you to identify phone numbers. The data is collected from the contact list of those who download the app, which means, it even has details of those who haven’t downloaded or used the app in any way. Estimates put the number of Indians whose numbers could have been stolen at a million.

Cyber security is not yet a boardroom topic, says Anil Bhasin, MD, India & Saarc, Palo Alto Networks, which claims to create comprehensive security solutions for users but is fast becoming one with the increase in security breach incidents. Enterprises still use legacy technology that at times is 20 years old, he says, giving the example of banks that sometimes have a layer-3 staple inspection firewall, when they should ideally be running on layer-7.

When companies store your information, you also benefit. For example, when an e-commerce company does so, online shopping becomes faster and easier. But these companies should invest in measures to protect the information, says Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore. But then again, he says, a lot of breaches, like the celebrity iCloud hack, happen because users are negligent with measures designed to protect them. Passwords, for instance.

A Pew Research report found that only four out of 10 Internet users changed passwords after the ‘heartbleed’ virus (which found a way to unlock encrypted data) was uncovered in April 2014. Only 6 per cent thought their information was stolen. But, in August, it emerged that a Russian crime ring had amassed 1.2 billion user name-password combinations of 500 million email addresses from 4,20,000 websites. A Kaspersky study found that the number of malicious programmes detected rose 10 times in just six months to 6,44,000 in March 2014. This shows the call for vigil cannot not be more critical.

Interestingly, your online financial payments may be relatively more secure, thanks to Reserve Bank of India’s dogged persistence in continuing with the two-step verification process for electronic payments (a one-time password and PIN verification). The central bank drew a lot of flak for barring taxi app Uber from storing payment information and automatically deducting charges at the end of a ride. But Modi isn’t impressed. He likens the two-step verification to a batsman going onto the pitch wearing just a helmet. “The rest of your body is still exposed,” he says.

Easy Targets
Here’s one easy hack that Modi describes. Any app that you download from the app store on your phone asks for a set of permissions, which mostly come as an ‘all or nothing’ option. You either grant all the access it asks for, or you can’t download the app. Suppose, you grant a scrabble app access to your text messages. Your number can then be accessed by the app provider. Now think about how your banking transactions are verified — with a one-time password sent as a text message. With access to your text messages, entering that password would hardly be a challenge for hackers, says Modi. Or, suppose you were to set up a new WhatsApp account with that same number. The verification, like we all know, comes through a one-time password sent to your number. With access to your text messages, the hacker is given a virtual key to your entire WhatsApp history.

Or, take for instance, an app that requests access to your SD card (the storage card in your phone). With that permission, the app gets access to everything on your SD card, including your most private photos. Modi’s company Lucideus recently came out with an app, UnHack, that scans your phone to see which apps can access what data. If you use the app, you will find that not only can Facebook access the call logs on your phone, but apps like Wunderlist (which organises to-do lists) and Pocket (which stores articles for future offline reading) can access your contacts as well. The apps from TED (of TED Talks fame) as well as Flipkart can see as well as edit your personal photos and documents.

Companies —Uber, for instance — have in the past been found to be frivolous with data collected. Late last year, Uber greeted a Buzzfeed reporter who had arrived at the company’s New York headquarters with “There you are — I was tracking you”. No prior permission was sought. A venture capitalist, Peter Sims, had written earlier that his exact whereabouts in New York were displayed to a room full of people as part of a demonstration at a company event in Chicago.

Information Overload
Adam Tanner, a Harvard fellow and a Forbes columnist, was at an annual conference of the Direct Marketers Association, where he noticed a list of names of 1.8 million people with erectile dysfunction (ED), along with their email addresses and numbers. The organisers claimed the details were volunteered by the people themselves. Knowing that ED is something that men rarely admit to, he made the organisers an offer — “Let me purchase a list of a thousand people, and write to them to see if they know that they are on such a list.” The organisers refused, saying it would be an immoral use of their data. From this, one can tell that the information came from websites that took their details, promising a cure.

This, and other similar anecdotes made their way to his recent book, What Stays in Vegas, which deals with the world of personal data and the end of privacy as we know it. When Tanner meets Indians, he brings up matrimonial websites. What surprises him is the volume of information that people disclose. To westerners, details such as sub-caste or blood type, as well as in many cases the admission that a person is HIV+ is an outright breach of privacy. That people would volunteer to put this out in public is shocking. “When you are looking for a suitable match, giving the information may be important at the moment, but you must not forget that once something is on the Internet, it can never be completely deleted,” he warns.

But what is the problem if somebody has all the details, you may ask. Is the potential risk greater than the possibility of a perfect match? A PTI report from 2009 talks about a confession by an Indian Mujahideen operative who used information from such sites to get a student identity card as well as a driving licence. Mukul Shrivastava, a partner in the forensic practice at EY, gives you another alarming scenario. Let’s say somebody trawls your Facebook, what is the amount of information that such a person can get access to? Your daily routine, your physical movement, your favourite restaurant or whether you will be at home at a certain time (from a status message like “Can’t wait to watch the Devils trouncing Liverpool at ManU Café tonight!”). Even if a physical attack is not on the agenda, much of the information can be used to guess security questions (favourite cat, first school) and find out required details for phone banking (date of birth, email address, mother’s name). An HDFC Bank official says there is a rise in vishing (the voice equivalent of phishing) attacks, where people with access to bank account numbers as well as personal details pose as bank executives and lure customers with special benefits and convince them to divulge their banking passwords.

Security is an individual’s responsibility, says Sunil Abraham. “You have to remember that you have volunteered to put the information online,” he says. Information once put online is not private anymore. It’s like making an announcement in a large hall that is broadcast on TV. That’s what the Internet is. And once the Internet gets to know, it can never really be forgotten, says Vishnu Gopal, chief technology officer at MobME, a mobile value-added services provider. It will be available on some weblink or at least on archive.org, which claims to have ‘435 billion pages saved over time’.

While reclaiming lost information might be difficult, one can still reclaim privacy. Both Facebook and Gmail have options to disable monitoring by other applications. It might be worthwhile to pay the permissions page a visit. Routine password changes, as well as keying them in every time (rather than saving them on the system) might be worth the trouble. That said, nothing works like caution.

An Attacking Refrigerator!
A year ago, Proofpoint, a US-based security solutions provider, noticed an unusual type of cyber attack. Emails were sent in batches of about a lakh, thrice a day, aimed at slowing down large enterprises. What was unique about this attack was that upto 25 per cent of the volume was sent by devices other than computers, laptops, mobile phones or such devices. Instead, the emails came from everyday consumer electronic items like network routers, televisions, and at least one refrigerator, according to the company, with not more than 10 emails from any one device, making the attack difficult to block. This is now known as the first Internet of Things or IoT-based attack, where connected everyday-use devices are hacked into and used as cyber weaponry.

With the IoT, you have devices talking to one another, opening up multiple places to be breached, says MobME’s Gopal. From your shoe to T-shirt, everything becomes a potential bot. India should be concerned. Research by securities provider Symantec says India tops the list of countries wherein Distributed Denial of Service (DDoS) attacks originate. DDoS attacks are those where hundreds of bots target a website (say, an e-commerce company) on its big discount day, thereby slowing down traffic to the site. The report says a bot’s services can be bought for as low as Rs 300 to bring down a site for a few minutes. Monthly subscription plans are available for lengthier attacks.

Corporates can never be too careful, feels Shrivastava who, as part of his investigations, comes across several instances where companies are hacked into because of lack of best practices. How many companies have blocked pen drives on office machinery, he asks. In a tiny device, a humungous amount of data can be stolen. Till the first incident happens, nobody realises the importance of security, he says. For example, at EY, the IT security does not permit copying of the text of emails by the recipient. Recent reports suggest that the JP Morgan security breach was the result of neglect of one of its servers in terms of a security upgrade.

According to a study by Microsoft, the estimated loss to enterprises from lost data in 2014 was $491 billion.

You Against The Mafia
The fight really is about who’s weaker, says Altaf Halde, managing director, Kaspersky Lab-South Asia. “The problem here is the consumer.” Nothing excuses us from not protecting ourselves. That includes getting an anti-virus installed, but most people often disable it when it flags a particular activity that we want to pursue online.

Halde also brings up the BYOD (bring your own device) culture that is taking root. Asking employees to bring their own devices could help cut costs for a company, but that also brings in their inadequate protection, which could potentially translate into a much higher cost to the company, he says.

On the other side of the ring is the virtual underground mafia that profits from all types of data that get compromised — details of one’s sexual preferences, favourite restaurants or credit card details. Modi says in underground circles, the going rate for a stolen credit card number is $2.2 for a Visa, $2.5 for a MasterCard and $3 for an AmEx number. Transactions are made through crypto-currencies such as bitcoins, making them virtually untraceable.

As Modi says, the ideal scenario would be for all of us to throw away our smartphones and live an entirely offline existence. “But since that isn’t feasible, let’s embrace the risk, but with adequate measures to ensure that we are not affected.”

For more details visit https://cis-india.org/internet-governance/news/business-world-9-2-2015-abraham-c-mathews-www-the-hackers-haven

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

International Cooperation in Cybercrime: The Budapest Convention

vipul — 2019-04-29T22:35:37Z

In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.

Click to download the file here

However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.^{^[1]}

Extradition

Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for atleast one year.^{^[2]} In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.^{^[3]} Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.^{^[4]} The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.^{^[5]}

The Convention also recognises the principle of "aut dedere aut judicare" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,^{^[6]} then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.^{^[7]} The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.^{^[8]}

Mutual Assistance Requests

The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.^{^[9]} Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.^{^[10]} However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.

The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.^{^[11]} Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.^{^[12]}

Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;^{^[13]} (ii) the request concerns an offence considered as a political offence by the requested Party;^{^[14]} or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, ordre public or other essential interests.^{^[15]} The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.^{^[16]} In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.^{^[17]}

In practice it has been found that though States refuse requests on a number of grounds,^{^[18]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.^{^[19]} A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:

“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.

British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.

Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.

A.T. was extradited to Norway and prosecuted.”^{^[20]}

It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.

In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.^{^[21]} On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.^{^[22]} If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.^{^[23]}

In the normal course the Convention envisages requests being made and executed through the respective designated central authorities, however it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even the Interpol.^{^[24]} Even in non urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.^{^[25]}

The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,^{^[26]} (ii) provide real time collection of traffic data with specified communications in its territory;^{^[27]} and (iii) provide real time collection or recording of content data of specified communications.^{^[28]} The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.

The procedure for sending mutual assistance requests under the Convention is usually the following:

Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.
Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).
The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.

The following procedure is then followed in the corresponding receiving Party:

Receipt of the request by the Central Authority.
Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).
Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).
Issuance of a court order (if needed).
Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.
Data obtained is examined against the MLA request, which may entail translation or

using a specialist in the language.

The information is then transmitted to requesting State via MLA channels.^{^[29]}

In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently) investigations are often abandoned.^{^[30]} Further, the lack of awareness regarding procedure and applicable legislation of the requested State lead to formal requirements not being met. Requests are often incomplete or too broad; do not meet legal thresholds or the dual criminality requirement.^{^[31]}

Preservation Requests

The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.

The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.^{^[32]} However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.^{^[33]} In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, ordre public or other essential interests of the requested Party.^{^[34]}

In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.^{^[35]} Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.^{^[36]} If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.^{^[37]}

Jurisdiction and Access to Stored Data

The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.^{^[38]} The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction; (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.^{^[39]} These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state, infact if a state was required to take the permission of the state in the territory of which the data was physically located even in these situations, then it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.^{^[40]}

Since the language of the Budapest Convention stopped shy of addressing other situations law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis risking the privacy rights of individuals raising concerns regarding national sovereignty.^{^[41]} It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011 which came out with a Guidance Note clarigying the legal position under Article 32.

The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.^{^[42]} The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.^{^[43]} The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.^{^[44]}

The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data, they would not own or control the data and therefore cannot give valid consent to share the data.^{^[45]} The Guidance Note also specifies that with respect to the location of the person providing access or consent, while the standard assumption is that the person would be physically located in the requesting Party however there may be other situations, “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.^{^[46]}

Production Order

A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.^{^[47]} It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.^{^[48]} Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.^{^[49]} However subscriber information^{^[50]} can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.^{^[51]}

Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.^{^[52]} Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.

Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.^{^[53]}

The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.^{^[54]} A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.^{^[55]} The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:^{^[56]}

PRODUCTION ORDER CAN BE SERVED
IF The criminal justice authority has jurisdiction over the offence
AND The service provider is in possession or control of the subscriber information
AND
The service provider is in the territory of the Party (Article 18(1)(a))	Or	A Party considers that a service provider is “offering its services in the territory of the Party” when, for example: - the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and - the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party. (Article 18(1)(b))
AND
		the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.

The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention are clearly too slow to be a satisfactory long term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[57]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[58]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, specially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,^{^[59]} and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.^{^[60]}

Language of Requests

It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English atleast in urgent cases since most States accepted a request in English.^{^[61]} Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.^{^[62]}

24/7 Network

Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.^{^[63]} The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer-or computer-related crimes.^{^[64]} In practice however it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[65]}

Drawbacks and Improvements

The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:

Weakness and Delays in Mutual Assistance: In practice it has been found that though States refuse requests on a number of grounds,^{^[66]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason by police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.^{^[67]} The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.

Access to data stored outside the territory: Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.^{^[68]} It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[69]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[70]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.

Language of requests: Language of requests create a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment, a provisional draft Additional Protocol to address the issue.^{^[71]}

Bypassing of 24/7 points of contact: Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[72]}

India and the Budapest Convention

Although countries outside the European Union have the option on signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:

India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties, where it had no hand in the initial drafting and negotiations.^{^[73]}
Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.^{^[74]}
The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.^{^[75]}
It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.^{^[76]}
Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.^{^[77]}

Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.^{^[78]}

Conclusion

The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative which is the MLAT system is no better due to delays in providing access to requested data.^{^[79]} This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (specially in the financial sector) which may involve examination of electronic evidence. However that does not mean the end of the road for the Budapest Convention, one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address atleast some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option as this could be an incentive for non signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.

^{^[1]} Council of Europe, Explanatory Report to the Convention on Cybercrime, https://rm.coe.int/16800cce5b, para 304.

^{^[2]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.

^{^[3]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(5).

^{^[4]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(3).

^{^[5]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(2).

^{^[6]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 251.

^{^[7]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(6).

^{^[8]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(7).

^{^[9]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(1).

^{^[10]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[11]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(2).

^{^[12]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.

^{^[13]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[14]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(a).

^{^[15]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(b).

^{^[16]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(5).

^{^[17]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(6).

^{^[18]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[19]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[20]} Pedro Verdelho, Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice, 2008, pg. 5, https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF, accessed on March 28, 2019.

^{^[21]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(8).

^{^[22]} However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. See para 278 of the the Explanatory Note to the Budapest Convention.

^{^[23]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 28.

^{^[24]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(a) and (b).

^{^[25]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.

^{^[26]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 31.

^{^[27]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 33.

^{^[28]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 34.

^{^[29]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 37.

^{^[30]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 123.

^{^[31]} Ibid at 124.

^{^[32]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.

^{^[33]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(4).

^{^[34]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(5).

^{^[35]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(6).

^{^[36]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(7).

^{^[37]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 30.

^{^[38]} Anna-Maria Osula, Accessing Extraterritorially Located Data: Options for States, http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf, accessed on March 28, 2019.

^{^[39]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 32.

^{^[40]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 293.

^{^[41]} Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, Transborder access and jurisdiction: What are the options?, December 2012, para 310.

^{^[42]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.

^{^[43]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.

^{^[44]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.

^{^[45]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.

^{^[46]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.

^{^[47]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 18.

^{^[48]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 170.

^{^[49]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[50]} Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

^{^[51]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[52]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.

^{^[53]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.

^{^[54]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.

^{^[55]} Id.

^{^[56]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.

^{^[57]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[58]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[59]} Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, Criminal justice access to data in the cloud: challenges (Discussion paper), May 2015, pgs 10-14.

^{^[60]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.

^{^[61]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 35.

^{^[62]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[63]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 35.

^{^[64]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 298.

^{^[65]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[66]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[67]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 7.

^{^[68]} Giovanni Buttarelli, Fundamental Legal Principles for a Balanced Approach, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf

^{^[69]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[70]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[71]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[72]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[73]} Dr. Anja Kovaks, India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders, available at https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/

^{^[74]} Alexander Seger, India and the Budapest Convention: Why not?, Digital Debates: The CyFy Journal, Vol III, available at https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

^{^[75]} Id.

^{^[76]} Id.

^{^[77]} Id.

^{^[78]} https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/

^{^[79]} Elonnai Hickok and Vipul Kharbanda, Cross Border Cooperation on Criminal Matters - A perspective from India, available at https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention